Merge pull request #203662 from MicrosoftDocs/main

7/01 PM Publish

Author: huypub

articles/active-directory/authentication/TOC.yml

@@ -170,7 +170,7 @@
     href: how-to-mfa-additional-context.md
   - name: Use Microsoft managed settings 
     href: how-to-mfa-microsoft-managed.md
-  - name: Use a Temporary Access Pass (Preview)
+  - name: Use a Temporary Access Pass
     href: howto-authentication-temporary-access-pass.md
   - name: Use SMS-based authentication
     href: howto-authentication-sms-signin.md
@@ -313,4 +313,4 @@
   - name: Stack Overflow
     href: https://stackoverflow.com/questions/tagged/azure-active-directory
   - name: Videos
-    href: https://azure.microsoft.com/documentation/videos/index/?services=active-directory
+    href: https://azure.microsoft.com/documentation/videos/index/?services=active-directory

articles/active-directory/cloud-infrastructure-entitlement-management/faqs.md

@@ -42,7 +42,7 @@ Yes, non-Azure customers can use our solution. Permissions Management is a multi
 
 ## Is Permissions Management available for tenants hosted in the European Union (EU)?
 
-No, the Permissions Management Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).
+No, the Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).
 
 ## If I'm already using Azure AD  Privileged Identity Management (PIM) for Azure, what value does Permissions Management provide?
 
@@ -64,10 +64,6 @@ Permissions Management currently doesn't support hybrid environments.
 
 Permissions Management supports user identities (for example, employees, customers, external partners) and workload identities (for example, virtual machines, containers, web apps, serverless functions).
 
-<!---## Is Permissions Management General Data Protection Regulation (GDPR) compliant?
-
-Permissions Management is currently not GDPR compliant.--->
-
 ## Is Permissions Management available in Government Cloud?
 
 No, Permissions Management is currently not available in Government clouds.
@@ -128,7 +124,7 @@ It depends on each customer and how many AWS accounts, GCP projects, and Azure s
 
 ## Once Permissions Management is deployed, how fast can I get permissions insights?
 
-Once fully onboarded with data collection set up, customers can access permissions usage insights within hours. Our machine-learning engine refreshes the Permission Creep Index every hour so that customers can start their risk assessment right away.
+Once fully onboarded with data collection setup, customers can access permissions usage insights within hours. Our machine-learning engine refreshes the Permission Creep Index every hour so that customers can start their risk assessment right away.
 
 ## Is Permissions Management collecting and storing sensitive personal data?
 
@@ -138,13 +134,50 @@ No, Permissions Management doesn't have access to sensitive personal data.
 
 You can read our blog and visit our web page. You can also get in touch with your Microsoft point of contact to schedule a demo.
 
+## What is the data destruction/decommission process? 
+
+If a customer initiates a free Permissions Management 90-day trial, but does not follow up and convert to a paid license within 90 days of the free trial expiration, we will delete all collected data on or just before 90 days.  
+
+If a customer decides to discontinue licensing the service, we will also delete all previously collected data within 90 days of license termination.  
+
+We also have the ability to remove, export or modify specific data should the Global Admin using the Entra Permissions Management service file an official Data Subject Request. This can be initiated by opening a ticket in the Azure portal [New support request - Microsoft Entra admin center](https://entra.microsoft.com/#blade/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical), or alternately contacting your local Microsoft representative. 
+
+## Do I require a license to use Entra Permissions Management? 
+
+Yes, as of July 1st, 2022, new customers must acquire a free 90-trial license or a paid license to use the service. You can enable a trial or purchase licenses here: [https://aka.ms/TryPermissionsManagement](https://aka.ms/TryPermissionsManagement)
+ 
+## What do I do if I’m using Public Preview version of Entra Permissions Management?  
+
+If you are using the Public Preview version of Entra Permissions Management, your current deployment(s) will continue to work through October 1st.  
+
+After October 1st you will need to move over to use the newly released version of the service and enable a 90-day trial or purchase licenses to continue using the service.  
+
+## What do I do if I’m using the legacy version of the CloudKnox service?  
+
+We are currently working on developing a migration plan to help customers on the original CloudKnox service move to the new Entra Permissions Management service later in 2022.   
+
+## Can I use Entra Permissions Management in the EU?  
+
+Yes, the product is compliant.  
+
+## How to I enable one of the new 18 languages supported in the GA release? 
+
+We are now localized in 18 languages. We respect your browser setting or you can manually enable your language of choice by adding a query string suffix to your Entra Permissions Management URL:  
+
+`?lang=xx-XX` 
+
+Where xx-XX is one of the following available language parameters: 'cs-CZ', 'de-DE', 'en-US', 'es-ES', 'fr-FR', 'hu-HU', 'id-ID', 'it-IT', 'ja-JP', 'ko-KR', 'nl-NL', 'pl-PL', 'pt-BR', 'pt-PT', 'ru-RU', 'sv-SE', 'tr-TR', 'zh-CN', or 'zh-TW'. 
+
 ## Resources
 
 - [Public Preview announcement blog](https://www.aka.ms/CloudKnox-Public-Preview-Blog)
 - [Permissions Management web page](https://microsoft.com/security/business/identity-access-management/permissions-management)
+- For more information about Microsoft's privacy and security terms, see [Commercial Licensing Terms](https://www.microsoft.com/licensing/terms/product/ForallOnlineServices/all). 
+- For more information about Microsoft's data processing and security terms when you subscribe to a product, see [Microsoft Products and Services Data Protection Addendum (DPA)](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
+- For more information about Microsoft’s policy and practices for Data Subject Requests for GDPR and CCPA: [https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dsr-azure](https://docs.microsoft.com/compliance/regulatory/gdpr-dsr-azure).
 
 
 ## Next steps
 
-- For an overview of Permissions Management, see [What's Permissions Management Permissions Management?](overview.md).
+- For an overview of Permissions Management, see [What's Permissions Management?](overview.md).
 - For information on how to onboard Permissions Management in your organization, see [Enable Permissions Management in your organization](onboard-enable-tenant.md).

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md

@@ -102,6 +102,27 @@ To view a video on how to configure and onboard AWS accounts in Permissions Mana
 
 ### 5. Set up an AWS member account
 
+Select **Enable AWS SSO checkbox**, if the AWS account access is configured through AWS SSO. 
+
+Choose from 3 options to manage AWS accounts. 
+
+#### Option 1: Automatically manage 
+
+Choose this option to automatically detect and add to monitored account list, without additional configuration. Steps to detect list of accounts and onboard for collection: 
+
+- Deploy Master account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs. 
+- If AWS SSO is enabled, organization account CFT also adds policy needed to collect AWS SSO configuration details. 
+- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. This creates a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection. 
+
+Any current or future accounts found get onboarded automatically. 
+
+To view status of onboarding after saving the configuration: 
+
+- Navigate to data collectors tab.  
+- Click on the status of the data collector.  
+- View accounts on the In Progress page 
+
+#### Option 2: Enter authorization systems
 1. In the **Permissions Management Onboarding - AWS Member Account Details** page, enter the **Member Account Role** and the **Member Account IDs**.
 
      You can enter up to 10 account IDs. Click the plus icon next to the text box to add more account IDs.
@@ -136,6 +157,18 @@ To view a video on how to configure and onboard AWS accounts in Permissions Mana
 1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Member Account Details** page, select **Next**.
 
     This step completes the sequence of required connections from Azure AD STS to the OIDC connection account and the AWS member account.
+    
+#### Option 3: Select authorization systems 
+
+This option detects all AWS accounts that are accessible through OIDC role access created earlier.  
+
+- Deploy Master account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs. 
+- If AWS SSO is enabled, organization account CFT also adds policy needed to collect AWS SSO configuration details. 
+- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. This creates a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection. 
+- Click Verify and Save. 
+- Navigate to newly create Data Collector row under AWSdata collectors. 
+- Click on Status column when the row has “Pending” status 
+- To onboard and start collection, choose specific ones from the detected list and consent for collection. 
 
 ### 6. Review and save
 

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md

@@ -39,28 +39,55 @@ To view a video on how to enable Permissions Management in your Azure AD tenant,
 
 ### 1. Add Azure subscription details
 
-1. On the **Permissions Management Onboarding - Azure Subscription Details** page, enter the **Subscription IDs** that you want to onboard.
+Choose from 3 options to manage Azure subscriptions. 
 
-   > [!NOTE]
-   > To locate the Azure subscription IDs, open the **Subscriptions** page in Azure.
-   > You can enter up to 10 subscriptions IDs. Select the plus sign **(+)** icon next to the text box to enter more subscriptions.
+#### Option 1: Automatically manage 
 
-1. From the **Scope** dropdown, select **Subscription** or **Management Group**. The script box displays the role assignment script.
+This option allows subscriptions to be automatically detected and monitored without additional configuration. Steps to detect list of subscriptions and onboard for collection:  
 
-   > [!NOTE]
-   > Select **Subscription** if you want to assign permissions separately for each individual subscription. The generated script has to be executed once per subscription.
-   > Select **Management Group** if all of your subscriptions are under one management group. The generated script must be executed once for the management group.
+- Grant Reader role to Cloud Infrastructure Entitlement Management application at management group or subscription scope.  
 
-1. To give this role assignment to the service principal, copy the script to a file on your system where Azure CLI is installed and execute it.
+Any current or future subscriptions found get onboarded automatically. 
 
-    You can execute the script once for each subscription, or once for all the subscriptions in the management group.
+ To view status of onboarding after saving the configuration: 
 
-1. From the **Enable Controller** dropdown, select:
+1. In the MEPM portal, click the cog on the top right-hand side.  
+1. Navigate to data collectors tab.  
+1. Click ‘Create Configuration’ 
+1. For onboarding mode, select ‘Automatically Manage’ 
+1. Click ‘Verify Now & Save’ 
+1. Collectors will now be listed and change through status types. For each collector listed with a status of “Collected Inventory”, click on that status to view further information. 
+1. You can then view subscriptions on the In Progress page 
 
-    - **True**, if you want the controller to provide Permissions Management with read and write access so that any remediation you want to do from the Permissions Management platform can be done automatically.
-    - **False**, if you want the controller to provide Permissions Management with read-only access.
+#### Option 2: Enter authorization systems 
 
-1. Return to **Permissions Management Onboarding - Azure Subscription Details** page and select **Next**.
+You have the ability to specify only certain subscriptions to manage and monitor with MEPM (up to 10 per collector). Follow the steps below to configure these subscriptions to be monitored: 
+
+1. For each subscription you wish to manage, ensure that the ‘Reader’ role has been granted to Cloud Infrastructure Entitlement Management application for this subscription. 
+1. In the MEPM portal, click the cog on the top right-hand side. 
+1. Navigate to data collectors tab 
+1. Click ‘Create Configuration’ 
+1. Select ‘Enter Authorization Systems’ 
+1. Under the Subscription IDs section, enter a desired subscription ID into the input box. Click the “+” up to 9 additional times, putting a single subscription ID into each respective input box. 
+1. Once you have input all of the desired subscriptions, click next 
+1. Click ‘Verify Now & Save’ 
+1. Once the access to read and collect data is verified, collection will begin. 
+
+To view status of onboarding after saving the configuration: 
+
+1. Navigate to data collectors tab.  
+1. Click on the status of the data collector.  
+1. View subscriptions on the In Progress page 
+
+#### Option 3: Select authorization systems 
+
+This option detects all subscriptions that are accessible by the Cloud Infrastructure Entitlement Management application.  
+
+1. Grant Reader role to Cloud Infrastructure Entitlement Management application at management group or subscription(s) scope. 
+1. Click Verify and Save. 
+1. Navigate to newly create Data Collector row under Azure data collectors. 
+1. Click on Status column when the row has “Pending” status 
+1. To onboard and start collection, choose specific ones subscriptions from the detected list and consent for collection.
 
 ### 2. Review and save.
 
@@ -88,4 +115,4 @@ To view a video on how to enable Permissions Management in your Azure AD tenant,
 - For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](onboard-enable-controller-after-onboarding.md).
 - For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md).
 - For an overview on Permissions Management, see [What's Permissions Management?](overview.md).
-- For information on how to start viewing information about your authorization system in Permissions Management, see [View key statistics and data about your authorization system](ui-dashboard.md).
+- For information on how to start viewing information about your authorization system in Permissions Management, see [View key statistics and data about your authorization system](ui-dashboard.md).

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-tenant.md

@@ -38,45 +38,16 @@ To enable Permissions Management in your organization:
 ## How to enable Permissions Management on your Azure AD tenant
 
 1. In your browser:
-    1. Go to [Azure services](https://portal.azure.com) and use your credentials to sign in to [Azure Active Directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview).
+    1. Go to [Entra services](https://entra.microsoft.com) and use your credentials to sign in to [Azure Active Directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview).
     1. If you aren't already authenticated, sign in as a global administrator user.
     1. If needed, activate the global administrator role in your Azure AD tenant.
-    1. In the Azure AD portal, select **Features highlights**, and then select **Permissions Management**.
+    1. In the Azure AD portal, select **Permissions Management**, and then select the link to purchase a license or begin a trial.
 
-    1. If you're prompted to select a sign in account, sign in as a global administrator for a specified tenant.
-
-        The **Welcome to Permissions Management** screen appears, displaying information on how to enable Permissions Management on your tenant.
-
-1. To provide access to the Permissions Management application, create a service principal.
-
-    An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources.
-
-    > [!NOTE]
-    > To complete this step, you must have Azure CLI or Azure PowerShell on your system, or an Azure subscription where you can run Cloud Shell.
-
-    - To create a service principal that points to the Permissions Management application via Cloud Shell:
-
-        1. Copy the script on the **Welcome** screen:
-
-            `az ad sp create --id b46c3ac5-9da6-418f-a849-0a07a10b3c6c`
-
-        1. If you have an Azure subscription, return to the Azure AD portal and select **Cloud Shell** on the navigation bar.
-            If you don't have an Azure subscription, open a command prompt on a Windows Server.
-        1. If you have an Azure subscription, paste the script into Cloud Shell and press **Enter**.
-
-            - For information on how to create a service principal through the Azure portal, see [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli).
-
-            - For information on the **az** command and how to sign in with the no subscriptions flag, see [az login](/cli/azure/reference-index?view=azure-cli-latest#az-login&preserve-view=true).
-
-            - For information on how to create a service principal via Azure PowerShell, see [Create an Azure service principal with Azure PowerShell](/powershell/azure/create-azure-service-principal-azureps?view=azps-7.1.0&preserve-view=true).
-
-        1. After the script runs successfully, the service principal attributes for Permissions Management display. Confirm the attributes.
-
-             The **Cloud Infrastructure Entitlement Management** application displays in the Azure AD portal under **Enterprise applications**.
-
-1. Return to the **Welcome to Permissions Management** screen and select **Enable Permissions Management**.
+> [!NOTE]
+> There are two ways to enable a trial or a full product license, self-service and volume licensing. 
+> For self-service, navigate to the M365 portal at [https://aka.ms/TryPermissionsManagement](https://aka.ms/TryPermissionsManagement) and purchase licenses or sign up for a free trial. The second way is through Volume Licensing or Enterprise agreements. If your organization falls under a volume license or enterprise agreement scenario, please contact your Microsoft representative.
 
-    You have now completed enabling Permissions Management on your tenant. Permissions Management launches with the **Data Collectors** dashboard.
+Permissions Management launches with the **Data Collectors** dashboard.
 
 ## Configure data collection settings