Commit f5a03cf

Merge pull request #253276 from MicrosoftDocs/main
Publish to live, Friday 4 AM PST, 9/29
2 parents a2bfd90 + 4725551 commit f5a03cf

100 files changed

+1753
-491
lines changed


.openpublishing.redirection.active-directory.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5465,6 +5465,11 @@
54655465
"redirect_url": "/azure/active-directory/reports-monitoring/reference-sla-performance",
54665466
"redirect_document_id": true
54675467
},
5468+
{
5469+
"source_path_from_root": "/articles/active-directory/fundamentals/licensing-whatis-azure-portal.md",
5470+
"redirect_url": "/azure/active-directory/fundamentals/concept-group-based-licensing",
5471+
"redirect_document_id": false
5472+
},
54685473
{
54695474
"source_path_from_root": "/articles/active-directory/reports-monitoring/quickstart-filter-audit-log.md",
54705475
"redirect_url": "/azure/active-directory/reports-monitoring/howto-customize-filter-logs",

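Review bot: The new redirect at lines 5468-5472 sets `"redirect_document_id": false`, while the entry directly above it uses `true`; this commit also shows licensing-whatis-azure-portal.md as renamed to concept-group-based-licensing.md, so please confirm that `false` is the intended value for a rename and note the reason in the PR description.
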
articles/active-directory/fundamentals/licensing-whatis-azure-portal.md renamed to articles/active-directory/fundamentals/concept-group-based-licensing.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
title: What is group-based licensing
3-
description: Learn about Microsoft Entra group-based licensing, including how it works and best practices.
3+
description: Learn about Microsoft Entra group-based licensing, including how it works, key features, and best practices.
44
services: active-directory
55
keywords: Azure AD licensing
66
author: barclayn
@@ -10,11 +10,11 @@ ms.service: active-directory
1010
ms.subservice: fundamentals
1111
ms.topic: conceptual
1212
ms.workload: identity
13-
ms.date: 07/11/2023
13+
ms.date: 09/28/2023
1414
ms.author: barclayn
1515
ms.reviewer: krbain
16-
ms.custom: "it-pro, seodec18"
17-
ms.collection: M365-identity-device-management
16+
17+
# Customer intent: As an IT admin, I want to understand group-based licensing, so I can effectively assign licenses to users in my organization.
1818
---
1919

2020
# What is group-based licensing in Microsoft Entra ID?
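Review bot: Old front-matter lines 16-17 (`ms.custom: "it-pro, seodec18"` and `ms.collection: M365-identity-device-management`) are dropped without explanation in a change that is otherwise a date bump and a customer-intent comment; if removing the collection tag is deliberate, say so in the commit message. The added empty line 16 ahead of the comment looks unneeded, and the comment is spelled `# Customer intent:` here but `# Customer Intent:` in how-to-manage-groups.md in the same commit, so pick one spelling.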

articles/active-directory/fundamentals/how-to-manage-groups.md

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
title: How to manage groups
3-
description: Instructions about how to manage Microsoft Entra groups and group membership.
3+
description: Instructions about how to create and update Microsoft Entra groups, such as membership and settings.
44
services: active-directory
55
author: shlipsey3
66
manager: amycolannino
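Review bot: In the new `description` on line 3, "such as membership and settings" has nothing to attach to, because membership and settings are not examples of groups; consider "Instructions about how to create Microsoft Entra groups and update their membership and settings."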
@@ -12,6 +12,9 @@ ms.topic: how-to
1212
ms.date: 09/12/2023
1313
ms.author: sarahlipsey
1414
ms.reviewer: krbain
15+
16+
# Customer Intent: As an IT admin, I want to learn how to create groups, add members, and adjust setting so that I can grant the right access to the right services for the right people.
17+
1518
---
1619
# Manage Microsoft Entra groups and group membership
1720
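Review bot: The added comment on line 16 reads "adjust setting so that"; it should be "adjust settings so that". The two empty lines added at 15 and 17 around the comment are also inconsistent with concept-group-based-licensing.md in this commit, which adds only a leading one.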

@@ -43,6 +46,8 @@ To create a basic group and add members:
4346

4447
1. Enter a **Group name.** Choose a name that you'll remember and that makes sense for the group. A check will be performed to determine if the name is already in use. If the name is already in use, you'll be asked to change the name of your group.
4548

49+
- The name of the group can't start with a space. Starting the name with a space prevents the group from appearing as an option for steps such as adding role assignments to group members.
50+
4651
1. **Group email address**: Only available for Microsoft 365 group types. Enter an email address manually or use the email address built from the Group name you provided.
4752

4853
1. **Group description.** Add an optional description to your group.
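Review bot: The new bullet at line 49 says the name "can't start with a space", but its second sentence describes what happens when a name does start with one, so the reader cannot tell whether the portal rejects such a name or accepts it and then hides the group from pickers such as role assignment. If the name is accepted, word the bullet as an instruction ("Don't start the group name with a space") and say how to correct an affected group; if it is rejected, the second sentence can go.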
@@ -192,7 +197,7 @@ You can remove an existing Security group from another Security group; however,
192197

193198
You can delete a group for any number of reasons, but typically it will be because you:
194199

195-
- Chose the incorrect **Group type** option.
200+
- Choose the incorrect **Group type** option.
196201
- Created a duplicate group by mistake.
197202
- No longer need the group.
198203
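Review bot: Changing "Chose" to "Choose" on line 200 breaks the list: the lead-in is "typically it will be because you:" and the sibling bullets are past tense ("Created a duplicate group by mistake"), so the original "Chose the incorrect **Group type** option" was correct and should be restored.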

articles/active-directory/fundamentals/how-to-rename-azure-ad.md

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -131,7 +131,6 @@ $terminology = @(
131131
@{ Key = 'Azure AD seamless single sign-on'; Value = 'Microsoft Entra seamless single sign-on' },
132132
@{ Key = 'Azure AD self-service password reset'; Value = 'Microsoft Entra self-service password reset' },
133133
@{ Key = 'Azure AD SSPR'; Value = 'Microsoft Entra SSPR' },
134-
@{ Key = 'Azure AD SSPR'; Value = 'Microsoft Entra SSPR' },
135134
@{ Key = 'Azure AD domain'; Value = 'Microsoft Entra domain' },
136135
@{ Key = 'Azure AD group'; Value = 'Microsoft Entra group' },
137136
@{ Key = 'Azure AD login'; Value = 'Microsoft Entra login' },
@@ -297,10 +296,10 @@ $postTransforms = @(
297296
$terminology = $terminology.GetEnumerator() | Sort-Object -Property { $_.Key.Length } -Descending
298297
$postTransforms = $postTransforms.GetEnumerator() | Sort-Object -Property { $_.Key.Length } -Descending
299298
300-
# Get all resx and resjson files in the current directory and its subdirectories, ignoring .gitignored files.
301-
Write-Host "Getting all resx and resjson files in the current directory and its subdirectories, ignoring .gitignored files."
299+
# Get all resx files in the current directory and its subdirectories, ignoring .gitignored files.
300+
Write-Host "Getting all resx files in the current directory and its subdirectories, ignoring .gitignored files."
302301
$gitIgnoreFiles = Get-ChildItem -Path . -Filter .gitignore -Recurse
303-
$targetFiles = Get-ChildItem -Path . -Include *.resx, *.resjson -Recurse
302+
$targetFiles = Get-ChildItem -Path . -Include *.resx -Recurse
304303
305304
$filteredFiles = @()
306305
foreach ($file in $targetFiles) {
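Review bot: Narrowing `-Include *.resx, *.resjson` to `-Include *.resx` on line 302 means the script no longer touches .resjson files, and nothing in this hunk says why; if that is intended, the article text around the script should tell readers that .resjson resources are no longer covered and need to be handled separately.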
@@ -319,7 +318,7 @@ foreach ($file in $targetFiles) {
319318
$scriptPath = $MyInvocation.MyCommand.Path
320319
$filteredFiles = $filteredFiles | Where-Object { $_.FullName -ne $scriptPath }
321320
322-
# This command will get all the files with the extensions .resx and .resjson in the current directory and its subdirectories, and then filter out those that match the patterns in the .gitignore file. The Resolve-Path cmdlet will find the full path of the .gitignore file, and the Get-Content cmdlet will read its content as a single string. The -notmatch operator will compare the full name of each file with the .gitignore content using regular expressions, and return only those that do not match.
321+
# This command will get all the files with the extensions .resx in the current directory and its subdirectories, and then filter out those that match the patterns in the .gitignore file. The Resolve-Path cmdlet will find the full path of the .gitignore file, and the Get-Content cmdlet will read its content as a single string. The -notmatch operator will compare the full name of each file with the .gitignore content using regular expressions, and return only those that do not match.
323322
Write-Host "Found $($filteredFiles.Count) files."
324323
325324
function Update-Terminology {
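Review bot: After the edit the comment on line 321 reads "files with the extensions .resx"; with a single extension left it should be "files with the .resx extension". The comment also says "This command" but sits after the filtering statements and just above the `Write-Host "Found ..."` line, so consider moving it up to the statement it describes.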

articles/active-directory/governance/entitlement-management-access-package-assignments.md

Lines changed: 25 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -61,19 +61,38 @@ To use entitlement management and assign users to access packages, you must have
6161

6262
## View assignments programmatically
6363
### View assignments with Microsoft Graph
64-
You can also retrieve assignments in an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/entitlementmanagement-list-accesspackageassignments?view=graph-rest-beta&preserve-view=true). While an identity governance administrator can retrieve access packages from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve assignments across all catalogs.
64+
You can also retrieve assignments in an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/entitlementmanagement-list-accesspackageassignments?view=graph-rest-beta&preserve-view=true). An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve assignments across all catalogs.
65+
66+
Microsoft Graph will return the results in pages, and will continue to return a reference to the next page of results in the `@odata.nextLink` property with each response, until all pages of the results have been read. To read all results, you must continue to call Microsoft Graph with the `@odata.nextLink` property returned in each response until the `@odata.nextLink` property is no longer returned, as described in [paging Microsoft Graph data in your app](/graph/paging).
67+
68+
While an identity governance administrator can retrieve access packages from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`.
6569

6670
### View assignments with PowerShell
6771

68-
You can perform this query in PowerShell with the `Get-MgEntitlementManagementAssignment` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 2.1.x or later module version. This script illustrates using the Microsoft Graph PowerShell cmdlets module version 2.4.0. This cmdlet takes as a parameter the access package ID, which is included in the response from the `Get-MgEntitlementManagementAccessPackage` cmdlet.
72+
You can also retrieve assignments to an access package in PowerShell with the `Get-MgEntitlementManagementAssignment` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 2.1.x or later module version. This script illustrates using the Microsoft Graph PowerShell cmdlets module version 2.4.0 to retrieve all assignments to a particular access package. This cmdlet takes as a parameter the access package ID, which is included in the response from the `Get-MgEntitlementManagementAccessPackage` cmdlet. Be sure when using the `Get-MgEntitlementManagementAccessPackage` cmdlet to include the `-All` flag to cause all pages of assignments to be returned.
6973

7074
```powershell
7175
Connect-MgGraph -Scopes "EntitlementManagement.Read.All"
7276
$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq 'Marketing Campaign'"
77+
if ($null -eq $accesspackage) { throw "no access package"}
7378
$assignments = @(Get-MgEntitlementManagementAssignment -AccessPackageId $accesspackage.Id -ExpandProperty target -All -ErrorAction Stop)
7479
$assignments | ft Id,state,{$_.Target.id},{$_.Target.displayName}
7580
```
7681

82+
Note that the preceding query will return expired and delivering assignments as well as delivered assignments. If you wish to exclude expired or delivering assignments, you can use a filter that includes the access package ID as well as the state of the assignments. This script illustrates using a filter to retrieve only the assignments in state `Delivered` for a particular access package. The script will then generate a CSV file `assignments.csv`, with one row per assignment.
83+
84+
```powershell
85+
Connect-MgGraph -Scopes "EntitlementManagement.Read.All"
86+
$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq 'Marketing Campaign'"
87+
if ($null -eq $accesspackage) { throw "no access package"}
88+
$accesspackageId = $accesspackage.Id
89+
$filter = "accessPackage/id eq '" + $accesspackageId + "' and state eq 'Delivered'"
90+
$assignments = @(Get-MgEntitlementManagementAssignment -Filter $filter -ExpandProperty target -All -ErrorAction Stop)
91+
$sp = $assignments | select-object -Property Id,{$_.Target.id},{$_.Target.ObjectId},{$_.Target.DisplayName},{$_.Target.PrincipalName}
92+
$sp | Export-Csv -Encoding UTF8 -NoTypeInformation -Path ".\assignments.csv"
93+
```
94+
95+
7796
## Directly assign a user
7897

7998
In some cases, you might want to directly assign specific users to an access package so that users don't have to go through the process of requesting the access package. To directly assign users, the access package must have a policy that allows administrator direct assignments.
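Review bot: The sentence added on line 72 tells readers to pass `-All` to `Get-MgEntitlementManagementAccessPackage`, but in both scripts `-All` is on `Get-MgEntitlementManagementAssignment`, which is the call that returns assignments; name that cmdlet instead. The new guard `if ($null -eq $accesspackage)` covers only the no-match case: nothing in the script ensures the `displayName` filter matches exactly one access package, and with several matches `$accesspackage.Id` would not be a single ID, so consider also failing when more than one result comes back. In the CSV script, the bare script-block properties such as `{$_.Target.id}` become the column headings in assignments.csv; named calculated properties would give readable headers.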
@@ -158,7 +177,8 @@ You can assign a user to an access package in PowerShell with the `New-MgEntitle
158177

159178
```powershell
160179
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
161-
$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty assignmentpolicies
180+
$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty "assignmentpolicies"
181+
if ($null -eq $accesspackage) { throw "no access package"}
162182
$policy = $accesspackage.AssignmentPolicies[0]
163183
$userid = "cdbdf152-82ce-479c-b5b8-df90f561d5c7"
164184
$params = @{
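Review bot: The null check added on line 181 stops before `$accesspackage.AssignmentPolicies[0]`, but the script still takes the first policy without checking that one was returned or that it is the policy allowing administrator direct assignments, which the article says is required; add a guard on `$policy` as well. The `-ExpandProperty` value is now quoted but still spelled `"assignmentpolicies"`, while the other scripts in this file use `"assignmentPolicies"`.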
@@ -184,6 +204,7 @@ Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All,Directory.Read.All"
184204
$members = @(Get-MgGroupMember -GroupId "a34abd69-6bf8-4abd-ab6b-78218b77dc15" -All)
185205
186206
$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty "assignmentPolicies"
207+
if ($null -eq $accesspackage) { throw "no access package"}
187208
$policy = $accesspackage.AssignmentPolicies[0]
188209
$req = New-MgBetaEntitlementManagementAccessPackageAssignment -AccessPackageId $accesspackage.Id -AssignmentPolicyId $policy.Id -RequiredGroupMember $members
189210
```
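Review bot: The access package is now checked on line 207, but `$members` from `Get-MgGroupMember` on line 204 is not, so a group with no members reaches `-RequiredGroupMember $members` with an empty list; add the same kind of guard for the member list.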
@@ -196,6 +217,7 @@ If you wish to add an assignment for a user who is not yet in your directory, yo
196217
```powershell
197218
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
198219
$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty "assignmentPolicies"
220+
if ($null -eq $accesspackage) { throw "no access package"}
199221
$policy = $accesspackage.AssignmentPolicies[0]
200222
$req = New-MgBetaEntitlementManagementAccessPackageAssignmentRequest -AccessPackageId $accesspackage.Id -AssignmentPolicyId $policy.Id -TargetEmail "[email protected]"
201223
```

articles/active-directory/governance/entitlement-management-access-package-requests.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,8 @@ If you have a set of users whose requests are in the "Partially Delivered" or "F
4949
### View requests with Microsoft Graph
5050
You can also retrieve requests for an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignmentRequests](/graph/api/entitlementmanagement-list-accesspackageassignmentrequests?view=graph-rest-beta&preserve-view=true). While an identity governance administrator can retrieve access package requests from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$expand=accessPackage&$filter=accessPackage/id eq '9bbe5f7d-f1e7-4eb1-a586-38cdf6f8b1ea'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve requests across all catalogs.
5151

52+
Microsoft Graph will return the results in pages, and will continue to return a reference to the next page of results in the `@odata.nextLink` property with each response, until all pages of the results have been read. To read all results, you must continue to call Microsoft Graph with the `@odata.nextLink` property returned in each response until the `@odata.nextLink` property is no longer returned, as described in [paging Microsoft Graph data in your app](/graph/paging).
53+
5254
## Remove request (Preview)
5355

5456
You can also remove a completed request that is no longer needed. To remove a request:
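Review bot: The paging paragraph added at line 52 is word-for-word the one added to entitlement-management-access-package-assignments.md in this commit, but here the catalog-specific `$filter` guidance stays inside the first paragraph while the assignments article moves it into its own paragraph after the paging note; apply the same split here so the two articles read alike. The first sentence could also be shortened, since "until all pages of the results have been read" is restated by the second sentence.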

articles/active-directory/governance/entitlement-management-catalog-create.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -187,8 +187,10 @@ You can also add a resource to a catalog in PowerShell with the `New-MgEntitleme
187187
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All,Group.ReadWrite.All"
188188
189189
$g = Get-MgGroup -Filter "displayName eq 'Marketing'"
190+
if ($null -eq $g) {throw "no group" }
190191
191192
$catalog = Get-MgEntitlementManagementCatalog -Filter "displayName eq 'Marketing'"
193+
if ($null -eq $catalog) { throw "no catalog" }
192194
$params = @{
193195
requestType = "adminAdd"
194196
resource = @{
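Review bot: The guards added on lines 190 and 193 catch a missing group or catalog, but both lookups filter on `displayName eq 'Marketing'` and nothing ensures exactly one match; if two groups share that name the script would carry on with more than one object, so consider failing when more than one result is returned. Brace spacing also differs between the two lines (`{throw "no group" }` versus `{ throw "no catalog" }`).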

articles/active-directory/reports-monitoring/concept-diagnostic-settings-logs-options.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.topic: conceptual
1010
ms.workload: identity
1111
ms.subservice: report-monitor
12-
ms.date: 08/09/2023
12+
ms.date: 09/28/2023
1313
ms.author: sarahlipsey
1414
ms.reviewer: besiler
1515

@@ -86,7 +86,9 @@ The `EnrichedOffice365AuditLogs` logs are associated with the enriched logs you
8686

8787
### Microsoft Graph activity logs
8888

89-
The `MicrosoftGraphActivityLogs` logs are associated with a feature that is still in private preview. The logs are visible in Microsoft Entra ID, but selecting these options won't add new logs to your workspace unless your organization was included in the private preview.
89+
The `MicrosoftGraphActivityLogs` provide administrators full visibility into all HTTP requests accessing your tenant's resources through the Microsoft Graph API. You can use these logs to identify activities that a compromised user account conducted in your tenant or to investigate problematic or unexpected behaviors for client applications, such as extreme call volumes. Route these logs to the same Log Analytics workspace with `SignInLogs` to cross-reference details of token requests for sign-in logs.
90+
91+
The feature is currently in public preview. For more information, see [Access Microsoft Graph activity logs (preview)](/graph/microsoft-graph-activity-logs-overview).
9092

9193
### Network access traffic logs
9294
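Review bot: The last sentence of the new paragraph on line 89, "to cross-reference details of token requests for sign-in logs", does not tell the reader what to correlate on; state which value in a `MicrosoftGraphActivityLogs` record links to a `SignInLogs` record, or link to the part of the overview that does. "The `MicrosoftGraphActivityLogs` provide" should read "The `MicrosoftGraphActivityLogs` logs provide" to match the neighbouring sections, and "administrators ... your tenant's" mixes third and second person in one sentence.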

articles/active-directory/reports-monitoring/toc.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,8 @@ items:
2525
href: concept-sign-in-log-activity-details.md
2626
- name: Provisioning logs
2727
href: concept-provisioning-logs.md
28+
- name: Microsoft Graph activity logs
29+
href: /graph/microsoft-graph-activity-logs-overview?toc=/azure/active-directory/reports-monitoring/toc.json&bc=/azure/active-directory/reports-monitoring/breadcrumb/toc.json
2830
- name: How-to guides
2931
expanded: true
3032
items:
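Review bot: The new TOC entry on line 28 is named "Microsoft Graph activity logs", while concept-diagnostic-settings-logs-options.md in this commit says the feature is in public preview and links to "Access Microsoft Graph activity logs (preview)"; consider adding "(preview)" to the `name` so the TOC matches.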
