Dirty PR

Author: AbhishekMallick-MS

.openpublishing.redirection.active-directory.json

@@ -5465,6 +5465,11 @@
       "redirect_url": "/azure/active-directory/reports-monitoring/reference-sla-performance",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/active-directory/fundamentals/licensing-whatis-azure-portal.md",
+      "redirect_url": "/azure/active-directory/fundamentals/concept-group-based-licensing",
+      "redirect_document_id": false
+    }, 
     {
       "source_path_from_root": "/articles/active-directory/reports-monitoring/quickstart-filter-audit-log.md",
       "redirect_url": "/azure/active-directory/reports-monitoring/howto-customize-filter-logs",

articles/active-directory/fundamentals/licensing-whatis-azure-portal.md renamed to articles/active-directory/fundamentals/concept-group-based-licensing.md

@@ -1,6 +1,6 @@
 ---
 title: What is group-based licensing
-description: Learn about Microsoft Entra group-based licensing, including how it works and best practices.
+description: Learn about Microsoft Entra group-based licensing, including how it works, key features, and best practices.
 services: active-directory
 keywords: Azure AD licensing
 author: barclayn
@@ -10,11 +10,11 @@ ms.service: active-directory
 ms.subservice: fundamentals
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 07/11/2023
+ms.date: 09/28/2023
 ms.author: barclayn
 ms.reviewer: krbain
-ms.custom: "it-pro, seodec18"
-ms.collection: M365-identity-device-management
+
+# Customer intent: As an IT admin, I want to understand group-based licensing, so I can effectively assign licenses to users in my organization.
 ---
 
 # What is group-based licensing in Microsoft Entra ID?

articles/active-directory/fundamentals/how-to-manage-groups.md

@@ -1,6 +1,6 @@
 ---
 title: How to manage groups
-description: Instructions about how to manage Microsoft Entra groups and group membership.
+description: Instructions about how to create and update Microsoft Entra groups, such as membership and settings.
 services: active-directory
 author: shlipsey3
 manager: amycolannino
@@ -12,6 +12,9 @@ ms.topic: how-to
 ms.date: 09/12/2023
 ms.author: sarahlipsey
 ms.reviewer: krbain
+
+# Customer Intent: As an IT admin, I want to learn how to create groups, add members, and adjust setting so that I can grant the right access to the right services for the right people.
+
 ---
 # Manage Microsoft Entra groups and group membership
 
@@ -43,6 +46,8 @@ To create a basic group and add members:
 
 1. Enter a **Group name.** Choose a name that you'll remember and that makes sense for the group. A check will be performed to determine if the name is already in use. If the name is already in use, you'll be asked to change the name of your group.
 
+    - The name of the group can't start with a space. Starting the name with a space prevents the group from appearing as an option for steps such as adding role assignments to group members.
+
 1. **Group email address**: Only available for Microsoft 365 group types. Enter an email address manually or use the email address built from the Group name you provided.
 
 1. **Group description.** Add an optional description to your group.
@@ -192,7 +197,7 @@ You can remove an existing Security group from another Security group; however,
 
 You can delete a group for any number of reasons, but typically it will be because you:
 
-- Chose the incorrect **Group type** option.
+- Choose the incorrect **Group type** option.
 - Created a duplicate group by mistake. 
 - No longer need the group.
 

articles/active-directory/fundamentals/how-to-rename-azure-ad.md

@@ -131,7 +131,6 @@ $terminology = @(
     @{ Key = 'Azure AD seamless single sign-on'; Value = 'Microsoft Entra seamless single sign-on' },
     @{ Key = 'Azure AD self-service password reset'; Value = 'Microsoft Entra self-service password reset' },
     @{ Key = 'Azure AD SSPR'; Value = 'Microsoft Entra SSPR' },
-    @{ Key = 'Azure AD SSPR'; Value = 'Microsoft Entra SSPR' },
     @{ Key = 'Azure AD domain'; Value = 'Microsoft Entra domain' },
     @{ Key = 'Azure AD group'; Value = 'Microsoft Entra group' },
     @{ Key = 'Azure AD login'; Value = 'Microsoft Entra login' },
@@ -297,10 +296,10 @@ $postTransforms = @(
 $terminology = $terminology.GetEnumerator() | Sort-Object -Property { $_.Key.Length } -Descending
 $postTransforms = $postTransforms.GetEnumerator() | Sort-Object -Property { $_.Key.Length } -Descending
 
-# Get all resx and resjson files in the current directory and its subdirectories, ignoring .gitignored files.
-Write-Host "Getting all resx and resjson files in the current directory and its subdirectories, ignoring .gitignored files."
+# Get all resx files in the current directory and its subdirectories, ignoring .gitignored files.
+Write-Host "Getting all resx files in the current directory and its subdirectories, ignoring .gitignored files."
 $gitIgnoreFiles = Get-ChildItem -Path . -Filter .gitignore -Recurse
-$targetFiles = Get-ChildItem -Path . -Include *.resx, *.resjson -Recurse
+$targetFiles = Get-ChildItem -Path . -Include *.resx -Recurse
 
 $filteredFiles = @()
 foreach ($file in $targetFiles) {
@@ -319,7 +318,7 @@ foreach ($file in $targetFiles) {
 $scriptPath = $MyInvocation.MyCommand.Path
 $filteredFiles = $filteredFiles | Where-Object { $_.FullName -ne $scriptPath }
 
-# This command will get all the files with the extensions .resx and .resjson in the current directory and its subdirectories, and then filter out those that match the patterns in the .gitignore file. The Resolve-Path cmdlet will find the full path of the .gitignore file, and the Get-Content cmdlet will read its content as a single string. The -notmatch operator will compare the full name of each file with the .gitignore content using regular expressions, and return only those that do not match.
+# This command will get all the files with the extensions .resx in the current directory and its subdirectories, and then filter out those that match the patterns in the .gitignore file. The Resolve-Path cmdlet will find the full path of the .gitignore file, and the Get-Content cmdlet will read its content as a single string. The -notmatch operator will compare the full name of each file with the .gitignore content using regular expressions, and return only those that do not match.
 Write-Host "Found $($filteredFiles.Count) files."
 
 function Update-Terminology {

articles/active-directory/governance/entitlement-management-access-package-assignments.md

@@ -61,19 +61,38 @@ To use entitlement management and assign users to access packages, you must have
 
 ## View assignments programmatically
 ### View assignments with Microsoft Graph
-You can also retrieve assignments in an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/entitlementmanagement-list-accesspackageassignments?view=graph-rest-beta&preserve-view=true). While an identity governance administrator can retrieve access packages from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve assignments across all catalogs.
+You can also retrieve assignments in an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/entitlementmanagement-list-accesspackageassignments?view=graph-rest-beta&preserve-view=true).  An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve assignments across all catalogs.
+
+Microsoft Graph will return the results in pages, and will continue to return a reference to the next page of results in the `@odata.nextLink` property with each response, until all pages of the results have been read. To read all results, you must continue to call Microsoft Graph with the `@odata.nextLink` property returned in each response until the `@odata.nextLink` property is no longer returned, as described in [paging Microsoft Graph data in your app](/graph/paging).
+
+While an identity governance administrator can retrieve access packages from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`.
 
 ### View assignments with PowerShell
 
-You can perform this query in PowerShell with the `Get-MgEntitlementManagementAssignment` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 2.1.x or later module version.  This script illustrates using the Microsoft Graph PowerShell cmdlets module version 2.4.0. This cmdlet takes as a parameter the access package ID, which is included in the response from the `Get-MgEntitlementManagementAccessPackage` cmdlet.
+You can also retrieve assignments to an access package in PowerShell with the `Get-MgEntitlementManagementAssignment` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 2.1.x or later module version.  This script illustrates using the Microsoft Graph PowerShell cmdlets module version 2.4.0 to retrieve all assignments to a particular access package. This cmdlet takes as a parameter the access package ID, which is included in the response from the `Get-MgEntitlementManagementAccessPackage` cmdlet.  Be sure when using the `Get-MgEntitlementManagementAccessPackage` cmdlet to include the `-All` flag to cause all pages of assignments to be returned.
 
 ```powershell
 Connect-MgGraph -Scopes "EntitlementManagement.Read.All"
 $accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq 'Marketing Campaign'"
+if ($null -eq $accesspackage) { throw "no access package"}
 $assignments = @(Get-MgEntitlementManagementAssignment -AccessPackageId $accesspackage.Id -ExpandProperty target -All -ErrorAction Stop)
 $assignments | ft Id,state,{$_.Target.id},{$_.Target.displayName}
 ```
 
+Note that the preceding query will return expired and delivering assignments as well as delivered assignments.  If you wish to exclude expired or delivering assignments, you can use a filter that includes the access package ID as well as the state of the assignments.  This script illustrates using a filter to retrieve only the assignments in state `Delivered` for a particular access package. The script will then generate a CSV file `assignments.csv`, with one row per assignment.
+
+```powershell
+Connect-MgGraph -Scopes "EntitlementManagement.Read.All"
+$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq 'Marketing Campaign'"
+if ($null -eq $accesspackage) { throw "no access package"}
+$accesspackageId = $accesspackage.Id
+$filter = "accessPackage/id eq '" + $accesspackageId + "' and state eq 'Delivered'"
+$assignments = @(Get-MgEntitlementManagementAssignment -Filter $filter -ExpandProperty target -All -ErrorAction Stop)
+$sp = $assignments | select-object -Property Id,{$_.Target.id},{$_.Target.ObjectId},{$_.Target.DisplayName},{$_.Target.PrincipalName}
+$sp | Export-Csv -Encoding UTF8 -NoTypeInformation -Path ".\assignments.csv"
+```
+
+
 ## Directly assign a user 
 
 In some cases, you might want to directly assign specific users to an access package so that users don't have to go through the process of requesting the access package. To directly assign users, the access package must have a policy that allows administrator direct assignments.
@@ -158,7 +177,8 @@ You can assign a user to an access package in PowerShell with the `New-MgEntitle
 
 ```powershell
 Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
-$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty assignmentpolicies
+$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty "assignmentpolicies"
+if ($null -eq $accesspackage) { throw "no access package"}
 $policy = $accesspackage.AssignmentPolicies[0]
 $userid = "cdbdf152-82ce-479c-b5b8-df90f561d5c7"
 $params = @{
@@ -184,6 +204,7 @@ Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All,Directory.Read.All"
 $members = @(Get-MgGroupMember -GroupId "a34abd69-6bf8-4abd-ab6b-78218b77dc15" -All)
 
 $accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty "assignmentPolicies"
+if ($null -eq $accesspackage) { throw "no access package"}
 $policy = $accesspackage.AssignmentPolicies[0]
 $req = New-MgBetaEntitlementManagementAccessPackageAssignment -AccessPackageId $accesspackage.Id -AssignmentPolicyId $policy.Id -RequiredGroupMember $members
 ```
@@ -196,6 +217,7 @@ If you wish to add an assignment for a user who is not yet in your directory, yo
 ```powershell
 Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
 $accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty "assignmentPolicies"
+if ($null -eq $accesspackage) { throw "no access package"}
 $policy = $accesspackage.AssignmentPolicies[0]
 $req = New-MgBetaEntitlementManagementAccessPackageAssignmentRequest -AccessPackageId $accesspackage.Id -AssignmentPolicyId $policy.Id -TargetEmail "[email protected]"
 ```

articles/active-directory/governance/entitlement-management-access-package-requests.md

@@ -49,6 +49,8 @@ If you have a set of users whose requests are in the "Partially Delivered" or "F
 ### View requests with Microsoft Graph
 You can also retrieve requests for an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignmentRequests](/graph/api/entitlementmanagement-list-accesspackageassignmentrequests?view=graph-rest-beta&preserve-view=true). While an identity governance administrator can retrieve access package requests from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$expand=accessPackage&$filter=accessPackage/id eq '9bbe5f7d-f1e7-4eb1-a586-38cdf6f8b1ea'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve requests across all catalogs.
 
+Microsoft Graph will return the results in pages, and will continue to return a reference to the next page of results in the `@odata.nextLink` property with each response, until all pages of the results have been read. To read all results, you must continue to call Microsoft Graph with the `@odata.nextLink` property returned in each response until the `@odata.nextLink` property is no longer returned, as described in [paging Microsoft Graph data in your app](/graph/paging).
+
 ## Remove request (Preview)
 
 You can also remove a completed request that is no longer needed. To remove a request:

articles/active-directory/governance/entitlement-management-catalog-create.md

@@ -187,8 +187,10 @@ You can also add a resource to a catalog in PowerShell with the `New-MgEntitleme
 Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All,Group.ReadWrite.All"
 
 $g = Get-MgGroup -Filter "displayName eq 'Marketing'"
+if ($null -eq $g) {throw "no group" }
 
 $catalog = Get-MgEntitlementManagementCatalog -Filter "displayName eq 'Marketing'"
+if ($null -eq $catalog) { throw "no catalog" }
 $params = @{
   requestType = "adminAdd"
   resource = @{

articles/active-directory/roles/permissions-reference.md

@@ -112,7 +112,7 @@ This article lists the Microsoft Entra built-in roles you can assign to allow ma
 > | [Teams Communications Support Specialist](#teams-communications-support-specialist) | Can troubleshoot communications issues within Teams using basic tools. | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 |
 > | [Teams Devices Administrator](#teams-devices-administrator) | Can perform management related tasks on Teams certified devices. | 3d762c5a-1b6c-493f-843e-55a3b42923d4 |
 > | [Tenant Creator](#tenant-creator) | Create new Microsoft Entra or Azure AD B2C tenants. | 112ca1a2-15ad-4102-995e-45b0bc479a6a |
-> | [Usage Summary Reports Reader](#usage-summary-reports-reader) | Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | 75934031-6c7e-415a-99d7-48dbd49e875e |
+> | [Usage Summary Reports Reader](#usage-summary-reports-reader) | Read Usage reports and Adoption Score, but can't access user details. | 75934031-6c7e-415a-99d7-48dbd49e875e |
 > | [User Administrator](#user-administrator) | Can manage all aspects of users and groups, including resetting passwords for limited admins.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | fe930be7-5e62-47db-91af-98c3a49a38b1 |
 > | [Virtual Visits Administrator](#virtual-visits-administrator) | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app. | e300d9e7-4a2b-4295-9eff-f1c78b36cc98 |
 > | [Viva Goals Administrator](#viva-goals-administrator) | Manage and configure all aspects of Microsoft Viva Goals. | 92b086b3-e367-4ef2-b869-1de128fb986e |
@@ -2425,7 +2425,15 @@ Assign the Tenant Creator role to users who need to do the following tasks:
 
 ## Usage Summary Reports Reader
 
-Users with this role can access tenant level aggregated data and associated insights in Microsoft 365 admin center for Usage and Productivity Score but cannot access any user level details or insights. In Microsoft 365 admin center for the two reports, we differentiate between tenant level aggregated data and user level details. This role gives an extra layer of protection on individual user identifiable data, which was requested by both customers and legal teams.
+Assign the Usage Summary Reports Reader role to users who need to do the following tasks in the Microsoft 365 admin center:
+
+- View the Usage reports and Adoption Score
+- Read organizational insights, but not personally identifiable information (PII) of users
+
+This role only allows users to view organizational-level data with the following exceptions:
+
+- Member users can view user management data and settings.
+- Guest users assigned this role can not view user management data and settings.
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |

articles/ai-services/translator/document-translation/quickstarts/document-translation-sdk.md

@@ -1,14 +1,14 @@
 ---
 title: "Document Translation C#/.NET or Python client library"
 titleSuffix: Azure AI services
-description: Use the Translator C#/.NET or Python client library (SDK) for cloud-based batch document translation service and process
+description: Use the Document Translator C#/.NET or Python client library (SDK) for cloud-based batch document translation service and process
 services: cognitive-services
 author: laujan
 manager: nitinme
 ms.service: azure-ai-translator
-ms.custom: build-2023, devx-track-dotnet, devx-track-python
-ms.topic: reference
-ms.date: 07/18/2023
+ms.custom: devx-track-dotnet, devx-track-python
+ms.topic: quickstart
+ms.date: 09/28/2023
 ms.author: lajanuar
 zone_pivot_groups: programming-languages-document-sdk
 ---