Merge pull request #6283 from MicrosoftDocs/main
12/11/2024 PM Publish
Taojunshen authored Dec 11, 2024
2 parents afa26b0 + 158d879 commit 8891f82
Showing 4 changed files with 28 additions and 26 deletions.
Expand Up @@ -208,6 +208,9 @@ As mentioned, custom extensions created with the request workflow type, which in

The following is an example to resume the processing of an access package assignment request by denying the request that's waiting for a callback. A request can't be denied at the **assignmentRequestCreated** stage of the callout.

> [!TIP]
> If you resume the access package assignment request via Azure Logic Apps, disable the [asynchronous pattern](/azure/connectors/connectors-native-http?tabs=standard#asynchronous-request-response-behavior).
``` http
POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/9e60f18c-b2a0-4887-9da8-da2e30a39d99/resume
```
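Review bot: the new `[!TIP]` block tells readers to disable the Logic Apps asynchronous pattern for the resume call but gives no reason, so state the failure mode a reader would otherwise hit (what happens to the HTTP action when the pattern stays enabled) rather than leaving an unexplained instruction; a reader who cannot recognise the symptom will not know the tip applies to them. Also add a blank line between the tip and the ` ``` http ` fence, since block elements with no separator render inconsistently across markdown engines.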
12 changes: 7 additions & 5 deletions docs/identity/authentication/how-to-mfa-manage-oath-tokens.md
Expand Up @@ -6,7 +6,7 @@ services: active-directory
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 11/14/2024
ms.date: 12/11/2024

ms.author: justinha
author: justinha
Expand Down Expand Up @@ -174,7 +174,7 @@ This example shows how to delete a token with token ID 3dee0e53-f50f-43ef-85c0-b
DELETE https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices/3dee0e53-f50f-43ef-85c0-b44689f2d66d
```

## Scenario: Admin creates and assigns a token that a user activates
## Scenario: Admin creates and assigns a hardare OATH token that a user activates

In this scenario, an Authentication Policy Administrator creates and assigns a token, and then a user can activate it on their Security info page, or by using Microsoft Graph Explorer. When you assign a token, you can share steps for the user to sign in to [Security info](https://aka.ms/mysecurityinfo) to activate their token. They can choose **Add sign-in method** > **Hardware token**. They need to provide the hardware token serial number, which is typically on the back of the device.

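Review bot: typo in the new heading `## Scenario: Admin creates and assigns a hardare OATH token that a user activates`; it should read `hardware OATH token`. Headings generate page anchors, so fix this before publish or the misspelling ends up in link fragments.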
Expand Down Expand Up @@ -258,7 +258,7 @@ Here are steps users can follow to self-activate their hardware OATH token by us
}
```

## Scenario: Admin creates token that users self-assign and activate
## Scenario: Admin creates multiple hardware OATH tokens in bulk that users self-assign and activate

In this scenario, an Authentication Administrator creates tokens without assignment, and users self-assign and activate the tokens. You can upload new tokens to the tenant in bulk. Users can sign in to [Security info](https://aka.ms/mysecurityinfo) to activate their token. They can choose **Add sign-in method** > **Hardware token**. They need to provide the hardware token serial number, which is typically on the back of the device.

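Review bot: the new heading promises tokens created "in bulk", but the body only mentions bulk upload as an option ("You can upload new tokens to the tenant in bulk"); either drop "multiple ... in bulk" from the heading or lead the body with the bulk upload so heading and content match. Separately, this scenario names the "Authentication Administrator" role while the previous scenario (unchanged context above) names "Authentication Policy Administrator"; confirm which role is actually required and use the same name in both places.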
Expand Down Expand Up @@ -294,9 +294,11 @@ PATCH https://graph.microsoft.com/beta/directory/authenticationMethodDevices/har



## Troubleshooting
## Troubleshooting hardware OATH token issues

### User has two tokens with the same SerialNumber
This section covers common

### User has two tokens with the same serial number

A user might have two instances of the same hardware OATH token registered as authentication methods. This happens if the legacy token isn't removed from **OATH tokens (Preview)** in the Microsoft Entra admin center after it's uploaded by using Microsoft Graph.

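Review bot: the added line `This section covers common` is an unfinished sentence under the new `## Troubleshooting hardware OATH token issues` heading; complete it (for example "...common issues with hardware OATH tokens.") or remove it, because the truncated sentence will ship to the live page as is. Also note that changing the sub-heading from `SerialNumber` to `serial number` changes its generated anchor, so check for inbound links to the old fragment.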
Expand Up @@ -6,7 +6,7 @@ manager: amycolannino
ms.service: entra-id
ms.topic: conceptual
ms.subservice: monitoring-health
ms.date: 09/10/2024
ms.date: 12/09/2024
ms.author: sarahlipsey
ms.reviewer: egreenberg14

Expand Down Expand Up @@ -65,3 +65,8 @@ You might identify Microsoft Graph events that don't correlate to a service prin

Sign-ins that show **Not applied** for Conditional Access can be difficult to interpret. If the sign-in is interrupted, the sign-in appears on the logs but shows **Not applied** for Conditional Access. Another common scenario is signing in to Windows Hello for Business. This sign-in doesn't have Conditional Access applied because the user is signing in to the device, not to cloud resources protected by Conditional Access.

## TimeGenerated field

If you're integrating your sign-in logs with Azure Monitor logs and Log Analytics, you might notice that the `TimeGenerated` field in the logs doesn't match the time the sign-in occurred. This discrepancy is due to the way the logs are ingested into Azure Monitor. The `TimeGenerated` field is the time the entry was received and published by Log Analytics, not the time the sign-in occurred. The `CreatedDateTime` field in the logs shows the time the sign-in occurred.

Similarly, risky sign-in events also display `TimeGenerated` as the time when the risky event was detected, not when the sign-in occurred. To find the actual sign-in time, you can use the `CorrelationId` to find the sign-in event in the logs and locate the sign-in time.
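Review bot: the last paragraph tells readers to use `CorrelationId` to recover the actual sign-in time for a risky sign-in event, while the FAQ edited in this same commit says to check the risky sign-in event itself for the activity time; pick one answer and use it in both documents. The FAQ also notes that Log Analytics shows times in UTC while the admin center shows local time; that is the other common cause of "the timestamp doesn't match" and belongs in this new `## TimeGenerated field` section too.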
32 changes: 12 additions & 20 deletions docs/identity/monitoring-health/reports-faq.yml
Expand Up @@ -8,7 +8,7 @@ metadata:
ms.service: entra-id
ms.topic: faq
ms.subservice: monitoring-health
ms.date: 02/21/2024
ms.date: 12/09/2024
ms.author: sarahlipsey
ms.reviewer: egreenberg14
title: Frequently asked questions around Microsoft Entra monitoring and health
Expand All @@ -27,7 +27,7 @@ sections:
- question: |
How soon should I see activity log data after getting a premium license?
answer: |
If you already have activity log data as a free license, then you can see it immediately. If you don't have any data, then it takes up to three days for the data to show up in the reports.
If you already have activity log data with a free license, you can see it immediately. If you don't have any data, it can take up to three days for the data to show up in the reports.
- question: |
Can I see last month's data after getting a Microsoft Entra ID P1 or P2 license?
Expand All @@ -40,12 +40,12 @@ sections:
- question: |
What role do I need to see the activity logs in the Microsoft Entra admin center?
answer: |
The [least privilege role](../../identity/role-based-access-control/delegate-by-task.md) to view audit and sign-in logs is **Reports Reader**. Other roles include **Security Reader** and **Security Administrator**.
The [least privileged role](../../identity/role-based-access-control/delegate-by-task.md) to view audit and sign-in logs is **Reports Reader**. Other roles include **Security Reader** and **Security Administrator**.
- question: |
What logs can I integrate with Azure Monitor?
answer: |
Sign-in and audit logs are both available for routing through Azure Monitor. B2C-related audit events are currently not included. For more information, see [Microsoft Entra activity log integrations](concept-log-monitoring-integration-options-considerations.md) and the [Graph API activity log overview](/graph/api/resources/azure-ad-auditlog-overview).
Sign-in, audit, provisioning, ID Protection, network access, and many other logs can be integrated with Azure Monitor and other monitoring and alerting tools. B2C-related audit events are currently not included. For a complete list of the Microsoft Entra logs that can be integrated with other endpoints, see [Log options for streaming to endpoints](concept-diagnostic-settings-logs-options.md).
- question: |
Can I get Microsoft 365 activity log information through the Microsoft Entra admin center or the Azure portal?
Expand All @@ -62,14 +62,8 @@ sections:
- question: |
How long does Microsoft Entra ID store activity logs? What is the data retention?
answer: |
Depending on your license, Microsoft Entra ID stores activity logs for between 7 and 30 days. For more information, see [Microsoft Entra report retention policies](reference-reports-data-retention.md).
- question: |
What happens if an administrator changes the retention period of a diagnostic setting?
answer: |
The Diagnostic settings storage retention feature is being deprecated. For details on this change, see [**Migrate from diagnostic settings storage retention to Azure Storage lifecycle management**](/azure/azure-monitor/essentials/migrate-to-azure-storage-lifecycle-policy).
Depending on your license, Microsoft Entra ID stores activity logs for between 7 and 30 days. For more information, see [Microsoft Entra report retention policies](reference-reports-data-retention.md).
- name: Audit logs
questions:
- question: |
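Review bot: removing the "What happens if an administrator changes the retention period of a diagnostic setting?" entry also removes the only pointer to the storage-retention deprecation and the Azure Storage lifecycle-management migration article. If the entry is being dropped because the feature is gone, consider keeping a one-line pointer under the retention answer so administrators still find the migration guidance.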
Expand All @@ -93,16 +87,12 @@ sections:
It's also important to note the columns included in the downloaded logs don't change, even if you customized the columns in the Microsoft Entra admin center.
- question: |
I see .XXX in part of the IP address from a user in my sign-in logs. Why is that happening?
I see .XXX in part of the IP address or "PII Removed" in the Device Details of a user in my sign-in logs. Why is that happening?
answer: |
Microsoft Entra ID might redact part of an IP address in the sign-in logs to protect user privacy when a user might not belong to the tenant viewing the logs. This action happens in two cases:
- During cross tenant sign ins, such as when a CSP technician signs into a tenant that CSP manages.
Microsoft Entra ID might redact part of a sign-in log to protect user privacy in the following scenarios:
- During cross-tenant sign ins, such as when a CSP technician signs into a tenant that CSP manages.
- When our service wasn't able to determine the user's identity with sufficient confidence to be sure the user belongs to the tenant viewing the logs.
- question: |
I see "PII Removed" in the Device Details of a user in my sign-in logs. Why is that happening?
answer: |
Microsoft Entra ID redacts Personally Identifiable Information (PII) generated by devices that don't belong to your tenant to ensure customer data. PII doesn't spread beyond tenant boundaries without user and data owner consent.
- Microsoft Entra ID redacts Personally Identifiable Information (PII) generated by devices that don't belong to your tenant to ensure customer data. PII doesn't spread beyond tenant boundaries without user and data owner consent.
- question: |
I see duplicate sign-in entries / multiple sign-in events per requestID. Why is that happening?
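Review bot: the third new bullet carries over the old wording "to ensure customer data", which is missing its object (presumably "to protect customer data"). The first two bullets describe situations while the third is a full statement, so reword it as a situation ("When device details come from devices that don't belong to your tenant") and move the sentence about PII not crossing tenant boundaries after the list. Also hyphenate "sign ins" as "sign-ins" in the first bullet for consistency with "cross-tenant" on the same line.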
Expand All @@ -120,6 +110,8 @@ sections:
To confirm the date and time match the sign-in, look for the `CreatedDateTime` field a little further down in the Log Analytics results. The `AuthenticationDetails` fields can also be expanded to see the exact time of the sign-in. The time in Log Analytics appear in UTC, but the time in the sign-in logs in the Microsoft Entra admin center appear in local time, so you might need to adjust.
Risky sign-in events also have a different TimeGenerated time than the actual sign-in time. The TimeGenerated time for risky sign-ins is the time the risk was detected, not the time of the sign-in. Check the risky sign-in event itself for the activity time, which is the actual time of the sign-in.
- question: |
Why do my non-interactive sign-ins appear to have the same time stamp?
answer: |
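Review bot: subject-verb agreement in the added paragraph: "The time in Log Analytics appear in UTC" should be "appears", and "The `AuthenticationDetails` fields can also be expanded" should be singular "field". Beyond grammar, this paragraph and the new `## TimeGenerated field` section added to the concept article in this commit give different recipes for finding the real time of a risky sign-in (the activity time on the event here, `CorrelationId` there); align the two.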