Merge pull request #253276 from MicrosoftDocs/main

Publish to live, Friday 4 AM PST, 9/29

Author: ttorble

.openpublishing.redirection.active-directory.json

@@ -5465,6 +5465,11 @@
       "redirect_url": "/azure/active-directory/reports-monitoring/reference-sla-performance",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/active-directory/fundamentals/licensing-whatis-azure-portal.md",
+      "redirect_url": "/azure/active-directory/fundamentals/concept-group-based-licensing",
+      "redirect_document_id": false
+    }, 
     {
       "source_path_from_root": "/articles/active-directory/reports-monitoring/quickstart-filter-audit-log.md",
       "redirect_url": "/azure/active-directory/reports-monitoring/howto-customize-filter-logs",

articles/active-directory/fundamentals/licensing-whatis-azure-portal.md renamed to articles/active-directory/fundamentals/concept-group-based-licensing.md

@@ -1,6 +1,6 @@
 ---
 title: What is group-based licensing
-description: Learn about Microsoft Entra group-based licensing, including how it works and best practices.
+description: Learn about Microsoft Entra group-based licensing, including how it works, key features, and best practices.
 services: active-directory
 keywords: Azure AD licensing
 author: barclayn
@@ -10,11 +10,11 @@ ms.service: active-directory
 ms.subservice: fundamentals
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 07/11/2023
+ms.date: 09/28/2023
 ms.author: barclayn
 ms.reviewer: krbain
-ms.custom: "it-pro, seodec18"
-ms.collection: M365-identity-device-management
+
+# Customer intent: As an IT admin, I want to understand group-based licensing, so I can effectively assign licenses to users in my organization.
 ---
 
 # What is group-based licensing in Microsoft Entra ID?

articles/active-directory/fundamentals/how-to-manage-groups.md

@@ -1,6 +1,6 @@
 ---
 title: How to manage groups
-description: Instructions about how to manage Microsoft Entra groups and group membership.
+description: Instructions about how to create and update Microsoft Entra groups, such as membership and settings.
 services: active-directory
 author: shlipsey3
 manager: amycolannino
@@ -12,6 +12,9 @@ ms.topic: how-to
 ms.date: 09/12/2023
 ms.author: sarahlipsey
 ms.reviewer: krbain
+
+# Customer Intent: As an IT admin, I want to learn how to create groups, add members, and adjust setting so that I can grant the right access to the right services for the right people.
+
 ---
 # Manage Microsoft Entra groups and group membership
 
@@ -43,6 +46,8 @@ To create a basic group and add members:
 
 1. Enter a **Group name.** Choose a name that you'll remember and that makes sense for the group. A check will be performed to determine if the name is already in use. If the name is already in use, you'll be asked to change the name of your group.
 
+    - The name of the group can't start with a space. Starting the name with a space prevents the group from appearing as an option for steps such as adding role assignments to group members.
+
 1. **Group email address**: Only available for Microsoft 365 group types. Enter an email address manually or use the email address built from the Group name you provided.
 
 1. **Group description.** Add an optional description to your group.
@@ -192,7 +197,7 @@ You can remove an existing Security group from another Security group; however,
 
 You can delete a group for any number of reasons, but typically it will be because you:
 
-- Chose the incorrect **Group type** option.
+- Choose the incorrect **Group type** option.
 - Created a duplicate group by mistake. 
 - No longer need the group.
 

articles/active-directory/fundamentals/how-to-rename-azure-ad.md

@@ -131,7 +131,6 @@ $terminology = @(
     @{ Key = 'Azure AD seamless single sign-on'; Value = 'Microsoft Entra seamless single sign-on' },
     @{ Key = 'Azure AD self-service password reset'; Value = 'Microsoft Entra self-service password reset' },
     @{ Key = 'Azure AD SSPR'; Value = 'Microsoft Entra SSPR' },
-    @{ Key = 'Azure AD SSPR'; Value = 'Microsoft Entra SSPR' },
     @{ Key = 'Azure AD domain'; Value = 'Microsoft Entra domain' },
     @{ Key = 'Azure AD group'; Value = 'Microsoft Entra group' },
     @{ Key = 'Azure AD login'; Value = 'Microsoft Entra login' },
@@ -297,10 +296,10 @@ $postTransforms = @(
 $terminology = $terminology.GetEnumerator() | Sort-Object -Property { $_.Key.Length } -Descending
 $postTransforms = $postTransforms.GetEnumerator() | Sort-Object -Property { $_.Key.Length } -Descending
 
-# Get all resx and resjson files in the current directory and its subdirectories, ignoring .gitignored files.
-Write-Host "Getting all resx and resjson files in the current directory and its subdirectories, ignoring .gitignored files."
+# Get all resx files in the current directory and its subdirectories, ignoring .gitignored files.
+Write-Host "Getting all resx files in the current directory and its subdirectories, ignoring .gitignored files."
 $gitIgnoreFiles = Get-ChildItem -Path . -Filter .gitignore -Recurse
-$targetFiles = Get-ChildItem -Path . -Include *.resx, *.resjson -Recurse
+$targetFiles = Get-ChildItem -Path . -Include *.resx -Recurse
 
 $filteredFiles = @()
 foreach ($file in $targetFiles) {
@@ -319,7 +318,7 @@ foreach ($file in $targetFiles) {
 $scriptPath = $MyInvocation.MyCommand.Path
 $filteredFiles = $filteredFiles | Where-Object { $_.FullName -ne $scriptPath }
 
-# This command will get all the files with the extensions .resx and .resjson in the current directory and its subdirectories, and then filter out those that match the patterns in the .gitignore file. The Resolve-Path cmdlet will find the full path of the .gitignore file, and the Get-Content cmdlet will read its content as a single string. The -notmatch operator will compare the full name of each file with the .gitignore content using regular expressions, and return only those that do not match.
+# This command will get all the files with the extensions .resx in the current directory and its subdirectories, and then filter out those that match the patterns in the .gitignore file. The Resolve-Path cmdlet will find the full path of the .gitignore file, and the Get-Content cmdlet will read its content as a single string. The -notmatch operator will compare the full name of each file with the .gitignore content using regular expressions, and return only those that do not match.
 Write-Host "Found $($filteredFiles.Count) files."
 
 function Update-Terminology {

articles/active-directory/governance/entitlement-management-access-package-assignments.md

@@ -61,19 +61,38 @@ To use entitlement management and assign users to access packages, you must have
 
 ## View assignments programmatically
 ### View assignments with Microsoft Graph
-You can also retrieve assignments in an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/entitlementmanagement-list-accesspackageassignments?view=graph-rest-beta&preserve-view=true). While an identity governance administrator can retrieve access packages from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve assignments across all catalogs.
+You can also retrieve assignments in an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/entitlementmanagement-list-accesspackageassignments?view=graph-rest-beta&preserve-view=true).  An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve assignments across all catalogs.
+
+Microsoft Graph will return the results in pages, and will continue to return a reference to the next page of results in the `@odata.nextLink` property with each response, until all pages of the results have been read. To read all results, you must continue to call Microsoft Graph with the `@odata.nextLink` property returned in each response until the `@odata.nextLink` property is no longer returned, as described in [paging Microsoft Graph data in your app](/graph/paging).
+
+While an identity governance administrator can retrieve access packages from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`.
 
 ### View assignments with PowerShell
 
-You can perform this query in PowerShell with the `Get-MgEntitlementManagementAssignment` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 2.1.x or later module version.  This script illustrates using the Microsoft Graph PowerShell cmdlets module version 2.4.0. This cmdlet takes as a parameter the access package ID, which is included in the response from the `Get-MgEntitlementManagementAccessPackage` cmdlet.
+You can also retrieve assignments to an access package in PowerShell with the `Get-MgEntitlementManagementAssignment` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 2.1.x or later module version.  This script illustrates using the Microsoft Graph PowerShell cmdlets module version 2.4.0 to retrieve all assignments to a particular access package. This cmdlet takes as a parameter the access package ID, which is included in the response from the `Get-MgEntitlementManagementAccessPackage` cmdlet.  Be sure when using the `Get-MgEntitlementManagementAccessPackage` cmdlet to include the `-All` flag to cause all pages of assignments to be returned.
 
 ```powershell
 Connect-MgGraph -Scopes "EntitlementManagement.Read.All"
 $accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq 'Marketing Campaign'"
+if ($null -eq $accesspackage) { throw "no access package"}
 $assignments = @(Get-MgEntitlementManagementAssignment -AccessPackageId $accesspackage.Id -ExpandProperty target -All -ErrorAction Stop)
 $assignments | ft Id,state,{$_.Target.id},{$_.Target.displayName}
 ```
 
+Note that the preceding query will return expired and delivering assignments as well as delivered assignments.  If you wish to exclude expired or delivering assignments, you can use a filter that includes the access package ID as well as the state of the assignments.  This script illustrates using a filter to retrieve only the assignments in state `Delivered` for a particular access package. The script will then generate a CSV file `assignments.csv`, with one row per assignment.
+
+```powershell
+Connect-MgGraph -Scopes "EntitlementManagement.Read.All"
+$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq 'Marketing Campaign'"
+if ($null -eq $accesspackage) { throw "no access package"}
+$accesspackageId = $accesspackage.Id
+$filter = "accessPackage/id eq '" + $accesspackageId + "' and state eq 'Delivered'"
+$assignments = @(Get-MgEntitlementManagementAssignment -Filter $filter -ExpandProperty target -All -ErrorAction Stop)
+$sp = $assignments | select-object -Property Id,{$_.Target.id},{$_.Target.ObjectId},{$_.Target.DisplayName},{$_.Target.PrincipalName}
+$sp | Export-Csv -Encoding UTF8 -NoTypeInformation -Path ".\assignments.csv"
+```
+
+
 ## Directly assign a user 
 
 In some cases, you might want to directly assign specific users to an access package so that users don't have to go through the process of requesting the access package. To directly assign users, the access package must have a policy that allows administrator direct assignments.
@@ -158,7 +177,8 @@ You can assign a user to an access package in PowerShell with the `New-MgEntitle
 
 ```powershell
 Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
-$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty assignmentpolicies
+$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty "assignmentpolicies"
+if ($null -eq $accesspackage) { throw "no access package"}
 $policy = $accesspackage.AssignmentPolicies[0]
 $userid = "cdbdf152-82ce-479c-b5b8-df90f561d5c7"
 $params = @{
@@ -184,6 +204,7 @@ Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All,Directory.Read.All"
 $members = @(Get-MgGroupMember -GroupId "a34abd69-6bf8-4abd-ab6b-78218b77dc15" -All)
 
 $accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty "assignmentPolicies"
+if ($null -eq $accesspackage) { throw "no access package"}
 $policy = $accesspackage.AssignmentPolicies[0]
 $req = New-MgBetaEntitlementManagementAccessPackageAssignment -AccessPackageId $accesspackage.Id -AssignmentPolicyId $policy.Id -RequiredGroupMember $members
 ```
@@ -196,6 +217,7 @@ If you wish to add an assignment for a user who is not yet in your directory, yo
 ```powershell
 Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
 $accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty "assignmentPolicies"
+if ($null -eq $accesspackage) { throw "no access package"}
 $policy = $accesspackage.AssignmentPolicies[0]
 $req = New-MgBetaEntitlementManagementAccessPackageAssignmentRequest -AccessPackageId $accesspackage.Id -AssignmentPolicyId $policy.Id -TargetEmail "[email protected]"
 ```

articles/active-directory/governance/entitlement-management-access-package-requests.md

@@ -49,6 +49,8 @@ If you have a set of users whose requests are in the "Partially Delivered" or "F
 ### View requests with Microsoft Graph
 You can also retrieve requests for an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignmentRequests](/graph/api/entitlementmanagement-list-accesspackageassignmentrequests?view=graph-rest-beta&preserve-view=true). While an identity governance administrator can retrieve access package requests from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$expand=accessPackage&$filter=accessPackage/id eq '9bbe5f7d-f1e7-4eb1-a586-38cdf6f8b1ea'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve requests across all catalogs.
 
+Microsoft Graph will return the results in pages, and will continue to return a reference to the next page of results in the `@odata.nextLink` property with each response, until all pages of the results have been read. To read all results, you must continue to call Microsoft Graph with the `@odata.nextLink` property returned in each response until the `@odata.nextLink` property is no longer returned, as described in [paging Microsoft Graph data in your app](/graph/paging).
+
 ## Remove request (Preview)
 
 You can also remove a completed request that is no longer needed. To remove a request:

articles/active-directory/governance/entitlement-management-catalog-create.md

@@ -187,8 +187,10 @@ You can also add a resource to a catalog in PowerShell with the `New-MgEntitleme
 Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All,Group.ReadWrite.All"
 
 $g = Get-MgGroup -Filter "displayName eq 'Marketing'"
+if ($null -eq $g) {throw "no group" }
 
 $catalog = Get-MgEntitlementManagementCatalog -Filter "displayName eq 'Marketing'"
+if ($null -eq $catalog) { throw "no catalog" }
 $params = @{
   requestType = "adminAdd"
   resource = @{

articles/active-directory/reports-monitoring/concept-diagnostic-settings-logs-options.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 08/09/2023
+ms.date: 09/28/2023
 ms.author: sarahlipsey
 ms.reviewer: besiler
 
@@ -86,7 +86,9 @@ The `EnrichedOffice365AuditLogs` logs are associated with the enriched logs you
 
 ### Microsoft Graph activity logs
 
-The `MicrosoftGraphActivityLogs` logs are associated with a feature that is still in private preview. The logs are visible in Microsoft Entra ID, but selecting these options won't add new logs to your workspace unless your organization was included in the private preview.
+The `MicrosoftGraphActivityLogs` provide administrators full visibility into all HTTP requests accessing your tenant's resources through the Microsoft Graph API. You can use these logs to identify activities that a compromised user account conducted in your tenant or to investigate problematic or unexpected behaviors for client applications, such as extreme call volumes. Route these logs to the same Log Analytics workspace with `SignInLogs` to cross-reference details of token requests for sign-in logs.
+
+The feature is currently in public preview. For more information, see [Access Microsoft Graph activity logs (preview)](/graph/microsoft-graph-activity-logs-overview).
 
 ### Network access traffic logs
 

articles/active-directory/reports-monitoring/toc.yml

@@ -25,6 +25,8 @@ items:
       href: concept-sign-in-log-activity-details.md
     - name: Provisioning logs
       href: concept-provisioning-logs.md
+    - name: Microsoft Graph activity logs
+      href: /graph/microsoft-graph-activity-logs-overview?toc=/azure/active-directory/reports-monitoring/toc.json&bc=/azure/active-directory/reports-monitoring/breadcrumb/toc.json
   - name: How-to guides 
     expanded: true
     items: