Merge pull request #215903 from MicrosoftDocs/main

10/25 PM Publish

Author: huypub

.openpublishing.publish.config.json

@@ -948,7 +948,7 @@
     ".openpublishing.redirection.virtual-desktop.json",
     ".openpublishing.redirection.deployment-environments.json",
     "articles/applied-ai-services/.openpublishing.redirection.applied-ai-services.json",
-    "articles/applied-ai-services/.openpublishing.archived.json",
+    "articles/applied-ai-services/.openpublishing.redirection.applied-ai-old.json",
     "articles/cognitive-services/.openpublishing.redirection.cognitive-services.json",
     ".openpublishing.redirection.baremetal-infrastructure.json",
     "articles/iot-dps/.openpublishing.redirection.iot-dps.json"

articles/active-directory/conditional-access/TOC.yml

@@ -37,6 +37,8 @@
     href: concept-conditional-access-report-only.md
   - name: Service dependencies
     href: service-dependencies.md
+  - name: Filter for applications
+    href: concept-filter-for-applications.md
   - name: Location conditions
     href: location-condition.md
   - name: Workload identities

articles/active-directory/conditional-access/concept-conditional-access-users-groups.md

@@ -15,9 +15,9 @@ ms.reviewer: calebb
 
 ms.collection: M365-identity-device-management
 ---
-# Conditional Access: Users and groups
+# Conditional Access: Users, groups, and workload identities
 
-A Conditional Access policy must include a user assignment as one of the signals in the decision process. Users can be included or excluded from Conditional Access policies. Azure Active Directory evaluates all policies and ensures that all requirements are met before granting access to the user. 
+A Conditional Access policy must include a user, group, or workload identity assignment as one of the signals in the decision process. These can be included or excluded from Conditional Access policies. Azure Active Directory evaluates all policies and ensures that all requirements are met before granting access. 
 
 > [!VIDEO https://www.youtube.com/embed/5DsW1hB3Jqs]
 
@@ -97,6 +97,14 @@ If you do find yourself locked out, see [What to do if you're locked out of the
 
 Conditional Access policies that target external users may interfere with service provider access, for example granular delegated admin privileges [Introduction to granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction). For policies that are intended to target service provider tenants, use the **Service provider user** external user type available in the **Guest or external users** selection options.
 
+## Workload identities (Preview)
+
+A workload identity is an identity that allows an application or service principal access to resources, sometimes in the context of a user. Conditional Access policies can be applied to single tenant service principals that have been registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. Managed identities aren't covered by policy.
+
+Organizations can target specific workload identities to be included or excluded from policy.
+
+For more information, see the article [Conditional Access for workload identities preview](workload-identity.md).
+
 ## Next steps
 
 - [Conditional Access: Cloud apps or actions](concept-conditional-access-cloud-apps.md)

articles/active-directory/conditional-access/concept-filter-for-applications.md

@@ -0,0 +1,129 @@
+---
+title: Filter for applications in Conditional Access policy (Preview) - Azure Active Directory
+description: Use filter for applications in Conditional Access to manage conditions.
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 09/30/2022
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: karenhoran
+ms.reviewer: calebb, oanae
+
+ms.custom: subject-rbac-steps
+
+ms.collection: M365-identity-device-management
+---
+# Conditional Access: Filter for applications (Preview)
+
+Currently Conditional Access policies can be applied to all apps or to individual apps. Organizations with a large number of apps may find this process difficult to manage across multiple Conditional Access policies. 
+ 
+Application filters are a new feature for Conditional Access that allows organizations to tag service principals with custom attributes. These custom attributes are then added to their Conditional Access policies. Filters for applications are evaluated at token issuance runtime, a common question is if apps are assigned at runtime or configuration time.
+ 
+In this document, you create a custom attribute set, assign a custom security attribute to your application, and create a Conditional Access policy to secure the application. 
+
+> [!NOTE]
+> Filter for applications is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+## Assign roles
+
+Custom security attributes are security sensitive and can only be managed by delegated users. Even global administrators don't have default permissions for custom security attributes. One or more of the following roles should be assigned to the users who manage or report on these attributes.
+
+| Role name | Description |
+| --- | --- |
+| Attribute assignment administrator | Assign custom security attribute keys and values to supported Azure AD objects. |
+| Attribute assignment reader | Read custom security attribute keys and values for supported Azure AD objects. |
+| Attribute definition administrator | Define and manage the definition of custom security attributes. |
+| Attribute definition reader | Read the definition of custom security attributes. |
+
+1. Assign the appropriate role to the users who will manage or report on these attributes at the directory scope.
+
+    For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+
+## Create custom security attributes
+
+Follow the instructions in the article, [Add or deactivate custom security attributes in Azure AD (Preview)](../fundamentals/custom-security-attributes-add.md) to add the following **Attribute set** and **New attributes**. 
+
+- Create an **Attribute set** named *ConditionalAccessTest*.
+- Create **New attributes** named *policyRequirement* that **Allow multiple values to be assigned** and **Only allow predefined values to be assigned**. We add the following predefined values:
+   - legacyAuthAllowed
+   - blockGuesUsers
+   - requireMFA
+   - requireCompliantDevice
+   - requireHybridJoinedDevice
+   - requireCompliantApp
+
+:::image type="content" source="media/concept-filter-for-applications/custom-attributes.png" alt-text="A screenshot showing custom security attribute and predefined values in Azure AD." lightbox="media/concept-filter-for-applications/custom-attributes.png":::
+
+> [!NOTE] 
+> Conditional Access filters for devices only works with custom security attributes of type "string".
+
+## Create a Conditional Access policy
+
+:::image type="content" source="media/concept-filter-for-applications/edit-filter-for-applications.png" alt-text="A screenshot showing a Conditional Access policy with the edit filter window showing an attribute of require MFA." lightbox="media/concept-filter-for-applications/edit-filter-for-applications.png":::
+
+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users or workload identities**.
+   1. Under **Include**, select **All users**.
+   1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 
+   1. Select **Done**.
+1. Under **Cloud apps or actions**, select the following options:
+   1. Select what this policy applies to **Cloud apps**.
+   1. Include **Select apps**.
+   1. Select **Edit filter**.
+   1. Set **Configure** to **Yes**.
+   1. Select the **Attribute** we created earlier called *policyRequirement*.
+   1. Set **Operator** to **Contains**.
+   1. Set **Value** to **requireMFA**.
+   1. Select **Done**.
+1. Under **Access controls** > **Grant**, select **Grant access**, **Require multi-factor authentication**, and select **Select**.
+1. Confirm your settings and set **Enable policy** to **Report-only**.
+1. Select **Create** to create to enable your policy.
+
+After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
+
+## Configure custom attributes
+
+### Step 1: Set up a sample application
+
+If you already have a test application that makes use of a service principal, you can skip this step.
+
+Set up a sample application that, demonstrates how a job or a Windows service can run with an application identity, instead of a user's identity. Follow the instructions in the article [Quickstart: Get a token and call the Microsoft Graph API by using a console app's identity](../develop/quickstart-v2-netcore-daemon.md) to create this application.
+
+### Step 2: Assign a custom security attribute to an application
+
+When you don't have a service principal listed in your tenant, it can't be targeted. The Office 365 suite is an example of one such service principal.
+
+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+1. Browse to **Azure Active Directory** > **Enterprise applications**.
+1. Select the service principal you want to apply a custom security attribute to.
+1. Under **Manage** > **Custom security attributes (preview)**, select **Add assignment**.
+1. Under **Attribute set**, select **ConditionalAccessTest**.
+1. Under **Attribute name**, select **policyRequirement**.
+1. Under **Assigned values**, select **Add values**, select **requireMFA** from the list, then select **Done**.
+1. Select **Save**.
+
+### Step 3: Test the policy
+
+Sign in as a user who the policy would apply to and test to see that MFA is required when accessing the application.
+
+## Other scenarios
+
+- Blocking legacy authentication
+- Blocking external access to applications
+- Requiring compliant device or Intune app protection policies
+- Enforcing sign in frequency controls for specific applications
+- Requiring a privileged access workstation for specific applications
+- Require session controls for high risk users and specific applications
+
+## Next steps
+
+[Conditional Access common policies](concept-conditional-access-policy-common.md)
+
+[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
+
+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

articles/active-directory/conditional-access/media/concept-filter-for-applications/custom-attributes.png

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
 ms.workload: identity
-ms.date: 09/26/2022
+ms.date: 10/24/2022
 ms.author: ryanwi
 ms.custom: aaddev
 ms.reviewer: shkhalide, udayh, vakarand
@@ -257,6 +257,79 @@ az identity federated-credential delete --name $ficId --identity-name $uaId --re
 
 ::: zone-end
 
+::: zone pivot="identity-wif-mi-methods-powershell"
+## Prerequisites
+
+- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](/azure/active-directory/managed-identities-azure-resources/overview). Be sure to review the [difference between a system-assigned and user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types).
+- If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue.
+- Get the information for your external IdP and software workload, which you need in the following steps.
+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
+- To run the example scripts, you have two options:
+  - Use [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open by using the **Try It** button in the upper-right corner of code blocks.
+  - Run scripts locally with Azure PowerShell, as described in the next section.
+- [Create a user-assigned manged identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-powershell#list-user-assigned-managed-identities-2) 
+- Find the object ID of the user-assigned managed identity, which you need in the following steps.
+
+### Configure Azure PowerShell locally
+
+To use Azure PowerShell locally for this article instead of using Cloud Shell:
+
+1. Install [the latest version of Azure PowerShell](/powershell/azure/install-az-ps) if you haven't already.
+
+1. Sign in to Azure.
+
+    ```azurepowershell
+    Connect-AzAccount
+    ```
+
+1. Install the [latest version of PowerShellGet](/powershell/scripting/gallery/installing-psget#for-systems-with-powershell-50-or-newer-you-can-install-the-latest-powershellget).
+
+    ```azurepowershell
+    Install-Module -Name PowerShellGet -AllowPrerelease
+    ```
+
+    You might need to `Exit` out of the current PowerShell session after you run this command for the next step.
+
+1. Install the `Az.ManagedServiceIdentity` module to perform the user-assigned managed identity operations in this article.
+
+    ```azurepowershell
+    Install-Module -Name Az.ManagedServiceIdentity
+    ```
+
+## Configure a federated identity credential on a user-assigned managed identity
+
+Run the New-AzFederatedIdentityCredentials command to create a new federated identity credential on your user-assigned managed identity (specified by the object ID of the app).  Specify the *name*, *issuer*, *subject*, and other parameters.
+
+```azurepowershell
+New-AzFederatedIdentityCredentials -ResourceGroupName azure-rg-test -IdentityName uai-pwsh01 `
+    -Name fic-pwsh01 -Issuer "https://kubernetes-oauth.azure.com" -Subject "system:serviceaccount:ns:svcaccount"
+```
+
+## List federated identity credentials on a user-assigned managed identity
+
+Run the Get-AzFederatedIdentityCredentials command to read all the federated identity credentials configured on a user-assigned managed identity:
+
+```azurepowershell
+Get-AzFederatedIdentityCredentials -ResourceGroupName azure-rg-test -IdentityName uai-pwsh01
+```
+
+## Get a federated identity credential on a user-assigned managed identity
+
+Run the Get-AzFederatedIdentityCredentials command to show a federated identity credential (by ID):
+
+```azurepowershell
+Get-AzFederatedIdentityCredentials -ResourceGroupName azure-rg-test -IdentityName uai-pwsh01 -Name fic-pwsh01
+```
+
+## Delete a federated identity credential from a user-assigned managed identity
+
+Run the Remove-AzFederatedIdentityCredentials command to delete a federated identity credential under an existing user assigned identity.
+
+```azurepowershell
+Remove-AzFederatedIdentityCredentials -ResourceGroupName azure-rg-test -IdentityName uai-pwsh01 -Name fic-pwsh01
+```
+
+::: zone-end
 ::: zone pivot="identity-wif-mi-methods-arm"
 
 ## Prerequisites
@@ -285,7 +358,7 @@ All of the template parameters are mandatory.
 
 There is a limit of 3-120 characters for a federated identity credential name length. It must be alphanumeric, dash, underscore. First symbol is alphanumeric only.  
 
-You must add exactly 1 audience to a federated identity credential, this gets verified during token exchange. Use “api://AzureADTokenExchange” as the default value.
+You must add exactly 1 audience to a federated identity credential. The audience is verified during token exchange. Use “api://AzureADTokenExchange” as the default value.
 
 List, Get, and Delete operations are not available with template. Refer to Azure CLI for these operations.  By default, all child federated identity credentials are created in parallel, which triggers concurrency detection logic and causes the deployment to fail with a 409-conflict HTTP status code. To create them sequentially, specify a chain of dependencies using the *dependsOn* property.
 
@@ -483,7 +556,7 @@ https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RES
 
 ## Delete a federated identity credential from a user-assigned managed identity
 
-Delete a federated identity credentials on the specified user-assigned managed identity.
+Delete a federated identity credential on the specified user-assigned managed identity.
 
 ```bash
 curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/<RESOURCE NAME>/federatedIdentityCredentials/<FEDERATED IDENTITY CREDENTIAL RESOURCENAME>?api-version=2022-01-31-preview' -X DELETE -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"

articles/active-directory/conditional-access/media/concept-filter-for-applications/edit-filter-for-applications.png

@@ -13,6 +13,7 @@ ms.author: mimart
 author: msmimart
 manager: celestedg
 ms.collection: M365-identity-device-management
+ms.custom: engagement-fy23
 ---
 
 # Add Azure Active Directory (Azure AD) as an identity provider for External Identities

articles/active-directory/develop/workload-identity-federation-create-trust-user-assigned-managed-identity.md

@@ -9,7 +9,7 @@ ms.date: 05/10/2022
 ms.topic: quickstart
 ms.service: active-directory
 ms.subservice: B2B
-ms.custom: it-pro, seo-update-azuread-jan, mode-ui
+ms.custom: engagement-fy23, it-pro, seo-update-azuread-jan, mode-ui
 ms.collection: M365-identity-device-management
 #Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a guest user in the portal, and understand the end user experience.
 ---

articles/active-directory/external-identities/azure-ad-account.md

@@ -10,7 +10,7 @@ ms.date: 08/05/2022
 ms.author: mimart
 author: msmimart
 manager: celestedg
-ms.custom: "it-pro"
+ms.custom: engagement-fy23, "it-pro"
 ms.collection: M365-identity-device-management
 ---