Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into four-how-to-connect-articles

Author: ShawnJackson

.openpublishing.redirection.defender-for-cloud.json

@@ -710,6 +710,11 @@
             "redirect_url": "/azure/defender-for-cloud/defender-for-containers-usage",
             "redirect_document_id": true
         },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/file-integrity-monitoring-usage.md",
+            "redirect_url": "/azure/defender-for-cloud/file-integrity-monitoring-enable-log-analytics",
+            "redirect_document_id": true
+        },
         {
             "source_path_from_root": "/articles/defender-for-cloud/release-notes.md#auto-deployment-of-azure-monitor-agent-preview",
             "redirect_url": "/azure/defender-for-cloud/release-notes#azure-monitor-agent-integration-now-in-preview",

.openpublishing.redirection.json

@@ -27872,6 +27872,11 @@
             "source_path_from_root": "/articles/virtual-machines/scripts/virtual-machines-cli-sample-copy-managed-disks-to-same-or-different-subscription.md",
             "redirect_url": "/previous-versions/azure/virtual-machines/scripts/virtual-machines-cli-sample-copy-managed-disks-to-same-or-different-subscription",
             "redirect_document_id": false
+        },        
+        {
+            "source_path_from_root": "/articles/virtual-machines/disks-cross-tenant-cmk.md",
+            "redirect_url": "/azure/virtual-machines/disks-cross-tenant-customer-managed-keys",
+            "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/virtual-machines/scripts/virtual-machines-cli-sample-copy-managed-disks-vhd.md",

articles/active-directory-b2c/add-web-api-application.md

@@ -17,7 +17,7 @@ ms.subservice: B2C
 
 This article shows you how to register web API resources in your Azure Active Directory B2C (Azure AD B2C) tenant so that they can accept and respond to requests by client applications that present an access token.
 
-To register an application in your Azure AD B2C tenant, you can use Azure portal's new unified **App registrations** experience the legacy **Applications (Legacy)** experience. [Learn more about the new experience](./app-registrations-training-guide.md).
+To register an application in your Azure AD B2C tenant, you can use the Azure portal's new unified **App registrations** experience or the legacy **Applications (Legacy)** experience. [Learn more about the new experience](./app-registrations-training-guide.md).
 
 #### [App registrations](#tab/app-reg-ga/)
 
@@ -60,4 +60,4 @@ To call a protected web API from an application, you need to grant your applicat
 
 [!INCLUDE [active-directory-b2c-permissions-api](../../includes/active-directory-b2c-permissions-api.md)]
 
-Your application is registered to call the protected web API. A user authenticates with Azure AD B2C to use the application. The application obtains an authorization grant from Azure AD B2C to access the protected web API.
+Your application is registered to call the protected web API. A user authenticates with Azure AD B2C to use the application. The application obtains an authorization grant from Azure AD B2C to access the protected web API.

articles/active-directory/authentication/concept-authentication-passwordless.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 08/17/2022
+ms.date: 09/13/2022
 
 ms.author: justinha
 author: justinha
@@ -179,7 +179,7 @@ Here are some factors for you to consider when choosing Microsoft passwordless t
 
 ||**Windows Hello for Business**|**Passwordless sign-in with the Authenticator app**|**FIDO2 security keys**|
 |:-|:-|:-|:-|
-|**Pre-requisite**| Windows 10, version 1809 or later<br>Azure Active Directory| Authenticator app<br>Phone (iOS and Android devices running Android 6.0 or above.)|Windows 10, version 1903 or later<br>Azure Active Directory|
+|**Pre-requisite**| Windows 10, version 1809 or later<br>Azure Active Directory| Authenticator app<br>Phone (iOS and Android devices running Android 8.0 or above.)|Windows 10, version 1903 or later<br>Azure Active Directory|
 |**Mode**|Platform|Software|Hardware|
 |**Systems and devices**|PC with a built-in Trusted Platform Module (TPM)<br>PIN and biometrics recognition |PIN and biometrics recognition on phone|FIDO2 security devices that are Microsoft compatible|
 |**User experience**|Sign in using a PIN or biometric recognition (facial, iris, or fingerprint) with Windows devices.<br>Windows Hello authentication is tied to the device; the user needs both the device and a sign-in component such as a PIN or biometric factor to access corporate resources.|Sign in using a mobile phone with fingerprint scan, facial or iris recognition, or PIN.<br>Users sign in to work or personal account from their PC or mobile phone.|Sign in using FIDO2 security device (biometrics, PIN, and NFC)<br>User can access device based on organization controls and authenticate based on PIN, biometrics using devices such as USB security keys and NFC-enabled smartcards, keys, or wearables.|

articles/active-directory/authentication/howto-authentication-passwordless-phone.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 07/19/2022
+ms.date: 09/13/2022
 
 
 ms.author: justinha
@@ -48,7 +48,7 @@ The Azure AD accounts can be in the same tenant or different tenants. Guest acco
 To use passwordless phone sign-in with Microsoft Authenticator, the following prerequisites must be met:
 
 - Recommended: Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help the Authenticator app to prevent unauthorized access to accounts and stop fraudulent transactions. The Authenticator app automatically generates codes when set up to do push notifications so a user has a backup sign-in method even if their device doesn't have connectivity. 
-- Latest version of Microsoft Authenticator installed on devices running iOS 12.0 or greater, or Android 6.0 or greater.
+- Latest version of Microsoft Authenticator installed on devices running iOS 12.0 or greater, or Android 8.0 or greater.
 - For Android, the device that runs Microsoft Authenticator must be registered to an individual user. We're actively working to enable multiple accounts on Android. 
 - For iOS, the device must be registered with each tenant where it's used to sign in. For example, the following device must be registered with Contoso and Wingtiptoys to allow all accounts to sign in:
   - [email protected]
@@ -152,4 +152,4 @@ To learn about Azure AD authentication and passwordless methods, see the followi
 
 - [Learn how passwordless authentication works](concept-authentication-passwordless.md)
 - [Learn about device registration](../devices/overview.md)
-- [Learn about Azure AD Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md)
+- [Learn about Azure AD Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md)

articles/active-directory/develop/access-tokens.md

@@ -280,7 +280,7 @@ An application may receive tokens for a user or directly from an application thr
 - Use `roles` to see permissions that have been granted to the subject of the token.
 - Use `oid` or `sub` to validate that the calling service principal is the expected one.
 
-If the application needs to distinguish between app-only access tokens and access tokens for users, use the `idtyp` [optional claim](active-directory-optional-claims.md). Add the `idtyp` claim to the `accessToken` field, and check for the value `app`, app-only access tokens can be detected. ID tokens and access tokens for users won't have the `idtyp` claim included.
+If the application needs to distinguish between app-only access tokens and access tokens for users, use the `idtyp` [optional claim](active-directory-optional-claims.md). To detect app-only access tokens, add the `idtyp` claim to the `accessToken` field, and check for the value `app`. ID tokens and access tokens for users won't have the `idtyp` claim included.
 
 ## Token revocation
 

articles/active-directory/governance/TOC.yml

@@ -233,12 +233,14 @@
 - name: Reference
   expanded: true
   items:
+  - name: Identity Governance - PowerShell
+    href: /powershell/module/microsoft.graph.identity.governance/?view=graph-powershell-beta
   - name: Access reviews - Microsoft Graph API
     href: /graph/api/resources/accessreviewsv2-overview
   - name: Entitlement management - Microsoft Graph API
     href: /graph/api/resources/entitlementmanagement-overview
   - name: Lifecycle Workflows - Microsoft Graph API
-    href: /graph/api/resources/identitygovernance-lifecycleworkflows-overview?view=graph-rest-beta
+    href: /graph/api/resources/identitygovernance-lifecycleworkflows-overview
   - name: Lifecycle Workflows - FAQs (Preview)
     href: workflows-faqs.md  
   - name: Developer API reference Lifecycle Workflows- Azure Active Directory

articles/active-directory/governance/entitlement-management-organization.md

@@ -78,20 +78,20 @@ To add an external Azure AD directory or domain as a connected organization, fol
 
     The **Select directories + domains** pane opens.
 
-1. In the search box, enter a domain name to search for the Azure AD directory or domain. You can also add domains that are not in Azure AD. Be sure to enter the entire domain name.
+1. In the search box, enter a domain name to search for the Azure AD directory or domain. Be sure to enter the entire domain name.
 
-1. Confirm that the organization name(s) and authentication type(s) are correct. User sign in, prior to being able to access the MyAccess portal, depends on the authentication type for their organization.  If the authentication type for a connected organization is Azure AD, all users with an account in any verified domain of that Azure AD directory will sign into their directory, and then can request access to access packages that allow that connected organization. If the authentication type is One-time passcode, this allows users with email addresses from just that domain to visit the MyAccess portal. After they authenticate with the passcode, the user can make a request.
+1. Confirm that the organization name and authentication type are correct. User sign in, prior to being able to access the MyAccess portal, depends on the authentication type for their organization.  If the authentication type for a connected organization is Azure AD, all users with an account in any verified domain of that Azure AD directory will sign into their directory, and then can request access to access packages that allow that connected organization. If the authentication type is One-time passcode, this allows users with email addresses from just that domain to visit the MyAccess portal. After they authenticate with the passcode, the user can make a request.
 
     ![The "Select directories + domains" pane](./media/entitlement-management-organization/organization-select-directories-domains.png)
 
     > [!NOTE]
     > Access from some domains could be blocked by the Azure AD business to business (B2B) allow or deny list. For more information, see [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md).
 
-1. Select **Add** to add the Azure AD directory or domain. **You can add multiple Azure AD directories and domains**.
+1. Select **Add** to add the Azure AD directory or domain. Currently, you can add only one Azure AD directory or domain per connected organization.
 
-1. After you've added the Azure AD directories or domains, select **Select**.
+1. After you've added the Azure AD directory or domain, select **Select**.
 
-    The organization(s) appears in the list.
+    The organization appears in the list.
 
     ![The "Directory + domain" pane](./media/entitlement-management-organization/organization-directory-domain.png)
 

articles/active-directory/hybrid/reference-connect-health-version-history.md

@@ -22,7 +22,7 @@ ms.collection: M365-identity-device-management
 The Azure Active Directory team regularly updates Azure AD Connect Health with new features and functionality. This article lists the versions and features that have been released.  
 
 > [!NOTE]
-> Connect Health agents are updated automatically when new version is released. Please ensure the auto-upgrade settings is enabled from Azure portal.
+> Azure AD Connect Health agents are updated automatically when new version is released.
 >
 
 Azure AD Connect Health for Sync is integrated with Azure AD Connect installation. Read more about [Azure AD Connect release history](./reference-connect-version-history.md)

articles/active-directory/reports-monitoring/how-to-view-applied-conditional-access-policies.md

@@ -0,0 +1,145 @@
+---
+
+title: How to view applied conditional access policies in the Azure AD sign-in logs | Microsoft Docs
+description: Learn how to view applied conditional access policies in the Azure AD sign-in logs
+services: active-directory
+documentationcenter: ''
+author: MarkusVi
+manager: amycolannino
+editor: ''
+
+ms.service: active-directory
+ms.topic: how-to
+ms.workload: identity
+ms.subservice: report-monitor
+ms.date: 09/14/2022
+ms.author: markvi
+ms.reviewer: besiler 
+
+ms.collection: M365-identity-device-management
+---
+
+# How to: View applied conditional access policies in the Azure AD sign-in logs
+
+With conditional access policies, you can control, how your users get access to the resources of your Azure tenant. As a tenant admin, you need to be able to determine what impact your conditional access policies have on sign-ins to your tenant, so that you can take action if necessary. The sign-in logs in Azure AD provide you with the information you need to assess the impact of your policies.
+
+  
+This article explains how you can get access to the information about applied conditional access policies. 
+
+
+## What you should know
+
+As an Azure AD administrator, you can use the sign-in logs to:
+
+- Troubleshoot sign in problems
+- Check on feature performance
+- Evaluate security of a tenant
+
+Some scenarios require you to get an understanding for how your conditional access policies were applied to a sign-in event. Common examples include:
+
+- **Helpdesk administrators** who need to look at applied conditional access policies to understand if a policy is the root cause of a ticket opened by a user. 
+
+- **Tenant administrators** who need to verify that conditional access policies have the intended impact on the users of a tenant.
+
+
+You can access the sign-in logs using the Azure portal, MS Graph, and PowerShell.  
+
+
+
+## Required administrator roles 
+
+
+To see applied conditional access policies in the sign-in logs, administrators must have permissions to:  
+
+- View sign-in logs 
+- View conditional access policies
+
+The least privileged built-in role that grants both permissions is the **Security Reader**. As a best practice, your global administrator should add the **Security Reader** role to the related administrator accounts. 
+
+
+The following built in roles grant permissions to read conditional access policies:
+
+- Global Administrator 
+
+- Global Reader 
+
+- Security Administrator 
+
+- Security Reader 
+
+- Conditional Access Administrator 
+
+
+The following built in roles grant permission to view sign-in logs: 
+
+- Global Administrator 
+
+- Security Administrator 
+
+- Security Reader 
+
+- Global Reader 
+
+- Reports Reader 
+
+
+## Permissions for client apps 
+
+If you use a client app to pull sign-in logs from Graph, your app needs permissions to receive the **appliedConditionalAccessPolicy** resource from Graph. As a best practice, assign **Policy.Read.ConditionalAccess** because it's the least privileged permission. Any of the following permissions is sufficient for a client app to access applied CA policies in sign-in logs through Graph: 
+
+- Policy.Read.ConditionalAccess 
+
+- Policy.ReadWrite.ConditionalAccess 
+
+- Policy.Read.All 
+
+ 
+
+## Permissions for PowerShell 
+
+Like any other client app, the Microsoft Graph PowerShell module needs client permissions to access applied conditional access policies in the sign-in logs. To successfully pull applied conditional access in the sign-in logs, you must consent to the necessary permissions with your administrator account for MS Graph PowerShell. As a best practice, consent to:
+
+- Policy.Read.ConditionalAccess
+- AuditLog.Read.All 
+- Directory.Read.All 
+
+These permissions are the least privileged permissions with the necessary access. 
+
+To consent to the necessary permissions, use: 
+
+` Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All `
+
+To view the sign-in logs, use: 
+
+`Get-MgAuditLogSignIn `
+
+The output of this cmdlet contains a **AppliedConditionalAccessPolicies** property that shows all the conditional access policies applied to the sign-in. 
+
+For more information about this cmdlet, see [Get-MgAuditLogSignIn](https://docs.microsoft.com/powershell/module/microsoft.graph.reports/get-mgauditlogsignin?view=graph-powershell-1.0).
+
+The AzureAD Graph PowerShell module doesn't support viewing applied conditional access policies; only the Microsoft Graph PowerShell module returns applied conditional access policies.  
+
+## Confirming access 
+
+In the **Conditional Access** tab, you see a list of conditional access policies applied to that sign-in event.  
+
+
+To confirm that you have admin access to view applied conditional access policies in the sign-ins logs, do: 
+
+1. Navigate to the Azure portal. 
+
+2. In the top-right corner, select your directory, and then select **Azure Active Directory** in the left navigation pane. 
+
+3. In the **Monitoring** section, select **Sign-in logs**. 
+
+4. Click an item in the sign-in row table to bring up the Activity Details: Sign-ins context pane.  
+
+5. Click on the Conditional Access tab in the context pane. If your screen is small, you may need to click the ellipsis […] to see all context pane tabs.  
+
+
+
+
+## Next steps
+
+* [Sign-ins error codes reference](./concept-sign-ins.md)
+* [Sign-ins report overview](concept-sign-ins.md)