Merge branch 'MicrosoftDocs:main' into main

Author: kanika1894

.openpublishing.redirection.active-directory.json

@@ -5265,6 +5265,61 @@
       "redirect_url": "/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/howto-use-workbooks",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/concept-log-monitoring-integration-options-considerations",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/tutorial-log-analytics-wizard.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/tutorial-configure-log-analytics-workspace",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/howto-archive-logs-to-storage-account",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/overview-monitoring.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/overview-monitoring-health",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/overview-reports.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/overview-monitoring-health",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-sumologic.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/howto-stream-logs-to-event-hub",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-splunk.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/howto-stream-logs-to-event-hub",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-arcsight.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/howto-stream-logs-to-event-hub",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/overview-service-health-notifications.md",
+      "redirect_url": "/azure/service-health/service-health-portal-update",
+      "redirect_document_id": true
+    },
     {
       "source_path_from_root": "/articles/active-directory/reports-monitoring/quickstart-configure-named-locations.md",
       "redirect_url": "/azure/active-directory/conditional-access/location-condition",

CODEOWNERS

@@ -4,11 +4,6 @@
 # Background: https://github.blog/2017-07-06-introducing-code-owners/
 # NOTE: The people you choose as code owners must have _write_ permissions for the repository. When the code owner is a team, that team must be _visible_ and it must have _write_ permissions, even if all the individual members of the team already have write permissions directly, through organization membership, or through another team membership.
 
-# Azure Policy: Samples and Compliance Controls
-/articles/**/policy-reference.md @davidsmatlak
-/articles/**/security-controls-policy.md @davidsmatlak
-/includes/policy/ @davidsmatlak
-
 # Azure Monitor
 articles/azure-monitor/* @bwren
 articles/azure-monitor/agents @guywi-ms @bwren
@@ -56,10 +51,6 @@ articles/service-health @rboucher
 /articles/container-instances/ @macolso @mimckitt
 /articles/container-registry/ @dlepow @mimckitt
 
-# Governance
-/articles/governance/policy @davidsmatlak
-/articles/governance/resource-graph @davidsmatlak
-
 # Security
 /articles/security/fundamentals/feature-availability.md @msmbaldwin @terrylanfear
 

articles/active-directory-b2c/tenant-management-directory-quota.md

@@ -65,7 +65,7 @@ The response from the API call looks similar to the following json:
         {
             "directorySizeQuota": {
                 "used": 211802,
-                "total": 300000
+                "total": 50000000
             }
         }
     ]
@@ -81,4 +81,4 @@ If your tenant usage is higher that 80%, you can remove inactive users or reques
 
 ## Request increase directory quota size
 
-You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md) 
+You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md) 

articles/active-directory/app-proxy/application-proxy-faq.yml

@@ -152,7 +152,7 @@ sections:
               - If the certificate was created with Microsoft Software Key Storage Provider, the RSA algorithm must be used.
           
       - question: |
-         What is the length of the default and "long" back-end timeout? Can the timeout be extended?
+         What is the length of the default and "long" backend timeout? Can the timeout be extended?
         answer: |
               The default length is 85 seconds. The "long" setting is 180 seconds. The timeout limit can't be extended.
 
@@ -170,7 +170,13 @@ sections:
           
               > [!IMPORTANT]
               > Deleting CWAP_AuthSecret breaks pre-authentication for Azure AD Application Proxy. Don't delete CWAP_AuthSecret.
-          
+
+      - question: |
+         I'm using or want to use Azure Active Directory Application Proxy. Can I replace the `onmicrosoft.com` fallback domain of my tenant in Microsoft 365 as suggested in the article [Add and replace your onmicrosoft.com fallback domain in Microsoft 365](../../microsoft-365/admin/setup/add-or-replace-your-onmicrosoftcom-domain?view=o365-worldwide)? 
+        answer: |
+              No. You must use the original fallback domain.  
+
+         
       - question: |
          How do I change the landing page my application loads?
         answer: |

articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 03/28/2023
+ms.date: 08/15/2023
 
 ms.author: justinha
 author: justinha
@@ -20,7 +20,7 @@ Azure Active Directory (Azure AD) has multiple settings that determine how often
 
 The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt.
 
-It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions using PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken).
+It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions by using Microsoft Graph PowerShell](/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession).
 
 This article details recommended configurations and how different settings work and interact with each other.
 

articles/active-directory/authentication/howto-mfa-nps-extension-errors.md

@@ -35,6 +35,7 @@ If you encounter errors with the NPS extension for Azure AD Multi-Factor Authent
 | **REQUEST_FORMAT_ERROR** <br> Radius Request missing mandatory Radius userName\Identifier attribute.Verify that NPS is receiving RADIUS requests | This error usually reflects an installation issue. The NPS extension must be installed in NPS servers that can receive RADIUS requests. NPS servers that are installed as dependencies for services like RDG and RRAS don't receive radius requests. NPS Extension does not work when installed over such installations and errors out since it cannot read the details from the authentication request. |
 | **REQUEST_MISSING_CODE** | Make sure that the password encryption protocol between the NPS and NAS servers supports the secondary authentication method that you're using. **PAP** supports all the authentication methods of Azure AD MFA in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code. **CHAPV2** and **EAP** support phone call and mobile app notification. |
 | **USERNAME_CANONICALIZATION_ERROR** | Verify that the user is present in your on-premises Active Directory instance, and that the NPS Service has permissions to access the directory. If you are using cross-forest trusts, [contact support](#contact-microsoft-support) for further help. |
+| **Challenge requested in Authentication Ext for User** | Organizations using a RADIUS protocol other than PAP will observe user VPN authorization failing with these events appearing in the AuthZOptCh event log of the NPS Extension server. You can configure the NPS Server to support PAP. If PAP is not an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications. For further help, please check [Number matching using NPS Extension](how-to-mfa-number-match.md#nps-extension). |
 
 ### Alternate login ID errors
 

articles/active-directory/hybrid/connect/reference-connect-version-history.md

@@ -77,6 +77,7 @@ To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
  - We have enabled Auto Upgrade for tenants with custom synchronization rules. Note that deleted (not disabled) default rules will be re-created and enabled upon Auto Upgrade.
  - We have added Microsoft Azure AD Connect Agent Updater service to the install. This new service will be used for future auto upgrades.
  - We have removed the Synchronization Service WebService Connector Config program from the install.
+ - Default sync rule “In from AD – User Common” was updated to flow the employeeType attribute.
 
 ### Bug Fixes
  - We have made improvements to accessibility.

articles/active-directory/includes/diagnostic-settings-include.md

@@ -0,0 +1,22 @@
+---
+title: include file
+description: include file
+author: shlipsey3
+manager: amycolannino
+ms.service: active-directory
+ms.workload: identity
+ms.topic: include
+ms.date: 08/08/2023
+ms.author: saralipsey
+ms.custom: include file
+---
+
+1. Sign in to the [Azure portal](https://portal.azure.com) as a **Security Administrator**.
+
+1. Go to **Azure Active Directory** > **Diagnostic settings**. You can also select **Export Settings** from either the **Audit Logs** or **Sign-ins** page.
+
+1. Select **+ Add diagnostic setting** to create a new integration or select **Edit setting** for an existing integration.
+
+1. Enter a **Diagnostic setting name**. If you're editing an existing integration, you can't change the name.
+
+1. Select the log categories that you want to stream.

articles/active-directory/privileged-identity-management/concept-pim-for-groups.md

@@ -11,7 +11,7 @@ ms.subservice: pim
 ms.topic: overview
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 6/7/2023
+ms.date: 8/15/2023
 ms.author: billmath
 ms.custom: pim 
 ms.collection: M365-identity-device-management
@@ -72,6 +72,19 @@ One group can be an eligible member of another group, even if one of those group
 
 If a user is an active member of Group A, and Group A is an eligible member of Group B, the user can activate their membership in Group B. This activation will be only for the user that requested the activation for, it does not mean that the entire Group A becomes an active member of Group B.
 
+## Privileged Identity Management and app provisioning (Public Preview)
+
+If the group is configured for [app provisioning](../app-provisioning/index.yml), activation of group membership will trigger provisioning of group membership (and user account itself if it wasn’t provisioned previously) to the application using SCIM protocol. 
+
+In Public Preview we have a functionality that triggers provisioning right after group membership is activated in PIM.
+Provisioning configuration depends on the application. Generally, we recommend having at least two groups assigned to the application. Depending on the number of roles in your application, you may choose to define additional “privileged groups.”:
+
+
+|Group|Purpose|Members|Group membership|Role assigned in the application|
+|-----|-----|-----|-----|-----|
+|All users group|Ensure that all users that need access to the application are constantly provisioned to the application.|All users that need to access application.|Active|None, or low-privileged role|
+|Privileged group|Provide just-in-time access to privileged role in the application.|Users that need to have just-in-time access to privileged role in the application.|Eligible|Privileged role|
+
 ## Next steps
 
 - [Bring groups into Privileged Identity Management](groups-discover-groups.md)