From e2e232f0d4e9c88030556bd097c71fc472089d76 Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Sun, 12 Nov 2023 16:59:59 -0800 Subject: [PATCH 01/22] Update troubleshoot-mac-sso-extension-plugin.md Added more details on troubleshooting --- .../troubleshoot-mac-sso-extension-plugin.md | 26 ++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md index 58477475f4c..da571130995 100644 --- a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md +++ b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md 
@@ -147,17 +147,41 @@ Apple provides a macOS tool for checking a number of common configuration issues If these checks have a warning or error then there might be TLS inspection occurring on the device. Work with your network team to exempt ***.cdn-apple.com** and ***.networking.apple** from TLS inspection. +##### Output detailed swcd logs + +Apple provides a command line utility called swcutil that allows monitoring the progress of the associated domain validation. You can monitor for any associated domain errors using the following command: + + ```zsh + sudo swcutil watch --verbose + ``` + +Look for the following entry in the logs and check if it is marked approved, or if there're any errors: + +``` +Entry s = authsrv, a = UBF8T346G9.com.microsoft.CompanyPortalMac, d = login.microsoftonline.com +``` + ##### Clear macOS TLS Inspection Cache -If you had issues with associated domains and have allow-listed domains in your on-device TLS inspection tool, you can run this command to reset the device's cache rather than waiting for the device to recover: +If you had issues with associated domains and have allow-listed domains in your on-device TLS inspection tool, then it might take some time for Apple's associated domain validation cache to be invalidated. Unfortunately, there're no deterministic steps that re-trigger associated domain re-validation on all machines, but there're a few things that can be attempted. +You can run following commands to reset the device's cache: ```zsh + pkill -9 swcd sudo swcutil reset + pkill -9 AppSSOAgent ``` Re-test the SSO extension configuration after resetting the cache. +Sometimes, above command is insufficient and doesn't fully reset the cache. In those cases, attempt the following: + +* Remove or move Intune Company Portal app to the Trash, then restart your device, then re-install Intune Company Portal app after restart. +* Re-enroll your device. 
+ +If none of above methods resolve your issue, there might be something else in your environment that could be blocking associated domain validation. If that happens, please reach out to Apple support for further troubleshooting. + #### Validate SSO configuration profile on macOS device Assuming the MDM administrator has followed the steps in the previous section [MDM Deployment of SSO Extension Profile](#mdm-deployment-of-sso-extension-configuration-profile), the next step is to verify if the profile has been deployed successfully to the device. From 77bbe7a4136426213e26aca572fc21b997d66986 Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Tue, 14 Nov 2023 08:00:46 -0800 Subject: [PATCH 02/22] Update docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md Co-authored-by: Owen Richards <91555661+OwenRichards1@users.noreply.github.com> --- docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md index da571130995..5f72db4527b 100644 --- a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md +++ b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md @@ -149,7 +149,7 @@ If these checks have a warning or error then there might be TLS inspection occur ##### Output detailed swcd logs -Apple provides a command line utility called swcutil that allows monitoring the progress of the associated domain validation. You can monitor for any associated domain errors using the following command: +Apple provides a command line utility called `swcutil` that allows for monitoring the progress of the associated domain validation. You can monitor for any associated domain errors using the following command: ```zsh sudo swcutil watch --verbose From 2ad523cde68f598dc6ac735717ea71de6eed9921 Mon Sep 17 00:00:00 2001 
From: Olga Dalton Date: Tue, 14 Nov 2023 08:00:55 -0800 Subject: [PATCH 03/22] Update docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md Co-authored-by: Owen Richards <91555661+OwenRichards1@users.noreply.github.com> --- docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md index 5f72db4527b..4bbb21aadbb 100644 --- a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md +++ b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md @@ -155,7 +155,7 @@ Apple provides a command line utility called `swcutil` that allows for monitorin sudo swcutil watch --verbose ``` -Look for the following entry in the logs and check if it is marked approved, or if there're any errors: +Locate the following entry in the logs and check if it is marked approved, or if there're any errors: ``` Entry s = authsrv, a = UBF8T346G9.com.microsoft.CompanyPortalMac, d = login.microsoftonline.com From 80ac039683a3c576bd2d3b3724ee14d22227d80c Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Tue, 14 Nov 2023 08:01:05 -0800 Subject: [PATCH 04/22] Update docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md Co-authored-by: Owen Richards <91555661+OwenRichards1@users.noreply.github.com> --- .../devices/troubleshoot-mac-sso-extension-plugin.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md index 4bbb21aadbb..340bcfaa10f 100644 --- a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md +++ b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md 
@@ -158,7 +158,11 @@ Apple provides a command line utility called `swcutil` that allows for monitorin Locate the following entry in the logs and check if it is marked approved, or if there're any errors: ``` -Entry s = authsrv, a = UBF8T346G9.com.microsoft.CompanyPortalMac, d = login.microsoftonline.com + + ``` + Entry s = authsrv, a = UBF8T346G9.com.microsoft.CompanyPortalMac, d = login.microsoftonline.com + ``` + ``` ##### Clear macOS TLS Inspection Cache From 09dfffa8c5317b6ec78ffcc571dc4c1e86e9e07e Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Tue, 14 Nov 2023 08:01:15 -0800 Subject: [PATCH 05/22] Update docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md Co-authored-by: Owen Richards <91555661+OwenRichards1@users.noreply.github.com> --- docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md index 340bcfaa10f..945bb9c25e3 100644 --- a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md +++ b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md 
@@ -167,7 +167,7 @@ Locate the following entry in the logs and check if it is marked approved, or if ##### Clear macOS TLS Inspection Cache -If you had issues with associated domains and have allow-listed domains in your on-device TLS inspection tool, then it might take some time for Apple's associated domain validation cache to be invalidated. Unfortunately, there're no deterministic steps that re-trigger associated domain re-validation on all machines, but there're a few things that can be attempted. +If you have issues with associated domains and have allow-listed domains in your on-device TLS inspection tool, then it may take some time for Apple's associated domain validation cache to be invalidated. Unfortunately, there're no deterministic steps that re-trigger associated domain re-validation on all machines, but there're a few things that can be attempted. You can run following commands to reset the device's cache: From 262ba27a63acbf306b5c26919d619661beca3719 Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Tue, 14 Nov 2023 08:01:24 -0800 Subject: [PATCH 06/22] Update docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md Co-authored-by: Owen Richards <91555661+OwenRichards1@users.noreply.github.com> --- docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md index 945bb9c25e3..c8aa7783dad 100644 --- a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md +++ b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md 
@@ -179,7 +179,7 @@ You can run following commands to reset the device's cache: Re-test the SSO extension configuration after resetting the cache. -Sometimes, above command is insufficient and doesn't fully reset the cache. In those cases, attempt the following: +Sometimes, this command is insufficient and doesn't fully reset the cache. In these cases, you can attempt the following: * Remove or move Intune Company Portal app to the Trash, then restart your device, then re-install Intune Company Portal app after restart. * Re-enroll your device. From 512f8cd21f1e89fd6401254da8e163ae94ddb2ff Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Tue, 14 Nov 2023 08:01:40 -0800 Subject: [PATCH 07/22] Update docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md Co-authored-by: Owen Richards <91555661+OwenRichards1@users.noreply.github.com> --- docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md index c8aa7783dad..3e956abddbb 100644 --- a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md +++ b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md 
@@ -181,7 +181,7 @@ Re-test the SSO extension configuration after resetting the cache. Sometimes, this command is insufficient and doesn't fully reset the cache. In these cases, you can attempt the following: -* Remove or move Intune Company Portal app to the Trash, then restart your device, then re-install Intune Company Portal app after restart. +* Remove or move the Intune Company Portal app to the Trash, then restart your device. After the restart is complete, you can try re-install the Company Portal app. * Re-enroll your device. If none of above methods resolve your issue, there might be something else in your environment that could be blocking associated domain validation. If that happens, please reach out to Apple support for further troubleshooting. From e554e91b4ab41ff1450f01aecd3e60ba71150bab Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Tue, 14 Nov 2023 08:02:21 -0800 Subject: [PATCH 08/22] Update docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md Co-authored-by: Owen Richards <91555661+OwenRichards1@users.noreply.github.com> --- docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md index 3e956abddbb..d88312e73c4 100644 --- a/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md +++ b/docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md 
@@ -184,7 +184,7 @@ Sometimes, this command is insufficient and doesn't fully reset the cache. In th * Remove or move the Intune Company Portal app to the Trash, then restart your device. After the restart is complete, you can try re-install the Company Portal app. * Re-enroll your device. -If none of above methods resolve your issue, there might be something else in your environment that could be blocking associated domain validation. If that happens, please reach out to Apple support for further troubleshooting. +If none of above methods resolve your issue, there may be something else in your environment that could be blocking the associated domain validation. If this happens, please reach out to Apple support for further troubleshooting. #### Validate SSO configuration profile on macOS device From 94f2e9b344c9060cd75b16d4ca248e908430a845 Mon Sep 17 00:00:00 2001 From: paulth1 <42621139+paulth1@users.noreply.github.com> Date: Thu, 7 Dec 2023 12:47:34 -0800 Subject: [PATCH 09/22] edit pass: groups-dynamic-rule-member-of --- .../users/groups-dynamic-rule-member-of.md | 34 ++++++++++--------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/docs/identity/users/groups-dynamic-rule-member-of.md b/docs/identity/users/groups-dynamic-rule-member-of.md index 1e8a45acd00..6b19af82006 100644 --- a/docs/identity/users/groups-dynamic-rule-member-of.md +++ b/docs/identity/users/groups-dynamic-rule-member-of.md @@ -1,6 +1,6 @@ --- title: Group membership for Microsoft Entra dynamic groups with memberOf -description: How to create a dynamic membership group that can contain members of other groups in Microsoft Entra ID. +description: Learn how to create a dynamic membership group that can contain members of other groups in Microsoft Entra ID. services: active-directory documentationcenter: '' author: billmath 
@@ -18,36 +18,38 @@ ms.collection: M365-identity-device-management # Group membership in a dynamic group (preview) in Microsoft Entra ID -This feature preview in Microsoft Entra ID, part of Microsoft Entra, enables admins to create dynamic groups and administrative units that populate by adding members of other groups using the memberOf attribute. Apps that couldn't read group-based membership previously in Microsoft Entra ID can now read the entire membership of these new memberOf groups. Not only can these groups be used for apps, they can also be used for licensing assignments. The following diagram illustrates how you could create Dynamic-Group-A with members of Security-Group-X and Security-Group-Y. Members of the groups inside of Security-Group-X and Security-Group-Y don't become members of Dynamic-Group-A. - -:::image type="content" source="./media/groups-dynamic-rule-member-of/member-of-diagram.png" alt-text="Diagram showing how the memberOf attribute works."::: +This feature preview in Microsoft Entra ID, part of Microsoft Entra, enables admins to create dynamic groups and administrative units that populate by adding members of other groups using the `memberOf` attribute. Apps that couldn't read group-based membership previously in Microsoft Entra ID can now read the entire membership of these new `memberOf` groups. Not only can these groups be used for apps but they can also be used for licensing assignments. -With this preview, admins can configure dynamic groups with the memberOf attribute in the Azure portal, Microsoft Graph, and PowerShell. Security groups, Microsoft 365 groups, groups that are synced from on-premises Active Directory can all be added as members of these dynamic groups, and can all be added to a single group. For example, the dynamic group could be a security group, but you can use Microsoft 365 groups, security groups, and groups that are synced from on-premises to define its membership. 
+The following diagram illustrates how you could create Dynamic-Group-A with members of Security-Group-X and Security-Group-Y. Members of the groups inside Security-Group-X and Security-Group-Y don't become members of Dynamic-Group-A. + +:::image type="content" source="./media/groups-dynamic-rule-member-of/member-of-diagram.png" alt-text="Diagram that shows how the memberOf attribute works."::: + +With this preview, admins can configure dynamic groups with the `memberOf` attribute in the Azure portal, Microsoft Graph, and PowerShell. Security groups, Microsoft 365 groups, and groups that are synced from on-premises Active Directory can all be added as members of these dynamic groups. They can also all be added to a single group. For example, the dynamic group could be a security group, but you can use Microsoft 365 groups, security groups, and groups that are synced from on-premises to define its membership. ## Prerequisites -Only administrators in the Global Administrator, Intune Administrator, or User Administrator role can use the memberOf attribute to create a Microsoft Entra dynamic group. You must have a Microsoft Entra ID P1 or P2 license for the Microsoft Entra tenant. +Only administrators in the Global Administrator, Intune Administrator, or User Administrator role can use the `memberOf` attribute to create a Microsoft Entra dynamic group. You must have a Microsoft Entra ID P1 or P2 license for the Microsoft Entra tenant. ## Preview limitations -- Each Microsoft Entra tenant is limited to 500 dynamic groups using the memberOf attribute. memberOf groups do count towards the total dynamic group member quota of 5,000. -- Each dynamic group can have up to 50 member groups. -- When adding members of security groups to memberOf dynamic groups, only direct members of the security group become members of the dynamic group. -- You can't use one memberOf dynamic group to define the membership of another memberOf dynamic groups. 
For example, Dynamic Group A, with members of group B and C in it, can't be a member of Dynamic Group D). +- Each Microsoft Entra tenant is limited to 500 dynamic groups using the `memberOf` attribute. The `memberOf` groups count toward the total dynamic group member quota of 5,000. +- Each dynamic group can have up to 50 member groups. +- When you add members of security groups to `memberOf` dynamic groups, only direct members of the security group become members of the dynamic group. +- You can't use one `memberOf` dynamic group to define the membership of another `memberOf` dynamic group. For example, Dynamic Group A, with members of group B and C in it, can't be a member of Dynamic Group D. - MemberOf can't be used with other rules. For example, a rule that states dynamic group A should contain members of group B and also should contain only users located in Redmond will fail. -- Dynamic group rule builder and validate feature can't be used for memberOf at this time. -- MemberOf can't be used with other operators. For example, you can't create a rule that states “Members Of group A can't be in Dynamic group B.” +- The dynamic group rule builder and validate feature can't be used for `memberOf` at this time. +- The `memberOf` attribute can't be used with other operators. For example, you can't create a rule that states "Members Of group A can't be in Dynamic group B." -## Getting started +## Get started -This feature can be used in the Azure portal, Microsoft Graph, and in PowerShell. Because memberOf isn't yet supported in the rule builder, you must enter your rule in the rule editor. +This feature can be used in the Azure portal, Microsoft Graph, and PowerShell. Because `memberOf` isn't yet supported in the rule builder, you must enter your rule in the rule editor. -### Steps to create a memberOf dynamic group +### Create a memberOf dynamic group 1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator). 1. Browse to **Identity** > **Groups** > **All groups**. 1. Select **New group**. -1. Fill in group details. The group type can be Security or Microsoft 365, and the membership type can be set to **Dynamic User** or **Dynamic Device**. +1. Fill in group details. The group type can be **Security** or **Microsoft 365**, and the membership type can be set to **Dynamic User** or **Dynamic Device**. 1. Select **Add dynamic query**. 1. MemberOf isn't yet supported in the rule builder. Select **Edit** to write the rule in the **Rule syntax** box. 1. Example user rule: `user.memberof -any (group.objectId -in ['groupId', 'groupId'])` From d2a59c9f008bf2244318c200a9c20d7bc177c338 Mon Sep 17 00:00:00 2001 From: paulth1 <42621139+paulth1@users.noreply.github.com> Date: Thu, 7 Dec 2023 12:56:34 -0800 Subject: [PATCH 10/22] fixing broken bookmark --- docs/fundamentals/whats-new-archive.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fundamentals/whats-new-archive.md b/docs/fundamentals/whats-new-archive.md index 0212a0cae34..8d7c2384d34 100644 --- a/docs/fundamentals/whats-new-archive.md +++ b/docs/fundamentals/whats-new-archive.md 
@@ -2006,7 +2006,7 @@ Temporary Access Pass (TAP) is now generally available. TAP can be used to secur -Create "nested" groups with Azure AD Dynamic Groups! This feature enables you to build dynamic Azure AD Security Groups and Microsoft 365 groups based on other groups! For example, you can now create Dynamic-Group-A with members of Group-X and Group-Y. For more information, see: [Steps to create a memberOf dynamic group](~/identity/users/groups-dynamic-rule-member-of.md#steps-to-create-a-memberof-dynamic-group). +Create "nested" groups with Azure AD Dynamic Groups! This feature enables you to build dynamic Azure AD Security Groups and Microsoft 365 groups based on other groups! For example, you can now create Dynamic-Group-A with members of Group-X and Group-Y. For more information, see: [Create a memberOf dynamic group](~/identity/users/groups-dynamic-rule-member-of.md#create-a-memberof-dynamic-group). --- From 490627029af20eba66ead92cb179b01734fc917c Mon Sep 17 00:00:00 2001 From: paulth1 <42621139+paulth1@users.noreply.github.com> Date: Thu, 7 Dec 2023 13:09:51 -0800 Subject: [PATCH 11/22] edit pass: groups-dynamic-rule-member-of --- docs/identity/users/groups-dynamic-rule-member-of.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/users/groups-dynamic-rule-member-of.md b/docs/identity/users/groups-dynamic-rule-member-of.md index 6b19af82006..167f2b25483 100644 --- a/docs/identity/users/groups-dynamic-rule-member-of.md +++ b/docs/identity/users/groups-dynamic-rule-member-of.md 
@@ -36,7 +36,7 @@ Only administrators in the Global Administrator, Intune Administrator, or User A - Each dynamic group can have up to 50 member groups. - When you add members of security groups to `memberOf` dynamic groups, only direct members of the security group become members of the dynamic group. - You can't use one `memberOf` dynamic group to define the membership of another `memberOf` dynamic group. For example, Dynamic Group A, with members of group B and C in it, can't be a member of Dynamic Group D. -- MemberOf can't be used with other rules. For example, a rule that states dynamic group A should contain members of group B and also should contain only users located in Redmond will fail. +- The `memberOf` attribute can't be used with other rules. For example, a rule that states dynamic group A should contain members of group B and also should contain only users located in Redmond will fail. - The dynamic group rule builder and validate feature can't be used for `memberOf` at this time. - The `memberOf` attribute can't be used with other operators. For example, you can't create a rule that states "Members Of group A can't be in Dynamic group B." From becd0ed61dbd353da68fa22ef1e089302b0bb5be Mon Sep 17 00:00:00 2001 From: paulth1 <42621139+paulth1@users.noreply.github.com> Date: Mon, 11 Dec 2023 16:41:17 -0800 Subject: [PATCH 12/22] edit pass: dynamic-groups-batch-4 --- docs/identity/users/groups-lifecycle.md | 137 +++++++++++++----------- 1 file changed, 76 insertions(+), 61 deletions(-) diff --git a/docs/identity/users/groups-lifecycle.md b/docs/identity/users/groups-lifecycle.md index dcdf6e47c34..ee06da0895e 100644 --- a/docs/identity/users/groups-lifecycle.md +++ b/docs/identity/users/groups-lifecycle.md 
@@ -1,6 +1,6 @@ --- title: Set expiration for Microsoft 365 groups -description: How to set up expiration for Microsoft 365 groups in Microsoft Entra ID +description: Learn how to set up expiration for Microsoft 365 groups in Microsoft Entra ID. services: active-directory documentationcenter: '' author: barclayn 
@@ -21,48 +21,61 @@ ms.collection: M365-identity-device-management # Configure the expiration policy for Microsoft 365 groups -This article tells you how to manage the lifecycle of Microsoft 365 groups by setting an expiration policy for them. You can set expiration policy only for Microsoft 365 groups in Microsoft Entra ID, part of Microsoft Entra. +This article tells you how to manage the lifecycle of Microsoft 365 groups by setting an expiration policy for them. You can set an expiration policy only for Microsoft 365 groups in Microsoft Entra ID. -Once you set a group to expire: +After you set a group to expire: - Groups with user activities are automatically renewed as the expiration nears. -- Owners of the group are notified to renew the group, if the group is not auto-renewed. -- Any group that is not renewed is deleted. -- Any Microsoft 365 group that is deleted can be restored within 30 days by the group owners or the administrator. +- Owners of the group are notified to renew the group, if the group isn't autorenewed. +- Any group that isn't renewed is deleted. +- Any Microsoft 365 group that was deleted can be restored within 30 days by the group owners or the administrator. -Currently, only one expiration policy can be configured for all Microsoft 365 groups in a Microsoft Entra organization. +Currently, you can configure only one expiration policy for all Microsoft 365 groups in a Microsoft Entra organization. > [!NOTE] > Configuring and using the expiration policy for Microsoft 365 groups requires you to possess but not necessarily assign Microsoft Entra ID P1 or P2 licenses for the members of all groups to which the expiration policy is applied. -For information on how to download and install the Azure AD PowerShell cmdlets, see [Azure Active Directory PowerShell for Graph 2.0.0.137](https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.137). 
+For information on how to download and install the Azure Active Directory (Azure AD) PowerShell cmdlets, see [Azure AD PowerShell for Graph 2.0.0.137](https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.137). [!INCLUDE [Azure AD PowerShell migration](../../includes/aad-powershell-migration-include.md)] ## Activity-based automatic renewal -With Microsoft Entra intelligence, groups are now automatically renewed based on whether they have been recently used. This feature eliminates the need for manual action by group owners, because it's based on user activity in groups across Microsoft 365 services like Outlook, SharePoint, Teams, or Yammer. For example, if an owner or a group member does something like upload a document to SharePoint, visit a Teams channel, send an email to the group in Outlook, or view a post in Yammer, the group is automatically renewed around 35 days before the group expires and the owner does not get any renewal notifications. +With Microsoft Entra intelligence, groups are now automatically renewed based on whether they were recently used. This feature eliminates the need for manual action by group owners. It's based on user activity in groups across Microsoft 365 services like Outlook, SharePoint, Teams, or Yammer. -For example, consider an expiration policy that is set so that a group expires after 30 days of inactivity. However, to keep from sending an expiration email the day that group expiration is enabled (because there's no record activity yet), Microsoft Entra first waits five days. If there is activity in those five days, the expiration policy works as expected. If there is no activity within five days, we send an expiration/renewal email. Of course, if the group was inactive for five days, an email was sent, and then the group was active, we will autorenew it and start the expiration period again. +For example, an owner or a group member might do something like: + +- Send an email to the group in Outlook. 
+- Upload a document to SharePoint. +- Visit a Teams channel. +- View a post in Yammer. + +In the preceding scenarios, the group is automatically renewed around 35 days before the group expires and the owner doesn't get any renewal notifications. + +Now consider an expiration policy that was set so that a group expires after 30 days of inactivity. To keep from sending an expiration email the day that group expiration is enabled (because there's no record activity yet), Microsoft Entra first waits five days. Then: + +- If there's activity in those five days, the expiration policy works as expected. +- If there's no activity within five days, Microsoft Entra sends an expiration or renewal email. +- If the group was inactive for five days, an email was sent, and then the group was active, Microsoft Entra autorenews it and starts the expiration period again. ### Activities that automatically renew group expiration The following user actions cause automatic group renewal: -- SharePoint: View, edit, download, move, share, or upload files -- Outlook: Join group, read/write group message from group space, Like a message (in Outlook Web Access) -- Teams: Visit a Teams channel -- Yammer: View a post within a Yammer community or an interactive email in Outlook +- **SharePoint**: View, edit, download, move, share, or upload files. +- **Outlook**: Join a group, read or write a group message from a group space, or "like" a message (in Outlook Web Access). +- **Teams**: Visit a Teams channel. +- **Yammer**: View a post within a Yammer community or an interactive email in Outlook. ### Auditing and reporting Administrators can get a list of automatically renewed groups from the activity audit logs in Microsoft Entra ID. 
-:::image type="content" source="./media/groups-lifecycle/audit-logs-autorenew-group.png" alt-text="Screenshot of automatic renewal of groups based on activity."::: +:::image type="content" source="./media/groups-lifecycle/audit-logs-autorenew-group.png" alt-text="Screenshot that shows automatic renewal of groups based on activity."::: ## Roles and permissions -The following are roles that can configure and use expiration for Microsoft 365 groups in Microsoft Entra ID. +The following roles can configure and use expiration for Microsoft 365 groups in Microsoft Entra ID. Role | Permissions -------- | -------- 
@@ -73,85 +86,87 @@ For more information on permissions to restore a deleted group, see [Restore a d ## Set group expiration -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). -1. Select Microsoft Entra ID. -1. Select **Groups**, **All groups** then select **Expiration** to open the expiration settings. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). +1. Select **Microsoft Entra ID**. +1. Select **Groups** > **All groups**, and then select **Expiration** to open the expiration settings. - :::image type="content" source="./media/groups-lifecycle/expiration-settings.png" alt-text="Screenshot of expiration settings for groups."::: + :::image type="content" source="./media/groups-lifecycle/expiration-settings.png" alt-text="Screenshot that shows expiration settings for groups."::: -3. On the **Expiration** page, you can: +1. On the **Expiration** page, you can: - - Set the group lifetime in days. You could select one of the preset values, or a custom value (should be 30 days or more). - - Specify an email address where the renewal and expiration notifications should be sent when a group has no owner. + - Set the group lifetime in days. You can select one of the preset values or a custom value. It should be 30 days or more. + - Specify an email address where the renewal and expiration notifications are sent when a group has no owner. - Select which Microsoft 365 groups expire. You can set expiration for: - - **All** Microsoft 365 groups - - A list of **Selected** Microsoft 365 groups - - **None** to restrict expiration for all groups + - **All** Microsoft 365 groups. + - **Selected** Microsoft 365 groups. + - **None** to restrict expiration for all groups. 
- Save your settings when you're done by selecting **Save**. > [!NOTE] > - When you first set up expiration, any groups that are older than the expiration interval are set to 35 days until expiration unless the group is automatically renewed or the owner renews it. -> - When a dynamic group is deleted and restored, it's seen as a new group and re-populated according to the rule. This process can take up to 24 hours. +> - When a dynamic group is deleted and restored, it's seen as a new group and repopulated according to the rule. This process can take up to 24 hours. > - Expiration notices for groups used in Teams appear in the Teams Owners feed. > - When you enable expiration for selected groups, you can add up to 500 groups to the list. If you need to add more than 500 groups, you can enable expiration for all your groups. In that scenario, the 500-group limitation doesn't apply. ->- Groups do not renew immediately when auto-renew activities occur. In the event of an activity, a flag is placed on the group to indicate it is ready for renewal when it's near expiry. If the group is near expiry, then renewal will occur within 24 hours. +>- Groups don't renew immediately when auto-renew activities occur. In the event of an activity, a flag is placed on the group to indicate it's ready for renewal when it's near expiry. If the group is near expiry, renewal occurs within 24 hours. ## Email notifications -If groups are not automatically renewed, email notifications such as this one are sent to the Microsoft 365 group owners 30 days, 15 days, and 1 day prior to expiration of the group. The language of the email is determined by groups owner's preferred language or Microsoft Entra language setting. If the group owner has defined a preferred language, or multiple owners have the same preferred language, then that language is used. For all other cases, Microsoft Entra language setting is used. 
+If groups aren't automatically renewed, email notifications like the following example are sent to the Microsoft 365 group owners 30 days, 15 days, and 1 day prior to expiration of the group. + + The groups owner's preferred language or the Microsoft Entra language setting determines the language of the email. If the group owner defined a preferred language, or multiple owners have the same preferred language, that language is used. For all other cases, the Microsoft Entra language setting is used. -:::image type="content" source="./media/groups-lifecycle/expiration-notification.png" alt-text="Screenshot of expiration email notifications."::: +:::image type="content" source="./media/groups-lifecycle/expiration-notification.png" alt-text="Screenshot that shows expiration email notifications."::: -From the **Renew group** notification email, group owners can directly access the group details page in the [Access Panel](https://account.activedirectory.windowsazure.com/r#/applications). There, the users can get more information about the group such as its description, when it was last renewed, when it will expire, and also the ability to renew the group. The group details page now also includes links to the Microsoft 365 group resources, so that the group owner can conveniently view the content and activity in their group. +From the **Renew group** notification email, group owners can directly access the group details page in the [Access Panel](https://account.activedirectory.windowsazure.com/r#/applications). There, users can get more information about the group, such as its description, when it was last renewed, when it will expire, and also the ability to renew the group. The group details page now also includes links to the Microsoft 365 group resources so that the group owner can conveniently view the content and activity in their group. 
>[!Important] -> If there is any problem with the notification emails, and they aren't sent out or they are delayed, be assured that Microsoft will never delete a group before the last email is sent. +> If there's any problem with the notification emails and they aren't sent out or they're delayed, be assured that Microsoft never deletes a group before the last email is sent. When a group expires, the group is deleted one day after the expiration date. An email notification such as this one is sent to the Microsoft 365 group owners informing them about the expiration and subsequent deletion of their Microsoft 365 group. -:::image type="content" source="./media/groups-lifecycle/deletion-notification.png" alt-text="Screenshot of group deletion email notifications."::: +:::image type="content" source="./media/groups-lifecycle/deletion-notification.png" alt-text="Screenshot that shows group deletion email notifications."::: -The group can be restored within 30 days of its deletion by selecting **Restore group** or by using PowerShell cmdlets, as described in [Restore a deleted Microsoft 365 group in Microsoft Entra ID](groups-restore-deleted.md). Please note that the 30-day group restoration period is not customizable. +You can restore the group within 30 days of its deletion by selecting **Restore group** or by using PowerShell cmdlets. For more information, see [Restore a deleted Microsoft 365 group in Microsoft Entra ID](groups-restore-deleted.md). The 30-day group restoration period isn't customizable. If the group you're restoring contains documents, SharePoint sites, or other persistent objects, it might take up to 24 hours to fully restore the group and its contents. 
-## How to retrieve Microsoft 365 group expiration date +## Retrieve the Microsoft 365 group expiration date -In addition to Access Panel where users can view group details including expiration date and last renewed date, expiration date of a Microsoft 365 group can be retrieved from Microsoft Graph REST API Beta. expirationDateTime as a group property has been enabled in Microsoft Graph Beta. It can be retrieved with a GET request. For more details, please refer to [this example](/graph/api/group-get?view=graph-rest-beta&preserve-view=true#example). +In addition to using Access Panel to view group details like expiration date and last renewed date, you can also retrieve the expiration date of a Microsoft 365 group from Microsoft Graph REST API Beta. The group property `expirationDateTime` is enabled in Microsoft Graph Beta. You can retrieve it with a GET request. For more information, see [this example](/graph/api/group-get?view=graph-rest-beta&preserve-view=true#example). > [!NOTE] -> In order to manage group memberships on Access Panel, "Restrict access to Groups in Access Panel" needs to be set to "No" in Microsoft Entra groups General Setting. +> To manage group memberships on Access Panel, **Restrict access to Groups in Access Panel** must be set to **No** in the Microsoft Entra groups **General** setting. -## How Microsoft 365 group expiration works with a mailbox on legal hold +## Microsoft 365 group expiration with a mailbox on legal hold -When a group expires and is deleted, then 30 days after deletion the group's data from apps like Planner, Sites, or Teams is permanently deleted, but the group mailbox that is on legal hold is retained and is not permanently deleted. The administrator can use Exchange cmdlets to restore the mailbox to fetch the data. +When a group expires and is deleted, 30 days after deletion the group's data from apps like Planner, Sites, or Teams is permanently deleted. 
The group mailbox that's on legal hold is retained and isn't permanently deleted. The administrator can use Exchange cmdlets to restore the mailbox to fetch the data. -## How Microsoft 365 group expiration works with retention policy +## Microsoft 365 group expiration with a retention policy -The retention policy is configured by way of the Security & Compliance portal. If you have set up a retention policy for Microsoft 365 groups, when a group expires and is deleted, the group conversations in the group mailbox and files in the group site are retained in the retention container for the specific number of days defined in the retention policy. Users won't see the group or its content after expiration, but can recover the site and mailbox data via e-discovery. +You can configure the retention policy in the Security & Compliance portal. There you can set up a retention policy for Microsoft 365 groups. When a group expires and is deleted, the group conversations in the group mailbox and files in the group site are retained in the retention container for the specific number of days defined in the retention policy. Users won't see the group or its content after expiration. They can recover the site and mailbox data via e-discovery. ## PowerShell examples Here are examples of how you can use PowerShell cmdlets to configure the expiration settings for Microsoft 365 groups in your Microsoft Entra organization: -1. Install the PowerShell v2.0 module and sign in at the PowerShell prompt: +1. Install the PowerShell v2.0 module and sign in at the PowerShell prompt. ``` PowerShell Install-Module -Name AzureAD Connect-AzureAD ``` -1. Configure the expiration settings Use the New-AzureADMSGroupLifecyclePolicy cmdlet to set the lifetime for all Microsoft 365 groups in the Microsoft Entra organization to 365 days. Renewal notifications for Microsoft 365 groups without owners will be sent to `emailaddress@contoso.com` +1. Configure the expiration settings. 
Use the `New-AzureADMSGroupLifecyclePolicy` cmdlet to set the lifetime for all Microsoft 365 groups in the Microsoft Entra organization to 365 days. Renewal notifications for Microsoft 365 groups without owners are sent to `emailaddress@contoso.com`. ``` PowerShell New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 365 -ManagedGroupTypes All -AlternateNotificationEmails emailaddress@contoso.com ``` -1. Retrieve the existing policy Get-AzureADMSGroupLifecyclePolicy: This cmdlet retrieves the current Microsoft 365 group expiration settings that have been configured. In this example, you can see: +1. Retrieve the existing policy `Get-AzureADMSGroupLifecyclePolicy`. This cmdlet retrieves the current Microsoft 365 group expiration settings that were configured. In this example, you can see: - - The policy ID - - The lifetime for all Microsoft 365 groups in the Microsoft Entra organization is set to 365 days - - Renewal notifications for Microsoft 365 groups without owners will be sent to 'emailaddress@contoso.com.' + - The policy ID. + - The lifetime for all Microsoft 365 groups in the Microsoft Entra organization is set to 365 days. + - Renewal notifications for Microsoft 365 groups without owners are sent to `emailaddress@contoso.com`. ```powershell Get-AzureADMSGroupLifecyclePolicy 
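Review bot: The sign-in step in this hunk lowercases the role link text to "Global administrator", while the same link in groups-assign-sensitivity-labels.md in this PR keeps "Global Administrator"; pick one casing for the whole edit pass. Two smaller style points in the same hunk: the rewritten note bullet "+>- Groups don't renew immediately ..." is missing the space after `>` that the other bullets in that note use (`> - `), and the first code fence in the PowerShell examples is "``` PowerShell" (space, capitalized) while the later fences in the same list are "```powershell"; normalizing it while the step text is being touched would keep the rendering consistent.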
@@ -161,40 +176,40 @@ Here are examples of how you can use PowerShell cmdlets to configure the expirat 26fcc232-d1c3-4375-b68d-15c296f1f077 365 All emailaddress@contoso.com ``` -1. Update the existing policy Set-AzureADMSGroupLifecyclePolicy: This cmdlet is used to update an existing policy. In the example below, the group lifetime in the existing policy is changed from 365 days to 180 days. +1. Update the existing policy `Set-AzureADMSGroupLifecyclePolicy`. This cmdlet is used to update an existing policy. In the following example, the group lifetime in the existing policy is changed from 365 days to 180 days. ```powershell Set-AzureADMSGroupLifecyclePolicy -Id "26fcc232-d1c3-4375-b68d-15c296f1f077" -GroupLifetimeInDays 180 -AlternateNotificationEmails "emailaddress@contoso.com" ``` -1. Add specific groups to the policy Add-AzureADMSLifecyclePolicyGroup: This cmdlet adds a group to the lifecycle policy. As an example: +1. Add specific groups to the policy `Add-AzureADMSLifecyclePolicyGroup`. This cmdlet adds a group to the lifecycle policy. As an example: ```powershell Add-AzureADMSLifecyclePolicyGroup -Id "26fcc232-d1c3-4375-b68d-15c296f1f077" -groupId "cffd97bd-6b91-4c4e-b553-6918a320211c" ``` -1. Remove the existing Policy Remove-AzureADMSGroupLifecyclePolicy: This cmdlet deletes the Microsoft 365 group expiration settings but requires the policy ID. This cmdlet disables expiration for Microsoft 365 groups. +1. Remove the existing policy `Remove-AzureADMSGroupLifecyclePolicy`. This cmdlet deletes the Microsoft 365 group expiration settings but requires the policy ID. This cmdlet disables expiration for Microsoft 365 groups. ```powershell Remove-AzureADMSGroupLifecyclePolicy -Id "26fcc232-d1c3-4375-b68d-15c296f1f077" ``` -The following cmdlets can be used to configure the policy in more detail. For more information, see [PowerShell documentation](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#groups). 
+You can use the following cmdlets to configure the policy in more detail. For more information, see [PowerShell documentation](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#groups). -- Get-AzureADMSGroupLifecyclePolicy -- New-AzureADMSGroupLifecyclePolicy -- Set-AzureADMSGroupLifecyclePolicy -- Remove-AzureADMSGroupLifecyclePolicy -- Add-AzureADMSLifecyclePolicyGroup -- Remove-AzureADMSLifecyclePolicyGroup -- Reset-AzureADMSLifeCycleGroup -- Get-AzureADMSLifecyclePolicyGroup +- `Get-AzureADMSGroupLifecyclePolicy` +- `New-AzureADMSGroupLifecyclePolicy` +- `Set-AzureADMSGroupLifecyclePolicy` +- `Remove-AzureADMSGroupLifecyclePolicy` +- `Add-AzureADMSLifecyclePolicyGroup` +- `Remove-AzureADMSLifecyclePolicyGroup` +- `Reset-AzureADMSLifeCycleGroup` +- `Get-AzureADMSLifecyclePolicyGroup` ## Next steps -These articles provide additional information on Microsoft Entra groups. +For more information on Microsoft Entra groups, see: -- [See existing groups](~/fundamentals/groups-view-azure-portal.md) +- [Existing groups](~/fundamentals/groups-view-azure-portal.md) - [Manage settings of a group](~/fundamentals/how-to-manage-groups.md) - [Manage members of a group](~/fundamentals/how-to-manage-groups.md) - [Manage memberships of a group](~/fundamentals/how-to-manage-groups.md) From d463034b0f7303f677949e264c16dd8fa01c96da Mon Sep 17 00:00:00 2001 From: paulth1 <42621139+paulth1@users.noreply.github.com> Date: Tue, 12 Dec 2023 13:49:08 -0800 Subject: [PATCH 13/22] edit pass: dynamic-groups-batch-4 --- .../users/groups-assign-sensitivity-labels.md | 93 ++++++++++--------- .../users/groups-self-service-management.md | 78 ++++++++-------- 2 files changed, 85 insertions(+), 86 deletions(-) diff --git a/docs/identity/users/groups-assign-sensitivity-labels.md b/docs/identity/users/groups-assign-sensitivity-labels.md index 7660d0c54e3..7d7e7a68554 100644 --- a/docs/identity/users/groups-assign-sensitivity-labels.md 
+++ b/docs/identity/users/groups-assign-sensitivity-labels.md @@ -1,6 +1,6 @@ --- title: Assign sensitivity labels to groups -description: Learn how to assign sensitivity labels to groups. See troubleshooting information and view additional available resources. +description: Learn how to assign sensitivity labels to groups. See troubleshooting information and view more resources. services: active-directory documentationcenter: '' author: barclayn 
@@ -18,14 +18,14 @@ ms.collection: M365-identity-device-management # Assign sensitivity labels to Microsoft 365 groups in Microsoft Entra ID -Microsoft Entra ID, part of Microsoft Entra, supports applying sensitivity labels published by the [Microsoft Purview compliance portal](https://compliance.microsoft.com) to Microsoft 365 groups. Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and SharePoint. For more information about Microsoft 365 apps support, see [Microsoft 365 support for sensitivity labels](/purview/sensitivity-labels-teams-groups-sites#support-for-the-sensitivity-labels). +Microsoft Entra ID supports applying sensitivity labels published by the [Microsoft Purview compliance portal](https://compliance.microsoft.com) to Microsoft 365 groups. Sensitivity labels apply to groups across services like Outlook, Microsoft Teams, and SharePoint. For more information about Microsoft 365 apps support, see [Microsoft 365 support for sensitivity labels](/purview/sensitivity-labels-teams-groups-sites#support-for-the-sensitivity-labels). > [!IMPORTANT] > To configure this feature, there must be at least one active Microsoft Entra ID P1 license in your Microsoft Entra organization. ## Enable sensitivity label support in PowerShell -To apply published labels to groups, you must first enable the feature. These steps enable the feature in Microsoft Entra ID. The Microsoft Graph PowerShell SDK comes in 2 modules, `Microsoft.Graph` and `Microsoft.Graph.Beta`. +To apply published labels to groups, you must first enable the feature. These steps enable the feature in Microsoft Entra ID. The Microsoft Graph PowerShell SDK comes in two modules, `Microsoft.Graph` and `Microsoft.Graph.Beta`. 1. Open a PowerShell prompt on your computer and run the following commands to prepare to run the cmdlets. 
@@ -46,13 +46,13 @@ To apply published labels to groups, you must first enable the feature. These st $grpUnifiedSetting = Get-MgBetaDirectorySetting -Search DisplayName:"Group.Unified" ``` - > [!NOTE] - > If no group settings have been created for this Microsoft Entra organization, you will get an empty screen. In this case, you must first create the settings. Follow the steps in [Microsoft Entra cmdlets for configuring group settings](~/identity/users/groups-settings-cmdlets.md) to create group settings for this Microsoft Entra organization. + + If no group settings were created for this Microsoft Entra organization, you get an empty screen. In this case, you must first create the settings. Follow the steps in [Microsoft Entra cmdlets for configuring group settings](~/identity/users/groups-settings-cmdlets.md) to create group settings for this Microsoft Entra organization. > [!NOTE] - > If the sensitivity label has been enabled previously, you will see **EnableMIPLabels** = **True**. In this case, you do not need to do anything. + > If the sensitivity label was enabled previously, you see **EnableMIPLabels** = **True**. In this case, you don't need to do anything. -1. Apply the new settings: +1. Apply the new settings. ```powershell $params = @{ 
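Review bot: Demoting the first `> [!NOTE]` (the "no group settings were created" case) to plain text leaves a whitespace-only added line ("+ " followed by spaces) above the paragraph, and the paragraph now sits at step indentation without any callout while the second `> [!NOTE]` directly below it keeps its callout. Either keep both notes as `> [!NOTE]` blocks or drop the blank "+" line so the paragraph reads as part of the step.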
@@ -74,97 +74,98 @@ To apply published labels to groups, you must first enable the feature. These st $Setting.Values ``` -If you’re receiving a Request_BadRequest error, it's because the settings already exist in the tenant, so when you try to create a new property:value pair, the result is an error. In this case, take the following steps: +If you receive a `Request_BadRequest` error, it's because the settings already exist in the tenant. When you try to create a new `property:value` pair, the result is an error. In this case, follow these steps: -1. Issue a `Get-MgBetaDirectorySetting | FL` cmdlet and check the ID. If several ID values are present, use the one where you see the EnableMIPLabels property on the Values settings. -1. Issue the `Update-MgBetaDirectorySetting` cmdlet, using the ID that you retrieved. +1. Issue a `Get-MgBetaDirectorySetting | FL` cmdlet and check the ID. If several ID values are present, use the one where you see the `EnableMIPLabels` property on the **Values** settings. +1. Issue the `Update-MgBetaDirectorySetting` cmdlet by using the ID that you retrieved. -You will also need to synchronize your sensitivity labels to Microsoft Entra ID. For instructions, see [How to enable sensitivity labels for containers and synchronize labels](/purview/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels). +You also need to synchronize your sensitivity labels to Microsoft Entra ID. For instructions, see [Enable sensitivity labels for containers and synchronize labels](/purview/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels). -## Assign a label to a new group in Azure portal +## Assign a label to a new group in the Azure portal 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). -1. 
Select Microsoft Entra ID. -1. Choose **Groups** > **All groups** > **New group**. -1. On the **New Group** page, select **Microsoft 365**, and then fill out the required information for the new group and select a sensitivity label from the list. +1. Select **Microsoft Entra ID**. +1. Select **Groups** > **All groups** > **New group**. +1. On the **New Group** page, select **Microsoft 365**. Then fill out the required information for the new group and select a sensitivity label from the list. - :::image type="content" source="./media/groups-assign-sensitivity-labels/new-group-page.png" alt-text="Screenshot of assigning a sensitivity label in the New groups page."::: + :::image type="content" source="./media/groups-assign-sensitivity-labels/new-group-page.png" alt-text="Screenshot that shows assigning a sensitivity label on the New groups page."::: 1. Select **Create** to save your changes. Your group is created and the site and group settings associated with the selected label are then automatically enforced. -## Assign a label to an existing group in Azure portal +## Assign a label to an existing group in the Azure portal 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). -1. Select Microsoft Entra ID. +1. Select **Microsoft Entra ID**. 1. Select **Groups**. 1. From the **All groups** page, select the group that you want to label. 1. On the selected group's page, select **Properties** and select a sensitivity label from the list. - :::image type="content" source="./media/groups-assign-sensitivity-labels/assign-to-existing.png" alt-text="Screenshot of assigning a sensitivity label on the overview page for a group."::: + :::image type="content" source="./media/groups-assign-sensitivity-labels/assign-to-existing.png" alt-text="Screenshot that shows assigning a sensitivity label on the overview page for a group."::: 1. 
Select **Save** to save your changes. -## Remove a label from an existing group in Azure portal +## Remove a label from an existing group in the Azure portal 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). -1. Select Microsoft Entra ID. +1. Select **Microsoft Entra ID**. 1. Select **Groups** > **All groups**. -1. From the **All groups** page, select the group that you want to remove the label from. +1. On the **All groups** page, select the group that you want to remove the label from. 1. On the **Group** page, select **Properties**. 1. Select **Remove**. 1. Select **Save** to apply your changes. -## Using classic Microsoft Entra classifications +## Use classic Microsoft Entra classifications -After you enable this feature, the “classic” classifications for groups will appear only existing groups and sites, and you should use them for new groups only if creating groups in apps that don’t support sensitivity labels. Your admin can convert them to sensitivity labels later if needed. Classic classifications are the old classifications you set up by defining values for the `ClassificationList` setting in Azure AD PowerShell. When this feature is enabled, those classifications will not be applied to groups. +After you enable this feature, the "classic" classifications for groups appear only on existing groups and sites. You should use them for new groups only if you create groups in apps that don't support sensitivity labels. Your admin can convert them to sensitivity labels later, if needed. Classic classifications are the old classifications you set up by defining values for the `ClassificationList` setting in Azure AD PowerShell. When this feature is enabled, those classifications aren't applied to groups. 
[!INCLUDE [Azure AD PowerShell migration](../../includes/aad-powershell-migration-include.md)] ## Troubleshooting issues -### Sensitivity labels are not available for assignment on a group +This section offers troubleshooting tips for common issues. + +### Sensitivity labels aren't available for assignment on a group -The sensitivity label option is only displayed for groups when all of the following conditions are met: +The sensitivity label option appears for groups only when all the following conditions are met: 1. The organization has an active Microsoft Entra ID P1 license. -1. The feature is enabled, EnableMIPLabels is set to True in from the Microsoft Graph PowerShell module. -1. In addition, the sensitivity labels are published in the Microsoft Purview compliance portal for this Microsoft Entra organization. -1. Labels are synchronized to Microsoft Entra ID with the Execute-AzureAdLabelSync cmdlet in the Security & Compliance PowerShell module. It can take up to 24 hours after synchronization for the label to be available to Microsoft Entra ID. +1. The feature is enabled and `EnableMIPLabels` is set to **True** in the Microsoft Graph PowerShell module. +1. The sensitivity labels are published in the Microsoft Purview compliance portal for this Microsoft Entra organization. +1. Labels are synchronized to Microsoft Entra ID with the `Execute-AzureAdLabelSync` cmdlet in the Security & Compliance PowerShell module. It can take up to 24 hours after synchronization for the label to be available to Microsoft Entra ID. 1. The [sensitivity label scope](/purview/sensitivity-labels?preserve-view=true&view=o365-worldwide#label-scopes) must be configured for Groups & Sites. -3. The group is a Microsoft 365 group. -4. The current signed-in user: - 1. has sufficient privileges to assign sensitivity labels. The user must be a Global Administrator, Group Administrator, or the group owner - 1. 
and must be within the scope of the [sensitivity label publishing policy](/purview/sensitivity-labels?preserve-view=true&view=o365-worldwide#what-label-policies-can-do) +1. The group is a Microsoft 365 group. +1. The current signed-in user: + 1. Has sufficient privileges to assign sensitivity labels. The user must be a Global Administrator, Group Administrator, or the group owner. + 1. Must be within the scope of the [sensitivity label publishing policy](/purview/sensitivity-labels?preserve-view=true&view=o365-worldwide#what-label-policies-can-do). -Please make sure all the conditions above are met in order to assign labels to a group. +Make sure all the preceding conditions are met to assign labels to a group. -### The label I want to assign is not in the list +### The label you want to assign isn't in the list -If the label you are looking for is not in the list, this could be the case for one of the following reasons: +If the label you're looking for isn't in the list: -- The label might not be published in the Microsoft Purview compliance portal. This could also apply to labels that are no longer published. Please check with your administrator for more information. -- The label may be published, however, it is not available to the user that is signed-in. Please check with your administrator for more information on how to get access to the label. +- The label might not be published in the Microsoft Purview compliance portal. Also, the label might no longer be published. Check with your administrator for more information. +- The label might be published, but it isn't available to the user who is signed in. Check with your administrator for more information on how to get access to the label. 
-### How to change the label on a group +### Change the label on a group -Labels can be swapped at any time using the same steps as assigning a label to an existing group, as follows: +Labels can be swapped at any time by using the same steps as assigning a label to an existing group: -1. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). -1. Select Microsoft Entra ID. -1. Select **Groups**. -1. Choose **All groups**, select the group that you want to label. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). +1. Select **Microsoft Entra ID**. +1. Select **Groups** > **All groups** and select the group that you want to label. 1. On the selected group's page, select **Properties** and select a new sensitivity label from the list. 1. Select **Save**. ### Group setting changes to published labels aren't updated on the groups -When you make changes to group settings for a published label in the [Microsoft Purview compliance portal](https://compliance.microsoft.com), those policy changes aren't automatically applied on the labeled groups. Once the sensitivity label is published and applied to groups, Microsoft recommend that you not change the group settings for the label in the Microsoft Purview compliance portal. +When you make changes to group settings for a published label in the [Microsoft Purview compliance portal](https://compliance.microsoft.com), those policy changes aren't automatically applied on the labeled groups. After the sensitivity label is published and applied to groups, Microsoft recommends that you don't change the group settings for the label in the Microsoft Purview compliance portal. 
-If you must make a change, use a [PowerShell script](https://github.com/microsoftgraph/powershell-aad-samples/blob/master/ReassignSensitivityLabelToO365Groups.ps1) to manually apply updates to the impacted groups. This method makes sure that all existing groups enforce the new setting. +If you must make a change, use a [PowerShell script](https://github.com/microsoftgraph/powershell-aad-samples/blob/master/ReassignSensitivityLabelToO365Groups.ps1) to manually apply updates to the affected groups. This method makes sure that all existing groups enforce the new setting. ## Next steps diff --git a/docs/identity/users/groups-self-service-management.md b/docs/identity/users/groups-self-service-management.md index 407209fb549..6c135c3a5a4 100644 --- a/docs/identity/users/groups-self-service-management.md +++ b/docs/identity/users/groups-self-service-management.md @@ -1,6 +1,6 @@ --- title: Set up self-service group management -description: Create and manage security groups or Microsoft 365 groups in Microsoft Entra ID and request security group or Microsoft 365 group memberships +description: Create and manage security groups or Microsoft 365 groups in Microsoft Entra ID and request security group or Microsoft 365 group memberships. services: active-directory documentationcenter: '' author: barclayn 
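Review bot: The closing paragraph of this hunk still sends readers to a script in the powershell-aad-samples repo, while the same file carries the Azure AD PowerShell migration include (see the `[!INCLUDE [Azure AD PowerShell migration] ...]` line above the troubleshooting section); since the edit pass touches this sentence, it is worth confirming the linked script still applies with Microsoft Graph PowerShell or stating which module it depends on. Minor style point in the `Request_BadRequest` steps: `Get-MgBetaDirectorySetting | FL` uses the `FL` alias, and spelling out `Format-List` matches the rest of the page, which uses full cmdlet names.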
@@ -18,98 +18,96 @@ ms.custom: it-pro, seo-update-azuread-jan, has-azure-ad-ps-ref, azure-ad-ref-lev ms.collection: M365-identity-device-management --- -# Set up self-service group management in Microsoft Entra ID +# Set up self-service group management in Microsoft Entra ID -You can enable users to create and manage their own security groups or Microsoft 365 groups in Microsoft Entra ID, part of Microsoft Entra. The owner of the group can approve or deny membership requests, and can delegate control of group membership. Self-service group management features are not available for [mail-enabled security groups or distribution lists](~/fundamentals/concept-learn-about-groups.md). +You can enable users to create and manage their own security groups or Microsoft 365 groups in Microsoft Entra ID. The owner of the group can approve or deny membership requests and delegate control of group membership. Self-service group management features aren't available for [mail-enabled security groups or distribution lists](~/fundamentals/concept-learn-about-groups.md). ## Self-service group membership -You can allow users to create security groups, which are used to manage access to shared resources. Security groups can be created by users in Azure portals, using Azure AD PowerShell, or from the [MyApps Groups Access panel](https://account.activedirectory.windowsazure.com/r#/groups). +You can allow users to create security groups, which are used to manage access to shared resources. Users can create security groups in the Azure portal by using Azure Active Directory (Azure AD) PowerShell or from the [MyApps Groups Access Panel](https://account.activedirectory.windowsazure.com/r#/groups). [!INCLUDE [Azure AD PowerShell migration](../../includes/aad-powershell-migration-include.md)] -Only the group's owners can update membership, but you can provide group owners the ability to approve or deny membership requests from the MyApps Groups Access panel. 
Security groups created by self-service through the MyApps Groups Access panel are available to join for all users, whether owner-approved or auto-approved. In the MyApps Groups Access panel, you can change membership options when you create the group. +Only the group's owners can update membership, but you can provide group owners with the ability to approve or deny membership requests from the MyApps Groups Access Panel. Security groups created by self-service through the MyApps Groups Access Panel are available to join for all users, whether owner-approved or autoapproved. In the MyApps Groups Access Panel, you can change membership options when you create the group. -Microsoft 365 groups, which provide collaboration opportunities for your users, can be created in any of the Microsoft 365 applications, such as SharePoint, Microsoft Teams, and Planner. Microsoft 365 groups can also be created in Azure portals, using Microsoft Graph PowerShell, or from the MyApps Groups Access panel. For more information on the difference between security groups and Microsoft 365 groups, see [Learn about groups](~/fundamentals/concept-learn-about-groups.md#what-to-know-before-creating-a-group) +Microsoft 365 groups provide collaboration opportunities for your users. You can create groups in any of the Microsoft 365 applications, such as SharePoint, Microsoft Teams, and Planner. You can also create Microsoft 365 groups in Azure portals by using Microsoft Graph PowerShell or from the MyApps Groups Access Panel. For more information on the difference between security groups and Microsoft 365 groups, see [Learn about groups](~/fundamentals/concept-learn-about-groups.md#what-to-know-before-creating-a-group). 
Groups created in | Security group default behavior | Microsoft 365 group default behavior ------------------ | ------------------------------- | --------------------------------- -[Microsoft Graph PowerShell](/entra/identity/users/groups-settings-v2-cmdlets) | Only owners can add members
Visible but not available to join in MyApp Groups Access panel | Open to join for all users -[Azure portal](https://portal.azure.com) | Only owners can add members
Visible but not available to join in MyApps Groups Access panel
Owner is not assigned automatically at group creation | Open to join for all users -[MyApps Groups Access panel](https://account.activedirectory.windowsazure.com/r#/joinGroups) | Open to join for all users
Membership options can be changed when the group is created | Open to join for all users
Membership options can be changed when the group is created +[Microsoft Graph PowerShell](/entra/identity/users/groups-settings-v2-cmdlets) | Only owners can add members.
Visible but not available to join in MyApp Groups Access Panel. | Open to join for all users. +[Azure portal](https://portal.azure.com) | Only owners can add members.
Visible but not available to join in MyApps Groups Access Panel.
Owner isn't assigned automatically at group creation. | Open to join for all users. +[MyApps Groups Access Panel](https://account.activedirectory.windowsazure.com/r#/joinGroups) | Open to join for all users.
Membership options can be changed when the group is created. | Open to join for all users.
Membership options can be changed when the group is created. ## Self-service group management scenarios -* **Delegated group management** - An example is an administrator who is managing access to a Software as a Service (SaaS) application that the company is using. Managing these access rights is becoming cumbersome, so this administrator asks the business owner to create a new group. The administrator assigns access for the application to the new group, and adds to the group all people already accessing the application. The business owner then can add more users, and those users are automatically provisioned to the application. The business owner doesn't need to wait for the administrator to manage access for users. If the administrator grants the same permission to a manager in a different business group, that person can also manage access for their own group members. Neither the business owner nor the manager can view or manage each other's group memberships. The administrator can still see all users who have access to the application and block access rights if needed. -* **Self-service group management** - An example of this scenario is two users who both have SharePoint Online sites that they set up independently. They want to give each other's teams access to their sites. To accomplish this, they can create one group in Microsoft Entra ID, and in SharePoint Online each of them selects that group to provide access to their sites. When someone wants access, they request it from the MyApps Groups Access Panel, and after approval they get access to both SharePoint Online sites automatically. Later, one of them decides that all people accessing the site should also get access to a particular SaaS application. The administrator of the SaaS application can add access rights for the application to the SharePoint Online site. From then on, any requests that get approved give access to the two SharePoint Online sites and also to this SaaS application. 
+* **Delegated group management**: An example scenario is an administrator who is managing access to a software as a service (SaaS) application that the company is using. Managing these access rights is cumbersome, so this administrator asks the business owner to create a new group. The administrator assigns access for the application to the new group and adds to the group all people already accessing the application. The business owner then can add more users, and those users are automatically provisioned to the application. The business owner doesn't need to wait for the administrator to manage access for users. If the administrator grants the same permission to a manager in a different business group, that person can also manage access for their own group members. The business owner and the manager can't view or manage each other's group memberships. The administrator can still see all users who have access to the application and block access rights, if needed. +* **Self-service group management**: An example scenario is two users who both have SharePoint Online sites that they set up independently. They want to give each other's teams access to their sites. To accomplish this task, they can create one group in Microsoft Entra ID, and in SharePoint Online each of them selects that group to provide access to their sites. When someone wants access, they request it from the MyApps Groups Access Panel. After approval, they get access to both SharePoint Online sites automatically. Later, one of them decides that all people accessing the site should also get access to a particular SaaS application. The administrator of the SaaS application can add access rights for the application to the SharePoint Online site. From then on, any requests that get approved give access to the two SharePoint Online sites and also to the SaaS application. ## Make a group available for user self-service 1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator). -1. Select Microsoft Entra ID. +1. Select **Microsoft Entra ID**. -2. Select **All groups** > **Groups**, and then select **General** settings. +1. Select **All groups** > **Groups**, and then select **General** settings. - > [!NOTE] - > This setting only restricts access of group information in **My Groups**. It does not restrict access to group information via other methods like Microsoft Graph API calls or the Microsoft Entra admin center. + > [!NOTE] + > This setting only restricts access of group information in **My Groups**. It doesn't restrict access to group information via other methods like Microsoft Graph API calls or the Microsoft Entra admin center. -:::image type="content" source="./media/groups-self-service-management/groups-settings-general.png" alt-text="Screenshot of Microsoft Entra groups general settings."::: + :::image type="content" source="./media/groups-self-service-management/groups-settings-general.png" alt-text="Screenshot that shows Microsoft Entra groups General settings."::: > [!NOTE] - > In June 2024, the setting **Restrict users access to My Groups** will change to **Restrict users ability to see and edit security groups in My Groups.** If the setting is currently set to ‘Yes,’ end users will be able to access My Groups in June 2024, but will not be able to see security groups. + > In June 2024, the setting **Restrict users access to My Groups** changes to **Restrict users ability to see and edit security groups in My Groups.** If the setting is currently set to **Yes**, users can access My Groups in June 2024 but can't see security groups. -3. Set **Owners can manage group membership requests in the Access Panel** to **Yes**. -4. Set **Restrict user ability to access groups features in the Access Panel** to **No**. -5. 
Set **Users can create security groups in Azure portals, API or PowerShell** to **Yes** or **No**. +1. Set **Owners can manage group membership requests in the Access Panel** to **Yes**. +1. Set **Restrict user ability to access groups features in the Access Panel** to **No**. +1. Set **Users can create security groups in Azure portals, API or PowerShell** to **Yes** or **No**. - For more information about this setting, see the next section [Group settings](#group-settings). + For more information about this setting, see [Group settings](#group-settings). -6. Set **Users can create Microsoft 365 groups in Azure portals, API or PowerShell** to **Yes** or **No**. +1. Set **Users can create Microsoft 365 groups in Azure portals, API or PowerShell** to **Yes** or **No**. - For more information about this setting, see the next section [Group settings](#group-settings). + For more information about this setting, see [Group settings](#group-settings). You can also use **Owners who can assign members as group owners in the Azure portal** to achieve more granular access control over self-service group management for your users. -When users can create groups, all users in your organization are allowed to create new groups and then can, as the default owner, add members to these groups. You can't specify individuals who can create their own groups. You can specify individuals only for making another group member a group owner. +When users can create groups, all users in your organization are allowed to create new groups. As the default owner, they can then add members to these groups. You can't specify individuals who can create their own groups. You can specify individuals only for making another group member a group owner. > [!NOTE] -> A Microsoft Entra ID P1 or P2 license is required for users to request to join a security group or Microsoft 365 group and for owners to approve or deny membership requests. 
Without a Microsoft Entra ID P1 or P2 license, users can still manage their groups in the MyApp Groups Access panel, but they can't create a group that requires owner approval and they can't request to join a group. +> A Microsoft Entra ID P1 or P2 license is required for users to request to join a security group or Microsoft 365 group and for owners to approve or deny membership requests. Without a Microsoft Entra ID P1 or P2 license, users can still manage their groups in the MyApp Groups Access Panel. But they can't create a group that requires owner approval, and they can't request to join a group. ## Group settings The group settings enable you to control who can create security and Microsoft 365 groups. -:::image type="content" source="./media/groups-self-service-management/security-groups-setting.png" alt-text="Screenshot of Microsoft Entra security groups setting change."::: +:::image type="content" source="./media/groups-self-service-management/security-groups-setting.png" alt-text="Screenshot that shows Microsoft Entra security groups setting change."::: The following table helps you decide which values to choose. | Setting | Value | Effect on your tenant | | --- | :---: | --- | -| Users can create security groups in Azure portals, API or PowerShell | Yes | All users in your Microsoft Entra organization are allowed to create new security groups and add members to these groups in Azure portals, API, or PowerShell. These new groups would also show up in the Access Panel for all other users. If the policy setting on the group allows it, other users can create requests to join these groups. | -| | No | Users can't create security groups and can't change existing groups for which they are an owner. However, they can still manage the memberships of those groups and approve requests from other users to join their groups. 
| -| Users can create Microsoft 365 groups in Azure portals, API or PowerShell | Yes | All users in your Microsoft Entra organization are allowed to create new Microsoft 365 groups and add members to these groups in Azure portals, API, or PowerShell. These new groups would also show up in the Access Panel for all other users. If the policy setting on the group allows it, other users can create requests to join these groups. | -| | No | Users can't create Microsoft 365 groups and can't change existing groups for which they are an owner. However, they can still manage the memberships of those groups and approve requests from other users to join their groups. | +| Users can create security groups in the Azure portal, API, or PowerShell. | Yes | All users in your Microsoft Entra organization are allowed to create new security groups and add members to these groups in the Azure portal, API, or PowerShell. These new groups also show up in the Access Panel for all other users. If the policy setting on the group allows it, other users can create requests to join these groups. | +| | No | Users can't create security groups and can't change existing groups for which they're an owner. They can still manage the memberships of those groups and approve requests from other users to join their groups. | +| Users can create Microsoft 365 groups in the Azure portal, API, or PowerShell. | Yes | All users in your Microsoft Entra organization are allowed to create new Microsoft 365 groups and add members to these groups in the Azure portal, API, or PowerShell. These new groups also show up in the Access Panel for all other users. If the policy setting on the group allows it, other users can create requests to join these groups. | +| | No | Users can't create Microsoft 365 groups and can't change existing groups for which they're an owner. They can still manage the memberships of those groups and approve requests from other users to join their groups. 
| -Here are some additional details about these group settings. +Here are some more details about these group settings: -- These setting can take up to 15 minutes to take effect. +- These settings can take up to 15 minutes to take effect. - If you want to enable some, but not all, of your users to create groups, you can assign those users a role that can create groups, such as [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator). -- These settings are for users and don't impact service principals. For example, if you have a service principal with permissions to create groups, even if you set these settings to **No**, the service principal will still be able to create groups. +- These settings are for users and don't affect service principals. For example, if you had a service principal with permissions to create groups, even if you set these settings to **No**, the service principal can still create groups. -## Configure group settings using Microsoft Graph +## Configure group settings by using Microsoft Graph -To configure the _Users can create security groups in Azure portals, API or PowerShell_ setting using Microsoft Graph, configure the **EnableGroupCreation** object in the groupSettings object. For more information, see [Overview of group settings](/graph/group-directory-settings). +To configure the **Users can create security groups in Azure portals, API or PowerShell** setting by using Microsoft Graph, configure the `EnableGroupCreation` object in the `groupSettings` object. For more information, see [Overview of group settings](/graph/group-directory-settings). -To configure the _Users can create security groups in Azure portals, API or PowerShell_ setting using Microsoft Graph, update the **allowedToCreateSecurityGroups** property of **defaultUserRolePermissions** in the [authorizationPolicy](/graph/api/resources/authorizationpolicy) object. 
+To configure the **Users can create security groups in Azure portals, API or PowerShell** setting by using Microsoft Graph, update the `allowedToCreateSecurityGroups` property of `defaultUserRolePermissions` in the [authorizationPolicy](/graph/api/resources/authorizationpolicy) object. ## Next steps -These articles provide additional information on Microsoft Entra ID. +For more information on Microsoft Entra ID, see: * [Manage access to resources with Microsoft Entra groups](~/fundamentals/concept-learn-about-groups.md) * [Microsoft Entra cmdlets for configuring group settings](~/identity/users/groups-settings-cmdlets.md) -* [Application Management in Microsoft Entra ID](~/identity/enterprise-apps/what-is-application-management.md) +* [Application management in Microsoft Entra ID](~/identity/enterprise-apps/what-is-application-management.md) * [What is Microsoft Entra ID?](~/fundamentals/whatis.md) * [Integrate your on-premises identities with Microsoft Entra ID](~/identity/hybrid/whatis-hybrid-identity.md) From 3971682fb9dd6e732847df0fee269bb9b2cc5eed Mon Sep 17 00:00:00 2001 From: paulth1 <42621139+paulth1@users.noreply.github.com> Date: Tue, 12 Dec 2023 14:19:14 -0800 Subject: [PATCH 14/22] edit pass: dynamic-groups-batch-4 --- .../users/groups-assign-sensitivity-labels.md | 2 +- .../users/groups-self-service-management.md | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/docs/identity/users/groups-assign-sensitivity-labels.md b/docs/identity/users/groups-assign-sensitivity-labels.md index 7d7e7a68554..e4be2c8dd04 100644 --- a/docs/identity/users/groups-assign-sensitivity-labels.md +++ b/docs/identity/users/groups-assign-sensitivity-labels.md 
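Review bot: in the groups-self-service-management.md hunk, the two paragraphs under "Configure group settings by using Microsoft Graph" both describe the **Users can create security groups in Azure portals, API or PowerShell** setting yet point at different objects (`EnableGroupCreation` in `groupSettings` versus `allowedToCreateSecurityGroups` in `authorizationPolicy`); the table earlier in the hunk lists two distinct settings, and `EnableGroupCreation` in the group settings template governs Microsoft 365 group creation, so the first paragraph should name the **Users can create Microsoft 365 groups in Azure portals, API or PowerShell** setting. Two smaller points in the same hunk: "Users can create security groups in the Azure portal by using Azure Active Directory (Azure AD) PowerShell or from the MyApps Groups Access Panel" now reads as if PowerShell is used inside the portal, whereas the removed line listed three separate routes (portal, PowerShell, Access Panel), and the Microsoft 365 groups sentence was rewritten the same way; restore the list ("in the Azure portal, by using ... PowerShell, or from the ..."). Also, the table rewrites the UI labels to "Users can create security groups in the Azure portal, API, or PowerShell." while the numbered steps and the Graph paragraphs keep the literal label "Users can create security groups in Azure portals, API or PowerShell"; quote UI labels verbatim so readers can match them on screen.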
@@ -157,7 +157,7 @@ Labels can be swapped at any time by using the same steps as assigning a label t 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). 1. Select **Microsoft Entra ID**. -1. Select **Groups** > **All groups** and select the group that you want to label. +1. Select **Groups** > **All groups**, and then select the group that you want to label. 1. On the selected group's page, select **Properties** and select a new sensitivity label from the list. 1. Select **Save**. diff --git a/docs/identity/users/groups-self-service-management.md b/docs/identity/users/groups-self-service-management.md index 6c135c3a5a4..8b7c3e145fd 100644 --- a/docs/identity/users/groups-self-service-management.md +++ b/docs/identity/users/groups-self-service-management.md 
@@ -40,8 +40,19 @@ Groups created in | Security group default behavior | Microsoft 365 group defaul ## Self-service group management scenarios -* **Delegated group management**: An example scenario is an administrator who is managing access to a software as a service (SaaS) application that the company is using. Managing these access rights is cumbersome, so this administrator asks the business owner to create a new group. The administrator assigns access for the application to the new group and adds to the group all people already accessing the application. The business owner then can add more users, and those users are automatically provisioned to the application. The business owner doesn't need to wait for the administrator to manage access for users. If the administrator grants the same permission to a manager in a different business group, that person can also manage access for their own group members. The business owner and the manager can't view or manage each other's group memberships. The administrator can still see all users who have access to the application and block access rights, if needed. -* **Self-service group management**: An example scenario is two users who both have SharePoint Online sites that they set up independently. They want to give each other's teams access to their sites. To accomplish this task, they can create one group in Microsoft Entra ID, and in SharePoint Online each of them selects that group to provide access to their sites. When someone wants access, they request it from the MyApps Groups Access Panel. After approval, they get access to both SharePoint Online sites automatically. Later, one of them decides that all people accessing the site should also get access to a particular SaaS application. The administrator of the SaaS application can add access rights for the application to the SharePoint Online site. 
From then on, any requests that get approved give access to the two SharePoint Online sites and also to the SaaS application. +Two scenarios help to explain self-service group management. + +### Delegated group management + +In this example scenario, an administrator manages access to a software as a service (SaaS) application that the company is using. Managing the access rights is cumbersome, so the administrator asks the business owner to create a new group. The administrator assigns access for the application to the new group and adds to the group all people already accessing the application. The business owner then can add more users, and those users are automatically provisioned to the application. + +The business owner doesn't need to wait for the administrator to manage access for users. If the administrator grants the same permission to a manager in a different business group, that person can also manage access for their own group members. The business owner and the manager can't view or manage each other's group memberships. The administrator can still see all users who have access to the application and block access rights, if needed. + +### Self-service group management + +In this example scenario, two users have SharePoint Online sites that they set up independently. They want to give each other's teams access to their sites. To accomplish this task, they can create one group in Microsoft Entra ID. In SharePoint Online, each of them selects that group to provide access to their sites. + +When someone wants access, they request it from the MyApps Groups Access Panel. After approval, they get access to both SharePoint Online sites automatically. Later, one of them decides that all people accessing the site should also get access to a particular SaaS application. The administrator of the SaaS application can add access rights for the application to the SharePoint Online site. 
From then on, any requests that get approved give access to the two SharePoint Online sites and also to the SaaS application. ## Make a group available for user self-service From 5e9859acd78547dc1e068d3926c7ee5525add7b2 Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Thu, 14 Dec 2023 08:08:58 -0800 Subject: [PATCH 15/22] Update apple-sso-plugin.md - network config --- docs/identity-platform/apple-sso-plugin.md | 25 ++++++++++++---------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/docs/identity-platform/apple-sso-plugin.md b/docs/identity-platform/apple-sso-plugin.md index 2d7e615b42f..7bc3d52e440 100644 --- a/docs/identity-platform/apple-sso-plugin.md +++ b/docs/identity-platform/apple-sso-plugin.md 
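Review bot: in the groups-self-service-management.md hunk, the new H3 "Self-service group management" repeats both its parent H2 "Self-service group management scenarios" and the article title, so the table of contents shows the same phrase at three levels; a heading that names the scenario (for example, a shared group for two SharePoint Online sites) would distinguish it from the "Delegated group management" one.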
@@ -338,20 +338,23 @@ For the SSO plug-in to function properly, Apple devices should be allowed to rea Here is the minimum set of URLs that need to be allowed for the SSO plug-in to function: - - `*.cdn-apple.com` - - `*.networking.apple` - - `login.microsoftonline.com` - - `login.microsoft.com` - - `sts.windows.net` - - `login.partner.microsoftonline.cn` - - `login.chinacloudapi.cn` - - `login.microsoftonline.us` - - `login-us.microsoftonline.com` + - `app-site-association.cdn-apple.com` + - `app-site-association.networking.apple` + - `login.microsoftonline.com`(*) + - `login.microsoft.com`(*) + - `sts.windows.net`(*) + - `login.partner.microsoftonline.cn`(*)(**) + - `login.chinacloudapi.cn`(*)(**) + - `login.microsoftonline.us`(*)(**) + - `login-us.microsoftonline.com`(*)(**) + +(*) Allowing Microsoft domains is only required on operating system versions released before 2022. On the latest operating system versions, Apple relies fully on its CDN. +(**) You only need to allow sovereign cloud domains if you rely on those in your environment. > [!WARNING] -> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access. +> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs will cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access. **SSO plugin will not work reliably without fully excluding Apple CDN domains from interception, and you will experience intermittent issues until you do so. 
** -If your organization blocks these URLs users may see errors like `1012 NSURLErrorDomain error` or `1000 com.apple.AuthenticationServices.AuthorizationError`. +If your organization blocks these URLs users may see errors like `1012 NSURLErrorDomain error`, `1000 com.apple.AuthenticationServices.AuthorizationError` or `1001 Unexpected`. Other Apple URLs that may need to be allowed are documented in their support article, [Use Apple products on enterprise networks](https://support.apple.com/HT210060). From 1b869c646902b6d0b95b2ffd75b9891a5a93d916 Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Thu, 14 Dec 2023 08:10:05 -0800 Subject: [PATCH 16/22] Update apple-sso-plugin.md --- docs/identity-platform/apple-sso-plugin.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/identity-platform/apple-sso-plugin.md b/docs/identity-platform/apple-sso-plugin.md index 7bc3d52e440..76ee44fd60c 100644 --- a/docs/identity-platform/apple-sso-plugin.md +++ b/docs/identity-platform/apple-sso-plugin.md 
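Review bot: the footnote "(*) Allowing Microsoft domains is only required on operating system versions released before 2022" is too vague for an allow-list decision; name the iOS, iPadOS and macOS versions from which Apple's CDN alone is sufficient, since a network team needs a version number, not a year. Two rendering problems in the same hunk: the "(*)" and "(**)" lines have no blank line between them, so Markdown merges them into one paragraph, and in the warning the closing `**` is preceded by a space ("... until you do so. **"), which breaks the bold span. Replacing the `*.cdn-apple.com` and `*.networking.apple` wildcards with the specific `app-site-association.*` hosts narrows the TLS-inspection exemption, which is the right direction, but any other article in the set that still tells network teams to exempt the wildcard domains should be updated in the same change so the two lists don't disagree. Minor: "`1000 com.apple.AuthenticationServices.AuthorizationError` or `1001 Unexpected`" wants a comma before "or".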
@@ -349,10 +349,11 @@ Here is the minimum set of URLs that need to be allowed for the SSO plug-in to f - `login-us.microsoftonline.com`(*)(**) (*) Allowing Microsoft domains is only required on operating system versions released before 2022. On the latest operating system versions, Apple relies fully on its CDN. + (**) You only need to allow sovereign cloud domains if you rely on those in your environment. > [!WARNING] -> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs will cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access. **SSO plugin will not work reliably without fully excluding Apple CDN domains from interception, and you will experience intermittent issues until you do so. ** +> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs will cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access. SSO plugin will not work reliably without fully excluding Apple CDN domains from interception, and you will experience intermittent issues until you do so. If your organization blocks these URLs users may see errors like `1012 NSURLErrorDomain error`, `1000 com.apple.AuthenticationServices.AuthorizationError` or `1001 Unexpected`. From 295e852f6e84b43c657c01f6e9908ddb8d66d632 Mon Sep 17 00:00:00 2001 
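Review bot: the added "(**)" line carries a leading space (`+ (**) You only need...`) that the "(*)" line above it doesn't, so align the indentation; the blank line itself correctly splits the two footnotes into separate paragraphs, and dropping the `** ... **` span removes the bold that was already broken by the space before its closing delimiter. The commit subject "Update apple-sso-plugin.md" doesn't say what changed; a subject such as "apple-sso-plugin: separate footnotes, drop bold in warning" would help anyone reading the history.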
From: paulth1 <42621139+paulth1@users.noreply.github.com> Date: Thu, 14 Dec 2023 13:23:14 -0800 Subject: [PATCH 17/22] edit pass: dynamic-groups-batch-4 --- docs/identity/users/groups-assign-sensitivity-labels.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/identity/users/groups-assign-sensitivity-labels.md b/docs/identity/users/groups-assign-sensitivity-labels.md index e4be2c8dd04..da91ca29311 100644 --- a/docs/identity/users/groups-assign-sensitivity-labels.md +++ b/docs/identity/users/groups-assign-sensitivity-labels.md @@ -81,7 +81,7 @@ If you receive a `Request_BadRequest` error, it's because the settings already e You also need to synchronize your sensitivity labels to Microsoft Entra ID. For instructions, see [Enable sensitivity labels for containers and synchronize labels](/purview/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels). -## Assign a label to a new group in the Azure portal +## Assign a label to a new group in the Microsoft Entra admin center 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). 1. Select **Microsoft Entra ID**. @@ -94,7 +94,7 @@ You also need to synchronize your sensitivity labels to Microsoft Entra ID. For Your group is created and the site and group settings associated with the selected label are then automatically enforced. -## Assign a label to an existing group in the Azure portal +## Assign a label to an existing group in the Microsoft Entra admin center 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). 1. Select **Microsoft Entra ID**. 
@@ -106,7 +106,7 @@ Your group is created and the site and group settings associated with the select 1. Select **Save** to save your changes. -## Remove a label from an existing group in the Azure portal +## Remove a label from an existing group in the Microsoft Entra admin center 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). 1. Select **Microsoft Entra ID**. From d7c39516a770cac4d51190c23adcb678c4ec67e6 Mon Sep 17 00:00:00 2001 From: Ryan Wike <> Date: Fri, 15 Dec 2023 15:35:15 -0800 Subject: [PATCH 18/22] Adding missing customer intent statements --- docs/identity-platform/app-objects-and-service-principals.md | 4 ++-- docs/identity-platform/configurable-token-lifetimes.md | 2 +- docs/identity-platform/configure-token-lifetimes.md | 2 +- .../deploy-web-app-authentication-pipeline.md | 2 +- docs/identity-platform/developer-glossary.md | 2 +- docs/identity-platform/federation-metadata.md | 4 ++-- docs/identity-platform/howto-add-branding-in-apps.md | 3 ++- .../howto-add-terms-of-service-privacy-statement.md | 4 ++-- .../howto-authenticate-service-principal-powershell.md | 4 ++-- docs/identity-platform/mark-app-as-publisher-verified.md | 2 +- docs/identity-platform/publisher-verification-overview.md | 2 +- docs/identity-platform/reference-app-manifest.md | 2 +- docs/identity-platform/reference-breaking-changes.md | 2 +- docs/identity-platform/reference-error-codes.md | 2 +- docs/identity-platform/signing-key-rollover.md | 2 +- docs/identity-platform/single-and-multi-tenant-apps.md | 2 +- docs/identity-platform/troubleshoot-publisher-verification.md | 1 + docs/identity-platform/v2-admin-consent.md | 2 +- docs/identity-platform/v2-conditional-access-dev-guide.md | 2 +- docs/identity-platform/v2-howto-get-appsource-certified.md | 2 +- 20 files changed, 25 insertions(+), 23 deletions(-) 
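Review bot: renaming the three H2s from "... in the Azure portal" to "... in the Microsoft Entra admin center" changes their auto-generated anchors (for example `#assign-a-label-to-a-new-group-in-the-azure-portal`), so check for inbound links to the old anchors in this article and the rest of the set and update them in the same commit; the rename itself is consistent with the sign-in step under each heading, which already points at the Microsoft Entra admin center.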
diff --git a/docs/identity-platform/app-objects-and-service-principals.md b/docs/identity-platform/app-objects-and-service-principals.md index 1eae276afee..ffd2772808c 100644 --- a/docs/identity-platform/app-objects-and-service-principals.md +++ b/docs/identity-platform/app-objects-and-service-principals.md @@ -5,12 +5,12 @@ author: rwike77 manager: CelesteDG ms.author: ryanwi ms.custom: has-azure-ad-ps-ref -ms.date: 05/22/2023 +ms.date: 12/15/2023 ms.reviewer: sureshja ms.service: active-directory ms.subservice: develop ms.topic: conceptual -#Customer intent: +# Customer intent: As an application developer, I want to understand the relationship between application objects and service principal objects in Microsoft Entra ID, so that I can properly register and manage my application's identity and access management functions. --- # Application and service principal objects in Microsoft Entra ID diff --git a/docs/identity-platform/configurable-token-lifetimes.md b/docs/identity-platform/configurable-token-lifetimes.md index fafc790ce6a..1bc6c2df70d 100644 --- a/docs/identity-platform/configurable-token-lifetimes.md +++ b/docs/identity-platform/configurable-token-lifetimes.md @@ -10,7 +10,7 @@ ms.reviewer: joroja ms.service: active-directory ms.subservice: develop ms.topic: conceptual -#Customer intent: +#Customer intent: As an IT admin, I want to configure the lifetime of access, ID, and SAML tokens for different types of applications, so that I can help mitigate the actions of a malicous actor who has obtained a token. --- # Configurable token lifetimes in the Microsoft identity platform (preview) diff --git a/docs/identity-platform/configure-token-lifetimes.md b/docs/identity-platform/configure-token-lifetimes.md index d3811cf44f1..aaafa45608e 100644 --- a/docs/identity-platform/configure-token-lifetimes.md +++ b/docs/identity-platform/configure-token-lifetimes.md 
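Review bot: `malicous` in the configurable-token-lifetimes.md intent line should be `malicious`. In the app-objects-and-service-principals.md hunk the marker is written `# Customer intent:` with a space, while every other file in this patch uses `#Customer intent:`; pick one form so anything that scans for the marker matches all of them.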
@@ -10,7 +10,7 @@ ms.reviewer: joroja ms.service: active-directory ms.subservice: develop ms.topic: how-to -#Customer intent: +#Customer intent: As an IT admin, I want to create and assign token lifetime policies to apps and service principals, so that I can control the lifetime of access, SAML, or ID tokens for improved security and authentication management. --- # Configure token lifetime policies (preview) diff --git a/docs/identity-platform/deploy-web-app-authentication-pipeline.md b/docs/identity-platform/deploy-web-app-authentication-pipeline.md index d687c6779b9..e3912a6d7b8 100644 --- a/docs/identity-platform/deploy-web-app-authentication-pipeline.md +++ b/docs/identity-platform/deploy-web-app-authentication-pipeline.md @@ -10,7 +10,7 @@ ms.reviewer: mahender, jukullam ms.service: active-directory ms.subservice: develop ms.topic: how-to -#Customer intent: +#Customer intent: As a developer, I want to deploy a web app in a pipeline and configure App Service authentication using Azure Pipelines, so that I can automate the deployment process and secure access to the web app. --- # Deploy a web app in a pipeline and configure App Service authentication diff --git a/docs/identity-platform/developer-glossary.md b/docs/identity-platform/developer-glossary.md index 7190b9cc83e..a651563872c 100644 --- a/docs/identity-platform/developer-glossary.md +++ b/docs/identity-platform/developer-glossary.md @@ -9,7 +9,7 @@ ms.reviewer: ms.service: active-directory ms.subservice: develop ms.topic: reference -#Customer intent: +#Customer intent: As a developer integrating with the Microsoft identity platform, I want to understand the terminology and concepts related to authentication and authorization, so that I can effectively implement secure access to protected resources in my application. --- # Glossary: Microsoft identity platform diff --git a/docs/identity-platform/federation-metadata.md b/docs/identity-platform/federation-metadata.md index 1df279650d0..884e018cc14 100644 
--- a/docs/identity-platform/federation-metadata.md +++ b/docs/identity-platform/federation-metadata.md @@ -10,12 +10,12 @@ ms.reviewer: ludwignick ms.service: active-directory ms.subservice: azuread-dev ms.topic: conceptual -#Customer intent: +#Customer intent: As a developer integrating with Microsoft Entra ID, I want to understand the federation metadata document format and endpoints, so that I can configure my application to validate the issuer and token signing certificates of security tokens issued by Microsoft Entra ID. --- # Federation metadata -Microsoft Entra ID publishes a federation metadata document for services that is configured to accept the security tokens that Microsoft Entra ID issues. The federation metadata document format is described in the [Web Services Federation Language (WS-Federation) Version 1.2](https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html), which extends [Metadata for the OASIS Security Assertion Markup Language (SAML) v2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). +Microsoft Entra ID publishes a federation metadata document for services that are configured to accept the security tokens that Microsoft Entra ID issues. The federation metadata document format is described in the [Web Services Federation Language (WS-Federation) Version 1.2](https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html), which extends [Metadata for the OASIS Security Assertion Markup Language (SAML) v2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). ## Tenant-specific and tenant-independent metadata endpoints diff --git a/docs/identity-platform/howto-add-branding-in-apps.md b/docs/identity-platform/howto-add-branding-in-apps.md index 31c81e483a9..2660f161ca6 100644 --- a/docs/identity-platform/howto-add-branding-in-apps.md +++ b/docs/identity-platform/howto-add-branding-in-apps.md 
@@ -5,11 +5,12 @@ author: rwike77 manager: CelesteDG ms.author: ryanwi ms.custom: signin_art -ms.date: 07/26/2023 +ms.date: 12/15/2023 ms.reviewer: arielgo ms.service: active-directory ms.subservice: develop ms.topic: conceptual +#Customer intent: As a developer integrating with Microsoft Entra ID, I want to understand the branding guidelines for applications, so that I can correctly use the appropriate Microsoft logo and images in my app. --- # Sign in with Microsoft: Branding guidelines for applications diff --git a/docs/identity-platform/howto-add-terms-of-service-privacy-statement.md b/docs/identity-platform/howto-add-terms-of-service-privacy-statement.md index 8075fc7bf66..8644218520d 100644 --- a/docs/identity-platform/howto-add-terms-of-service-privacy-statement.md +++ b/docs/identity-platform/howto-add-terms-of-service-privacy-statement.md @@ -5,12 +5,12 @@ author: rwike77 manager: CelesteDG ms.author: ryanwi ms.custom: -ms.date: 03/07/2023 +ms.date: 12/15/2023 ms.reviewer: sureshja ms.service: active-directory ms.subservice: develop ms.topic: how-to -#Customer intent: +#Customer intent: As an application developer building a multi-tenant app, I want to configure the terms of service and privacy statement for my app, so that I can help gain user's trust and encourage them to consent to using my app. --- # Configure terms of service and privacy statement for an app diff --git a/docs/identity-platform/howto-authenticate-service-principal-powershell.md b/docs/identity-platform/howto-authenticate-service-principal-powershell.md index 298a635fab3..bf703c209ed 100644 --- a/docs/identity-platform/howto-authenticate-service-principal-powershell.md +++ b/docs/identity-platform/howto-authenticate-service-principal-powershell.md 
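Review bot: `gain user's trust` in the howto-add-terms-of-service-privacy-statement.md intent line should be `gain users' trust` (plural possessive). Also, this hunk and the branding and service-principal hunks bump `ms.date` to 12/15/2023, but the other files in this patch that receive a new intent line do not; either the date bump belongs with the change for all of them or for none.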
@@ -5,13 +5,13 @@ author: rwike77 manager: CelesteDG ms.author: ryanwi ms.custom: devx-track-azurepowershell -ms.date: 03/07/2023 +ms.date: 12/15/2023 ms.reviewer: tomfitz ms.service: active-directory ms.subservice: develop ms.tgt_pltfrm: multiple ms.topic: how-to -#Customer intent: +#Customer intent: As a developer, I want to create a service principal with a certificate, so my app or script can authenticate and access resources with its own credentials. --- # Use Azure PowerShell to create a service principal with a certificate diff --git a/docs/identity-platform/mark-app-as-publisher-verified.md b/docs/identity-platform/mark-app-as-publisher-verified.md index 0391103658b..46dcaa2509d 100644 --- a/docs/identity-platform/mark-app-as-publisher-verified.md +++ b/docs/identity-platform/mark-app-as-publisher-verified.md @@ -10,7 +10,7 @@ ms.reviewer: xurobert ms.service: active-directory ms.subservice: develop ms.topic: how-to -#Customer intent: +#Customer intent: As a developer integrating my app with the Microsoft identity platform, I want to complete the publisher verification process for my app registration, so that users can see that my app is publisher verified and trust its authenticity. --- # Mark your app as publisher verified diff --git a/docs/identity-platform/publisher-verification-overview.md b/docs/identity-platform/publisher-verification-overview.md index e2e650b769f..c962f7b6449 100644 --- a/docs/identity-platform/publisher-verification-overview.md +++ b/docs/identity-platform/publisher-verification-overview.md 
@@ -10,7 +10,7 @@ ms.reviewer: xurobert ms.service: active-directory ms.subservice: develop ms.topic: conceptual -#Customer intent: +#Customer intent: As a developer integrating my app with the Microsoft identity platform, I want to learn about the publisher verification process, so that my organization can be identified as authentic by Microsoft and my app can gain increased transparency, improved branding, and smoother enterprise adoption. --- # Publisher verification diff --git a/docs/identity-platform/reference-app-manifest.md b/docs/identity-platform/reference-app-manifest.md index f44a029d73d..4a17ce04227 100644 --- a/docs/identity-platform/reference-app-manifest.md +++ b/docs/identity-platform/reference-app-manifest.md @@ -10,7 +10,7 @@ ms.reviewer: sureshja ms.service: active-directory ms.subservice: develop ms.topic: reference -#Customer intent: +#Customer intent: As an application developer, I want to configure the attributes of an application in the Microsoft Entra admin center or programmatically, so that I can update the application object and define permissions and roles for the app. --- # Microsoft Entra app manifest diff --git a/docs/identity-platform/reference-breaking-changes.md b/docs/identity-platform/reference-breaking-changes.md index 7257b81a3dd..b22cf556981 100644 --- a/docs/identity-platform/reference-breaking-changes.md +++ b/docs/identity-platform/reference-breaking-changes.md @@ -10,7 +10,7 @@ ms.reviewer: ludwignick ms.service: active-directory ms.subservice: develop ms.topic: reference -#Customer intent: +#Customer intent: As a developer, I want to stay updated on the changes and updates to the Microsoft identity platform, so that I can ensure the security, usability, and compliance of my applications. --- # What's new for authentication? diff --git a/docs/identity-platform/reference-error-codes.md b/docs/identity-platform/reference-error-codes.md index acaf6bedd3d..421973b8ca9 100644 
--- a/docs/identity-platform/reference-error-codes.md +++ b/docs/identity-platform/reference-error-codes.md @@ -10,7 +10,7 @@ ms.reviewer: ludwignick ms.service: active-directory ms.subservice: develop ms.topic: reference -#Customer intent: +#Customer intent: As a developer troubleshooting authentication errors, I want to understand the meaning and possible resolutions for the AADSTS error codes returned by the Microsoft Entra security token service, so that I can effectively debug and fix authentication issues in my application. --- # Microsoft Entra authentication and authorization error codes diff --git a/docs/identity-platform/signing-key-rollover.md b/docs/identity-platform/signing-key-rollover.md index 48a09cc0e5b..e38c0141396 100644 --- a/docs/identity-platform/signing-key-rollover.md +++ b/docs/identity-platform/signing-key-rollover.md @@ -10,7 +10,7 @@ ms.reviewer: paulgarn, ludwignick ms.service: active-directory ms.subservice: develop ms.topic: conceptual -#Customer intent: +#Customer intent: As a developer using the Microsoft identity platform for authentication in my web application, I want to ensure that my application can handle public key rollover automatically, so that my application will continue to validate token signatures without manual intervention. --- # Signing key rollover in the Microsoft identity platform diff --git a/docs/identity-platform/single-and-multi-tenant-apps.md b/docs/identity-platform/single-and-multi-tenant-apps.md index 40cbebcd93d..0cc86c88e21 100644 --- a/docs/identity-platform/single-and-multi-tenant-apps.md +++ b/docs/identity-platform/single-and-multi-tenant-apps.md 
@@ -10,7 +10,7 @@ ms.reviewer: justhu ms.service: active-directory ms.subservice: develop ms.topic: conceptual -#Customer intent: +#Customer intent: As a developer, I want to understand the concept of tenancy in Microsoft Entra ID, so that I can configure my app to be either single-tenant or multi-tenant during app registration and determine who can sign in to my app. --- # Tenancy in Microsoft Entra ID diff --git a/docs/identity-platform/troubleshoot-publisher-verification.md b/docs/identity-platform/troubleshoot-publisher-verification.md index bc34f20c81a..03effc18c52 100644 --- a/docs/identity-platform/troubleshoot-publisher-verification.md +++ b/docs/identity-platform/troubleshoot-publisher-verification.md @@ -10,6 +10,7 @@ ms.reviewer: xurobert ms.service: active-directory ms.subservice: develop ms.topic: troubleshooting +#Customer intent: As a developer troubleshooting publisher verification, I want to understand the common issues and potential error codes related to the process, so that I can resolve any issues and successfully complete the verification for my application. --- # Troubleshoot publisher verification diff --git a/docs/identity-platform/v2-admin-consent.md b/docs/identity-platform/v2-admin-consent.md index 1600f084f48..b752e58fb18 100644 --- a/docs/identity-platform/v2-admin-consent.md +++ b/docs/identity-platform/v2-admin-consent.md @@ -10,7 +10,7 @@ ms.reviewer: ludwignick ms.service: active-directory ms.subservice: develop ms.topic: reference -#Customer intent: +#Customer intent: As an application developer, I want to use the admin consent endpoint in my app, so that the user can request permissions from the organization's admin if needed. --- # Admin consent on the Microsoft identity platform diff --git a/docs/identity-platform/v2-conditional-access-dev-guide.md b/docs/identity-platform/v2-conditional-access-dev-guide.md index 70a84b5b9f5..5549bfb66d5 100644 --- a/docs/identity-platform/v2-conditional-access-dev-guide.md 
+++ b/docs/identity-platform/v2-conditional-access-dev-guide.md @@ -11,7 +11,7 @@ ms.reviewer: jmprieur, saeeda ms.service: active-directory ms.subservice: develop ms.topic: conceptual -#Customer intent: +#Customer intent: As a developer building apps for Microsoft Entra ID, I want to understand how my app is impacted by Conditional Access challenges, so that I can secure my app and protect the services it accesses. --- # Developer guidance for Microsoft Entra Conditional Access diff --git a/docs/identity-platform/v2-howto-get-appsource-certified.md b/docs/identity-platform/v2-howto-get-appsource-certified.md index 23ceb0a3642..4625b015e62 100644 --- a/docs/identity-platform/v2-howto-get-appsource-certified.md +++ b/docs/identity-platform/v2-howto-get-appsource-certified.md @@ -10,7 +10,7 @@ ms.reviewer: jeedes ms.service: active-directory ms.subservice: develop ms.topic: how-to -#Customer intent: +#Customer intent: As a developer, I want to understand the requirements for listing a standalone SaaS application on Microsoft AppSource, so that I business users can discover, try, and manage my line-of-business SaaS application. --- # Get AppSource certified for Microsoft Entra ID From bb33b4ebc523123c281381fdd03e377ee5b741c6 Mon Sep 17 00:00:00 2001 From: Ryan Wike <> Date: Fri, 15 Dec 2023 15:53:53 -0800 Subject: [PATCH 19/22] acrolinx updates --- .../troubleshoot-publisher-verification.md | 16 +++++------ .../v2-conditional-access-dev-guide.md | 28 +++++++++---------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/docs/identity-platform/troubleshoot-publisher-verification.md b/docs/identity-platform/troubleshoot-publisher-verification.md index 03effc18c52..7b715eb37db 100644 --- a/docs/identity-platform/troubleshoot-publisher-verification.md +++ b/docs/identity-platform/troubleshoot-publisher-verification.md 
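Review bot: `so that I business users can discover` in the v2-howto-get-appsource-certified.md intent line has a stray word; `so that business users can discover, try, and manage my line-of-business SaaS application` reads correctly.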
@@ -27,7 +27,7 @@ Below are some common issues that may occur during the process. - **I don’t know my Cloud Partner Program ID (Partner One ID) or I don’t know who the primary contact for the account is.** 1. Navigate to the [Cloud Partner Program enrollment page](https://partner.microsoft.com/dashboard/account/v3/enrollment/joinnow/basicpartnernetwork/new). 1. Sign in with a user account in the org's primary Microsoft Entra tenant. - 1. If an Cloud Partner Program account already exists, this is recognized and you are added to the account. + 1. If a Cloud Partner Program account already exists, this is recognized and you are added to the account. 1. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the Partner One ID and primary account contact will be listed. - **I don’t know who my Microsoft Entra Global Administrator (also known as company admin or tenant admin) is, how do I find them? What about the Application Administrator or Cloud Application Administrator?** 
@@ -46,7 +46,7 @@ Below are some common issues that may occur during the process. Your app registrations may have been created using a different user account in this tenant, a personal/consumer account, or in a different tenant. Ensure you're signed in with the correct account in the tenant where your app registrations were created. - **I'm getting an error related to multi-factor authentication. What should I do?** - Ensure [multi-factor authentication](~/identity/authentication/concept-mfa-licensing.md) is enabled and **required** for the user you're signing in with and for this scenario. For example, MFA could be: + Ensure [multifactor authentication](~/identity/authentication/concept-mfa-licensing.md) is enabled and **required** for the user you're signing in with and for this scenario. For example, MFA could be: - Always required for the user you're signing in with. - [Required for Azure management](~/identity/conditional-access/howto-conditional-access-policy-azure-management.md). - [Required for the type of administrator](~/identity/conditional-access/howto-conditional-access-policy-admin-mfa.md) you're signing in with. 
@@ -154,7 +154,7 @@ Most commonly caused by the signed-in user not being a member of the proper role The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused when an Partner One ID is provided which corresponds to a Partner Location Account (PLA). Only Partner Global Accounts are supported. See [Partner Center account structure](/partner-center/account-structure) for more details. +Most commonly caused when a Partner One ID is provided which corresponds to a Partner Location Account (PLA). Only Partner Global Accounts are supported. See [Partner Center account structure](/partner-center/account-structure) for more details. **Remediation Steps** 1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. @@ -215,7 +215,7 @@ Most commonly caused when verification is being performed via Graph API, and the ### ApplicationObjectisInvalid -The target application's object ID is invalid. Please provide a valid ID and try again. +The target application's object ID is invalid. Provide a valid ID and try again. Most commonly caused when the verification is being performed via Graph API, and the ID of the application provided does not exist. 
@@ -291,17 +291,17 @@ Occurs when a consumer account is used for app registration (Hotmail, Messenger, ### InteractionRequired -Occurs when multi-factor authentication (MFA) hasn't been enabled and performed before attempting to add a verified publisher to the app. See [common issues](#common-issues) for more information. Note: MFA must be performed in the same session when attempting to add a verified publisher. If MFA is enabled but not required to be performed in the session, the request will fail. +Occurs when multifactor authentication (MFA) hasn't been enabled and performed before attempting to add a verified publisher to the app. See [common issues](#common-issues) for more information. Note: MFA must be performed in the same session when attempting to add a verified publisher. If MFA is enabled but not required to be performed in the session, the request fails. -The error message displayed will be: "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to proceed." +The error message displayed will be: "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multifactor authentication to proceed." **Remediation Steps** -1. Ensure [multi-factor authentication](~/identity/authentication/concept-mfa-licensing.md) is enabled and **required** for the user you're signing in with and for this scenario +1. Ensure [multifactor authentication](~/identity/authentication/concept-mfa-licensing.md) is enabled and **required** for the user you're signing in with and for this scenario 1. Retry Publisher Verification ### UserUnableToAddPublisher -When a request to add a verified publisher is made, many signals are used to make a security risk assessment. If the user risk state is determined to be ‘AtRisk’, an error, “You're unable to add a verified publisher to this application. 
Contact your administrator for assistance” will be returned. Please investigate the user risk and take the appropriate steps to remediate the risk (guidance below): +When a request to add a verified publisher is made, many signals are used to make a security risk assessment. If the user risk state is determined to be ‘AtRisk’, an error, “You're unable to add a verified publisher to this application. Contact your administrator for assistance” will be returned. Investigate the user risk and take the appropriate steps to remediate the risk (guidance below): **Remediation Steps** > [Investigate risk](~/id-protection/howto-identity-protection-investigate-risk.md#risky-users) diff --git a/docs/identity-platform/v2-conditional-access-dev-guide.md b/docs/identity-platform/v2-conditional-access-dev-guide.md index 5549bfb66d5..5b8a03c2bf1 100644 --- a/docs/identity-platform/v2-conditional-access-dev-guide.md +++ b/docs/identity-platform/v2-conditional-access-dev-guide.md @@ -18,7 +18,7 @@ ms.topic: conceptual The Conditional Access feature in Microsoft Entra ID offers one of several ways that you can use to secure your app and protect a service. Conditional Access enables developers and enterprise customers to protect services in a multitude of ways including: -* [Multi-factor authentication](~/identity/authentication/concept-mfa-howitworks.md) +* [Multifactor authentication](~/identity/authentication/concept-mfa-howitworks.md) * Allowing only Intune enrolled devices to access specific services * Restricting user locations and IP ranges 
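Review bot: in the InteractionRequired hunk, the line `The error message displayed will be: "Due to a configuration change ... you must use multifactor authentication to proceed."` quotes the text the service shows the user, and the hunk rewrites it from `multi-factor` to `multifactor`. A quoted error string should stay verbatim so readers can search for what they actually see; the v2-conditional-access-dev-guide.md hunks in this same patch leave the AADSTS50076 `error_description` text as `multi-factor authentication` for that reason. Apply the style change only to the surrounding prose.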
@@ -26,7 +26,7 @@ For more information on the full capabilities of Conditional Access, see the art For developers building apps for Microsoft Entra ID, this article shows how you can use Conditional Access and you'll also learn about the impact of accessing resources that you don't have control over that may have Conditional Access policies applied. The article also explores the implications of Conditional Access in the on-behalf-of flow, web apps, accessing Microsoft Graph, and calling APIs. -Knowledge of [single](quickstart-register-app.md) and [multi-tenant](howto-convert-app-to-be-multi-tenant.md) apps and [common authentication patterns](./authentication-vs-authorization.md) is assumed. +Knowledge of [single](quickstart-register-app.md) and [multitenant](howto-convert-app-to-be-multi-tenant.md) apps and [common authentication patterns](./authentication-vs-authorization.md) is assumed. > [!NOTE] > Using this feature requires a Microsoft Entra ID P1 license. To find the right license for your requirements, see [Comparing generally available features of the Free, Basic, and Premium editions](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). 
@@ -36,7 +36,7 @@ Knowledge of [single](quickstart-register-app.md) and [multi-tenant](howto-conve ### App types impacted -In most common cases, Conditional Access does not change an app's behavior or requires any changes from the developer. Only in certain cases when an app indirectly or silently requests a token for a service, an app requires code changes to handle Conditional Access challenges. It may be as simple as performing an interactive sign-in request. +In most common cases, Conditional Access doesn't change an app's behavior or requires any changes from the developer. Only in certain cases when an app indirectly or silently requests a token for a service, an app requires code changes to handle Conditional Access challenges. It may be as simple as performing an interactive sign-in request. Specifically, the following scenarios require code to handle Conditional Access challenges: 
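Review bot: the rewritten sentence `Conditional Access doesn't change an app's behavior or requires any changes from the developer` has an agreement error after the contraction; it should read `Conditional Access doesn't change an app's behavior or require any changes from the developer.`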
@@ -51,16 +51,16 @@ Depending on the scenario, an enterprise customer can apply and remove Condition ### Conditional Access examples -Some scenarios require code changes to handle Conditional Access whereas others work as is. Here are a few scenarios using Conditional Access to do multi-factor authentication that gives some insight into the difference. +Some scenarios require code changes to handle Conditional Access whereas others work as is. Here are a few scenarios using Conditional Access to do multifactor authentication that gives some insight into the difference. -* You are building a single-tenant iOS app and apply a Conditional Access policy. The app signs in a user and doesn't request access to an API. When the user signs in, the policy is automatically invoked and the user needs to perform multi-factor authentication (MFA). -* You are building a native app that uses a middle tier service to access a downstream API. An enterprise customer at the company using this app applies a policy to the downstream API. When an end user signs in, the native app requests access to the middle tier and sends the token. The middle tier performs on-behalf-of flow to request access to the downstream API. At this point, a claims "challenge" is presented to the middle tier. The middle tier sends the challenge back to the native app, which needs to comply with the Conditional Access policy. +* You are building a single-tenant iOS app and apply a Conditional Access policy. The app signs in a user and doesn't request access to an API. When the user signs in, the policy is automatically invoked and the user needs to perform multifactor authentication (MFA). +* You're building a native app that uses a middle tier service to access a downstream API. An enterprise customer at the company using this app applies a policy to the downstream API. When an end user signs in, the native app requests access to the middle tier and sends the token. 
The middle tier performs on-behalf-of flow to request access to the downstream API. At this point, a claims "challenge" is presented to the middle tier. The middle tier sends the challenge back to the native app, which needs to comply with the Conditional Access policy. #### Microsoft Graph Microsoft Graph has special considerations when building apps in Conditional Access environments. Generally, the mechanics of Conditional Access behave the same, but the policies your users see will be based on the underlying data your app is requesting from the graph. -Specifically, all Microsoft Graph scopes represent some dataset that can individually have policies applied. Since Conditional Access policies are assigned the specific datasets, Microsoft Entra ID will enforce Conditional Access policies based on the data behind Graph - rather than Graph itself. +Specifically, all Microsoft Graph scopes represent some dataset that can individually have policies applied. Since Conditional Access policies are assigned the specific datasets, Microsoft Entra ID enforces Conditional Access policies based on the data behind Graph - rather than Graph itself. For example, if an app requests the following Microsoft Graph scopes, 
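Review bot: the @@ -51 hunk changes `You are building a native app` to `You're building` but leaves the preceding bullet as `You are building a single-tenant iOS app`; apply the contraction to both or neither. In the same hunk, `scenarios using Conditional Access to do multifactor authentication that gives some insight` should be `that give some insight`.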
@@ -104,7 +104,7 @@ In this scenario, we walk through the case in which a native app calls a web ser ![App performing the on-behalf-of flow diagram](./media/v2-conditional-access-dev-guide/app-performing-on-behalf-of-scenario.png) -The initial token request for Web API 1 does not prompt the end user for multi-factor authentication as Web API 1 may not always hit the downstream API. Once Web API 1 tries to request a token on-behalf-of the user for Web API 2, the request fails since the user has not signed in with multi-factor authentication. +The initial token request for Web API 1 does not prompt the end user for multifactor authentication as Web API 1 may not always hit the downstream API. Once Web API 1 tries to request a token on-behalf-of the user for Web API 2, the request fails since the user has not signed in with multifactor authentication. Microsoft Entra ID returns an HTTP response with some interesting data: 
@@ -118,7 +118,7 @@ error_description=AADSTS50076: Due to a configuration change made by your admini claims={"access_token":{"polids":{"essential":true,"Values":[""]}}} ``` -In Web API 1, we catch the error `error=interaction_required`, and send back the `claims` challenge to the desktop app. At that point, the desktop app can make a new `acquireToken()` call and append the `claims`challenge as an extra query string parameter. This new request requires the user to do multi-factor authentication and then send this new token back to Web API 1 and complete the on-behalf-of flow. +In Web API 1, we catch the error `error=interaction_required`, and send back the `claims` challenge to the desktop app. At that point, the desktop app can make a new `acquireToken()` call and append the `claims`challenge as an extra query string parameter. This new request requires the user to do multifactor authentication and then send this new token back to Web API 1 and complete the on-behalf-of flow. To try out this scenario, see our [.NET code sample](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph#handling-required-interactions-with-the-user-dynamic-consent-mfa-etc-). It demonstrates how to pass the claims challenge back from Web API 1 to the native app and construct a new request inside the client app. 
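Review bot: the rewritten line in the on-behalf-of hunk keeps the pre-existing missing space in `` `claims`challenge ``; since the line is being touched anyway, write `` `claims` challenge ``. The AADSTS50076 `error_description` context line above it correctly keeps `multi-factor` verbatim, which is the right call for a quoted service string.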
@@ -130,7 +130,7 @@ Let's assume we have web service A and B and web service B has our Conditional A ![App accessing multiple-services flow diagram](./media/v2-conditional-access-dev-guide/app-accessing-multiple-services-scenario.png) -Alternatively, if the app initially requests a token for web service A, the end user does not invoke the Conditional Access policy. This allows the app developer to control the end-user experience and not force the Conditional Access policy to be invoked in all cases. The tricky case is if the app subsequently requests a token for web service B. At this point, the end user needs to comply with the Conditional Access policy. When the app tries to `acquireToken`, it may generate the following error (illustrated in the following diagram): +Alternatively, if the app initially requests a token for web service A, the end user does not invoke the Conditional Access policy. This allows the app developer to control the end-user experience and not force the Conditional Access policy to be invoked in all cases. The tricky case is if the app later requests a token for web service B. At this point, the end user needs to comply with the Conditional Access policy. When the app tries to `acquireToken`, it may generate the following error (illustrated in the following diagram): ``` HTTP 400; Bad Request 
@@ -156,7 +156,7 @@ When an app needs an access token to call a web API, it attempts an `acquireToke ![Single-page app using MSAL flow diagram](./media/v2-conditional-access-dev-guide/spa-using-msal-scenario.png) -Let's walk through an example with our Conditional Access scenario. The end user just landed on the site and doesn’t have a session. We perform a `loginPopup()` call, get an ID token without multi-factor authentication. Then the user hits a button that requires the app to request data from a web API. The app tries to do an `acquireTokenSilent()` call but fails since the user has not performed multi-factor authentication yet and needs to comply with the Conditional Access policy. +Let's walk through an example with our Conditional Access scenario. The end user just landed on the site and doesn’t have a session. We perform a `loginPopup()` call, get an ID token without multifactor authentication. Then the user hits a button that requires the app to request data from a web API. The app tries to do an `acquireTokenSilent()` call but fails since the user has not performed multifactor authentication yet and needs to comply with the Conditional Access policy. Microsoft Entra ID sends back the following HTTP response: 
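Review bot: the added line in the @@ -156 hunk still reads "We perform a `loginPopup()` call, get an ID token without multifactor authentication", which needs a conjunction: "We perform a `loginPopup()` call and get an ID token without multifactor authentication". The same line also keeps a typographic apostrophe in "doesn’t" while using a straight one in "Let's"; make them consistent while the line is being edited.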
@@ -166,7 +166,7 @@ error=interaction_required error_description=AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access ''. ``` -Our app needs to catch the `error=interaction_required`. The application can then use either `acquireTokenPopup()` or `acquireTokenRedirect()` on the same resource. The user is forced to do a multi-factor authentication. After the user completes the multi-factor authentication, the app is issued a fresh access token for the requested resource. +Our app needs to catch the `error=interaction_required`. The application can then use either `acquireTokenPopup()` or `acquireTokenRedirect()` on the same resource. The user is forced to do a multifactor authentication. After the user completes the multifactor authentication, the app is issued a fresh access token for the requested resource. To try out this scenario, see our [React SPA calling Node.js web API using on-behalf-of flow](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/6-AdvancedScenarios/1-call-api-obo) code sample. This code sample uses the Conditional Access policy and web API you registered earlier with a React SPA to demonstrate this scenario. It shows how to properly handle the claims challenge and get an access token that can be used for your web API. 
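Review bot: "The user is forced to do a multifactor authentication" in the added line of the @@ -166 hunk reads awkwardly after the rename; suggest "The user is prompted to complete multifactor authentication. After the user completes multifactor authentication, the app is issued a fresh access token". Leaving the `error_description=AADSTS50076: ... multi-factor authentication` line in the fenced block above unchanged is correct, since it quotes the literal server response; only the prose should be reworded.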
@@ -174,6 +174,6 @@ To try out this scenario, see our [React SPA calling Node.js web API using on-be * To learn more about the capabilities, see [Conditional Access in Microsoft Entra ID](~/identity/conditional-access/overview.md). * For more Microsoft Entra code samples, see [samples](sample-v2-code.md). -* For more info on the MSAL SDK's and access the reference documentation, see the [Microsoft Authentication Library overview](msal-overview.md). -* To learn more about multi-tenant scenarios, see [How to sign in users using the multi-tenant pattern](howto-convert-app-to-be-multi-tenant.md). +* For more info on the MSAL SDKs and access the reference documentation, see the [Microsoft Authentication Library overview](msal-overview.md). +* To learn more about multitenant scenarios, see [How to sign in users using the multitenant pattern](howto-convert-app-to-be-multi-tenant.md). * Learn more about [Conditional Access and securing access to IoT apps](/azure/architecture/reference-architectures/iot). From e576c72bfd1e1fbbc6242b4606f214673fbf1be9 Mon Sep 17 00:00:00 2001 From: Ryan Wike <> Date: Fri, 15 Dec 2023 16:01:58 -0800 Subject: [PATCH 20/22] acrolinx updates --- .../mark-app-as-publisher-verified.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/identity-platform/mark-app-as-publisher-verified.md b/docs/identity-platform/mark-app-as-publisher-verified.md index 46dcaa2509d..da1150d9828 100644 --- a/docs/identity-platform/mark-app-as-publisher-verified.md +++ b/docs/identity-platform/mark-app-as-publisher-verified.md 
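Review bot: the bullet "For more info on the MSAL SDKs and access the reference documentation" in the @@ -174 hunk of the Conditional Access guide is still ungrammatical after the possessive fix; suggest "For more information on the MSAL SDKs and to access the reference documentation". Changing the link text to "multitenant" while keeping the `howto-convert-app-to-be-multi-tenant.md` target unchanged is correct, since renaming the target would break the link.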
@@ -18,22 +18,22 @@ ms.topic: how-to When an app registration has a verified publisher, it means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Cloud Partner Program (CPP) account and has associated this CPP account with their app registration. This article describes how to complete the [publisher verification](publisher-verification-overview.md) process. ## Quickstart -If you are already enrolled in the [Cloud Partner Program (CPP)](/partner-center/intro-to-cloud-partner-program-membership) and have met the [pre-requisites](publisher-verification-overview.md#requirements), you can get started right away: +If you're already enrolled in the [Cloud Partner Program (CPP)](/partner-center/intro-to-cloud-partner-program-membership) and have met the [prerequisites](publisher-verification-overview.md#requirements), you can get started right away: -1. Sign into the [App Registration portal](https://aka.ms/PublisherVerificationPreview) using [multi-factor authentication](~/identity/authentication/concept-mfa-licensing.md) +1. Sign into the [App Registration portal](https://aka.ms/PublisherVerificationPreview) using [multifactor authentication](~/identity/authentication/concept-mfa-licensing.md) -1. Choose an app and click **Branding & properties**. +1. Choose an app and select **Branding & properties**. -1. Click **Add Partner One ID to verify publisher** and review the listed requirements. +1. Select **Add Partner One ID to verify publisher** and review the listed requirements. -1. Enter your Partner One ID and click **Verify and save**. +1. Enter your Partner One ID and select **Verify and save**. For more details on specific benefits, requirements, and frequently asked questions see the [overview](publisher-verification-overview.md). 
## Mark your app as publisher verified -Make sure you meet the [pre-requisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified. +Make sure you meet the [prerequisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified. -1. Sign in using [multi-factor authentication](~/identity/authentication/concept-mfa-licensing.md) to an organizational (Microsoft Entra) account authorized to make changes to the app you want to mark as Publisher Verified and on the CPP Account in Partner Center. +1. Sign in using [multifactor authentication](~/identity/authentication/concept-mfa-licensing.md) to an organizational (Microsoft Entra) account authorized to make changes to the app you want to mark as Publisher Verified and on the CPP Account in Partner Center. - The Microsoft Entra user must have one of the following [roles](~/identity/role-based-access-control/permissions-reference.md): Application Admin, Cloud Application Admin, or Global Administrator. @@ -41,13 +41,13 @@ Make sure you meet the [pre-requisites](publisher-verification-overview.md#requi 1. Navigate to the **App registrations** blade: -1. Click on an app you would like to mark as Publisher Verified and open the **Branding & properties** blade. +1. Select on an app you would like to mark as Publisher Verified and open the **Branding & properties** blade. 1. Ensure the app’s [publisher domain](howto-configure-publisher-domain.md) is set. 1. Ensure that either the publisher domain or a DNS-verified [custom domain](~/fundamentals/add-custom-domain.md) on the tenant matches the domain of the email address used during the verification process for your CPP account. -1. Click **Add Partner One ID to verify publisher** near the bottom of the page. +1. Select **Add Partner One ID to verify publisher** near the bottom of the page. 1. Enter the **Partner One ID** for: 
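Review bot: "Sign into the [App Registration portal]" in the first numbered step of the @@ -18 hunk should be "Sign in to", since "sign in" is the verb and the same wording pass uses "Sign in using" in the later step. In the same hunk, the unchanged context line "For more details on specific benefits, requirements, and frequently asked questions see the [overview]" needs a comma before "see".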
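Review bot: "Select on an app you would like to mark as Publisher Verified" in the @@ -41 hunk is a mechanical click-to-select replacement that leaves a stray "on"; it should read "Select an app you would like to mark as Publisher Verified and open the **Branding & properties** blade".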
@@ -55,7 +55,7 @@ Make sure you meet the [pre-requisites](publisher-verification-overview.md#requi - The Partner global account (PGA) for your organization. -1. Click **Verify and save**. +1. Select **Verify and save**. 1. Wait for the request to process, this may take a few minutes. From 20575860cc65a125275641173dcab79b0d3c7f0d Mon Sep 17 00:00:00 2001 From: Shawn Jackson <9558114+ShawnJackson@users.noreply.github.com> Date: Fri, 15 Dec 2023 18:20:06 -0600 Subject: [PATCH 21/22] Update groups-self-service-management.md --- docs/identity/users/groups-self-service-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/users/groups-self-service-management.md b/docs/identity/users/groups-self-service-management.md index 8b7c3e145fd..81b1891f7e0 100644 --- a/docs/identity/users/groups-self-service-management.md +++ b/docs/identity/users/groups-self-service-management.md @@ -67,7 +67,7 @@ When someone wants access, they request it from the MyApps Groups Access Panel. :::image type="content" source="./media/groups-self-service-management/groups-settings-general.png" alt-text="Screenshot that shows Microsoft Entra groups General settings."::: > [!NOTE] - > In June 2024, the setting **Restrict users access to My Groups** changes to **Restrict users ability to see and edit security groups in My Groups.** If the setting is currently set to **Yes**, users can access My Groups in June 2024 but can't see security groups. + > In June 2024, the setting **Restrict users access to My Groups** will change to **Restrict users ability to see and edit security groups in My Groups.** If the setting is currently set to **Yes**, users will be able to access My Groups in June 2024 but won't be able to see security groups. 1. Set **Owners can manage group membership requests in the Access Panel** to **Yes**. 1. Set **Restrict user ability to access groups features in the Access Panel** to **No**. 
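Review bot: the unchanged context line "Wait for the request to process, this may take a few minutes." in the @@ -55 hunk of mark-app-as-publisher-verified.md is a comma splice; since this patch is already a wording pass, change it to "Wait for the request to process. This may take a few minutes."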
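Review bot: the @@ -67 hunk in groups-self-service-management.md moves the note from present tense ("changes", "can access", "can't see") to future tense ("will change", "will be able to access", "won't be able to see"), which runs against the direction of the acrolinx passes earlier in this series; the present-tense version already anchors the timing with "In June 2024", so the longer forms add no information. Please confirm the reversal is intentional before merging.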
From a8b86756f9c15c56ab4be133a906bdb40f487650 Mon Sep 17 00:00:00 2001 From: Shawn Jackson <9558114+ShawnJackson@users.noreply.github.com> Date: Fri, 15 Dec 2023 18:20:27 -0600 Subject: [PATCH 22/22] Update groups-lifecycle.md --- docs/identity/users/groups-lifecycle.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/users/groups-lifecycle.md b/docs/identity/users/groups-lifecycle.md index ee06da0895e..7946c360657 100644 --- a/docs/identity/users/groups-lifecycle.md +++ b/docs/identity/users/groups-lifecycle.md @@ -132,7 +132,7 @@ If the group you're restoring contains documents, SharePoint sites, or other per ## Retrieve the Microsoft 365 group expiration date -In addition to using Access Panel to view group details like expiration date and last renewed date, you can also retrieve the expiration date of a Microsoft 365 group from Microsoft Graph REST API Beta. The group property `expirationDateTime` is enabled in Microsoft Graph Beta. You can retrieve it with a GET request. For more information, see [this example](/graph/api/group-get?view=graph-rest-beta&preserve-view=true#example). +In addition to using Access Panel to view group details like expiration date and last renewed date, you can retrieve the expiration date of a Microsoft 365 group from Microsoft Graph REST API Beta. The group property `expirationDateTime` is enabled in Microsoft Graph Beta. You can retrieve it with a GET request. For more information, see [this example](/graph/api/group-get?view=graph-rest-beta&preserve-view=true#example). > [!NOTE] > To manage group memberships on Access Panel, **Restrict access to Groups in Access Panel** must be set to **No** in the Microsoft Entra groups **General** setting.
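Review bot: the NOTE block at the end of the @@ -132 hunk in groups-lifecycle.md still refers to a setting named **Restrict access to Groups in Access Panel**, while the previous patch in this series (groups-self-service-management.md) names the same control **Restrict users access to My Groups** and states that it is being renamed in June 2024; the two pages should agree on the setting name, and this note is the natural place to update it. Dropping "also" from "you can also retrieve" in the added line is fine.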