Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: grminch

.openpublishing.redirection.azure-monitor.json

@@ -216,6 +216,41 @@
             "redirect_url": "/azure/azure-monitor/visualize/workbooks-overview",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/visualize/view-designer-conversion-access.md",
+            "redirect_url": "/azure/azure-monitor/visualize/workbooks-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/visualize/view-designer-conversion-examples.md",
+            "redirect_url": "/azure/azure-monitor/visualize/workbooks-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/visualize/view-designer-conversion-options.md",
+            "redirect_url": "/azure/azure-monitor/visualize/workbooks-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/visualize/view-designer-conversion-overview.md",
+            "redirect_url": "/azure/azure-monitor/visualize/workbooks-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/visualize/view-designer-conversion-tasks.md",
+            "redirect_url": "/azure/azure-monitor/visualize/workbooks-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/visualize/view-designer-conversion-tiles.md",
+            "redirect_url": "/azure/azure-monitor/visualize/workbooks-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/visualize/workbooks-interactive.md",
+            "redirect_url": "/azure/azure-monitor/visualize/workbooks-configurations",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/visualize/workbooks-groups.md",   
             "redirect_url": "/azure/azure-monitor/visualize/workbooks-create-workbook",

.openpublishing.redirection.defender-for-iot.json

@@ -5,11 +5,6 @@
             "redirect_url": "/azure/defender-for-iot/organizations/ot-appliance-sizing",
             "redirect_document_id": false
         },
-        {
-            "source_path_from_root": "/articles/defender-for-iot/organizations/resources-manage-proprietary-protocols.md",
-            "redirect_url": "/azure/defender-for-iot/organizations/overview#extend-support-to-proprietary-protocols",
-            "redirect_document_id": false
-        },
         {
             "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-configure-windows-endpoint-monitoring.md",
             "redirect_url": "/azure/defender-for-iot/organizations/how-to-control-what-traffic-is-monitored#configure-windows-endpoint-monitoring",

.openpublishing.redirection.json

@@ -21376,6 +21376,11 @@
       "redirect_url": "/azure/sentinel/microsoft-365-defender-sentinel-integration#microsoft-365-defender-incidents-and-microsoft-incident-creation-rules",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/sentinel/ueba-enrichments.md",
+      "redirect_url": "/azure/sentinel/ueba-reference",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/sentinel/import-threat-intelligence.md",
       "redirect_url": "/azure/sentinel/understand-threat-intelligence",

articles/active-directory/app-provisioning/workday-integration-reference.md

@@ -64,10 +64,6 @@ Permissions Management currently doesn't support hybrid environments.
 
 Permissions Management supports user identities (for example, employees, customers, external partners) and workload identities (for example, virtual machines, containers, web apps, serverless functions).
 
-<!---## Is Permissions Management General Data Protection Regulation (GDPR) compliant?
-
-Permissions Management is currently not GDPR compliant.--->
-
 ## Is Permissions Management available in Government Cloud?
 
 No, Permissions Management is currently not available in Government clouds.
@@ -146,6 +142,32 @@ If a customer decides to discontinue licensing the service, we will also delete
 
 We also have the ability to remove, export or modify specific data should the Global Admin using the Entra Permissions Management service file an official Data Subject Request. This can be initiated by opening a ticket in the Azure portal [New support request - Microsoft Entra admin center](https://entra.microsoft.com/#blade/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical), or alternately contacting your local Microsoft representative. 
 
+## Do I require a license to use Entra Permissions Management? 
+
+Yes, as of July 1st, 2022, new customers must acquire a free 90-trial license or a paid license to use the service. You can enable a trial or purchase licenses here: [https://aka.ms/TryPermissionsManagement](https://aka.ms/TryPermissionsManagement)
+ 
+## What do I do if I’m using Public Preview version of Entra Permissions Management?  
+
+If you are using the Public Preview version of Entra Permissions Management, your current deployment(s) will continue to work through October 1st.  
+
+After October 1st you will need to move over to use the newly released version of the service and enable a 90-day trial or purchase licenses to continue using the service.  
+
+## What do I do if I’m using the legacy version of the CloudKnox service?  
+
+We are currently working on developing a migration plan to help customers on the original CloudKnox service move to the new Entra Permissions Management service later in 2022.   
+
+## Can I use Entra Permissions Management in the EU?  
+
+Yes, the product is compliant.  
+
+## How to I enable one of the new 18 languages supported in the GA release? 
+
+We are now localized in 18 languages. We respect your browser setting or you can manually enable your language of choice by adding a query string suffix to your Entra Permissions Management URL:  
+
+`?lang=xx-XX` 
+
+Where xx-XX is one of the following available language parameters: 'cs-CZ', 'de-DE', 'en-US', 'es-ES', 'fr-FR', 'hu-HU', 'id-ID', 'it-IT', 'ja-JP', 'ko-KR', 'nl-NL', 'pl-PL', 'pt-BR', 'pt-PT', 'ru-RU', 'sv-SE', 'tr-TR', 'zh-CN', or 'zh-TW'. 
+
 ## Resources
 
 - [Public Preview announcement blog](https://www.aka.ms/CloudKnox-Public-Preview-Blog)

articles/active-directory/cloud-infrastructure-entitlement-management/faqs.md

@@ -7,22 +7,22 @@ manager: karenhoran
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 11/16/2020
+ms.date: 07/01/2022
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 # Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets
 
-The purpose of this document is to describe the Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets allow you to have more granularity on the permissions that are applied on the service account (gMSA). By default, Azure AD Connect cloud sync applies all permissions similar to Azure AD Connect on the default gMSA or a custom gMSA.
+The purpose of this document is to describe the Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets allow you to have more granularity on the permissions that are applied on the service account (gMSA). By default, Azure AD Connect cloud sync applies all permissions similar to Azure AD Connect on the default gMSA or a custom gMSA, during cloud provisioning agent install.
 
 This document will cover the following cmdlets:
 
-`Set-AADCloudSyncRestrictedPermissions`
-
 `Set-AADCloudSyncPermissions`
 
+`Set-AADCloudSyncRestrictedPermissions`
+
 ## How to use the cmdlets:
 
 The following prerequisites are required to use these cmdlets.
@@ -32,34 +32,26 @@ The following prerequisites are required to use these cmdlets.
 2. Import Provisioning Agent PS module into a PowerShell session.
 
    ```powershell
-   Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll"  
+   Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll"
    ```
 
-3. Remove existing permissions.  To remove all existing permissions on the service account, except SELF use: `Set-AADCloudSyncRestrictedPermission`.
-
-   This cmdlet requires a parameter called `Credential` which can be passed, or it will prompt if called without it.
+3. These cmdlets require a parameter called `Credential` which can be passed, or will prompt the user if not provided in the command line. Depending on the cmdlet syntax used, these credentials must be an enterprise admin account or, at a minimum, a domain administrator of the target domain where you're setting the permissions. 
 
-   To create a variable, use:
+4. To create a variable for credentials, use:
 
    `$credential = Get-Credential`
+   
+5. To set Active Directory permissions for cloud provisioning agent, you can use the following cmdlet. This will grant permissions in the root of the domain allowing the service account to manage on-premises Active Directory objects. See [Using Set-AADCloudSyncPermissions](#using-set-aadcloudsyncpermissions) below for examples on setting the permissions.
 
-   This will prompt the user to enter username and password. The credentials must be at a minimum domain administrator(of the domain where agent is installed), could be enterprise admin as well.
-
-4. Then you can call the cmdlet to remove extra permissions:
+   `Set-AADCloudSyncPermissions -EACredential $credential`
 
-   ```powershell
-   Set-AADCloudSyncRestrictedPermissions -Credential $credential 
-   ```
-
-5. Or you can simply call:
+6. To restrict Active Directory permissions set by default on the cloud provisioning agent account, you can use the following cmdlet. This will increase the security of the service account by disabling permission inheritance and removing all existing permissions, except SELF and Full Control for administrators. See [Using Set-AADCloudSyncRestrictedPermission](#using-set-aadcloudsyncrestrictedpermissions) below for examples on restricting the permissions.
 
-   `Set-AADCloudSyncRestrictedPermissions` which will prompt for credentials.
-
-6. Add specific permission type. Permissions added are same as Azure AD Connect. See [Using Set-AADCloudSyncPermissions](#using-set-aadcloudsyncpermissions) below for examples on setting the permissions.
+   `Set-AADCloudSyncRestrictedPermission -Credential $credential`
 
 ## Using Set-AADCloudSyncPermissions
 
-`Set-AADCloudSyncPermissions` supports the following permission types which are identical to the permissions used by Azure AD Connect. The following permission types are supported:
+`Set-AADCloudSyncPermissions` supports the following permission types which are identical to the permissions used by Azure AD Connect Classic Sync (ADSync). The following permission types are supported:
 
 |Permission type|Description|
 |-----|-----|
@@ -69,28 +61,43 @@ The following prerequisites are required to use these cmdlets.
 |HybridExchangePermissions|See [HybridExchangePermissions](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-exchange-hybrid-deployment) permissions for Azure AD Connect|
 |ExchangeMailPublicFolderPermissions| See [ExchangeMailPublicFolderPermissions](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-exchange-mail-public-folders) permissions for Azure AD Connect|
 |CloudHR| Applies 'Create/delete User objects' on 'This object and all descendant objects'|
-|All|adds all the above permissions.|
+|All| Applies all the above permissions|
 
 You can use AADCloudSyncPermissions in one of two ways:
-- [Grant a certain permission to all configured domains](#grant-a-certain-permission-to-all-configured-domains)
-- [Grant a certain permission to a specific domain](#grant-a-certain-permission-to-a-specific-domain)
+- [Grant permissions to all configured domains](#grant-permissions-to-all-configured-domains)
+- [Grant permissions to a specific domain](#grant-permissions-to-a-specific-domain)
 
-## Grant a certain permission to all configured domains
+## Grant permissions to all configured domains
 
 Granting certain permissions to all configured domains will require the use of an enterprise admin account.
 
 ```powershell
-Set-AADCloudSyncPermissions -PermissionType "Any mentioned above" -EACredential $credential (prepopulated same as above [$credential = Get-Credential]) 
+$credential = Get-Credential
+Set-AADCloudSyncPermissions -PermissionType "Any mentioned above" -EACredential $credential 
 ```
 
-## Grant a certain permission to a specific domain
+## Grant permissions to a specific domain
 
-Granting certain permissions to a specific domain will require the use of, at minimum a domain admin account of the domain you are attempting to add.
+Granting certain permissions to a specific domain will require the use of a TargetDomainCredential that is enterprise admin or, domain admin of the target domain. The TargetDomain has to be already configured through wizard.
 
 ```powershell
-Set-AADCloudSyncPermissions -PermissionType "Any mentioned above" -TargetDomain "FQDN of domain" (has to be already configured through wizard) -TargetDomainCredential $credential(same as above) 
+$credential = Get-Credential
+Set-AADCloudSyncPermissions -PermissionType "Any mentioned above" -TargetDomain "FQDN of domain" -TargetDomainCredential $credential
 ```
 
-Note: for 1. The credentials must be at a minimum Enterprise admin.
-
-For 2. The Credentials can be either Domain admin or enterprise admin.
+## Using Set-AADCloudSyncRestrictedPermissions
+For increased security, `Set-AADCloudSyncRestrictedPermissions` will tighten the permissions set on the cloud provisioning agent account itself. Hardening permissions on the cloud provisioning agent account involves the following changes: 
+
+- Disable inheritance
+- Remove all default permissions, except ACEs specific to SELF.
+- Set Full Control permissions for SYSTEM, Administrators, Domain Admins, and Enterprise Admins.
+- Set Read permissions for Authenticated Users and Enterprise Domain Controllers.
+ 
+  The -Credential parameter is necessary to specify the Administrator account that has the necessary privileges to restrict Active Directory permissions on the cloud provisioning agent account. This is typically the domain or enterprise administrator.  
+ 
+For Example: 
+
+``` powershell
+$credential = Get-Credential 
+Set-AADCloudSyncRestrictedPermissions -Credential $credential  
+```

articles/active-directory/cloud-sync/how-to-gmsa-cmdlets.md

@@ -5,7 +5,7 @@ services: active-directory
 author: mmacy
 manager: CelesteDG
 
-ms.date: 06/02/2022
+ms.date: 07/04/2022
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
@@ -18,6 +18,16 @@ ms.custom: has-adal-ref
 
 Welcome to what's new in the Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
 
+## June 2022
+
+### Updated articles
+
+- [Add app roles to your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md)
+- [Azure AD Authentication and authorization error codes](reference-aadsts-error-codes.md)
+- [Microsoft identity platform refresh tokens](refresh-tokens.md)
+- [Single-page application: Acquire a token to call an API](scenario-spa-acquire-token.md)
+- [Tutorial: Sign in users and call the Microsoft Graph API in an Electron desktop app](tutorial-v2-nodejs-desktop.md)
+
 ## May 2022
 
 ### Updated articles
@@ -28,7 +38,7 @@ Welcome to what's new in the Microsoft identity platform documentation. This art
 - [Quickstart: Sign in users and call the Microsoft Graph API from an Android app](mobile-app-quickstart-portal-android.md)
 - [Quickstart: Sign in users and call the Microsoft Graph API from an iOS or macOS app](mobile-app-quickstart-portal-ios.md)
 - [Set up your application's Azure AD test environment](test-setup-environment.md)
-- [Single Sign-On SAML protocol](single-sign-on-saml-protocol.md)
+- [Single sign-on SAML protocol](single-sign-on-saml-protocol.md)
 - [Single sign-on with MSAL.js](msal-js-sso.md)
 - [Tutorial: Sign in users and acquire a token for Microsoft Graph in a Node.js & Express web app](tutorial-v2-nodejs-webapp-msal.md)
 - [What's new for authentication?](reference-breaking-changes.md)
@@ -47,9 +57,3 @@ Welcome to what's new in the Microsoft identity platform documentation. This art
 - [OAuth 2.0 and OpenID Connect in the Microsoft identity platform](active-directory-v2-protocols.md)
 - [Signing key rollover in the Microsoft identity platform](active-directory-signing-key-rollover.md)
 - [Troubleshoot publisher verification](troubleshoot-publisher-verification.md)
-
-## February 2022
-
-### Updated articles
-
-- [Desktop app that calls web APIs: Acquire a token using WAM](scenario-desktop-acquire-token-wam.md)