Merge pull request #244619 from MicrosoftDocs/main

7/11/2023 AM Publish

Author: Taojunshen

.openpublishing.redirection.active-directory.json

@@ -100,6 +100,16 @@
       "redirect_url": "/azure/active-directory/saas-apps/safety-culture-tutorial",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/saas-apps/opentext-fax-tutorial.md",
+      "redirect_url": "/azure/active-directory/saas-apps/xm-fax-and-xm-send-secure-tutorial",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/saas-apps/opentext-directory-services-tutorial.md",
+      "redirect_url": "/azure/active-directory/saas-apps/directory-services-tutorial",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/saas-apps/firstbird-tutorial.md",
       "redirect_url": "/azure/active-directory/saas-apps/radancys-employee-referrals-tutorial",

articles/active-directory/app-provisioning/toc.yml

@@ -37,6 +37,14 @@ items:
         href: on-premises-custom-connector.md
       - name: Provisioning to SAP ECC 7.0
         href: on-premises-sap-connector-configure.md
+    - name: API-driven inbound provisioning tutorials
+      items:
+      - name: Configure API-driven provisioning app
+        href: inbound-provisioning-api-configure-app.md
+      - name: Grant permissions for API-driven provisioning
+        href: inbound-provisioning-api-grant-access.md
+      - name: Quickstart using cURL
+        href: inbound-provisioning-api-curl-tutorial.md
     - name: Customize attribute mappings
       href: customize-application-attributes.md
   - name: Concepts

articles/active-directory/conditional-access/TOC.yml

@@ -10,7 +10,7 @@
     href: require-tou.md
 - name: Tutorials
   items:
-  - name: Require Azure AD Multifactor Authentication
+  - name: Require multifactor Authentication
     href: ../authentication/tutorial-enable-azure-mfa.md?toc=/azure/active-directory/conditional-access/toc.json&bc=/azure/active-directory/conditional-access/breadcrumb/toc.json
 - name: Concepts
   expanded: false
@@ -23,7 +23,7 @@
     items: 
      - name: Users and groups
        href: concept-conditional-access-users-groups.md
-     - name: Cloud apps or actions
+     - name: Target resources
        href: concept-conditional-access-cloud-apps.md
      - name: Conditions
        href: concept-conditional-access-conditions.md
@@ -108,7 +108,7 @@
     href: block-legacy-authentication.md
   - name: Require terms of use
     href: terms-of-use.md
-  - name: Sign-in frequency and browser persistence controls
+  - name: Sign-in frequency and browser persistence control
     href: howto-conditional-access-session-lifetime.md
   - name: Troubleshooting
     items:

articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md

@@ -6,6 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
+
 ms.date: 06/27/2023
 
 ms.author: joflore
@@ -15,12 +16,13 @@ ms.reviewer: lhuangnorth
 
 ms.collection: M365-identity-device-management
 ---
-# Conditional Access: Cloud apps, actions, and authentication context
+# Conditional Access: Target resources
 
-Cloud apps, actions, and authentication context are key signals in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications, actions, or authentication context.
+Target resources (formerly Cloud apps, actions, and authentication context) are key signals in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications, actions, or authentication context.
 
 - Administrators can choose from the list of applications that include built-in Microsoft applications and any [Azure AD integrated applications](../manage-apps/what-is-application-management.md) including gallery, non-gallery, and applications published through [Application Proxy](../app-proxy/what-is-application-proxy.md).
 - Administrators may choose to define policy not based on a cloud application but on a [user action](#user-actions) like **Register security information** or **Register or join devices**, allowing Conditional Access to enforce controls around those actions.
+- Administrators can target [traffic forwarding profiles](#traffic-forwarding-profiles) from Global Secure Access for enhanced functionality.
 - Administrators can use [authentication context](#authentication-context) to provide an extra layer of security in applications. 
 
 ![Define a Conditional Access policy and specify cloud apps](./media/concept-conditional-access-cloud-apps/conditional-access-cloud-apps-or-actions.png)
@@ -201,6 +203,12 @@ User actions are tasks that can be performed by a user. Currently, Conditional A
    - `Client apps`, `Filters for devices` and `Device state` conditions aren't available with this user action since they're dependent on Azure AD device registration to enforce Conditional Access policies.
    - When a Conditional Access policy is enabled with this user action, you must set **Azure Active Directory** > **Devices** > **Device Settings** - `Devices to be Azure AD joined or Azure AD registered require Multifactor Authentication` to **No**. Otherwise, the Conditional Access policy with this user action isn't properly enforced. More information about this device setting can found in [Configure device settings](../devices/device-management-azure-portal.md#configure-device-settings). 
 
+## Traffic forwarding profiles
+
+Traffic forwarding profiles in Global Secure Access enable administrators to define and control how traffic is routed through Microsoft Entra Internet Access and Microsoft Entra Private Access. Traffic forwarding profiles can be assigned to devices and remote networks. For an example of how to configure these traffic profiles in Conditional Access policy, see the article [How to require a compliant network check](../../global-secure-access/how-to-compliant-network.md).
+
+For more information about these profiles, see the article [Global Secure Access traffic forwarding profiles](../../global-secure-access/concept-traffic-forwarding.md).
+
 ## Authentication context
 
 Authentication context can be used to further secure data and actions in applications. These applications can be your own custom applications, custom line of business (LOB) applications, applications like SharePoint, or applications protected by Microsoft Defender for Cloud Apps. 

articles/active-directory/conditional-access/concept-conditional-access-conditions.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 06/14/2023
+ms.date: 07/07/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -55,13 +55,11 @@ We don't support selecting macOS or Linux device platforms when selecting **Requ
 
 ## Locations
 
-When configuring location as a condition, organizations can choose to include or exclude locations. These named locations may include the public IPv4 or IPv6 network information, country or region, or even unknown areas that don't map to specific countries or regions. Only IP ranges can be marked as a trusted location.
+When configuring location as a condition, organizations can choose to include or exclude locations. These named locations may include the public IPv4 or IPv6 network information, country or region, unknown areas that don't map to specific countries or regions, and [Global Secure Access' compliant network](../../global-secure-access/how-to-compliant-network.md).
 
 When including **any location**, this option includes any IP address on the internet not just configured named locations. When selecting **any location**, administrators can choose to exclude **all trusted** or **selected locations**.
 
-For example, some organizations may choose to not require multifactor authentication when their users are connected to the network in a trusted location such as their physical headquarters. Administrators could create a policy that includes any location but excludes the selected locations for their headquarters networks.
-
-More information about locations can be found in the article, [What is the location condition in Azure Active Directory Conditional Access](location-condition.md).
+Administrators can create policies that target specific locations along with other conditions. More information about locations can be found in the article, [What is the location condition in Azure Active Directory Conditional Access](location-condition.md).
 
 ## Client apps
 

articles/active-directory/conditional-access/concept-conditional-access-policies.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 08/05/2022
+ms.date: 07/07/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -75,7 +75,7 @@ The information used to calculate the device platform comes from unverified sour
 
 #### Locations
 
-Location data is provided by IP geolocation data. Administrators can choose to define locations and choose to mark some as trusted like those for their organization's network locations.
+Locations connect IP addresses, geographies, and [Global Secure Access' compliant network](../../global-secure-access/how-to-compliant-network.md) to Conditional Access policy decisions. Administrators can choose to define locations and  mark some as trusted like those for their organization's primary network locations.
 
 #### Client apps
 

articles/active-directory/conditional-access/location-condition.md

@@ -106,7 +106,7 @@ Multiple Conditional Access policies may prompt users for their GPS location bef
 
 Some IP addresses don't map to a specific country or region. To capture these IP locations, check the box **Include unknown countries/regions** when defining a geographic location. This option allows you to choose if these IP addresses should be included in the named location. Use this setting when the policy using the named location should apply to unknown locations.
 
-### Define locations
+## Define locations
 
 1. Sign in to the **Azure portal** as a Conditional Access Administrator or Security Administrator.
 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**.
@@ -123,6 +123,7 @@ When you configure the location condition, you can distinguish between:
 
 - Any location
 - All trusted locations
+- All Network Access locations
 - Selected locations
 
 ### Any location
@@ -142,6 +143,10 @@ Using the trusted IPs section of multifactor authentication's service settings i
 
 If you have these trusted IPs configured, they show up as **MFA Trusted IPs** in the list of locations for the location condition.
 
+### All Network Access locations of my tenant
+
+Organizations with access to Global Secure Access preview features will have an additional location listed that is made up of users and devices that comply with your organization's security policies. For more information, see the section [Enable Global Secure Access signaling for Conditional Access](../../global-secure-access/how-to-compliant-network.md#enable-global-secure-access-signaling-for-conditional-access). It can be used with Conditional Access policies to perform a compliant network check for access to resources.
+
 ### Selected locations
 
 With this option, you can select one or more named locations. For a policy with this setting to apply, a user needs to connect from any of the selected locations. When you **Select** the named network selection control that shows the list of named networks opens. The list also shows if the network location is marked as trusted.
@@ -166,6 +171,8 @@ When you use a cloud hosted proxy or VPN solution, the IP address Azure AD uses
 
 When a cloud proxy is in place, a policy that requires a [hybrid Azure AD joined or compliant device](howto-conditional-access-policy-compliant-device.md#create-a-conditional-access-policy) can be easier to manage. Keeping a list of IP addresses used by your cloud hosted proxy or VPN solution up to date can be nearly impossible.
 
+We recommend organizations utilize Global Secure Access to enable [source IP restoration](../../global-secure-access/how-to-source-ip-restoration.md) to avoid this change in address and simplify management.
+
 ### When is a location evaluated?
 
 Conditional Access policies are evaluated when:

articles/active-directory/develop/app-only-access-primer.md

@@ -42,7 +42,7 @@ For example, to read a list of all teams created in an organization, you need to
 
 As a developer, you need to configure all required app-only permissions, also referred to as app roles on your application registration. You can configure your app's requested app-only permissions through the Azure portal or Microsoft Graph. App-only access doesn't support dynamic consent, so you can't request individual permissions or sets of permissions at runtime.
 
-Once you've configured all the permissions your app needs, it must get admin consent [admin consent](../manage-apps/grant-admin-consent.md) for it to access the resources. For example, only users with the global admin role can grant app-only permissions (app roles) for the Microsoft Graph API. Users with other admin roles, like application admin and cloud app admin, are able to grant app-only permissions for other resources. 
+Once you've configured all the permissions your app needs, it must get [admin consent](../manage-apps/grant-admin-consent.md) for it to access the resources. For example, only users with the global admin role can grant app-only permissions (app roles) for the Microsoft Graph API. Users with other admin roles, like application admin and cloud app admin, are able to grant app-only permissions for other resources. 
 
 Admin users can grant app-only permissions by using the Azure portal or by creating grants programmatically through the Microsoft Graph API. You can also prompt for interactive consent from within your app, but this option isn't preferable since app-only access doesn't require a user.
 
@@ -85,4 +85,4 @@ The example given is a simple illustration of application authorization. The pro
 
 - [Learn how to create and assign app roles in Azure AD](howto-add-app-roles-in-azure-ad-apps.md)
 - [Overview of permissions in Microsoft Graph](/graph/permissions-overview)
-- [Microsoft Graph permissions reference](/graph/permissions-reference)
+- [Microsoft Graph permissions reference](/graph/permissions-reference)

articles/active-directory/hybrid/connect/how-to-connect-sync-feature-directory-extensions.md

@@ -59,6 +59,9 @@ During installation of Azure AD Connect, an application is registered where thes
 
 ![Schema extension app](./media/how-to-connect-sync-feature-directory-extensions/extension3new.png)
 
+>[!NOTE]
+> The **Tenant Schema Extension App** is a system-only application that can't be deleted and attribute extension definitions can't be removed.
+
 Make sure you select **All applications** to see this app.
 
 The attributes are prefixed with **extension \_{ApplicationId}\_**. ApplicationId has the same value for all attributes in your Azure AD tenant. You will need this value for all other scenarios in this topic.

articles/active-directory/identity-protection/TOC.yml

@@ -1,14 +1,14 @@
-- name: Identity Protection Documentation
+- name: Microsoft Entra ID Protection Documentation
   href: index.yml
 - name: Overview
   items:
-  - name: What is Identity Protection?
+  - name: What is Microsoft Entra ID Protection?
     href: overview-identity-protection.md
 - name: Concepts
   expanded: false
   items:
-  - name: Security overview
-    href: concept-identity-protection-security-overview.md
+  - name: Microsoft Entra ID Protection dashboard
+    href: id-protection-dashboard.md
   - name: What are risks?
     href: concept-identity-protection-risks.md
   - name: Risk-based access control policies
@@ -17,12 +17,12 @@
     href: concept-identity-protection-user-experience.md
   - name: Securing workload identities
     href: concept-workload-identity-risk.md
-  - name: Identity Protection and B2B users
+  - name: Microsoft Entra ID Protection and B2B users
     href: concept-identity-protection-b2b.md
 - name: How-to guides
   expanded: true
   items:
-  - name: Deploy Identity Protection
+  - name: Deploy Microsoft Entra ID Protection
     href: how-to-deploy-identity-protection.md
   - name: Configure notifications
     href: howto-identity-protection-configure-notifications.md
@@ -50,6 +50,8 @@
     href: troubleshooting-identity-protection-faq.yml
 - name: Reference
   items:
+  - name: Security overview
+    href: concept-identity-protection-security-overview.md
   - name: Microsoft Graph APIs
     items: 
     - name: riskDetection API