Merge pull request #5427 from MicrosoftDocs/main
Merge main to live, 4 AM
v-ccolin authored Oct 4, 2024
2 parents 525adc6 + d65af41 commit 224cdf8
Showing 42 changed files with 152 additions and 334 deletions.
10 changes: 10 additions & 0 deletions .openpublishing.redirection.json
Expand Up @@ -70,6 +70,16 @@
"redirect_url": "/entra/identity/monitoring-health/howto-analyze-activity-logs-with-microsoft-graph",
"redirect_document_id": false
},
{
"source_path_from_root": "/docs/identity/monitoring-health/concept-sign-in-diagnostics-scenarios.md",
"redirect_url": "/entra/identity/monitoring-health/howto-use-sign-in-diagnostics",
"redirect_document_id": false
},
{
"source_path_from_root": "/docs/identity/monitoring-health/plan-monitoring-and-reporting.md",
"redirect_url": "/entra/identity/monitoring-health/overview-monitoring-health",
"redirect_document_id": false
},
{
"source_path_from_root": "/docs/identity/monitoring-health/overview-flagged-sign-ins.md",
"redirect_url": "/entra/identity/monitoring-health/concept-flagged-sign-ins",
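Review bot: confirm that the two visible redirect targets, `/entra/identity/monitoring-health/howto-use-sign-in-diagnostics` and `/entra/identity/monitoring-health/overview-monitoring-health`, are published articles in this same merge (the hunk adds 16 lines but only two complete entries are shown here); a redirect whose target is missing turns an old bookmark into a hard 404 instead of a soft landing. `"redirect_document_id": false` matches the surrounding entries, so the old document IDs are intentionally not carried over.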
6 changes: 3 additions & 3 deletions docs/architecture/secure-resource-management.md
Expand Up @@ -6,9 +6,9 @@ manager: martinco
ms.service: entra
ms.subservice: architecture
ms.topic: conceptual
ms.date: 3/23/2023
ms.date: 10/03/2023
ms.author: justinha
ms.reviewer: ajburnle
ms.reviewer: justinha
---
# Azure resource management fundamentals

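Review bot: `ms.date: 10/03/2023` on the added line looks like a typo for `10/03/2024`; the commit itself is dated Oct 4, 2024 and the other files in this merge move their `ms.date` to 10/01/2024 and 10/03/2024. A date a year in the past will make the page look stale in freshness reports. Also note `ms.reviewer` is now the same person as `ms.author` (`justinha`), which is worth a second look if the reviewer field is meant to name a second pair of eyes.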
Expand Down Expand Up @@ -167,7 +167,7 @@ Microsoft Entra Domain Services provides a managed domain to facilitate authenti

An Azure AD B2C tenant is linked to an Azure subscription for billing and communication purposes. Azure AD B2C tenants have a self-contained role structure in the directory, which is independent from the Azure RBAC privileged roles of the Azure subscription.

When the Azure AD B2C tenant is initially provisioned, the user creating the B2C tenant must have contributor or owner permissions in the subscription. Upon creation, that user becomes the first Azure AD B2C tenant [Global Administrator](../identity/role-based-access-control/permissions-reference.md#global-administrator) and they can later create other accounts and assign them to directory roles.
When the Azure AD B2C tenant is initially provisioned, the user creating the B2C tenant must have contributor or owner permissions in the subscription. They can later create other accounts and assign them to directory roles. For more information, see [Overview of role-based access control in Microsoft Entra ID](/identity/role-based-access-control/custom-overview).

It's important to note that the owners and contributors of the linked Microsoft Entra subscription can remove the link between the subscription and the directory, which will affect the ongoing billing of the Azure AD B2C usage.

12 changes: 8 additions & 4 deletions docs/identity-platform/howto-update-permissions.md
Expand Up @@ -4,13 +4,15 @@ description: Learn how developers can stop applications from requesting unnecess
author: omondiatieno
manager: celesteDG
ms.author: jomondi
ms.date: 12/05/2023
ms.date: 10/01/2024
ms.reviewer: yuhko, ergreenl
ms.service: identity-platform

ms.topic: how-to
services: active-directory
zone_pivot_groups: enterprise-apps-with-ms-graph

#customer-intent: As a developer, I want to update an app's requested permissions in Microsoft Entra ID so that I can enhance security, improve user experience, and ensure compliance with privacy standards.
---
# Update an app's requested permissions in Microsoft Entra ID

Expand Down Expand Up @@ -167,7 +169,7 @@ Removing permissions can reduce the risk of exposing sensitive data or compromis

:::zone pivot="portal"

To stop requesting permissions that require static consent, you need to remove the permission from the **App registrations** pane. An admin of the tenant also needs to revoke the permission on the **Enterprise applications** pane. For more information on how to revoke permissions granted to an enterprise application, see [Revoke permissions for an enterprise application](~/identity/enterprise-apps/manage-application-permissions.md#review-and-revoke-permissions).
To stop requesting permissions that require static consent, you need to remove the permission from the **App registrations** pane. An admin of the tenant also needs to revoke the permission on the **Enterprise applications** pane. For more information on how to revoke permissions granted to an enterprise application, see [Revoke permissions for an enterprise application](~/identity/enterprise-apps/manage-application-permissions.md#review-and-revoke-permissions-in-the-microsoft-entra-admin-center).

In this section, you learn how to stop requesting permissions for static consent.

Expand Down Expand Up @@ -226,11 +228,13 @@ To complete the following steps of removing permissions, you need the following

### Stop requesting permissions with dynamic consent

When you need to remove delegated permissions from dynamic consent request, specify the scope parameter while leaving out the permissions that you want to remove. Removing the permissions ensures the app doesn't call the corresponding API.
When you need to remove delegated permissions from dynamic consent request, specify the scope parameter while leaving out the permissions that you want to remove. Removing the permissions ensures the app doesn't call the corresponding API.

This method only works for delegated permissions. Application permissions are requested and granted by an admin through static consent and aren't included in the scope parameter during the OAuth 2.0 authorization request.

To stop requesting permissions with dynamic consent:

- **Using Microsoft Graph**: Remove the unwanted Microsoft Graph delegated permissions from the \`scopes\` parameter. In this example, your application is requesting three permissions - `Analytics.Read`, `User.Read` and `Application.Read.All`. The delegated permission, `Analytics.Read` and application permission, `Application.Read.All` are no longer required for this app. It only requires `User.Read`.
- **Using Microsoft Graph**: Remove the unwanted Microsoft Graph delegated permissions from the \`scopes\` parameter. In this example, your application is requesting three delegated permissions - `Analytics.Read`, `User.Read` and `Application.Read`. The delegated permissions, `Analytics.Read` and `Application.Read` are no longer required for this app. It only requires `User.Read`.

The request should be similar to the following example:

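Review bot: `\`scopes\`` on the changed bullet escapes the backticks, so the rendered page shows literal backslashes instead of inline code; and the OAuth 2.0 parameter is called `scope` (singular) two paragraphs earlier in the same hunk ("specify the scope parameter", "the scope parameter during the OAuth 2.0 authorization request"), so the bullet should say `scope` to match. Also confirm that `Application.Read` is a real Microsoft Graph delegated permission before replacing `Application.Read.All`; `Application.Read.All` is itself available as a delegated permission, so the original example could have been kept while simply calling all three scopes delegated. Finally, "from dynamic consent request" should read "from a dynamic consent request", and the changed line otherwise appears identical to the removed one, which suggests a whitespace-only change.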
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ ms.reviewer: gkinasewitz, gustavosa
---
# Manage an external authentication method in Microsoft Entra ID (Preview)

An external authentication method (EAM) lets users choose an external provider to meet multifactor authentication (MFA) requirements when they sign to Microsoft Entra ID. An EAM can satisfy MFA requirements from Conditional Access policies, Microsoft Entra ID Protection risk-based Conditional Access policies, Privileged Identity Management (PIM) activation, and when the application itself requires MFA.
An external authentication method (EAM) lets users choose an external provider to meet multifactor authentication (MFA) requirements when they sign in to Microsoft Entra ID. An EAM can satisfy MFA requirements from Conditional Access policies, Microsoft Entra ID Protection risk-based Conditional Access policies, Privileged Identity Management (PIM) activation, and when the application itself requires MFA.

EAMs differ from federation in that the user identity is originated and managed in Microsoft Entra ID. With federation, the identity is managed in the external identity provider. EAMs require at least a Microsoft Entra ID P1 license.

32 changes: 15 additions & 17 deletions docs/identity/enterprise-apps/manage-application-permissions.md
Expand Up @@ -8,7 +8,7 @@ ms.service: entra-id
ms.subservice: enterprise-apps

ms.topic: how-to
ms.date: 05/04/2024
ms.date: 10/03/2024
ms.author: jawoods
ms.reviewer: phsignor
zone_pivot_groups: enterprise-apps-all
Expand All @@ -20,7 +20,7 @@ ms.custom: enterprise-apps, has-azure-ad-ps-ref

# Review permissions granted to enterprise applications

In this article, you learn how to review permissions granted to applications in your Microsoft Entra tenant. You may need to review permissions when you've detected a malicious application or the application has been granted more permissions than is necessary. You learn how to revoke permissions granted to the application using Microsoft Graph API and existing versions of PowerShell.
In this article, you learn how to review permissions granted to applications in your Microsoft Entra tenant. You might need to review permissions when you detect a malicious application, or one that has more permissions than is necessary. You learn how to revoke permissions granted to the application using Microsoft Graph API and existing versions of PowerShell.

The steps in this article apply to all applications that were added to your Microsoft Entra tenant via user or admin consent. For more information on consenting to applications, see [User and admin consent](user-admin-consent-overview.md).

Expand All @@ -32,27 +32,25 @@ To review permissions granted to applications, you need:
- One of the following roles: Cloud Application Administrator, Application Administrator.
- A Service principal owner who isn't an administrator is able to invalidate refresh tokens.

## Restoring permissions

Please see [Restore permissions granted to applications](restore-permissions.md) for information on how to restore permissions that have been revoked or deleted.

:::zone pivot="portal"

## Review and revoke permissions
## Review and revoke permissions in the Microsoft Entra admin center

[!INCLUDE [portal updates](~/includes/portal-update.md)]

You can access the Microsoft Entra admin center to view the permissions granted to an app. You can revoke permissions granted by admins for your entire organization, and you can get contextual PowerShell scripts to perform other actions.

To review an application's permissions that have been granted for the entire organization or to a specific user or group:
For information on how to restore revoked or deleted permissions, see [Restore permissions granted to applications](restore-permissions.md).

To review an application's permissions granted for the entire organization or to a specific user or group:

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
1. Select the application that you want to restrict access to.
1. Select **Permissions**.
1. To view permissions that apply to your entire organization, select the **Admin consent** tab. To view permissions granted to a specific user or group, select the **User consent** tab.
1. To view the details of a given permission, select the permission from the list. The **Permission Details** pane opens.
After you've reviewed the permissions granted to an application, you can revoke permissions granted by admins for your entire organization.
After reviewing the permissions granted to an application, you can revoke permissions granted by admins for your entire organization.
> [!NOTE]
> You can't revoke permissions in the **User consent** tab using the portal. You can revoke these permissions using Microsoft Graph API calls or PowerShell cmdlets. Go to the PowerShell and Microsoft Graph tabs of this article for more information.
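Review bot: the link to [Restore permissions granted to applications](restore-permissions.md) has moved from a top-level "Restoring permissions" section, which sat outside any zone pivot and was visible to every reader, to a sentence inside `:::zone pivot="portal"`; readers who select the Azure AD PowerShell, Microsoft Graph PowerShell or Microsoft Graph pivots will no longer see it, even though those are the pivots that can revoke user-consent grants (see the NOTE in this hunk) and are therefore the most likely to need the recovery path. Either keep the sentence outside the pivots or repeat it in each pivot. Minor: there is still no blank line between the "After reviewing the permissions ..." paragraph and `> [!NOTE]`.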
Expand All @@ -67,7 +65,7 @@ To revoke permissions in the **Admin consent** tab:

:::zone pivot="aad-powershell"

## Review and revoke permissions
## Review and revoke permissions using Azure AD PowerShell

Use the following Azure AD PowerShell script to revoke all permissions granted to an application. You need to sign in as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).

Expand All @@ -94,7 +92,7 @@ $spApplicationPermissions | ForEach-Object {
}
```

## Invalidate the refresh tokens
## Invalidate the refresh tokens using Azure AD PowerShell

Remove appRoleAssignments for users or groups to the application using the following scripts.

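Review bot: the renamed heading "Invalidate the refresh tokens using Azure AD PowerShell" still does not match its body, which says "Remove appRoleAssignments for users or groups to the application"; removing app role assignments and invalidating refresh tokens are different actions with different effects (an assignment removal stops future sign-ins, a token invalidation ends existing sessions). While the headings are being touched, align the heading and the first sentence so an admin responding to a suspicious app knows which of the two the script actually does. The same mismatch exists for the Microsoft Graph PowerShell and Microsoft Graph variants of this section.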
Expand All @@ -116,7 +114,7 @@ $assignments | ForEach-Object {

:::zone pivot="ms-powershell"

## Review and revoke permissions
## Review and revoke permissions using Microsoft Graph PowerShell

Use the following Microsoft Graph PowerShell script to revoke all permissions granted to an application. You need to sign in as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).

Expand Down Expand Up @@ -145,7 +143,7 @@ Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $Sp.Id -AppRoleA
}
```

## Invalidate the refresh tokens
## Invalidate the refresh tokens using Microsoft Graph PowerShell

Remove appRoleAssignments for users or groups to the application using the following scripts.

Expand All @@ -170,7 +168,7 @@ $spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrin

:::zone pivot = "ms-graph"

## Review and revoke permissions
## Review and revoke permissions using Microsoft Graph

To review permissions, Sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).

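Review bot: the unchanged context line `:::zone pivot = "ms-graph"` has spaces around `=`, unlike `:::zone pivot="portal"`, `:::zone pivot="aad-powershell"` and `:::zone pivot="ms-powershell"` elsewhere in the file; since this hunk is already editing the section, normalise it to `:::zone pivot="ms-graph"` to avoid relying on the zone parser tolerating the whitespace. Also, "To review permissions, Sign in to" should have a lowercase "sign".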
Expand Down Expand Up @@ -220,7 +218,7 @@ Run the following queries to review application permissions granted to an applic
DELETE https://graph.microsoft.com/v1.0/servicePrincipals/{resource-servicePrincipal-id}/appRoleAssignedTo/{appRoleAssignment-id}
```

## Invalidate the refresh tokens
## Invalidate the refresh tokens using Microsoft Graph

Run the following queries to remove appRoleAssignments of users or groups to the application.

Expand All @@ -247,11 +245,11 @@ Run the following queries to remove appRoleAssignments of users or groups to the
:::zone-end

> [!NOTE]
> Revoking the current granted permission won't stop users from re-consenting to the application. If you want to block users from consenting, read [Configure how users consent to applications](configure-user-consent.md).
> Revoking the current granted permission won't stop users from re-consenting to the application's requested permissions. You need to [stop the application from requesting the permissions through dynamic consent](~/identity-platform/howto-update-permissions.md). If you want to block users from consenting altogether, read [Configure how users consent to applications](configure-user-consent.md).
## Other authorization to consider

Delegated and application permissions are not the only ways to grant applications and users access to protected resources. Admins should be aware of other authorization systems that may grant access to sensitive information. Examples of various authorization systems at Microsoft include [Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference), [Exchange RBAC](/exchange/permissions-exo/application-rbac), and [Teams resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).
Delegated and application permissions aren't the only ways to grant applications and users access to protected resources. Admins should be aware of other authorization systems that might grant access to sensitive information. Examples of various authorization systems at Microsoft include [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference), [Exchange RBAC](/exchange/permissions-exo/application-rbac), and [Teams resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

## Next steps

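Review bot: the reworded NOTE says the admin "need[s] to stop the application from requesting the permissions through dynamic consent", but the article it links to (howto-update-permissions.md, also changed in this merge) covers both static consent (remove the permission from **App registrations**) and dynamic consent (drop it from the `scope` parameter); as written, an app that requests the permission statically is not addressed, and a user could re-consent to it after the revocation. Suggest "stop the application from requesting the permissions" with the link, without "through dynamic consent". Also add a blank line between the `> [!NOTE]` block and `## Other authorization to consider` so the heading is not visually glued to the note.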