Merge pull request #793 from MicrosoftDocs/main
12/11/2023 PM Publish
Taojunshen authored Dec 11, 2023
2 parents dc08093 + 220518c commit 17a5b0b
Showing 36 changed files with 77 additions and 229 deletions.
2 changes: 1 addition & 1 deletion docs/architecture/secure-best-practices.md
Expand Up @@ -134,7 +134,7 @@ Check this example to [create service principals with self-signed certificate](~

In the following sections are recommendations for Azure solutions. For general guidance on Conditional Access policies for individual environments, check the [Conditional Access Best practices](~/identity/conditional-access/overview.md), [Microsoft Entra Operations Guide](./ops-guide-auth.md), and [Conditional Access for Zero Trust](/azure/architecture/guide/security/conditional-access-zero-trust):

* Define [Conditional Access policies](~/identity/conditional-access/workload-identity.md) for the [Microsoft Azure Management](~/identity/authentication/howto-password-smart-lockout.md) cloud app to enforce identity security posture when accessing Azure Resource Manager. This should include controls on MFA and device-based controls to enable access only through secure workstations (more on this in the Privileged Roles section under Identity Governance). Additionally, use [Conditional Access to filter for devices](~/identity/conditional-access/concept-condition-filters-for-devices.md).
* Define [Conditional Access policies](~/identity/conditional-access/workload-identity.md) for the [Windows Azure Service Management API](~/identity/authentication/howto-password-smart-lockout.md) cloud app to enforce identity security posture when accessing Azure Resource Manager. This should include controls on MFA and device-based controls to enable access only through secure workstations (more on this in the Privileged Roles section under Identity Governance). Additionally, use [Conditional Access to filter for devices](~/identity/conditional-access/concept-condition-filters-for-devices.md).

* All applications onboarded to isolated environments must have explicit Conditional Access policies applied as part of the onboarding process.

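Review bot: the link targets in the renamed bullet look wrong and survive the rename unchanged. `[Windows Azure Service Management API](~/identity/authentication/howto-password-smart-lockout.md)` points at the smart lockout how-to rather than the cloud app reference, and `[Conditional Access policies](~/identity/conditional-access/workload-identity.md)` points at the workload identity page although the bullet describes user controls (MFA and device filters). Since only the display name changes here, consider pointing the app name at `~/identity/conditional-access/concept-conditional-access-cloud-apps.md#windows-azure-service-management-api`, the anchor this same commit introduces in users-default-permissions.md.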
2 changes: 1 addition & 1 deletion docs/architecture/secure-resource-management.md
Expand Up @@ -133,7 +133,7 @@ Azure ABAC builds on Azure RBAC by adding role assignment conditions based on at

## Conditional Access

Microsoft Entra [Conditional Access](~/identity/conditional-access/concept-conditional-access-cloud-apps.md) can be used to manage access to Azure management endpoints. Conditional Access policies can be applied to the Microsoft Azure Management cloud app to protect the Azure resource management endpoints such as:
Microsoft Entra [Conditional Access](~/identity/conditional-access/concept-conditional-access-cloud-apps.md) can be used to manage access to Azure management endpoints. Conditional Access policies can be applied to the Windows Azure Service Management API cloud app to protect the Azure resource management endpoints such as:

* Azure Resource Manager Provider (services)

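Review bot: the renamed app is plain text here while the same sentence already links Conditional Access to `concept-conditional-access-cloud-apps.md`; linking `Windows Azure Service Management API` to that page's `#windows-azure-service-management-api` anchor (used elsewhere in this commit) would let readers confirm the new name against the app list. The text also gives no hint whether policies that were created against the old "Microsoft Azure Management" name need to be recreated; one sentence on that would save readers a support ticket.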
8 changes: 4 additions & 4 deletions docs/external-id/b2b-tutorial-require-mfa.md
Expand Up @@ -39,7 +39,7 @@ In this tutorial, you will:
> [!div class="checklist"]
>
> - Test the sign-in experience before MFA setup.
> - Create a Conditional Access policy that requires MFA for access to a cloud app in your environment. In this tutorial, we’ll use the Microsoft Azure Management app to illustrate the process.
> - Create a Conditional Access policy that requires MFA for access to a cloud app in your environment. In this tutorial, we’ll use the Windows Azure Service Management API app to illustrate the process.
> - Use the What If tool to simulate MFA sign-in.
> - Test your Conditional Access policy.
> - Clean up the test user and policy.
Expand Down Expand Up @@ -96,7 +96,7 @@ To complete the scenario in this tutorial, you need:

:::image type="content" source="media/tutorial-mfa/tutorial-mfa-app-access.png" alt-text="Screenshot showing the Cloud apps page and the Select option." lightbox="media/tutorial-mfa/tutorial-mfa-app-access.png":::

1. On the **Select** page, choose **Microsoft Azure Management**, and then choose **Select**.
1. On the **Select** page, choose **Windows Azure Service Management API**, and then choose **Select**.

1. On the **New** page, in the **Access controls** section, choose the link under **Grant**.
1. On the **Grant** page, choose **Grant access**, select the **Require multifactor authentication** check box, and then choose **Select**.
Expand All @@ -123,9 +123,9 @@ To complete the scenario in this tutorial, you need:

1. Select the link under **Cloud apps, actions, or authentication content**. Choose **Select apps**, and then choose the link under **Select**.

:::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if-app.png" alt-text="Screenshot showing the Microsoft Azure Management app selected." lightbox="media/tutorial-mfa/tutorial-mfa-what-if-app.png":::
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if-app.png" alt-text="Screenshot showing the Windows Azure Service Management API app selected." lightbox="media/tutorial-mfa/tutorial-mfa-what-if-app.png":::

1. On the **Cloud apps** page, in the applications list, choose **Microsoft Azure Management**, and then choose **Select**.
1. On the **Cloud apps** page, in the applications list, choose **Windows Azure Service Management API**, and then choose **Select**.
1. Choose **What If**, and verify that your new policy appears under **Evaluation results** on the **Policies that will apply** tab.

:::image type="content" source="media/tutorial-mfa/tutorial-mfa-whatif-4.png" alt-text="Screenshot showing the results of the What If evaluation.":::
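Review bot: the alt text for `tutorial-mfa-what-if-app.png` now says the Windows Azure Service Management API app is selected, but the image source is unchanged, so unless the screenshot was re-captured it will still show the old "Microsoft Azure Management" name and contradict both the alt text and the step that follows it. The same applies to `tutorial-mfa-app-access.png` in the previous hunk. Either refresh both screenshots or keep the alt text generic ("Screenshot showing the selected cloud app").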
2 changes: 1 addition & 1 deletion docs/external-id/faq.yml
Expand Up @@ -103,7 +103,7 @@ sections:
9. Select **Done**.
10. On the **New** page, in the **Assignments** section, select **Cloud apps or actions**.
11. On the **Cloud apps or actions** page, choose **Select apps**, and then choose **Select**.
12. On the **Select** page, choose **Microsoft Azure Management**, and then choose **Select**.
12. On the **Select** page, choose **Windows Azure Service Management API**, and then choose **Select**.
13. On the **Cloud apps or actions** page, select **Done**.
- question: |
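Review bot: this FAQ's step labels ("Cloud apps or actions", then "Select apps" and "Select") differ from the portal labels used in b2b-tutorial-require-mfa.md in this same commit ("Cloud apps, actions, or authentication content"), so only the app name was refreshed here. If the rename is being made because the portal UI changed, the surrounding step labels should be checked against the current UI in the same change.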
2 changes: 1 addition & 1 deletion docs/fundamentals/users-default-permissions.md
Expand Up @@ -58,7 +58,7 @@ You can restrict default permissions for member users in the following ways:
| **Allow users to connect work or school account with LinkedIn** | Setting this option to **No** prevents users from connecting their work or school account with their LinkedIn account. For more information, see [LinkedIn account connections data sharing and consent](~/identity/users/linkedin-user-consent.md). |
| **Create security groups** | Setting this option to **No** prevents users from creating security groups. Global Administrators and User Administrators can still create security groups. To learn how, see [Microsoft Entra cmdlets for configuring group settings](~/identity/users/groups-settings-cmdlets.md). |
| **Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global Administrators and User Administrators can still create Microsoft 365 groups. To learn how, see [Microsoft Entra cmdlets for configuring group settings](~/identity/users/groups-settings-cmdlets.md). |
| **Restrict access to Microsoft Entra administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Microsoft Entra administration portal. <br>**Yes** Restricts non-administrators from browsing the Microsoft Entra administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It doesn't restrict access to Microsoft Entra data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It doesn't restrict access as long as a user is assigned a custom role (or any role). </p><p></p><p>**When should I use this switch?** <br>Use this option to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Don't use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management that blocks non-administrators access to [Microsoft Azure Management](~/identity/conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Microsoft Entra administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Microsoft Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management targets access to all Azure management. |
| **Restrict access to Microsoft Entra administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Microsoft Entra administration portal. <br>**Yes** Restricts non-administrators from browsing the Microsoft Entra administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It doesn't restrict access to Microsoft Entra data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It doesn't restrict access as long as a user is assigned a custom role (or any role). </p><p></p><p>**When should I use this switch?** <br>Use this option to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Don't use this switch as a security measure. Instead, create a Conditional Access policy that targets Windows Azure Service Management API that blocks non-administrators access to [Windows Azure Service Management API](~/identity/conditional-access/concept-conditional-access-cloud-apps.md#windows-azure-service-management-api). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Microsoft Entra administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Microsoft Entra administration portal** <br>A Conditional Access policy that targets Windows Azure Service Management API targets access to all Azure management. |
| **Restrict non-admin users from creating tenants** | Users can create tenants in the Microsoft Entra ID and Microsoft Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations. </p><p></p><p>**What does this switch do?** <br> Setting this option to **Yes** restricts creation of Microsoft Entra tenants to the Global Administrator or tenant creator roles. Setting this option to **No** allows non-admin users to create Microsoft Entra tenants. Tenant create will continue to be recorded in the Audit log. </p><p></p><p>**How do I grant only a specific non-administrator users the ability to create new tenants?** <br> Set this option to Yes, then assign them the tenant creator role.|
| **Restrict users from recovering the BitLocker key(s) for their owned devices** | This setting can be found in the Microsoft Entra admin center in the Device Settings. Setting this option to **Yes** restricts users from being able to self-service recover BitLocker key(s) for their owned devices. Users will have to contact their organization's helpdesk to retrieve their BitLocker keys. Setting this option to **No** allows users to recover their BitLocker key(s). |
| **Read other users** | This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag doesn't prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`. |
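Review bot: the new anchor `#windows-azure-service-management-api` must exist in `concept-conditional-access-cloud-apps.md` for this link to resolve; the old `#microsoft-azure-management` anchor is dropped, so the heading in the target page has to be renamed in the same change or the link breaks. Two smaller points in the row that this diff leaves untouched: the final bold label repeats the row title ("**Restrict access to the Microsoft Entra administration portal**") where it reads like a leftover heading for the sentence "A Conditional Access policy that targets Windows Azure Service Management API targets access to all Azure management", and "a specific non-administrator users" should be "specific non-administrator users". The guidance itself is sound: the row correctly says the switch is not a security measure because PowerShell and Graph access are not blocked by it, and points at a Conditional Access block policy instead.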
150 changes: 0 additions & 150 deletions docs/fundamentals/whats-new-archive.md
Expand Up @@ -2092,154 +2092,4 @@ With this new parity update, customers can now integrate non-gallery application
For more information, see [Claims mapping policy - Microsoft Entra](~/identity-platform/reference-claims-mapping-policy-type.md#claim-schema-entry-elements).


---

## June 2022


### Public preview - New provisioning connectors in the Azure AD Application Gallery - June 2022

**Type:** New feature
**Service category:** App Provisioning
**Product capability:** 3rd Party Integration


You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

- [Whimsical](~/identity/saas-apps/whimsical-provisioning-tutorial.md)

For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](~/identity/app-provisioning/user-provisioning.md).


---


### Public Preview - Roles are being assigned outside of Privileged Identity Management

**Type:** New feature
**Service category:** Privileged Identity Management
**Product capability:** Privileged Identity Management

Customers can be alerted on assignments made outside PIM either directly on the Azure portal or also via email. For the current public preview, the assignments are being tracked at the subscription level. For more information, see [Configure security alerts for Azure roles in Privileged Identity Management](~/id-governance/privileged-identity-management/pim-resource-roles-configure-alerts.md#alerts).

---


### General Availability - Temporary Access Pass is now available

**Type:** New feature
**Service category:** MFA
**Product capability:** User Authentication



Temporary Access Pass (TAP) is now generally available. TAP can be used to securely register password-less methods such as Phone Sign-in, phishing resistant methods such as FIDO2, and even help Windows onboarding (AADJ and WHFB). TAP also makes recovery easier when a user has lost or forgotten their strong authentication methods and needs to sign in to register new authentication methods. For more information, see: [Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods](~/identity/authentication/howto-authentication-temporary-access-pass.md).


---



### Public Preview of Dynamic Group support for MemberOf

**Type:** New feature
**Service category:** Group Management
**Product capability:** Directory



Create "nested" groups with Azure AD Dynamic Groups! This feature enables you to build dynamic Azure AD Security Groups and Microsoft 365 groups based on other groups! For example, you can now create Dynamic-Group-A with members of Group-X and Group-Y. For more information, see: [Steps to create a memberOf dynamic group](~/identity/users/groups-dynamic-rule-member-of.md#steps-to-create-a-memberof-dynamic-group).


---



### New Federated Apps available in Azure AD Application gallery - June 2022

**Type:** New feature
**Service category:** Enterprise Apps
**Product capability:** 3rd Party Integration



In June 2022 we've added the following 22 new applications in our App gallery with Federation support:

[Leadcamp Mailer](https://app.leadcamp.io/sign-in), [PULCE](https://ups.pulce.tech/index.php), [Hive Learning](~/identity/saas-apps/hive-learning-tutorial.md), [Planview LeanKit](~/identity/saas-apps/planview-leankit-tutorial.md), [Javelo](~/identity/saas-apps/javelo-tutorial.md), [きょうしつでビスケット,Agile Provisioning](https://online.viscuit.com/v1/all/?server=7), [xCarrier®](~/identity/saas-apps/xcarrier-tutorial.md), [Skillcast](~/identity/saas-apps/skillcast-tutorial.md), [JTRA](https://www.jingtengtech.com/r/#/register?id=1), [InnerSpace inTELLO](https://intello.innerspace.io/), [Seculio](~/identity/saas-apps/seculio-tutorial.md), [XplicitTrust Partner Console](https://console.xplicittrust.com/#/partner/auth), [Veracity Single-Sign On](https://www.veracity.com/), [Guardium Data Protection](~/identity/saas-apps/guardium-data-protection-tutorial.md), [IntellicureEHR v7](https://www.intellicure.com/wound-care-software/ehr/), [BMIS - Battery Management Information System](~/identity/saas-apps/battery-management-information-system-tutorial.md), [Finbiosoft Cloud](https://account.finbiosoft.com/), [Standard for Success K-12](~/identity/saas-apps/standard-for-success-tutorial.md), [E2open LSP](~/identity/saas-apps/e2open-lsp-tutorial.md), [TVU Service](~/identity/saas-apps/tvu-service-tutorial.md), [S4 - Digitsec](~/identity/saas-apps/s4-digitsec-tutorial.md).

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

For listing your application in the Azure AD app gallery, see the details here https://aka.ms/AzureADAppRequest





---



### General Availability – Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

**Type:** New feature
**Service category:** MS Graph
**Product capability:** Identity Security & Protection



We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0&preserve-view=true#federatedidpmfabehavior-values).

We highly recommend enabling this new protection when using Azure AD Multi-Factor Authentication as your multi factor authentication for your federated users. To learn more about the protection and how to enable it, visit [Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#enable-protection-to-prevent-by-passing-of-cloud-azure-ad-multi-factor-authentication-when-federated-with-azure-ad).


---



### Public Preview - New Azure portal All Users list and User Profile UI

**Type:** Changed feature
**Service category:** User Management
**Product capability:** User Management


We're enhancing the All Users list and User Profile in the Azure portal to make it easier to find and manage your users. Improvements include:


All Users List:
- Infinite scrolling (yes, no 'Load more')
- More user properties can be added as columns and filtered on
- Columns can be reordered via drag and drop
- Default columns shown and their order can be managed via the column picker
- The ability to copy and share the current view


User Profile:
- A new Overview page that surfaces insights (that is, group memberships, account enabled, MFA capable, risky user, etc.)
- A new monitoring tab
- More user properties can be viewed and edited in the properties tab

For more information, see: [User management enhancements in Azure Active Directory](~/identity/users/users-search-enhanced.md).

---



### General Availability - More device properties supported for Dynamic Device groups

**Type:** Changed feature
**Service category:** Group Management
**Product capability:** Directory



You can now create or update dynamic device groups using the following properties:
- deviceManagementAppId
- deviceTrustType
- extensionAttribute1-15
- profileType

For more information on how to use this feature, see: [Dynamic membership rule for device groups](~/identity/users/groups-dynamic-membership.md#rules-for-devices).


---
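Review bot: this hunk deletes the whole June 2022 section (150 lines) with no matching addition visible in this commit, so confirm the entries were moved to another archive file rather than dropped. In particular, the "Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD" entry documents the `federatedIdpMfaBehavior` setting, which is the control that stops a compromised federated account from asserting that MFA already happened at the IdP; that recommendation should stay reachable from somewhere in the docs set.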