Merge pull request #6309 from MicrosoftDocs/main

12/13/2024 AM Publish

docs/fundamentals/properties-area.yml

@@ -6,7 +6,7 @@ metadata:
   description: Add your organization's privacy information, privacy contact, and technical contact to your directory.
   author: barclayn
   ms.author: barclayn
-  ms.date: 12/04/2023
+  ms.date: 12/13/2024
   ms.service: entra
   ms.topic: how-to
   ms.custom:

docs/global-secure-access/toc.yml

@@ -184,6 +184,8 @@ items:
         href: troubleshoot-global-secure-access-client-advanced-diagnostics.md
       - name: "Troubleshoot the Global Secure Access client: Health check tab"
         href: troubleshoot-global-secure-access-client-diagnostics-health-check.md
+      - name: "Troubleshoot Distributed File System (DFS) issues"
+        href: troubleshoot-distributed-file-system.md
   - name: Partner ecosystem
     expanded: true
     items:

docs/global-secure-access/troubleshoot-distributed-file-system.md

@@ -0,0 +1,70 @@
+---
+title: Learn how to solve an issue where Global Secure Access fails with a Distributed File System
+description: A troubleshooting article that includes a workaround for a case where a Distributed File System (DFS) doesn't operate correctly with Global Secure Access.
+author: kenwith
+ms.author: kenwith
+manager: amycolannino
+ms.topic: troubleshooting
+ms.date: 12/13/2024
+ms.service: global-secure-access
+ms.subservice: entra-private-access 
+ms.reviewer: nbeesetti
+ai-usage: ai-assisted
+#customer intent: As a administrator, I want to understand how to work around an issue with Global Secure Access and a Distributed File System.
+---
+
+# Troubleshoot Distributed File System issue with Global Secure Access
+This document presents a case where a Distributed File System (DFS) doesn't operate correctly with Global Secure Access and offers a temporary workaround. 
+
+The scenario involves accessing a file-share location. For instance, consider a DFS path: `\\foo.internal\share\bar`. The `bar` folder is set up as shown in the table: 
+
+| Referral Status | Site       | Path                        |
+|-----------------|------------|-----------------------------|
+| Enabled         | Location1  | \\foo-loc1.contoso.com\bar  |
+| Enabled         | Location2  | \\foo-loc2.contoso.com\bar  |
+| Enabled         | Location3  | \\foo-loc3.contoso.com\bar  | 
+
+
+Furthermore, site-locations are configured as: 
+
+- Location1: `10.0.0.1 – 10.0.0.10`
+- Location2: `10.0.0.11 – 10.0.0.20`
+- Location3: `10.0.0.21 – 10.0.0.30`
+
+If a user tries to access the common DFS path and appears to be coming from the IP address `10.0.0.3`, then the user should get directed to the path: `\\foo-loc1.contoso.com\bar`. The IPs are usually the addresses of VPN locations, and don't correspond to the clients original IP.
+
+:::image type="content" source="media/troubleshoot-distributed-file-system/dfs-1.png" alt-text="Diagram showing the connection between VPN and DFS.":::
+
+## Issue
+IP-based network Access Control Lists (ACL) don't work with Global Secure Access as there’s no VPN in the middle. However, the employee computer should still be referred to the appropriate fileshare.
+
+## Workaround
+The proposed workaround for the above-mentioned scenario is as follows. 
+
+As a workaround, we suggest moving this employee-to-fileshare mapping to the employee computer (as a Domain Name System (DNS) search suffix), so the traffic would be: 
+
+
+:::image type="content" source="media/troubleshoot-distributed-file-system/dfs-2.png" alt-text="Diagram showing the connector.":::
+
+The workaround is to make changes in the network-architecture in the environment: 
+
+1. Add more `C-NAME DNS` records (aliases) on domain controllers: 
+    - `shares.foo-loc1.contoso.com` **->** `foo-loc1.contoso.com` 
+    - `shares.foo-loc2.contoso.com` **->** `foo-loc2.contoso.com` 
+    - `shares.foo-loc3.contoso.com` **->** `foo-loc3.contoso.com` 
+2. Push DNS search suffixes to the employees’ computer such that: 
+    - Employees at *Location1* get suffix: `foo-loc1.contoso.com` 
+    - Employees at *Location2* get suffix: `foo-loc2.contoso.com` 
+    - Employees at *Location3* get suffix: `foo-loc3.contoso.com` 
+3. Now a dedicated Global Secure Access application can be created for each of the following Fully Qualified Domain Names (FQDNs) (or their IPs): 
+    - `foo-loc1.contoso.com`
+    - `foo-loc2.contoso.com` 
+    - `foo-loc3.contoso.com` 
+4. Each of these applications maps to the connector (via connector group specified in the app) in the corresponding location. 
+
+After these changes, the employees accessing the common path: `\\shares\bar` from *Location1* are directed to the website: `\\foo-loc1.contoso.com\bar`, and likewise for other locations.
+
+
+## Related content
+- [What is Global Secure Access?](overview-what-is-global-secure-access.md)
+

docs/id-governance/create-access-review-pim-for-groups.md

@@ -7,7 +7,7 @@ editor: markwahl-msft
 ms.service: entra-id-governance
 ms.subservice: access-reviews
 ms.topic: how-to
-ms.date: 08/12/2024
+ms.date: 12/13/2024
 ms.author: owinfrey
 ms.reviewer: jgangadhar
 ---
@@ -18,10 +18,7 @@ This article describes how to create one or more access reviews for PIM for Grou
 
 ## Prerequisites
 
-- Microsoft Entra ID Governance License.
-- Only users in the Global Administrator, Identity Governance Administrator, or Privileged Role Administrator role can create reviews on PIM for Groups. For more information, see [Use Microsoft Entra groups to manage role assignments](../identity/role-based-access-control/groups-concept.md).
-
-For more information, see [License requirements](access-reviews-overview.md#license-requirements).
+[!INCLUDE [Microsoft Entra ID Governance license](../includes/entra-entra-governance-license.md)]
 
 ## Create a PIM for Groups access review
 

docs/id-governance/create-access-review.md

@@ -7,7 +7,7 @@ editor: markwahl-msft
 ms.service: entra-id-governance
 ms.subservice: access-reviews
 ms.topic: how-to
-ms.date: 07/23/2024
+ms.date: 12/13/2024
 ms.author: owinfrey
 ms.reviewer: mwahl
 ---
@@ -30,16 +30,7 @@ This article describes how to create one or more access reviews for group member
 
 ## Prerequisites
 
-- Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses.  
-- Creating a review on inactive users, or with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations, requires a Microsoft Entra ID Governance license.
-- Global Administrator or Identity Governance Administrator to create reviews on groups or applications.
-- Users must be at least a Privileged Role Administrator to create reviews on role-assignable groups. For more information, see [Use Microsoft Entra groups to manage role assignments](../identity/role-based-access-control/groups-concept.md).
-- Microsoft 365 and Security group owner.
-
-For more information, see [License requirements](access-reviews-overview.md#license-requirements).
-
-> [!NOTE]
-> Following least privilege access, we recommend using the Identity Governance Administrator role.
+[!INCLUDE [Microsoft Entra ID Governance license](../includes/entra-entra-governance-license.md)]
 
 If you're reviewing access to an application, then before you create the review, see the article on how to [prepare for an access review of users' access to an application](access-reviews-application-preparation.md) to ensure the application is integrated with Microsoft Entra ID in your tenant.
 

docs/id-governance/entitlement-management-access-reviews-create.md

@@ -6,7 +6,7 @@ manager: amycolannino
 ms.service: entra-id-governance
 ms.subservice: entitlement-management
 ms.topic: how-to
-ms.date: 07/15/2024
+ms.date: 12/13/2024
 ms.author: owinfrey
 #Customer intent: As an administrator, I want to create an access review for my access packages so I can review the active assignments of my users to ensure everyone has the appropriate access.
 ---
@@ -16,14 +16,7 @@ To reduce the risk of stale access, you should enable periodic reviews of users
 
 ## Prerequisites
 
-To enable reviews of access packages, you must meet the prerequisites for creating an access package:
-- Microsoft Entra ID P2 or Microsoft Entra ID Governance
-- Global Administrator, Identity Governance Administrator, Catalog owner, or Access package manager
-
-> [!NOTE]
-> Following least privilege access, we recommend using the Identity Governance Administrator, catalog owner, or Access package manager role.
-
-For more information, see [License requirements](entitlement-management-overview.md#license-requirements).
+[!INCLUDE [Microsoft Entra ID Governance license](../includes/entra-entra-governance-license.md)]
 
 ## Create an access review of an access package
 

docs/id-governance/entitlement-management-access-reviews-review-access.md

@@ -6,7 +6,7 @@ manager: amycolannino
 ms.service: entra-id-governance
 ms.subservice: entitlement-management
 ms.topic: how-to
-ms.date: 07/15/2024
+ms.date: 12/13/2024
 ms.author: owinfrey
 #Customer intent: As an administrator, I want to review the active assignments of my users to ensure everyone has the appropriate access.
 ---
@@ -16,22 +16,12 @@ Entitlement management simplifies how enterprises manage access to groups, appli
 
 ## Prerequisites
 
-To review users' active access package assignments, the creator of a review must satisfy these prerequisites:
-- Microsoft Entra ID P2 or Microsoft Entra ID Governance
-- Global Administrator or Identity Governance Administrator role
-
-> [!NOTE]
-> Following least privilege access, we recommend using the Identity Governance Administrator role.
-
-For more information, see [License requirements](entitlement-management-overview.md#license-requirements).
-
->[!NOTE]
->The reviewer can be anyone the creator of a review selects (group owner, manager of user, the user themselves, or any selected user or group).
+[!INCLUDE [Microsoft Entra ID Governance license](../includes/entra-entra-governance-license.md)]
 
 
 ## Open the access review
 
-Use the following steps to find and open the access review:
+As at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator), use the following steps to find and open the access review:
 
 1. You could receive an email from Microsoft that asks you to review access. Locate the email to open the access review. Here's an example email to review access:
 

docs/id-governance/manage-access-review.md

@@ -7,7 +7,7 @@ editor: markwahl-msft
 ms.service: entra-id-governance
 ms.subservice: access-reviews
 ms.topic: conceptual
-ms.date: 04/09/2024
+ms.date: 12/13/2024
 ms.author: owinfrey
 ms.reviewer: mwahl
 ---
@@ -21,9 +21,7 @@ With access reviews, you can easily ensure that users or guests have appropriate
  
 ## Prerequisites
 
-- Microsoft Entra ID P2 or Microsoft Entra ID Governance
-
-For more information, see [License requirements](access-reviews-overview.md#license-requirements).
+[!INCLUDE [Microsoft Entra ID Governance license](../includes/entra-entra-governance-license.md)]
 
 ## Create and perform an access review for users
 First, you must be assigned one of the following roles:

docs/id-governance/privileged-identity-management/groups-assign-member-owner.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: entra-id-governance
 ms.topic: conceptual
 ms.subservice: privileged-identity-management
-ms.date: 09/12/2023
+ms.date: 12/13/2024
 ms.author: barclayn
 ms.reviewer: ilyal
 ms.custom: pim
@@ -30,7 +30,7 @@ When a membership or ownership is assigned, the assignment:
 
 [!INCLUDE [portal updates](~/includes/portal-update.md)]
 
-Follow these steps to make a user eligible member or owner of a group. You'll need permissions to manage groups. For role-assignable groups, you need to be at least a Privileged Role Administrator role or be an Owner of the group. For non-role-assignable groups, you need to be at least a Directory Writer, Groups Administrator, or Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level). 
+Follow these steps to make a user eligible member or owner of a group. You need permissions to manage groups. For role-assignable groups, you need to be at least a Privileged Role Administrator role or be an Owner of the group. For non-role-assignable groups, you need to be at least a Directory Writer, Groups Administrator, or Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level). 
 
 > [!NOTE]
 > Other roles with permissions to manage groups (such as Exchange Administrators for non-role-assignable M365 groups) and administrators with assignments scoped at administrative unit level can manage groups through Groups API/UX and override changes made in Microsoft Entra PIM.
@@ -62,7 +62,7 @@ Follow these steps to make a user eligible member or owner of a group. You'll ne
 1. Select **Next**.
 
 1. In the Assignment type list, select Eligible or Active. Privileged Identity Management provides two distinct assignment types:
-    - Eligible assignment requires member or owner to perform an activation to use the role. Activations may also require providing a multi-factor authentication (MFA), providing a business justification, or requesting approval from designated approvers.
+    - Eligible assignment requires member or owner to perform an activation to use the role. Activations may also require providing a multifactor authentication (MFA), providing a business justification, or requesting approval from designated approvers.
     > [!IMPORTANT]
     > For groups used for elevating into Microsoft Entra roles, Microsoft recommends that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from another administrator with permission to reset an eligible user's passwords.
     - Active assignments don't require the member to perform any activations to use the role. Members or owners assigned as active have the privileges assigned to the role at all times.
@@ -77,7 +77,7 @@ Follow these steps to make a user eligible member or owner of a group. You'll ne
 
 [!INCLUDE [portal updates](~/includes/portal-update.md)]
 
-Follow these steps to update or remove an existing role assignment. You'll need permissions to manage groups. For role-assignable groups, you need to be at least a Privileged Role Administrator role or be an Owner of the group. For non-role-assignable groups, you need to have at least the Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level). 
+Follow these steps to update or remove an existing role assignment. You need permissions to manage groups. For role-assignable groups, you need to be at least a Privileged Role Administrator role or be an Owner of the group. For non-role-assignable groups, you need to have at least the Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level). 
 
 > [!NOTE]
 > Other roles with permissions to manage groups (such as Exchange Administrators for non-role-assignable M365 groups) and administrators with assignments scoped at administrative unit level can manage groups through Groups API/UX and override changes made in Microsoft Entra PIM.