Commit cda58f1

Merge pull request #245494 from MicrosoftDocs/main
7/19/2023 AM Publish
2 parents 74fb964 + 1783dd3 commit cda58f1

372 files changed

+6661
-7853
lines changed

.openpublishing.redirection.azure-monitor.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6187,12 +6187,12 @@
61876187
"redirect_document_id": false
61886188
},
61896189
{
6190-
"source_path_from_root": "/azure/azure-monitor/essentials/metrics-supported.md",
6190+
"source_path_from_root": "/articles/azure-monitor/essentials/metrics-supported.md",
61916191
"redirect_url": "/azure/azure-monitor/reference/supported-metrics/metrics-index",
61926192
"redirect_document_id": false
61936193
},
61946194
{
6195-
"source_path_from_root": "/azure/azure-monitor/essentials/resource-logs-categories.md",
6195+
"source_path_from_root": "/articles/azure-monitor/essentials/resource-logs-categories.md",
61966196
"redirect_url": "/azure/azure-monitor/reference/supported-logs/logs-index",
61976197
"redirect_document_id": false
61986198
}
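Review bot: the `source_path_from_root` fix only takes effect if this key is consistently the repo-relative path (`/articles/...`) throughout the file; the two changed entries used `/azure/...`, which is the published URL prefix rather than a repo path, so those redirects could never match a source file. The `redirect_url` values correctly keep the published `/azure/azure-monitor/reference/...` form. Please also confirm that `articles/azure-monitor/essentials/metrics-supported.md` and `resource-logs-categories.md` have actually been removed from the repo, since a redirection entry for a file that is still present conflicts with it.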

articles/active-directory/app-provisioning/inbound-provisioning-api-faqs.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -139,7 +139,7 @@ You can retrieve the unique API endpoint for each job from the Provisioning blad
139139

140140
To process terminations, identify an attribute in your source that will be used to set the ```accountEnabled``` flag in Azure AD. If you are provisioning to on-premises Active Directory, then map that source attribute to the `accountDisabled` attribute.
141141

142-
By default, the value associated with the SCIM User Core schema attribute ```active``` determines the status of the user's account in the target directory.
142+
By default, the value associated with the SCIM Core User schema attribute ```active``` determines the status of the user's account in the target directory.
143143

144144
If the attribute is set to **true**, the default mapping rule enables the account. If the attribute is set to **false**, then the default mapping rule disables the account.
145145
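Review bot: the changed line and the context line above it mix triple-backtick inline spans (```accountEnabled```, ```active```) with single-backtick ones (`accountDisabled`); while this line is being touched, normalize to single backticks for inline code so the renderer does not mistake the triple-backtick spans for fenced blocks.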

articles/active-directory/cloud-infrastructure-entitlement-management/all-reports.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -37,13 +37,13 @@ This article provides you with a list and description of the system reports avai
3737
| Report name | Type of the report | File format | Description | Availability | Collated report? |
3838
|----------------------------|-----------------------------------|--------------------------|---------------------------| ----------------------------|----------------------------------|
3939
| Access Key Entitlements and Usage Report | Summary </p>Detailed | CSV | This report displays: </p> - Access key age, last rotation date, and last usage date availability in the summary report. Use this report to decide when to rotate access keys. </p> - Granted task and Permissions creep index (PCI) score. This report provides supporting information when you want to take the action on the keys. | AWS</p>Azure</p>GCP | Yes |
40-
| All Permissions for Identity | Detailed | CSV | This report lists all the assigned permissions for the selected identities. | AWS</p>Azure</p>GCP | N/A |
40+
| All Permissions for Identity | Summary | CSV | This report lists all the assigned permissions for the selected identities. | AWS</p>Azure</p>GCP | N/A |
4141
| Group Entitlements and Usage | Summary | CSV | This report tracks all group level entitlements and the permission assignment, PCI. The number of members is also listed as part of this report. | AWS</p>Azure</p>GCP | Yes |
4242
| Identity Permissions | Summary | CSV | This report tracks any, or specific, task usage per **User**, **Group**, **Role**, or **App**. | AWS</p>Azure</p>GCP | N/A |
4343
| AWS Role Policy Audit | Detailed | CSV | This report gives the list of AWS roles, which can be assumed by **User**, **Group**, **resource** or **AWS Role**. | AWS | N/A |
4444
| Cross Account Access Details| Detailed | CSV | This report helps track **User**, **Group** from other AWS accounts have cross account access to the specified AWS account. | AWS | N/A |
4545
| PCI History | Summary | CSV | This report helps track **Monthly PCI History** for each authorized system. It can be used to plot the trend of the PCI. | AWS</p>Azure</p>GCP | Yes |
46-
| Permissions Analytics Report (PAR) | Detailed | CSV | This report lists the different key findings in the selected authorized systems. The key findings include **Super identities**, **Inactive identities**, **Over-provisioned active identities**, **Storage bucket hygiene**, **Access key age (AWS)**, and so on. </p>This report helps administrators to visualize the findings across the organization and make decisions. | AWS</p>Azure</p>GCP | Yes |
46+
| Permissions Analytics Report (PAR) | Detailed | XSLX, PDF | This report lists the different key findings in the selected authorized systems. The key findings include **Super identities**, **Inactive identities**, **Over-provisioned active identities**, **Storage bucket hygiene**, **Access key age (AWS)**, and so on. </p>This report helps administrators to visualize the findings across the organization and make decisions. | AWS</p>Azure</p>GCP | Yes for XSLX |
4747
| Role/Policy Details | Summary | CSV | This report captures **Assigned/Unassigned** and **Custom/system policy with used/unused condition** for specific or all AWS accounts. </p>Similar data can be captured for Azure and GCP for assigned and unassigned roles. | AWS</p>Azure</p>GCP | No |
4848
| User Entitlements and Usage | Detailed <p>Summary <p> Permissions | CSV | **Summary** This report provides the summary view of all the identities with Permissions Creep Index (PCI), granted and executed tasks per Azure subscription, AWS account, GCP project. </p>**Detailed** This report provides a detailed view of Azure role assignments, GCP role assignments and AWS policy assignment along with Permissions Creep Index (PCI), tasks used by each identity. </p>**Permissions** This report provides the list of role assignments for Azure, GCP and policy assignments in AWS per identity. | AWS</p>Azure</p>GCP | Yes |
4949
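Review bot: `XSLX` in the changed PAR row (both in the File format cell and in `Yes for XSLX` in the Collated cell) looks like a typo for `XLSX`, the Excel file extension; please fix both occurrences. Minor: the in-cell line breaks in this table use a bare closing `</p>` while the User Entitlements row uses `<p>`; pick one form for the whole table.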

articles/active-directory/cloud-infrastructure-entitlement-management/ui-triggers.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
2-
title: View information about activity triggers in Permissions Management
3-
description: How to view information about activity triggers in the Activity triggers dashboard in Permissions Management.
2+
title: View information about alerts and alert triggers in Permissions Management
3+
description: How to view information about alerts and alert triggers in the Alerts dashboard in Permissions Management.
44
services: active-directory
55
author: jenniferf-skc
66
manager: amycolannino
@@ -55,6 +55,9 @@ The **Rule-Based Anomaly** tab and the **Statistical Anomaly** tab both have one
5555
- **Columns**: Select the columns you want to display: **Task**, **Resource**, and **Identity**.
5656
- To return to the system default settings, select **Reset to default**.
5757

58+
Alert triggers are based on data collected. All alerts, if triggered, are shown every hour under the Alerts subtab.
59+
60+
5861
## View information about alert triggers
5962

6063
The **Alert Triggers** subtab in the **Activity**, **Rule-Based Anomaly**, **Statistical Anomaly**, and **Permission Analytics** tab displays the following information:
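Review bot: the added sentence on 58+ ("Alert triggers are based on data collected. All alerts, if triggered, are shown every hour under the Alerts subtab.") is ambiguous: it does not say which data is collected, nor whether triggers are evaluated hourly or the Alerts subtab is merely refreshed hourly; state the evaluation interval explicitly. Also, 59+ and 60+ add two consecutive blank lines before the `## View information about alert triggers` heading; one is enough.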

articles/active-directory/conditional-access/how-to-app-protection-policy-windows.md

Lines changed: 1 addition & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -23,19 +23,7 @@ App protection policies apply mobile application management (MAM) to specific ap
2323

2424
## Prerequisites
2525

26-
The following requirements must be met before you can apply an [app protection policy] to Windows client devices:
27-
28-
- Ensure your Windows client version is Windows 11, build 10.0.22621 (22H2) or newer.
29-
- Ensure your device isn't managed, including:
30-
- Not Azure AD joined or enrolled in Mobile Device Management (MDM) for the same tenant
31-
as your MAM user.
32-
- Not Azure AD registered (workplace joined) with more than two users besides the MAM user. There's a limit of no more than [three Azure AD registered users to a device](../devices/faq.yml#i-can-t-add-more-than-3-azure-ad-user-accounts-under-the-same-user-session-on-a-windows-10-11-device--why).
33-
- Clients must be running Microsoft Edge build v115.0.1901.155 or newer.
34-
- You can check the version by going to `edge://settings/help` in the address bar.
35-
- Clients must have the **Enable MAM on Edge desktop platforms** flag enabled.
36-
- You can enable this going to `edge://flags/#edge-desktop-mam` in the address bar.
37-
- Enable **Enable MAM on Edge desktop platforms**
38-
- Click the **Restart** button at the bottom of the window.
26+
Customers interested in the public preview will need to opt-in using the [MAM for Windows Public Preview Sign Up Form](https://aka.ms/MAMforWindowsPublic).
3927

4028
## User exclusions
4129
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)]
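Review bot: replacing the entire prerequisites list with a sign-up link drops the technical requirements (Windows 11 build 10.0.22621 / 22H2 or newer, an unmanaged device, Microsoft Edge v115.0.1901.155 or newer with the `edge://flags/#edge-desktop-mam` flag enabled) without saying whether they still apply; if preview participants still need them, keep them under the sign-up line, otherwise say where they are now documented. Also, "opt-in" used as a verb should be "opt in".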

articles/active-directory/develop/msal-net-migration-confidential-client.md

Lines changed: 26 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -134,12 +134,21 @@ public partial class AuthWrapper
134134

135135
public async Task<AuthenticationResult> GetAuthenticationResult()
136136
{
137-
if (app == null)
138-
{
139-
app = ConfidentialClientApplicationBuilder.Create(ClientId)
137+
138+
var app = ConfidentialClientApplicationBuilder.Create(ClientId)
140139
.WithCertificate(certificate)
141140
.WithAuthority(authority)
142141
.Build();
142+
143+
// Setup token caching https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=aspnet
144+
// For example, for an in-memory cache with 1GB limit, use
145+
app.AddInMemoryTokenCache(services =>
146+
{
147+
// Configure the memory cache options
148+
services.Configure<MemoryCacheOptions>(options =>
149+
{
150+
options.SizeLimit = 1024 * 1024 * 1024; // in bytes (1 GB of memory)
151+
});
143152
}
144153

145154
var authResult = await app.AcquireTokenForClient(
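Review bot: this hunk leaves a syntax error: 145+ and 146+ open `app.AddInMemoryTokenCache(services =>` and `{`, but the surviving context `}` at 152 only closes the lambda body, so the statement still needs `});` to close the lambda and the method call. Separately, replacing the member-level `if (app == null)` guard with a local `var app` means a new `IConfidentialClientApplication`, with a fresh in-memory cache, is built on every call to `GetAuthenticationResult`, so nothing is reused between calls and the cache the comment describes is ineffective; keep the application in a member field (as the removed code did) or build it once and inject it. The snippet should also state that `MemoryCacheOptions` and `AddInMemoryTokenCache` need the Microsoft.Identity.Web package and the `Microsoft.Extensions.Caching.Memory` using.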
@@ -158,9 +167,9 @@ public partial class AuthWrapper
158167

159168
#### Benefit from token caching
160169

161-
To benefit from the in-memory cache, the instance of `IConfidentialClientApplication` must be kept in a member variable. If you re-create the confidential client app each time you request a token, you won't benefit from the token cache.
170+
If you don't setup token caching, the token issuer will throttle you, resulting in errors. It also takes a lot less to get a token from the cache (10-20ms) than it is from ESTS (500-30000ms).
162171

163-
You'll need to serialize `AppTokenCache` if you don't use the default in-memory app token cache. Similarly, If you want to implement a distributed token cache, serialize `AppTokenCache`. For details, see [Token cache for a web app or web API (confidential client application)](msal-net-token-cache-serialization.md?tabs=aspnet) and the sample [active-directory-dotnet-v1-to-v2/ConfidentialClientTokenCache](https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2/tree/master/ConfidentialClientTokenCache).
172+
If you want to implement a distributed token cache, see [Token cache for a web app or web API (confidential client application)](msal-net-token-cache-serialization.md?tabs=aspnet) and the sample [active-directory-dotnet-v1-to-v2/ConfidentialClientTokenCache](https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2/tree/master/ConfidentialClientTokenCache).
164173

165174
[Learn more about the daemon scenario](scenario-daemon-overview.md) and how it's implemented with MSAL.NET or Microsoft.Identity.Web in new applications.
166175
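Review bot: the removed sentence at 161- (keep the `IConfidentialClientApplication` in a member variable, or you won't benefit from the cache) is exactly the guidance readers need, and dropping it while the code samples in this same PR switch to a per-call `var app` removes the only warning against the pattern that defeats caching; please restore it. Wording on 170+: "setup" should be "set up" (verb), "takes a lot less to get a token" is missing "time", "than it is from ESTS" should be "than from ESTS", and ESTS is an unexpanded internal acronym that readers won't recognize, so name the Azure AD token endpoint plainly.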

@@ -255,14 +264,22 @@ public partial class AuthWrapper
255264
string resourceId,
256265
string tokenUsedToCallTheWebApi)
257266
{
258-
if (app == null)
259-
{
260-
app = ConfidentialClientApplicationBuilder.Create(ClientId)
267+
268+
var app = ConfidentialClientApplicationBuilder.Create(ClientId)
261269
.WithCertificate(certificate)
262270
.WithAuthority(authority)
263271
.Build();
264-
}
265272

273+
// Setup token caching https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=aspnet
274+
// For example, for an in-memory cache with 1GB limit. For OBO, it is recommended to use a distributed cache like Redis.
275+
app.AddInMemoryTokenCache(services =>
276+
{
277+
// Configure the memory cache options
278+
services.Configure<MemoryCacheOptions>(options =>
279+
{
280+
options.SizeLimit = 1024 * 1024 * 1024; // in bytes (1 GB of memory)
281+
});
282+
}
266283

267284
var userAssertion = new UserAssertion(tokenUsedToCallTheWebApi);
268285
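Review bot: same unterminated call as the earlier hunk: 282+ replaces the removed `}` with a bare `}` that closes only the lambda body, so `app.AddInMemoryTokenCache(services => { ... }` is missing `);` and will not compile. The comment on 274+ says a distributed cache such as Redis is recommended for OBO, yet the sample wires up an in-memory cache; either show the distributed variant or say this is a placeholder. And as in the first hunk, `var app` built inside the method means the cache is discarded after each call.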

articles/active-directory/develop/msal-net-token-cache-serialization.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -228,10 +228,12 @@ public static async Task<AuthenticationResult> GetTokenAsync(string clientId, X5
228228
Instead of `app.AddInMemoryTokenCache();`, you can use different caching serialization technologies. For example, you can use no-serialization, in-memory, and distributed token cache storage provided by .NET.
229229

230230
<a id="no-token-cache-serialization"></a>
231-
#### Token cache without serialization
231+
#### Token cache without serialization
232232

233-
You can specify that you don't want to have any token cache serialization and instead rely on the MSAL.NET internal cache. Use `.WithCacheOptions(CacheOptions.EnableSharedCacheOptions)` when building the application and don't add any serializer.
234-
r.
233+
Use `.WithCacheOptions(CacheOptions.EnableSharedCacheOptions)` when building the application and don't add any serializer.
234+
235+
> [!IMPORTANT]
236+
> There is no way to control the size of the cache with this option. If you are building a website, a web API, or a multi-tenant S2S app, then use the `In-memory token cache` option.
235237

236238
```CSharp
237239
// Create the confidential client application
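Review bot: good to drop the stray `r.` line at 234-. In the added note on 236+, `In-memory token cache` is a section name rather than code, so use bold or a link to that section instead of backticks. The 231-/231+ pair renders identically, so it is presumably a trailing-whitespace change; fine, just confirm it is intentional.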

articles/active-directory/develop/publisher-verification-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ App developers must meet a few requirements to complete the publisher verificati
5656

5757
- The Azure AD tenant where the app is registered must be associated with the PGA. If the tenant where the app is registered isn't the primary tenant associated with the PGA, complete the steps to [set up the MPN PGA as a multitenant account and associate the Azure AD tenant](/partner-center/multi-tenant-account#add-an-azure-ad-tenant-to-your-account).
5858

59-
- The app must be registered in an Azure AD tenant and have a [publisher domain](howto-configure-publisher-domain.md) set.
59+
- The app must be registered in an Azure AD tenant and have a [publisher domain](howto-configure-publisher-domain.md) set. The feature is not supported in Azure AD B2C tenant.
6060

6161
- The domain of the email address that's used during MPN account verification must either match the publisher domain that's set for the app or be a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) that's added to the Azure AD tenant. (**NOTE**__: the app's publisher domain can't be *.onmicrosoft.com to be publisher verified)
6262
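Review bot: the added sentence on 59+ should read "The feature isn't supported in Azure AD B2C tenants" (plural, and contraction to match the rest of the list); as written, "in Azure AD B2C tenant" is missing an article or plural.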

articles/active-directory/enterprise-users/licensing-groups-resolve-problems.md

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -62,11 +62,9 @@ To see which users and groups are consuming licenses, select a product. Under **
6262

6363
**Problem:** One of the products that's specified in the group contains a service plan that conflicts with another service plan that's already assigned to the user via a different product. Some service plans are configured in a way that they can't be assigned to the same user as another, related service plan.
6464

65-
Consider the following example. A user has a license for Office 365 Enterprise *E1* assigned directly, with all the plans enabled. The user has been added to a group that has the Office 365 Enterprise *E3* product assigned to it. The E3 product contains service plans that can't overlap with the plans that are included in E1, so the group license assignment fails with the “Conflicting service plans” error. In this example, the conflicting service plans are:
66-
67-
- Exchange Online (Plan 2) conflicts with Exchange Online (Plan 1).
68-
69-
To solve this conflict, you need to disable one of the plans. You can disable the E1 license that's directly assigned to the user. Or, you need to modify the entire group license assignment and disable the plans in the E3 license. Alternatively, you might decide to remove the E1 license from the user if it's redundant in the context of the E3 license.
65+
> [!TIP]
66+
> Exchange Online Plan1 and Plan2 were previously non-duplicable service plans. However, now they are service plans that can be duplicated.
67+
> If you are experiencing conflicts with these service plans, please try reprocessing them.
7068
7169
The decision about how to resolve conflicting product licenses always belongs to the administrator. Azure AD doesn't automatically resolve license conflicts.
7270
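Review bot: the removed paragraph (65- to 69-) carried the only worked example and the resolution steps for a "Conflicting service plans" error (disable the plan in one of the licenses, or remove the redundant license); the new TIP covers only the Exchange Online case that no longer conflicts, so the section now describes the problem on line 63 without telling the administrator how to resolve a conflict that still occurs. Keep a generic resolution paragraph alongside the tip. Also, "Plan1" and "Plan2" on 66+ should be "Plan 1" and "Plan 2" to match the product names used in the removed text.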

articles/active-directory/enterprise-users/licensing-powershell-graph-examples.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -249,7 +249,7 @@ foreach ($userId in $skus.Keys) {
249249
250250
Write-Host ""
251251
}
252-
252+
```
253253

254254

255255
## Remove direct licenses for users with group licenses
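Review bot: adding the closing fence at 252+ fixes a code block that otherwise ran into the `## Remove direct licenses for users with group licenses` heading; the hunk does not show the opening fence, so confirm it carries a language tag (```powershell) consistent with the other examples in this file, otherwise the block renders without highlighting.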
