Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into vivek2

Author: markingmyname

.openpublishing.redirection.defender-for-cloud.json

@@ -710,6 +710,11 @@
             "redirect_url": "/azure/defender-for-cloud/defender-for-containers-usage",
             "redirect_document_id": true
         },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/file-integrity-monitoring-usage.md",
+            "redirect_url": "/azure/defender-for-cloud/file-integrity-monitoring-enable-log-analytics",
+            "redirect_document_id": true
+        },
         {
             "source_path_from_root": "/articles/defender-for-cloud/release-notes.md#auto-deployment-of-azure-monitor-agent-preview",
             "redirect_url": "/azure/defender-for-cloud/release-notes#azure-monitor-agent-integration-now-in-preview",

articles/active-directory/governance/TOC.yml

@@ -233,12 +233,14 @@
 - name: Reference
   expanded: true
   items:
+  - name: Identity Governance - PowerShell
+    href: /powershell/module/microsoft.graph.identity.governance/?view=graph-powershell-beta
   - name: Access reviews - Microsoft Graph API
     href: /graph/api/resources/accessreviewsv2-overview
   - name: Entitlement management - Microsoft Graph API
     href: /graph/api/resources/entitlementmanagement-overview
   - name: Lifecycle Workflows - Microsoft Graph API
-    href: /graph/api/resources/identitygovernance-lifecycleworkflows-overview?view=graph-rest-beta
+    href: /graph/api/resources/identitygovernance-lifecycleworkflows-overview
   - name: Lifecycle Workflows - FAQs (Preview)
     href: workflows-faqs.md  
   - name: Developer API reference Lifecycle Workflows- Azure Active Directory

articles/active-directory/reports-monitoring/how-to-view-applied-conditional-access-policies.md

@@ -0,0 +1,145 @@
+---
+
+title: How to view applied conditional access policies in the Azure AD sign-in logs | Microsoft Docs
+description: Learn how to view applied conditional access policies in the Azure AD sign-in logs
+services: active-directory
+documentationcenter: ''
+author: MarkusVi
+manager: amycolannino
+editor: ''
+
+ms.service: active-directory
+ms.topic: how-to
+ms.workload: identity
+ms.subservice: report-monitor
+ms.date: 09/14/2022
+ms.author: markvi
+ms.reviewer: besiler 
+
+ms.collection: M365-identity-device-management
+---
+
+# How to: View applied conditional access policies in the Azure AD sign-in logs
+
+With conditional access policies, you can control, how your users get access to the resources of your Azure tenant. As a tenant admin, you need to be able to determine what impact your conditional access policies have on sign-ins to your tenant, so that you can take action if necessary. The sign-in logs in Azure AD provide you with the information you need to assess the impact of your policies.
+
+  
+This article explains how you can get access to the information about applied conditional access policies. 
+
+
+## What you should know
+
+As an Azure AD administrator, you can use the sign-in logs to:
+
+- Troubleshoot sign in problems
+- Check on feature performance
+- Evaluate security of a tenant
+
+Some scenarios require you to get an understanding for how your conditional access policies were applied to a sign-in event. Common examples include:
+
+- **Helpdesk administrators** who need to look at applied conditional access policies to understand if a policy is the root cause of a ticket opened by a user. 
+
+- **Tenant administrators** who need to verify that conditional access policies have the intended impact on the users of a tenant.
+
+
+You can access the sign-in logs using the Azure portal, MS Graph, and PowerShell.  
+
+
+
+## Required administrator roles 
+
+
+To see applied conditional access policies in the sign-in logs, administrators must have permissions to:  
+
+- View sign-in logs 
+- View conditional access policies
+
+The least privileged built-in role that grants both permissions is the **Security Reader**. As a best practice, your global administrator should add the **Security Reader** role to the related administrator accounts. 
+
+
+The following built in roles grant permissions to read conditional access policies:
+
+- Global Administrator 
+
+- Global Reader 
+
+- Security Administrator 
+
+- Security Reader 
+
+- Conditional Access Administrator 
+
+
+The following built in roles grant permission to view sign-in logs: 
+
+- Global Administrator 
+
+- Security Administrator 
+
+- Security Reader 
+
+- Global Reader 
+
+- Reports Reader 
+
+
+## Permissions for client apps 
+
+If you use a client app to pull sign-in logs from Graph, your app needs permissions to receive the **appliedConditionalAccessPolicy** resource from Graph. As a best practice, assign **Policy.Read.ConditionalAccess** because it's the least privileged permission. Any of the following permissions is sufficient for a client app to access applied CA policies in sign-in logs through Graph: 
+
+- Policy.Read.ConditionalAccess 
+
+- Policy.ReadWrite.ConditionalAccess 
+
+- Policy.Read.All 
+
+ 
+
+## Permissions for PowerShell 
+
+Like any other client app, the Microsoft Graph PowerShell module needs client permissions to access applied conditional access policies in the sign-in logs. To successfully pull applied conditional access in the sign-in logs, you must consent to the necessary permissions with your administrator account for MS Graph PowerShell. As a best practice, consent to:
+
+- Policy.Read.ConditionalAccess
+- AuditLog.Read.All 
+- Directory.Read.All 
+
+These permissions are the least privileged permissions with the necessary access. 
+
+To consent to the necessary permissions, use: 
+
+` Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All `
+
+To view the sign-in logs, use: 
+
+`Get-MgAuditLogSignIn `
+
+The output of this cmdlet contains a **AppliedConditionalAccessPolicies** property that shows all the conditional access policies applied to the sign-in. 
+
+For more information about this cmdlet, see [Get-MgAuditLogSignIn](https://docs.microsoft.com/powershell/module/microsoft.graph.reports/get-mgauditlogsignin?view=graph-powershell-1.0).
+
+The AzureAD Graph PowerShell module doesn't support viewing applied conditional access policies; only the Microsoft Graph PowerShell module returns applied conditional access policies.  
+
+## Confirming access 
+
+In the **Conditional Access** tab, you see a list of conditional access policies applied to that sign-in event.  
+
+
+To confirm that you have admin access to view applied conditional access policies in the sign-ins logs, do: 
+
+1. Navigate to the Azure portal. 
+
+2. In the top-right corner, select your directory, and then select **Azure Active Directory** in the left navigation pane. 
+
+3. In the **Monitoring** section, select **Sign-in logs**. 
+
+4. Click an item in the sign-in row table to bring up the Activity Details: Sign-ins context pane.  
+
+5. Click on the Conditional Access tab in the context pane. If your screen is small, you may need to click the ellipsis […] to see all context pane tabs.  
+
+
+
+
+## Next steps
+
+* [Sign-ins error codes reference](./concept-sign-ins.md)
+* [Sign-ins report overview](concept-sign-ins.md)

articles/active-directory/reports-monitoring/toc.yml

@@ -63,18 +63,20 @@
     items:
     - name: Access activity logs
       href: howto-access-activity-logs.md
+    - name: Configure prerequisites for Reporting API
+      href: howto-configure-prerequisites-for-reporting-api.md
     - name: Download logs
       href: howto-download-logs.md
-    - name: Manage inactive user accounts in Azure AD
-      href: howto-manage-inactive-user-accounts.md
     - name: Find activity reports
       href: howto-find-activity-reports.md
+    - name: Manage inactive user accounts in Azure AD
+      href: howto-manage-inactive-user-accounts.md
     - name: Troubleshoot sign-in errors for a user
       href: howto-troubleshoot-sign-in-errors.md
-    - name: Configure prerequisites for Reporting API
-      href: howto-configure-prerequisites-for-reporting-api.md
-    - name: How to use Azure AD workbooks
+    - name: Use Azure AD workbooks
       href: howto-use-azure-monitor-workbooks.md
+    - name: View applied conditional access policies
+      href: how-to-view-applied-conditional-access-policies.md
 
   - name: Monitoring
     items:
@@ -125,6 +127,7 @@
     href: reports-faq.yml
   - name: Sign-in log schema
     href: reference-azure-monitor-sign-ins-log-schema.md
+
 - name: Workbooks
   items:
     - name: Authentication prompts analysis
@@ -139,6 +142,7 @@
       href: workbook-risk-analysis.md
     - name: Sensitive Operations Report 
       href: workbook-sensitive-operations-report.md
+
 - name: Recommendations
   items:
     - name: Convert to conditional access MFA

articles/active-directory/saas-apps/arena-eu-tutorial.md

@@ -0,0 +1,144 @@
+---
+title: 'Tutorial: Azure AD SSO integration with Arena EU'
+description: Learn how to configure single sign-on between Azure Active Directory and Arena EU.
+services: active-directory
+author: jeevansd
+manager: CelesteDG
+ms.reviewer: CelesteDG
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 09/06/2022
+ms.author: jeedes
+
+---
+
+# Tutorial: Azure AD SSO integration with Arena EU
+
+In this tutorial, you'll learn how to integrate Arena EU with Azure Active Directory (Azure AD). When you integrate Arena EU with Azure AD, you can:
+
+* Control in Azure AD who has access to Arena EU.
+* Enable your users to be automatically signed-in to Arena EU with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Arena EU single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Arena EU supports **SP** and **IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Arena EU from the gallery
+
+To configure the integration of Arena EU into Azure AD, you need to add Arena EU from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Arena EU** in the search box.
+1. Select **Arena EU** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide&preserve-view=true).
+
+## Configure and test Azure AD SSO for Arena EU
+
+Configure and test Azure AD SSO with Arena EU using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user at Arena EU.
+
+To configure and test Azure AD SSO with Arena EU, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+    1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+    1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Arena EU SSO](#configure-arena-eu-sso)** - to configure the single sign-on settings on application side.
+    1. **[Create Arena EU test user](#create-arena-eu-test-user)** - to have a counterpart of B.Simon in Arena EU that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Arena EU** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+    ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+    In the **Sign-on URL** text box, type the URL:
+    `https://app.europe.arenaplm.com/`
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+    ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate")
+
+1. On the **Set up Arena EU** section, copy the appropriate URL(s) based on your requirement.
+
+	![Screenshot shows how to copy the appropriate configuration URL.](common/copy-configuration-urls.png "Metadata")  
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+   1. In the **Name** field, enter `B.Simon`.  
+   1. In the **User name** field, enter the [email protected]. For example, `[email protected]`.
+   1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+   1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Arena EU.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Arena EU**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Arena EU SSO
+
+To configure single sign-on on **Arena EU** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Arena EU support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Arena EU test user
+
+In this section, you create a user called Britta Simon at Arena EU. Work with [Arena EU support team](mailto:[email protected]) to add the users in the Arena EU platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO 
+
+In this section, you test your Azure AD single sign-on configuration with following options. 
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Arena EU Sign-on URL where you can initiate the login flow.  
+
+* Go to Arena EU Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Arena EU for which you set up the SSO. 
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Arena EU tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Arena EU for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Arena EU you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

articles/active-directory/saas-apps/concur-tutorial.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 08/26/2021
+ms.date: 09/13/2022
 ms.author: jeedes
 ---
 
@@ -21,6 +21,12 @@ In this tutorial, you'll learn how to integrate Concur with Azure Active Directo
 * Enable your users to be automatically signed-in to Concur with their Azure AD accounts.
 * Manage your accounts in one central location - the Azure portal.
 
+> [!NOTE]
+> The guidance provided in this article does not cover the new **Manage Single Sign-On** offering that is available from SAP Concur as of mid 2019.
+> This new self-service SSO offering relies on **IdP initiated** sign-in which the current gallery app does not allow, due to the **Sign on URL** not being optional.
+> The **Sign on URL** must be empty for IdP initiated sign-in via MyApps portal to work as intended.
+> For these reason you must start out with a custom non-galleryp application to set up SSO when using the **Manage Single Sign-On** feature in SAP Concur.
+
 ## Prerequisites
 
 To get started, you need the following items: