diff --git a/.docutune/dictionaries/known-guids.json b/.docutune/dictionaries/known-guids.json index 8de0e83e852..32616820f5e 100644 --- a/.docutune/dictionaries/known-guids.json +++ b/.docutune/dictionaries/known-guids.json @@ -3348,5 +3348,7 @@ "Business Central Business Foundation": "f3552374-a1f2-4356-848e-196002525837", "Change password": "AB721A53-1E2F-11D0-9819-00AA0040529B", "ID of the Prevhost.exe surrogate host GUID" : "6d2b5079-2f0b-48dd-ab7f-97cec514d30b", - "32-bit preview handlers GUID" : "534A1E02-D58F-44f0-B58B-36CBED287C7C" + "32-bit preview handlers GUID" : "534A1E02-D58F-44f0-B58B-36CBED287C7C", + "Business Central Test Toolkit - Library Assert" : "dd0be2ea-f733-4d65-bb34-a28f4624fb14", + "Business Central Test Toolkit - Test Libraries" : "5d86850b-0d76-4eca-bd7b-951ad998e997" } diff --git a/docs/fundamentals/how-to-rename-azure-ad.yml b/docs/fundamentals/how-to-rename-azure-ad.yml index 0d7ff3778f6..c96a5a19a89 100644 --- a/docs/fundamentals/how-to-rename-azure-ad.yml +++ b/docs/fundamentals/how-to-rename-azure-ad.yml @@ -7,7 +7,7 @@ metadata: ms.author: celested manager: CelesteDG ms.reviewer: nicholepet - ms.date: 05/31/2024 + ms.date: 10/04/2024 ms.service: entra ms.subservice: fundamentals ms.topic: how-to @@ -229,6 +229,7 @@ procedureSection: @{ Key = 'Azure AD group'; Value = 'Microsoft Entra group' }, @{ Key = 'Azure AD login'; Value = 'Microsoft Entra login' }, @{ Key = 'Azure AD managed'; Value = 'Microsoft Entra managed' }, + @{ Key = 'Azure AD managed identities'; Value = 'Managed identities for Azure resources' }, @{ Key = 'Azure AD entitlement'; Value = 'Microsoft Entra entitlement' }, @{ Key = 'Azure AD access review'; Value = 'Microsoft Entra access review' }, @{ Key = 'Azure AD Identity Protection'; Value = 'Microsoft Entra ID Protection' }, diff --git a/docs/fundamentals/new-name.md b/docs/fundamentals/new-name.md index 3763f299d38..6afc0ce4caa 100644 --- a/docs/fundamentals/new-name.md +++ b/docs/fundamentals/new-name.md 
@@ -6,7 +6,7 @@ manager: CelesteDG ms.service: entra ms.subservice: fundamentals ms.topic: concept-article -ms.date: 03/05/2024 +ms.date: 10/04/2024 ms.author: celested ms.reviewer: nicholepet @@ -205,7 +205,7 @@ Only official product names are capitalized, plus Conditional Access and My * ap | **Category** | **Old terminology** | **Correct name as of July 2023** | |-------------------------|---------------------|----------------------------------| -| **Microsoft Entra product family** | Microsoft Azure Active Directory
Azure Active Directory
Azure Active Directory (Azure AD)
Azure AD
AAD | Microsoft Entra ID
(Second use: Microsoft Entra ID is preferred, ID is acceptable in product/UI experiences, ME-ID if abbreviation is necessary) | +| **Microsoft Entra product family** | Microsoft Azure Active Directory
Azure Active Directory
Azure Active Directory (Azure AD)
Azure AD
AAD | Microsoft Entra ID
(Second use: Microsoft Entra ID is preferred, Entra ID should be used sparingly and only when space is truly limited)

Acronym usage isn't encouraged, but if you must replace AAD with an acronym due to space limitations, use ME-ID. | | | Azure Active Directory External Identities
Azure AD External Identities | Microsoft Entra External ID
(Second use: External ID) | | | Azure Active Directory Identity Governance
Azure AD Identity Governance
Microsoft Entra Identity Governance | Microsoft Entra ID Governance
(Second use: ID Governance) | | | *New* | Microsoft Entra Internet Access
(Second use: Internet Access) | diff --git a/docs/id-governance/scenarios/automate-identity-lifecycle.md b/docs/id-governance/scenarios/automate-identity-lifecycle.md index 611adca2c23..ad2bd878a68 100644 --- a/docs/id-governance/scenarios/automate-identity-lifecycle.md +++ b/docs/id-governance/scenarios/automate-identity-lifecycle.md @@ -1,10 +1,11 @@ --- title: 'Automate identity lifecycle management with Microsoft Entra ID Governance' description: Describes overview of identity lifecycle management for Microsoft Entra ID Governance. -services: active-directory +ms.service: entra-id +ms.subservice: hybrid-cloud-sync author: billmath manager: amycolannino -ms.service: active-directory + ms.workload: identity ms.topic: overview ms.date: 02/28/2024 diff --git a/docs/id-governance/scenarios/deploy-sap-netweaver.md b/docs/id-governance/scenarios/deploy-sap-netweaver.md index 920fa5fdbe9..d56e7da03ba 100644 --- a/docs/id-governance/scenarios/deploy-sap-netweaver.md +++ b/docs/id-governance/scenarios/deploy-sap-netweaver.md @@ -1,12 +1,11 @@ --- title: 'Deploy SAP NetWeaver AS ABAP 7' description: This article describes how to set up a lab environment with SAP ECC for testing. -services: active-directory -documentationcenter: '' +ms.service: entra-id +ms.subservice: app-provisioning author: billmath manager: amycolannino -editor: '' -ms.service: active-directory + ms.topic: conceptual ms.date: 07/28/2023 ms.author: billmath diff --git a/docs/id-governance/scenarios/identity-governance-use-cases.md b/docs/id-governance/scenarios/identity-governance-use-cases.md index d3678c738f4..5efc57f9be8 100644 --- a/docs/id-governance/scenarios/identity-governance-use-cases.md +++ b/docs/id-governance/scenarios/identity-governance-use-cases.md 
@@ -1,12 +1,12 @@ --- title: 'Microsoft Entra ID Governance use cases' description: This article describes use cases Microsoft Entra ID Governance. -services: active-directory -documentationcenter: '' +ms.service: entra-id-governance + author: billmath manager: amycolannino -editor: '' -ms.service: active-directory + + ms.topic: conceptual ms.date: 02/28/2024 ms.author: billmath diff --git a/docs/id-governance/scenarios/least-privileged.md b/docs/id-governance/scenarios/least-privileged.md index 9cbc74d15d4..f1988e2616f 100644 --- a/docs/id-governance/scenarios/least-privileged.md +++ b/docs/id-governance/scenarios/least-privileged.md @@ -1,12 +1,13 @@ --- title: 'Understanding least privilege with Microsoft Entra ID Governance' description: This article describes the concept of least privilege and how it relates with Microsoft Entra ID Governance. -services: active-directory -documentationcenter: '' +ms.service: entra-id +ms.subservice: app-provisioning + author: billmath manager: amycolannino -editor: '' -ms.service: active-directory + + ms.topic: conceptual ms.date: 07/28/2023 ms.author: billmath diff --git a/docs/id-governance/scenarios/sap-template.md b/docs/id-governance/scenarios/sap-template.md index d0dcf8973d0..35f683f211e 100644 --- a/docs/id-governance/scenarios/sap-template.md +++ b/docs/id-governance/scenarios/sap-template.md @@ -1,12 +1,13 @@ --- title: 'Author SAP ECC 7 Template for ECMA2Host' description: This article describes how to create a template for the Web Service ECMA connector to manage SAP ECC users. -services: active-directory +ms.service: entra-id +ms.subservice: app-provisioning documentationcenter: '' author: billmath manager: amycolannino editor: '' -ms.service: active-directory + ms.topic: conceptual ms.date: 07/28/2023 ms.author: billmath 
diff --git a/docs/identity-platform/includes/native-auth-api/native-auth-challenge-type.md b/docs/identity-platform/includes/native-auth-api/native-auth-challenge-type.md index 12683a4c106..04c9b98d8b7 100644 --- a/docs/identity-platform/includes/native-auth-api/native-auth-challenge-type.md +++ b/docs/identity-platform/includes/native-auth-api/native-auth-challenge-type.md @@ -1,7 +1,7 @@ --- author: kengaderdus -ms.service: active-directory -ms.subservice: ciam +ms.service: entra-external-id +ms.subservice: customers ms.topic: include ms.date: 03/12/2024 ms.author: kengaderdus diff --git a/docs/identity/authentication/concept-authentication-methods-manage.md b/docs/identity/authentication/concept-authentication-methods-manage.md index 99d03e35eec..7f08c384d5f 100644 --- a/docs/identity/authentication/concept-authentication-methods-manage.md +++ b/docs/identity/authentication/concept-authentication-methods-manage.md @@ -5,7 +5,7 @@ description: Learn about the authentication methods policy and different ways to ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 10/03/2024 +ms.date: 10/04/2024 ms.author: justinha author: justinha 
@@ -72,10 +72,16 @@ Similarly, let's suppose you enable **Voice calls** for a group. After you enabl ## Migration between policies -The Authentication methods policy provides a migration path toward unified administration of all authentication methods. All desired methods can be enabled in the Authentication methods policy, assuming it has been defined the user groups required for each Authentication Method policy (unless it applies to All Users). After this user groups management activity, methods in the legacy MFA and SSPR policies can be disabled. Migration has three settings to let you move at your own pace, and avoid problems with sign-in or SSPR during the transition. After migration is complete, you'll centralize control over authentication methods for both sign-in and SSPR in a single place, and the legacy MFA and SSPR policies will be disabled. +The Authentication methods policy provides a migration guide to help unify administration of all authentication methods. All desired methods can be enabled in the Authentication methods policy if the policy targets intended user groups, or all users. The authentication methods migration guide automates the steps to audit your current policy settings for MFA and SSPR, and consolidate them in the Authentication methods policy. You can access the guide from the [Microsoft Entra admin center](https://entra.microsoft.com) by browsing to **Protection** > **Authentication methods** > **Policies**. + +:::image type="content" border="false" source="media/how-to-authentication-methods-manage/wizard-entry-point.png" alt-text="Screenshot of the Authentication methods policy blade with highlighted wizard entry point." + +You can also migrate policy settings manually. The migration has three settings to let you move at your own pace, and avoid problems with sign-in or SSPR during the transition. + +After migration is complete, methods in the legacy MFA and SSPR policies can be disabled. 
You can centralize control over authentication methods for both sign-in and SSPR in a single place, and the legacy MFA and SSPR policies will be disabled. >[!Note] ->Security questions can only be enabled today by using the legacy SSPR policy. In the future, it will be made available in the Authentication methods policy. If you're using security questions, and don't want to disable them, make sure to keep them enabled in the legacy SSPR policy until the new control is available in the future. You can migrate the remainder of your authentication methods and still manage security questions in the legacy SSPR policy. +>Security questions can only be enabled today by using the legacy SSPR policy. If you're using security questions, and don't want to disable them, make sure to keep them enabled in the legacy SSPR policy until a migration control is available. You can migrate the remainder of your authentication methods and still manage security questions in the legacy SSPR policy. To view the migration options, open the Authentication methods policy and click **Manage migration**. diff --git a/docs/identity/authentication/how-to-authentication-methods-manage.md b/docs/identity/authentication/how-to-authentication-methods-manage.md index 49019bc07ec..8ef22fc2211 100644 --- a/docs/identity/authentication/how-to-authentication-methods-manage.md +++ b/docs/identity/authentication/how-to-authentication-methods-manage.md @@ -7,6 +7,7 @@ ms.subservice: authentication ms.topic: conceptual ms.date: 10/04/2024 + ms.author: justinha author: justinha ms.reviewer: jpettere 
@@ -15,13 +16,41 @@ manager: amycolannino --- # How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID -You can migrate Microsoft Entra ID [legacy policy settings](concept-authentication-methods-manage.md#legacy-mfa-and-sspr-policies) that separately control multifactor authentication and self-service password reset (SSPR) to unified management with the [Authentication methods policy](./concept-authentication-methods-manage.md). +You can migrate Microsoft Entra ID [legacy policy settings](concept-authentication-methods-manage.md#legacy-mfa-and-sspr-policies) that separately control multifactor authentication (MFA) and self-service password reset (SSPR) to unified management with the [Authentication methods policy](./concept-authentication-methods-manage.md). + +You can use the authentication methods migration guide (preview) in the Microsoft Entra admin center to automate the migration. The guide provides a wizard to help audit your current policy settings for MFA and SSPR. Then it consolidates those settings in the Authentication methods policy, where they can be managed together more easily. -You migrate policy settings on your own schedule, and the process is fully reversible. You can continue to use tenant-wide MFA and SSPR policies while you configure authentication methods more precisely for users and groups in the Authentication methods policy. You complete the migration whenever you're ready to manage all authentication methods together in the Authentication methods policy. +You can also migrate policy settings manually on your own schedule. The migration process is fully reversible. You can continue to use tenant-wide MFA and SSPR policies while you configure authentication methods more precisely for users and groups in the Authentication methods policy. 
For more information about how these policies work together during migration, see [Manage authentication methods for Microsoft Entra ID](concept-authentication-methods-manage.md). -## Before you begin +## Automated migration guide +The automated migration guide lets you migrate where you manage authentication methods in just a few clicks. It can be accessed from the [Microsoft Entra admin center](https://entra.microsoft.com) by browsing to **Protection** > **Authentication methods** > **Policies**. + +:::image type="content" border="false" source="media/how-to-authentication-methods-manage/wizard-entry-point.png" alt-text="Screenshot of the Authentication methods policy blade with highlighted wizard entry point." + +The first page of the wizard explains what it is and how it works. It also provides links to each of the legacy policies for your reference. + +:::image type="content" border="false" source="media/how-to-authentication-methods-manage/wizard-first-page.png" alt-text="Screenshot of the Authentication methods policy blade with highlighted wizard first page." + + +The wizard then configures the Authentication method policy based on what your organization currently has enabled in the legacy MFA and SSPR policies. +If a method is enabled in either legacy policy, the recommendation is to also enable it in the Authentication method policy. +With that configuration, users can continue to sign in and reset their password by using the same method they used previously. + +In addition, we recommend you enable the latest modern, secure methods like passkeys, Temporary Access Pass, and Microsoft Authenticator to help improve your organizations security posture. +To edit the recommended configuration, select the pencil icon next to each method. + +:::image type="content" border="false" source="media/how-to-authentication-methods-manage/wizard-second-page.png" alt-text="Screenshot of the Authentication methods policy blade with highlighted wizard second page." 
+ +Once you're happy with the configuration, select **Migrate**, and then confirm the migration. +The Authentication methods policy gets updated to match the configuration specified in the wizard. +Authentication methods in the legacy MFA and SSPR policies become grayed out and no longer apply. + +Your migration status will be updated to **Migration Complete**. +You can change this status back to **In Progress** anytime to re-enable methods in the legacy policies if needed. + +## Manual migration Begin by doing an audit of your existing policy settings for each authentication method that's available for users. If you roll back during migration, you might want a record of the authentication method settings from each of these policies: diff --git a/docs/identity/authentication/how-to-certificate-based-authentication.md b/docs/identity/authentication/how-to-certificate-based-authentication.md index e97b534ba96..ece930a1779 100644 --- a/docs/identity/authentication/how-to-certificate-based-authentication.md +++ b/docs/identity/authentication/how-to-certificate-based-authentication.md @@ -5,7 +5,7 @@ description: Topic that shows how to configure Microsoft Entra certificate-based ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 09/17/2023 +ms.date: 10/04/2024 ms.author: justinha author: vimrang 
@@ -47,7 +47,9 @@ Make sure that the following prerequisites are in place: ## Steps to configure and test Microsoft Entra CBA -Some configuration steps to be done before you enable Microsoft Entra CBA. First, an admin must configure the trusted CAs that issue user certificates. As seen in the following diagram, we use role-based access control to make sure only least-privileged administrators are needed to make changes. Only the [Global Administrator](../role-based-access-control/permissions-reference.md#global-administrator) role can configure the CA. +Some configuration steps to be done before you enable Microsoft Entra CBA. First, an admin must configure the trusted CAs that issue user certificates. As seen in the following diagram, we use role-based access control to make sure only least-privileged administrators are needed to make changes. + +[!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)] Optionally, you can also configure authentication bindings to map certificates to single-factor or multifactor authentication, and configure username bindings to map the certificate field to an attribute of the user object. [Authentication Policy Administrators](../role-based-access-control/permissions-reference.md#authentication-policy-administrator) can configure user-related settings. Once all the configurations are complete, enable Microsoft Entra CBA on the tenant. 
@@ -61,7 +63,7 @@ You can configure certificate authorities(CAs) by using the Microsoft Entra admi To enable the certificate-based authentication and configure user bindings in the Microsoft Entra admin center, complete the following steps: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). +1. [!INCLUDE [Privileged role](~/includes/privileged-role-include.md)] 1. Browse to **Protection** > **Show more** > **Security Center** (or **Identity Secure Score**) > **Certificate authorities**. 1. To upload a CA, select **Upload**: 1. Select the CA file. @@ -76,7 +78,8 @@ To enable the certificate-based authentication and configure user bindings in th 1. Select **Columns** to add or delete columns. >[!NOTE] ->Upload of a new CA fails if any existing CA expired. A Global Administrator should delete any expired CA, and retry to upload the new CA. +>Upload of a new CA fails if any existing CA expired. You should delete any expired CA, and retry to upload the new CA. +>[!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)] ### Configure certificate authorities (CA) using PowerShell diff --git a/docs/identity/authentication/howto-authentication-use-email-signin.md b/docs/identity/authentication/howto-authentication-use-email-signin.md index 0e3e91d0531..987af9568d8 100644 --- a/docs/identity/authentication/howto-authentication-use-email-signin.md +++ b/docs/identity/authentication/howto-authentication-use-email-signin.md @@ -6,7 +6,7 @@ ms.service: entra-id ms.subservice: authentication ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done ms.topic: how-to -ms.date: 06/19/2024 +ms.date: 10/04/2024 ms.author: justinha author: calui 
@@ -43,7 +43,9 @@ Here's what you need to know about email as an alternate login ID: * The feature supports managed authentication with Password Hash Sync (PHS) or Pass-Through Authentication (PTA). * There are two options for configuring the feature: * [Home Realm Discovery (HRD) policy](#enable-user-sign-in-with-an-email-address) - Use this option to enable the feature for the entire tenant. At least the [Application Administrator](../role-based-access-control/permissions-reference.md#application-administrator) role is required. - * [Staged rollout policy](#enable-staged-rollout-to-test-user-sign-in-with-an-email-address) - Use this option to test the feature with specific Microsoft Entra groups. Global Administrator privileges required. When you first add a security group for staged rollout, you're limited to 200 users to avoid a UX time-out. After you've added the group, you can add more users directly to it, as required. + * [Staged rollout policy](#enable-staged-rollout-to-test-user-sign-in-with-an-email-address) - Use this option to test the feature with specific Microsoft Entra groups. When you first add a security group for staged rollout, you're limited to 200 users to avoid a UX time-out. After you've added the group, you can add more users directly to it, as required. + + [!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)] ## Preview limitations 
@@ -139,13 +141,15 @@ Email as an alternate login ID applies to [Microsoft Entra B2B collaboration](~/ Once users with the *ProxyAddresses* attribute applied are synchronized to Microsoft Entra ID using Microsoft Entra Connect, you need to enable the feature for users to sign in with email as an alternate login ID for your tenant. This feature tells the Microsoft Entra login servers to not only check the sign-in identifier against UPN values, but also against *ProxyAddresses* values for the email address. -During preview, you currently need *Global Administrator* permissions to enable sign-in with email as an alternate login ID. You can use either Microsoft Entra admin center or Graph PowerShell to set up the feature. +You can use either Microsoft Entra admin center or Graph PowerShell to set up the feature. + +[!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)] ### Microsoft Entra admin center [!INCLUDE [portal updates](~/includes/portal-update.md)] -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-policy-administrator). +1. [!INCLUDE [Privileged role](~/includes/privileged-role-include.md)] 1. From the navigation menu on the left-hand side of the Microsoft Entra window, select **Microsoft Entra Connect > Email as alternate login ID**. ![Screenshot of email as alternate login ID option in the Microsoft Entra admin center.](media/howto-authentication-use-email-signin/azure-ad-connect-screen.png) 
@@ -164,7 +168,7 @@ With the policy applied, it can take up to one hour to propagate and for users t Once users with the *ProxyAddresses* attribute applied are synchronized to Microsoft Entra ID using Microsoft Entra Connect, you need to enable the feature for users to sign-in with email as an alternate login ID for your tenant. This feature tells the Microsoft Entra login servers to not only check the sign-in identifier against UPN values, but also against *ProxyAddresses* values for the email address. -You need *Global Administrator* privileges to complete the following steps: +[!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)] 1. Open a PowerShell session as an administrator, then install the *Microsoft.Graph* module using the `Install-Module` cmdlet: @@ -281,8 +285,7 @@ Remove-MgPolicyHomeRealmDiscoveryPolicy -HomeRealmDiscoveryPolicyId "HRD_POLICY_ Staged rollout policy allows tenant administrators to enable features for specific Microsoft Entra groups. It is recommended that tenant administrators use staged rollout to test user sign-in with an email address. When administrators are ready to deploy this feature to their entire tenant, they should use [HRD policy](#enable-user-sign-in-with-an-email-address). - -You need *Global Administrator* permissions to complete the following steps: +[!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)] 1. Open a PowerShell session as an administrator, then install the *Microsoft.Graph.Beta* module using the [Install-Module][Install-Module] cmdlet: 
@@ -391,7 +394,9 @@ Within a tenant, a cloud-only user's UPN may take on the same value as another u If prompted, select **Y** to install NuGet or to install from an untrusted repository. -1. Sign in to your Microsoft Entra tenant as a *Global Administrator* using the [Connect-AzureAD][Connect-AzureAD] cmdlet: +1. [!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)] + + Sign in to your Microsoft Entra tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet: ```powershell Connect-MgGraph -Scopes "User.Read.All" diff --git a/docs/identity/authentication/howto-mfa-mfasettings.md b/docs/identity/authentication/howto-mfa-mfasettings.md index 8e950f1cdc7..ea9820844d6 100644 --- a/docs/identity/authentication/howto-mfa-mfasettings.md +++ b/docs/identity/authentication/howto-mfa-mfasettings.md @@ -6,7 +6,7 @@ description: Learn how to configure settings for Microsoft Entra multifactor aut ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 09/09/2024 +ms.date: 10/04/2024 ms.author: justinha author: justinha @@ -201,7 +201,8 @@ Helga@contoso.com,1234567,1234567abcdef1234567abcdef,60,Contoso,HardwareKey > [!NOTE] > Be sure to include the header row in your CSV file. -Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a Global Administrator, go to **Protection** > **Multifactor authentication** > **OATH tokens**, and upload the CSV file. +1. [!INCLUDE [Privileged role](~/includes/privileged-role-include.md)] +1. Go to **Protection** > **Multifactor authentication** > **OATH tokens**, and upload the CSV file. Depending on the size of the CSV file, it might take a few minutes to process. Select **Refresh** to get the status. If there are any errors in the file, you can download a CSV file that lists them. The field names in the downloaded CSV file are different from those in the uploaded version. 
diff --git a/docs/identity/authentication/howto-mfa-nps-extension.md b/docs/identity/authentication/howto-mfa-nps-extension.md index 92796966068..fe66d2900b5 100644 --- a/docs/identity/authentication/howto-mfa-nps-extension.md +++ b/docs/identity/authentication/howto-mfa-nps-extension.md @@ -6,7 +6,7 @@ description: Learn how to use Microsoft Entra multifactor authentication capabil ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 03/27/2024 +ms.date: 10/04/2024 ms.author: justinha author: justinha @@ -263,7 +263,10 @@ To provide load-balancing capabilities or for redundancy, repeat these steps on .\AzureMfaNpsExtnConfigSetup.ps1 ``` -1. When prompted, sign in to Microsoft Entra ID as a Global Administrator. +1. When prompted, sign in to Microsoft Entra ID. + + [!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)] + 1. PowerShell prompts for your tenant ID. Use the *Tenant ID* GUID that you copied in the prerequisites section. 1. A success message is shown when the script is finished. 
@@ -360,7 +363,11 @@ Connect-MgGraph -Scopes 'Application.ReadWrite.All' New-MgServicePrincipal -AppId 00001111-aaaa-2222-bbbb-3333cccc4444 -DisplayName "Azure Multi-Factor Auth Client" ``` -Once done, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). Browse to **Identity** > **Applications** > **Enterprise applications** > and search for "Azure Multi-factor Auth Client". Then click **Check properties for this app**. Confirm if the service principal is enabled or disabled. Click the application entry > **Properties**. If the option **Enabled for users to sign-in?** is set to **No**, set it to **Yes**. +1. [!INCLUDE [Privileged role](~/includes/privileged-role-include.md)] +1. Browse to **Identity** > **Applications** > **Enterprise applications** > and search for "Azure Multi-factor Auth Client". +1. Click **Check properties for this app**. Confirm if the service principal is enabled or disabled. +1. Click the application entry > **Properties**. +1. If the option **Enabled for users to sign-in?** is set to **No**, set it to **Yes**. Run the `AzureMfaNpsExtnConfigSetup.ps1` script again and it should not return the **Service principal was not found** error. diff --git a/docs/identity/authentication/media/how-to-authentication-methods-manage/wizard-entry-point.png b/docs/identity/authentication/media/how-to-authentication-methods-manage/wizard-entry-point.png new file mode 100644 index 00000000000..a107ca35c45 Binary files /dev/null and b/docs/identity/authentication/media/how-to-authentication-methods-manage/wizard-entry-point.png differ 
diff --git a/docs/identity/authentication/media/how-to-authentication-methods-manage/wizard-first-page.png b/docs/identity/authentication/media/how-to-authentication-methods-manage/wizard-first-page.png new file mode 100644 index 00000000000..e49efdf391d Binary files /dev/null and b/docs/identity/authentication/media/how-to-authentication-methods-manage/wizard-first-page.png differ diff --git a/docs/identity/authentication/media/how-to-authentication-methods-manage/wizard-second-page.png b/docs/identity/authentication/media/how-to-authentication-methods-manage/wizard-second-page.png new file mode 100644 index 00000000000..e977320abc1 Binary files /dev/null and b/docs/identity/authentication/media/how-to-authentication-methods-manage/wizard-second-page.png differ diff --git a/docs/identity/monitoring-health/reference-audit-activities.md b/docs/identity/monitoring-health/reference-audit-activities.md index e5b05f08d8c..06338f3197a 100644 --- a/docs/identity/monitoring-health/reference-audit-activities.md +++ b/docs/identity/monitoring-health/reference-audit-activities.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.topic: reference ms.subservice: monitoring-health -ms.date: 05/09/2024 +ms.date: 10/04/2024 ms.author: sarahlipsey ms.reviewer: dhanyahk --- @@ -26,7 +26,7 @@ Audit log activities and categories change periodically. The tables are updated -## Microsoft Entra Management UX +## Microsoft Entra (AAD) Management UX |Audit Category|Activity| |---|---| @@ -73,6 +73,7 @@ With [Microsoft Entra ID Governance access reviews](~/id-governance/manage-user- |DirectoryManagement|Create program| |DirectoryManagement|Link program control| |DirectoryManagement|Unlink program control| +|DirectoryManagement|Update program| |Policy|Access review ended| |Policy|Apply decision| |Policy|Approve decision| 
@@ -144,6 +145,7 @@ If you're utilizing [Application Proxy](~/identity/app-proxy/overview-what-is-ap |Authentication|Remove a group from feature rollout| |Authentication|Remove user from feature rollout| |Authentication|Update rollout policy of feature| +|Authorization|User authorization for application access| |DirectoryManagement|Disable Desktop Sso| |DirectoryManagement|Disable Desktop Sso for a specific domain| |DirectoryManagement|Disable application proxy| @@ -164,10 +166,6 @@ If you're utilizing [Application Proxy](~/identity/app-proxy/overview-what-is-ap The Audit logs for Authentication Methods can be used to make sure that your users have registered their mobile device properly to enable multifactor authentication. -Audit events related to GDPR and data protection are also found in this service and are found in the `DirectoryManagement` category. These events include strings like `MFA.CosmosDB.mfa-prd-cust-rpt-eu.activations` and `DSR Export: MFA.PostgreSQL.bypassed_users_creations`. - -[!INCLUDE [GDPR-related guidance](~/includes/azure-docs-pr/gdpr-dsr-and-stp-note.md)] - |Audit Category|Activity| |---|---| |ApplicationManagement|Assign Hardware Oath Token| 
@@ -181,73 +179,18 @@ Audit events related to GDPR and data protection are also found in this service
 |ApplicationManagement|Authentication Strength Policy Update|
 |ApplicationManagement|Bulk upload Hardware Oath Token|
 |ApplicationManagement|Create Hardware Oath Token|
-|ApplicationManagement|DELETE Subscription.DeleteProviders|
-|ApplicationManagement|DELETE Tenant.DeleteAgentStatuses|
-|ApplicationManagement|DELETE Tenant.DeleteCaches|
-|ApplicationManagement|DELETE Tenant.DeleteGreetings|
 |ApplicationManagement|Delete Hardware Oath Token|
-|ApplicationManagement|PATCH Tenant.Patch|
-|ApplicationManagement|PATCH Tenant.PatchCaches|
+|ApplicationManagement|MFA Service Policy Update|
 |ApplicationManagement|PATCH UserAuthMethod.PatchSignInPreferencesAsync|
-|ApplicationManagement|POST SoundFile.Post|
-|ApplicationManagement|Subscription.CreateProvider|
-|ApplicationManagement|Subscription.CreateSubscription|
-|ApplicationManagement|POST Tenant.CreateBlockedUser|
-|ApplicationManagement|POST Tenant.CreateBypassedUser|
-|ApplicationManagement|POST Tenant.CreateCacheConfig|
-|ApplicationManagement|POST Tenant.CreateGreeting|
-|ApplicationManagement|POST Tenant.CreateOemTenant|
-|ApplicationManagement|POST Tenant.CreateTenant|
-|ApplicationManagement|POST Tenant.GenerateNewActivationCredentials|
-|ApplicationManagement|POST Tenant.RemoveBlockedUser|
-|ApplicationManagement|POST Tenant.RemoveBypassedUser|
+|ApplicationManagement|PATCH UserAuthMethod.ResetQRPinAsync|
+|ApplicationManagement|PATCH UserAuthMethod.UpdateQRPinAsync|
+|ApplicationManagement|POST UserAuthMethod.SecurityInfoRegistrationCallback|
+|ApplicationManagement|POST UserAuthMethod.SoftwareOathProofupRegistration|
 |ApplicationManagement|Update Hardware Oath Token|
 |DirectoryManagement|DELETE Subscription.DeleteProviders|
 |DirectoryManagement|DELETE Tenant.DeleteAgentStatuses|
 |DirectoryManagement|DELETE Tenant.DeleteCaches|
 |DirectoryManagement|DELETE Tenant.DeleteGreetings|
-|DirectoryManagement|DSR 
Delete: MFA.CosmosDB.mfa-prd-cust-rpt-au.activations|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-au.authentications|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-cn.activations|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-cn.authentications|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-eu.activations|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-eu.authentications|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ff.activations|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ff.authentications|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ge.activations|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ge.authentications|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-gv.activations|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-gv.authentications|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ww.activations|
-|DirectoryManagement|DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ww.authentications|
-|DirectoryManagement|DSR Delete: MFA.PostgreSQL.blocked_users|
-|DirectoryManagement|DSR Delete: MFA.PostgreSQL.blocked_users_completions|
-|DirectoryManagement|DSR Delete: MFA.PostgreSQL.blocked_creations|
-|DirectoryManagement|DSR Delete: MFA.PostgreSQL.bypassed_users_completions|
-|DirectoryManagement|DSR Delete: MFA.PostgreSQL.bypassed_users_creations|
-|DirectoryManagement|DSR Delete: MFA.PostgreSQL.change_request_statuses|
-|DirectoryManagement|DSR Delete: MFA.PostgreSQL.change_request|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-au.activations|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-au.authentications|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-cn.activations|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-cn.authentications|
-|DirectoryManagement|DSR Export: 
MFA.CosmosDB.mfa-prd-cust-rpt-eu.activations|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-eu.authentications|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ff.activations|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ff.authentications|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ge.activations|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ge.authentications|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-gv.activations|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-gv.authentications|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ww.activations|
-|DirectoryManagement|DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ww.authentications|
-|DirectoryManagement|DSR Export: MFA.PostgreSQL.blocked_users|
-|DirectoryManagement|DSR Export: MFA.PostgreSQL.blocked_users_completions|
-|DirectoryManagement|DSR Export: MFA.PostgreSQL.blocked_creations|
-|DirectoryManagement|DSR Export: MFA.PostgreSQL.bypassed_users_completions|
-|DirectoryManagement|DSR Export: MFA.PostgreSQL.bypassed_users_creations|
-|DirectoryManagement|DSR Export: MFA.PostgreSQL.change_request_statuses|
-|DirectoryManagement|DSR Export: MFA.PostgreSQL.change_request|
 |DirectoryManagement|PATCH Tenant.Patch|
 |DirectoryManagement|PATCH Tenant.PatchCaches|
 |DirectoryManagement|POST SoundFile.Post|
@@ -260,12 +203,14 @@ Audit events related to GDPR and data protection are also found in this service |DirectoryManagement|POST Tenant.CreateTenant| |DirectoryManagement|POST Tenant.GenerateNewActivationCredentials| |DirectoryManagement|POST Tenant.RemoveBlockedUser| -|DirectoryManagement|POST TenantRemoveBypassedUser| +|DirectoryManagement|POST Tenant.RemoveBypassedUser| |UserManagement|Admin deleted security info| |UserManagement|Admin registered security info| |UserManagement|Admin started password reset| |UserManagement|Admin updated security info| |UserManagement|Get passkey creation options| +|UserManagement|Restore multifactor authentication on all remembered devices| +|UserManagement|Update per-user multifactor authentication state| |UserManagement|User canceled security info registration| |UserManagement|User changed default security info| |UserManagement|User deleted security info| @@ -279,7 +224,7 @@ Audit events related to GDPR and data protection are also found in this service -## Microsoft Entra Recommendations +## Microsoft Entra (Azure AD) Recommendations [Microsoft Entra Recommendations](overview-recommendations.md) monitors your Microsoft Entra tenant and provides personalized insights and actionable guidance to implement best practices for Microsoft Entra features and optimize your tenant configurations. These logs provide a history of the changes made to the status of a recommendation. 
@@ -291,17 +236,29 @@ Audit events related to GDPR and data protection are also found in this service -## Microsoft Entra multifactor authentication +## Microsoft Entra (Azure MFA) multifactor authentication The Microsoft Entra multifactor authentication audit logs can help you track trends in suspicious activity or when fraud was reported. Use the [Microsoft Entra sign-in logs](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/SignIns) to see each time a user signs in when MFA is required. |Audit Category|Activity| |---|---| +|DirectoryManagement|DeleteDataFromBackend| +|DirectoryManagement|DeleteDataFromCosmosDb| +|DirectoryManagement|ExportDataFromBackend| +|DirectoryManagement|ExportDataFromCosmosDb| |UserManagement|Fraud reported - no action taken| |UserManagement|Fraud reported - user is blocked for MFA| |UserManagement|Suspicious activity reported| |UserManagement|User registered security info| +## Azure RBAC (Elevated Access) + +|Audit Category|Activity| +|---|---| +|AzureRBACRoleManagementElevateAccess|The role assignment of User Access Administrator has been removed from the user| +|AzureRBACRoleManagementElevateAccess|User has elevated their access to User Access Administrator for their Azure Resources| + + ## B2B Auth |Audit Category|Activity| 
@@ -314,19 +271,6 @@ This set of audit logs is related to [B2C](/azure/active-directory-b2c/overview) |Audit Category|Activity| |---|---| -|ApplicationManagement|Add V2 application permissions| -|ApplicationManagement|Create V2 application| -|ApplicationManagement|Delete V2 application| -|ApplicationManagement|Delete V2 application permission grant| -|ApplicationManagement|Get V1 and V2 applications| -|ApplicationManagement|Get V1 application| -|ApplicationManagement|Get V1 applications| -|ApplicationManagement|Get V2 application| -|ApplicationManagement|Get V2 applications| -|ApplicationManagement|Retrieve V2 application permissions grants| -|ApplicationManagement|Retrieve V2 application service principals| -|ApplicationManagement|Update V2 application| -|ApplicationManagement|Update V2 application permission grant| |Authentication|A self-service sign-up request was completed| |Authentication|An API was called as part of a user flow| |Authentication|Delete all available strong authentication devices| @@ -437,10 +381,8 @@ This set of audit logs is related to [B2C](/azure/active-directory-b2c/overview) |Authorization|Get user flow| |Authorization|Get user flows| |Authorization|Get v1 and v2 applications| -|Authorization|Get v1 application| |Authorization|Get v1 applications| |Authorization|Get v2 application| -|Authorization|Get v2 applications| |Authorization|Initialize tenant| |Authorization|Move resources| |Authorization|Restore policy key| 
@@ -466,31 +408,42 @@ This set of audit logs is related to [B2C](/azure/active-directory-b2c/overview)
 |Authorization|Update local identity provider|
 |Authorization|Update policy key|
 |Authorization|Update subscription status|
+|Authorization|Update tenant metadata|
 |Authorization|Update user attribute|
 |Authorization|Update user flow|
-|Authorization|Update v2 application|
-|Authorization|Update v2 application permission grant|
 |Authorization|Upload certificate to policy key|
 |Authorization|Upload key to policy key|
 |Authorization|Upload secret into policy key|
 |Authorization|Validate customExtension authenticationConfiguration|
 |Authorization|Validate move resources|
+|Authorization|Verify if tenant is B2C|
+|Device|Delete pre-created device|
+|Device|Pre-create device|
+|Device|Recover device local administrator password|
+|Device|Register device|
+|Device|Unregister device|
+|Device|Update device local administrator password|
 |Directory Management|Get age gating configuration|
-|Directory Management|Get custom domains|
 |Directory Management|Get list of tenants|
 |Directory Management|Get resources properties of a tenant|
 |Directory Management|Get tenant details|
 |Directory Management|Get tenant domains|
 |Directory Management|Initialize tenant|
 |Directory Management|Update age gating configuration|
+|Directory Management|Update tenant metadata|
+|Directory Management|Verify if tenant is B2C|
 |IdentityProtection|Evaluate Conditional Access policies|
 |IdentityProtection|Remediate user|
+|KeyManagement|Add BitLocker key|
 |KeyManagement|Create policy key|
+|KeyManagement|Delete BitLocker key|
 |KeyManagement|Delete policy key|
 |KeyManagement|Get active key metadata from policy key|
 |KeyManagement|Get policy key|
 |KeyManagement|Get policy keys|
+|KeyManagement|Read BitLocker key|
 |KeyManagement|Restore policy key|
+|KeyManagement|Update policy key|
 |KeyManagement|Upload key to policy key|
 |KeyManagement|Upload secret into policy key|
 |Other|Generate one time password|
@@ -601,6 +554,10 @@ This set of audit logs is related to [B2C](/azure/active-directory-b2c/overview) |ResourceManagement|Update certificate to policy key| |ResourceManagement|Update secret into policy key| |ResourceManagement|Validate move resources| +|UserManagement|Add Windows Hello for Business credential| +|UserManagement|Add passwordless phone sign-in credential| +|UserManagement|Delete Windows Hello for Business credential| +|UserManagement|Delete passwordless phone sign-in credential| ## Conditional Access 
@@ -672,42 +629,61 @@ Logs captured in the Core Directory service cover a wide variety of scenarios. C
 |ApplicationManagement|Update application - Certificates and secrets management|
 |ApplicationManagement|Update external secrets|
 |ApplicationManagement|Update service principal|
-|AttributeManagement|Add an attribute set|
-|AttributeManagement|Add custom security attribute definition in an attribute set|
-|AttributeManagement|Update an attribute set|
-|AttributeManagement|Update attribute values assigned to a servicePrincipal|
-|AttributeManagement|Update attribute values assigned to a user|
-|AttributeManagement|Update custom security attribute definition in an attribute set|
+|Authentication|Test audit log|
 |AuthorizationPolicy|Update authorization policy|
-|CertificateBasedAuthConfiguration|Add CertificationBasedAuthConfiguration|
-|CertificateBasedAuthConfiguration|Delete CertificationBasedAuthConfiguration|
+|CertBasedConfiguration|Add CertBasedAuthConfiguration|
+|CertBasedConfiguration|Hard delete CertificationBasedAuthConfiguration|
+|CertificateAuthorityEntity|Create CertificateAuthorityEntity|
+|CertificateAuthorityEntity|Delete CertificateAuthorityEntity|
+|CertificateAuthorityEntity|Hard Delete CertificateAuthorityEntity|
+|CertificateAuthorityEntity|Restore CertificateAuthorityEntity|
+|CertificateAuthorityEntity|Update CertificateAuthorityEntity|
+|CertificateBasedAuthConfiguration|Add CertificateBasedAuthConfiguration|
+|CertificateBasedAuthConfiguration|Delete CertificateBasedAuthConfiguration|
+|CertificateBasedAuthConfiguration|Update CertificateBasedAuthConfiguration|
+|CompanyBranding|Create Branding Theme|
+|CompanyBranding|Delete Branding Theme|
+|CompanyBranding|Hard Delete Branding Theme|
+|CompanyBranding|Update Branding Theme|
+|CompanyBrandingLocale|Create Branding Theme Localization|
+|CompanyBrandingLocale|Delete Branding Theme Localization|
+|CompanyBrandingLocale|Hard Delete Branding Theme Localization|
+|CompanyBrandingLocale|Update 
Branding Theme Localization|
 |Contact|Add contact|
 |Contact|Delete contact|
 |Contact|Update contact|
+|CrossTenantAccessSettings|Add a domain-based partner to cross-tenant access setting|
 |CrossTenantAccessSettings|Add a partner to cross-tenant access setting|
+|CrossTenantAccessSettings|Delete a domain-based partner to cross-tenant access setting|
 |CrossTenantAccessSettings|Delete partner specific cross-tenant access setting|
 |CrossTenantAccessSettings|Migrated partner cross-tenant access settings to the scalable model|
 |CrossTenantAccessSettings|Reset the cross-tenant access default setting|
+|CrossTenantAccessSettings|Update a domain-based partner to cross-tenant access setting|
 |CrossTenantAccessSettings|Update a partner cross-tenant access setting|
 |CrossTenantAccessSettings|Update the company default cross-tenant access setting|
 |CrossTenantIdentitySyncSettings|Create a partner cross-tenant identity sync setting|
 |CrossTenantIdentitySyncSettings|Delete a partner cross-tenant identity sync setting|
 |CrossTenantIdentitySyncSettings|Update a partner cross-tenant identity sync setting|
+|DelegatedAdminServiceProviderConstraints|Adding allowed assignable roles|
+|DelegatedAdminServiceProviderConstraints|Updating allowed assignable roles|
 |Device|Add device|
 |Device|Add registered owner to device|
 |Device|Add registered users to device|
 |Device|Delete device|
 |Device|Device no longer compliant|
 |Device|Device no longer managed|
+|Device|Hard Delete device|
 |Device|Remove registered owner from device|
 |Device|Remove registered users from device|
+|Device|Restore device|
 |Device|Update device|
 |DeviceConfiguration|Add device configuration|
 |DeviceConfiguration|Delete device configuration|
 |DeviceConfiguration|Update device configuration|
 |DeviceTemplate|Add device from DeviceTemplate|
+|DeviceTemplate|Add DeviceTemplate|
+|DeviceTemplate|Add owner to DeviceTemplate|
 |DeviceTemplate|Delete DeviceTemplate|
-|DeviceTemplate|Update DeviceTemplate|
|DirectoryManagement|Add partner to company|
 |DirectoryManagement|Add sharedEmailDomainInvitation|
 |DirectoryManagement|Add unverified domain|
@@ -717,12 +693,14 @@ Logs captured in the Core Directory service cover a wide variety of scenarios. C
 |DirectoryManagement|Delete company allowed data location|
 |DirectoryManagement|Delete company settings|
 |DirectoryManagement|Delete subscription|
+|DirectoryManagement|Deleting Source Tenant subscriptions|
 |DirectoryManagement|Demote partner|
 |DirectoryManagement|Directory deleted|
 |DirectoryManagement|Directory deleted permanently|
 |DirectoryManagement|Directory scheduled for deletion (Lifecycle)|
 |DirectoryManagement|Directory scheduled for deletion (UserRequest)|
 |DirectoryManagement|Get cross-cloud verification code for domain|
+|DirectoryManagement|Hard Delete Domain|
 |DirectoryManagement|Promote company to partner|
 |DirectoryManagement|Promote sub domain to root domain|
 |DirectoryManagement|Remove partner from company|
@@ -741,6 +719,9 @@ Logs captured in the Core Directory service cover a wide variety of scenarios. C
 |DirectoryManagement|Set domain authentication|
 |DirectoryManagement|Set federation settings on domain|
 |DirectoryManagement|Set password policy|
+|DirectoryManagement|Soft Delete Domain|
+|DirectoryManagement|Suspending Source Tenant Subscriptions|
+|DirectoryManagement|Update Domain|
 |DirectoryManagement|Update company|
 |DirectoryManagement|Update company settings|
 |DirectoryManagement|Update domain|
@@ -748,11 +729,6 @@ Logs captured in the Core Directory service cover a wide variety of scenarios. C
 |DirectoryManagement|Update sharedEmailDomainInvitation|
 |DirectoryManagement|Verify domain|
 |DirectoryManagement|Verify email verified domain|
-|ExternalUserProfile|Create ExternalUserProfile|
-|ExternalUserProfile|Delete ExternalUserProfile|
-|ExternalUserProfile|Hard Delete ExternalUserProfile|
-|ExternalUserProfile|Restore ExternalUserProfile|
-|ExternalUserProfile|Update ExternalUserProfile|
 |GroupManagement|Add app role assignment to group|
 |GroupManagement|Add group|
 |GroupManagement|Add member to group|
@@ -765,6 +741,8 @@ Logs captured in the Core Directory service cover a wide variety of scenarios. C
 |GroupManagement|Grant contextual consent to application|
 |GroupManagement|Hard Delete group|
 |GroupManagement|Remove app role assignment from group|
+|GroupManagement|Remove eligible member from group|
+|GroupManagement|Remove eligible owner from group|
 |GroupManagement|Remove label from group|
 |GroupManagement|Remove member from group|
 |GroupManagement|Remove owner from group|
@@ -782,12 +760,11 @@ Logs captured in the Core Directory service cover a wide variety of scenarios. C
 |Label|Add label|
 |Label|Delete label|
 |Label|Update label|
-|MicrosoftSupportAccessManagement|Approval approved|
-|MicrosoftSupportAccessManagement|Approval removed|
+|MicrosoftSupportAccessManagement|Access approved|
+|MicrosoftSupportAccessManagement|Access removed|
 |MicrosoftSupportAccessManagement|Request approved|
 |MicrosoftSupportAccessManagement|Request canceled|
 |MicrosoftSupportAccessManagement|Request created|
-|MicrosoftSupportAccessManagement|Request created|
 |MicrosoftSupportAccessManagement|Request rejected|
 |MultiTenantOrg|Create a MultiTenantOrg|
 |MultiTenantOrg|Hard Delete MultiTenantOrg|
@@ -801,24 +778,29 @@ Logs captured in the Core Directory service cover a wide variety of scenarios. C
 |MultiTenantOrgTenant|Hard Delete MultiTenantOrg tenant|
 |MultiTenantOrgTenant|Tenant joining MultiTenantOrg tenant|
 |MultiTenantOrgTenant|Update MultiTenantOrg tenant|
+|OrganizationalUnitContainer|Create OrganizationalUnit|
+|OrganizationalUnitContainer|Delete OrganizationalUnit|
+|OrganizationalUnitContainer|Update OrganizationalUnit|
 |PendingExternalUserProfile|Create PendingExternalUserProfile|
 |PendingExternalUserProfile|Delete PendingExternalUserProfile|
 |PendingExternalUserProfile|Hard Delete PendingExternalUserProfile|
-|PendingExternalUserProfile|Update PendingExternalUserProfile|
 |PermissionGrantPolicy|Add permission grant policy|
 |PermissionGrantPolicy|Delete permission grant policy|
 |PermissionGrantPolicy|Update permission grant policy|
 |Policy|Add owner to policy|
 |Policy|Add policy|
 |Policy|Delete policy|
+|Policy|Hard Delete policy|
 |Policy|Remove owner from policy|
 |Policy|Remove policy credentials|
+|Policy|Restore policy|
 |Policy|Update policy|
-|PrivateEndpoint|Add PrivateEndpoint|
-|PrivateEndpoint|Delete PrivateEndpoint|
-|PrivateLinkResource|Add PrivateLinkResource|
-|PrivateLinkResource|Delete PrivateLinkResource|
-|PrivateLinkResource|Update PrivateLinkResource|
+|PublicKeyInfrastructure|Create PublicKeyInfrastructure|
+|PublicKeyInfrastructure|Delete PublicKeyInfrastructure|
+|PublicKeyInfrastructure|Hard Delete PublicKeyInfrastructure|
+|PublicKeyInfrastructure|Initiate PublicKeyInfrastructure|
+|PublicKeyInfrastructure|Restore PublicKeyInfrastructure|
+|PublicKeyInfrastructure|Update PublicKeyInfrastructure|
 |RoleManagement|Add EligibleRoleAssignment to RoleDefinition|
 |RoleManagement|Add eligible member to role|
 |RoleManagement|Add member to role|
@@ -836,10 +818,9 @@ Logs captured in the Core Directory service cover a wide variety of scenarios. C
 |RoleManagement|Remove scoped member from role|
 |RoleManagement|Update role|
 |RoleManagement|Update role definition|
-|SourceOfAuthorityPolicy|Add SOA policy|
 |UserManagement|Add app role assignment to group|
 |UserManagement|Add user|
-|UserManagement|Add users strong authentication phone app detail|
+|UserManagement|Add user sponsor|
 |UserManagement|Change user license|
 |UserManagement|Change user password|
 |UserManagement|Convert federated user to managed|
@@ -851,13 +832,15 @@ Logs captured in the Core Directory service cover a wide variety of scenarios. C
 |UserManagement|Enable Strong Authentication|
 |UserManagement|Enable account|
 |UserManagement|Hard Delete user|
+|UserManagement|Remove OrganizationalUnit assigned to a user|
 |UserManagement|Remove app role assignment from user|
-|UserManagement|Remove users strong authentication phone app detail|
+|UserManagement|Remove user sponsor|
 |UserManagement|Reset password|
 |UserManagement|Restore user|
 |UserManagement|Set force change user password|
 |UserManagement|Set user manager|
-|UserManagement|Set user oath token metadata enabled|
+|UserManagement|Takeover user cloned|
+|UserManagement|Update OrganizationalUnit assigned to a user|
 |UserManagement|Update StsRefreshTokenValidFrom Timestamp|
 |UserManagement|Update external secrets|
 |UserManagement|Update user|
@@ -869,20 +852,20 @@ If you need to manage [Microsoft Entra ID and Microsoft Entra hybrid joined devi
 |Audit Category|Activity|
 |---|---|
 |Device|Delete pre-created device|
-|Device|pre-create device|
+|Device|Pre-create device|
+|Device|Recover device local administrator password|
 |Device|Register device|
-|Device|Reveal local administrator password|
 |Device|Unregister device|
 |Device|Update local administrator password|
 |KeyManagement|Add BitLocker key|
 |KeyManagement|Delete BitLocker key|
 |KeyManagement|Read BitLocker key|
 |Policy|Set device registration policies|
-|UserManagement|Add FIDO2 security key|
+|UserManagement|Add Passkey (device-bound)|
 |UserManagement|Add Windows Hello for Business credential|
 |UserManagement|Add passwordless phone sign-in credential|
 |UserManagement|Add platform credential|
-|UserManagement|Delete FIDO2 security key(s)|
+|UserManagement|Delete Passkey (device-bound)|
 |UserManagement|Delete Windows Hello for Business credential|
 |UserManagement|Delete passwordless phone sign-in credential|
 |UserManagement|Delete platform credential|
@@ -957,22 +940,35 @@ If you're using Microsoft Entra Internet Access or Microsoft Entra Private Acces |Audit Category|Activity| |---|---| +|ApplicationManagement|Create Certificate| +|ApplicationManagement|Delete Certificate| +|ApplicationManagement|Update Certificate| +|ObjectManagement|Offboarding Process Started| |ObjectManagement|Onboarding Process Started| |ObjectManagement|Update Adaptive Access Policy| |ObjectManagement|Update Enriched Audit Logs Settings| -|PolicyManagement|Create Branch| +|ObjectManagement|Update Forwarding Options Policy| |PolicyManagement|Create Filtering Policy| |PolicyManagement|Create Filtering Policy Profile| +|PolicyManagement|Create Remote Network| +|PolicyManagement|Create Security Provider Policy| |PolicyManagement|Delete Filtering Policy| |PolicyManagement|Delete Filtering Policy Profile| -|PolicyManagement|Create Forwarding Policy| -|PolicyManagement|Update Branch| +|PolicyManagement|Delete Forwarding Policy| +|PolicyManagement|Delete Private Access Policy| +|PolicyManagement|Delete Remote Network| +|PolicyManagement|Delete Security Provider Policy| |PolicyManagement|Update Filtering Policy| |PolicyManagement|Update Filtering Policy Profile| |PolicyManagement|Update Filtering Profile| |PolicyManagement|Update Forwarding Options Policy| |PolicyManagement|Update Forwarding Policy| |PolicyManagement|Update Forwarding Profile| +|PolicyManagement|Update Forwarding Rule| +|PolicyManagement|Update Private Access Policy| +|PolicyManagement|Update Remote Network| +|PolicyManagement|Update Security Provider Policy| +|ResourceManagement|Create Registration of Security Provider| ## Hybrid Authentication 
@@ -983,18 +979,20 @@ If you're using Microsoft Entra Internet Access or Microsoft Entra Private Acces -#### Microsoft Entra ID Protection +#### Microsoft Entra ID Protection (Identity Protection) |Audit Category|Activity| |---|---| |IdentityProtection|Update IdentityProtectionPolicy| |IdentityProtection|Update NotificationSettings| |Other|ConfirmAccountCompromised| +|Other|ConfirmAccountSafe| |Other|ConfirmCompromised| |Other|ConfirmSafe| -|Other|ConfirmServicePrincipalCompromised| -|Other|DismissServicePrincipal| +|Other|DismissRisk| |Other|DismissUser| +|Other|confirmServicePrincipalCompromised| +|Other|DismissServicePrincipal| ## Invited users @@ -1004,13 +1002,11 @@ Use the Invited users logs to help you manage the status of users who were invit |---|---| |UserManagement|Delete external user| |UserManagement|Email not sent, user unsubscribed| -|UserManagement|Email subscribed| -|UserManagement|Email unsubscribed| +|UserManagement|Invitation Email| |UserManagement|Invite external user| |UserManagement|Invite external user with reset invitation status| |UserManagement|Invite internal user to B2B collaboration| |UserManagement|Redeem external user invite| -|UserManagement|Viral user creation| ## Lifecycle Workflows @@ -1064,8 +1060,18 @@ If you're using [MIM](/microsoft-identity-manager/microsoft-identity-manager-201 |Audit Category|Activity| |---|---| -|PolicyManagement|Delete policy| -|PolicyManagement|Update mobility management policy| +|Authentication|User confirmed unusual sign-in event as legitimate| +|Authentication|User reported unusual sign-in event as not legitimate| +|UserManagement|User changed default security info| +|UserManagement|User deleted security info| +|UserManagement|User registered security info| +|UserManagement|User started security info registration| + +## MyAccess + +|Audit Category|Activity| +|---|---| +|ApplicationManagement|Create application collection| ## MyApps 
@@ -1291,11 +1297,9 @@ Many of the activities in this group are associated with background processes re
 |Audit Category|Activity|
 |---|---|
 |GroupManagement|ApprovalNotification_Create|
-|GroupManagement|Autorenew group|
 |GroupManagement|Approval_Act|
 |GroupManagement|Approval_Get|
 |GroupManagement|Approval_GetAll|
-|GroupManagement|Approvals_ActOnApproval|
 |GroupManagement|Approvals_Post|
 |GroupManagement|Approve a pending request to join a group|
 |GroupManagement|Cancel a pending request to join a group|
@@ -1341,6 +1345,7 @@ Many of the activities in this group are associated with background processes re
 |GroupManagement|Reject a pending request to join a group|
 |GroupManagement|Renew group|
 |GroupManagement|Request to join a group|
+|GroupManagement|set dynamic group properties|
 |GroupManagement|Settings_GetSettingsAsync|
 |GroupManagement|Update lifecycle management policy|
 |GroupManagement|User_Create|
@@ -1390,6 +1395,7 @@ The Self-service password management logs provide insight into changes made to p
 |Audit Category|Activity|
 |---|---|
 |ResourceManagement|Create authority|
+|ResourceManagement|Create authorization policy|
 |ResourceManagement|Create contract|
 |ResourceManagement|Create issuance policy|
 |ResourceManagement|Delete issuance policy|
diff --git a/docs/includes/licensing-governance.md b/docs/includes/licensing-governance.md
index c20769ad6e4..d66292626d7 100644
--- a/docs/includes/licensing-governance.md
+++ b/docs/includes/licensing-governance.md
@@ -27,11 +27,11 @@ The following table shows what features are available with each license. Not al
 |[Entitlement management - Conditional Access Scoping](~/id-governance/entitlement-management-external-users.md#review-your-conditional-access-policies)||| :white_check_mark: | :white_check_mark: | :white_check_mark: |
 |[Entitlement management MyAccess Search](~/id-governance/my-access-portal-overview.md)||| :white_check_mark: | :white_check_mark: | :white_check_mark: |
 |[Entitlement management with Verified ID](~/id-governance/entitlement-management-verified-id-settings.md)|||| :white_check_mark: | :white_check_mark: |
-|[Entitlement management + Custom Extensions (Logic Apps)](~/id-governance/entitlement-management-logic-apps-integration.md)|||| :white_check_mark: | :white_check_mark: |
-|[Entitlement management + Auto Assignment Policies](~/id-governance/entitlement-management-access-package-auto-assignment-policy.md)|||| :white_check_mark: | :white_check_mark: |
-|[Entitlement management - Directly Assign Any User(Preview)](~/id-governance/entitlement-management-access-package-assignments.md#directly-assign-any-user-preview)|||| :white_check_mark: | :white_check_mark: |
+|[Entitlement management - Custom Extensions (Logic Apps)](~/id-governance/entitlement-management-logic-apps-integration.md)|||| :white_check_mark: | :white_check_mark: |
+|[Entitlement management - Auto Assignment Policies](~/id-governance/entitlement-management-access-package-auto-assignment-policy.md)|||| :white_check_mark: | :white_check_mark: |
+|[Entitlement management - Directly Assign Any User (Preview)](~/id-governance/entitlement-management-access-package-assignments.md#directly-assign-any-user-preview)|||| :white_check_mark: | :white_check_mark: |
 |[Entitlement management - Guest Conversion API](~/id-governance/entitlement-management-access-package-manage-lifecycle.md)|||| :white_check_mark: | :white_check_mark: |
-|[Entitlement management - Grace 
Period(Preview)](~/id-governance/entitlement-management-external-users.md#manage-the-lifecycle-of-external-users)||| :white_check_mark: | :white_check_mark: | :white_check_mark: |
+|[Entitlement management - Manage the lifecycle of external users](~/id-governance/entitlement-management-external-users.md#manage-the-lifecycle-of-external-users)||| :white_check_mark: | :white_check_mark: | :white_check_mark: |
 |[My Access portal](~/id-governance/my-access-portal-overview.md)||| :white_check_mark: | :white_check_mark: | :white_check_mark: |
 |[Entitlement management - Microsoft Entra Roles (Preview)](~/id-governance/entitlement-management-roles.md)|||| :white_check_mark: | :white_check_mark: |
 |[Entitlement management - Sponsors Policy](~/id-governance/entitlement-management-access-package-create.md)|||| :white_check_mark: | :white_check_mark: |