Merge pull request #6606 from MicrosoftDocs/main
1/17/2025 PM Publish
Taojunshen authored Jan 17, 2025
2 parents a5bfa8b + 51ba55f commit 8f2f4ee
Showing 50 changed files with 87 additions and 98 deletions.
2 changes: 1 addition & 1 deletion docs/architecture/security-operations-consumer-accounts.md
@@ -112,7 +112,7 @@ Identity Provider deleted by nonapproved actors | High | Microsoft Entra access
| Added credentials to applications | High | Microsoft Entra audit logs | Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application-Certificates and secrets management<br>-and-<br>Activity: Update Service principal/Update Application | Alert when credentials are: added outside normal business hours or workflows, types not used in your environment, or added to a non-SAML flow supporting service principal. |
| App assigned to an Azure role-based access control (RBAC) role, or Microsoft Entra role | High to medium | Microsoft Entra audit logs | Type: service principal<br>Activity: “Add member to role”<br>or<br>“Add eligible member to role”<br>-or-<br>“Add scoped member to role.” |N/A|
| App granted highly privileged permissions, such as permissions with “.All” (Directory.ReadWrite.All) or wide-ranging permissions (Mail.) | High | Microsoft Entra audit logs |N/A | Apps granted broad permissions such as “.All” (Directory.ReadWrite.All) or wide-ranging permissions (Mail.) |
| Administrator granting application permissions (app roles), or highly privileged delegated permissions | High | Microsoft 365 portal | “Add app role assignment to service principal”<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph) “Add delegated permission grant”<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph)<br>-and-<br>DelegatedPermissionGrant.Scope includes high-privilege permissions. | Alert when a global, application, or cloud application administrator consents to an application. Especially look for consent outside normal activity and change procedures. |
| Administrator granting application permissions (app roles), or highly privileged delegated permissions | High | Microsoft 365 portal | “Add app role assignment to service principal”<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph) “Add delegated permission grant”<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph)<br>-and-<br>DelegatedPermissionGrant.Scope includes high-privilege permissions. | Alert when a Global Administrator, Application Administrator, or Cloud Application Administrator consents to an application. Especially look for consent outside normal activity and change procedures. |
| Application is granted permissions for Microsoft Graph, Exchange, SharePoint, or Microsoft Entra ID. | High | Microsoft Entra audit logs | “Add delegated permission grant”<br>-or-<br>“Add app role assignment to service principal”<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph, Exchange Online, and so on) | Use the alert in the preceding row. |
| Highly privileged delegated permissions granted on behalf of all users | High | Microsoft Entra audit logs | “Add delegated permission grant”<br>where<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph)<br>DelegatedPermissionGrant.Scope includes high-privilege permissions<br>-and-<br>DelegatedPermissionGrant.ConsentType is “AllPrincipals”. | Use the alert in the preceding row. |
| Applications that are using the ROPC authentication flow | Medium | Microsoft Entra sign-in log | Status=Success<br>Authentication Protocol-ROPC | High level of trust is placed in this application because the credentials can be cached or stored. If possible, move to a more secure authentication flow. Use the process only in automated application testing, if ever. |
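Review bot: the row for administrator-granted app permissions still lists "Microsoft 365 portal" in the Where column even though its filter quotes Microsoft Entra audit-log activity names ("Add app role assignment to service principal", "Add delegated permission grant"), and the next row, which says "Use the alert in the preceding row", points at Microsoft Entra audit logs; since this line is being touched for role-name casing anyway, consider changing the source to "Microsoft Entra audit logs" so the two rows agree. Separately, "wide-ranging permissions (Mail.)" in the row above reads like a wildcard that lost its trailing `*` to markdown; if `Mail.*` was intended, escape it as `Mail.\*`.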
2 changes: 1 addition & 1 deletion docs/architecture/security-operations-devices.md
@@ -149,7 +149,7 @@ The [Microsoft Entra Joined Device Local Administrator](../identity/role-based-a

| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
| - |- |- |- |- |
| Users added to global or device admin roles| High| Audit logs| Activity type = Add member to role.| Look for: new users added to these Microsoft Entra roles, subsequent anomalous behavior by machines or users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/4ad195f4fe6fdbc66fb8469120381e8277ebed81/Detections/AuditLogs/UserAddedtoAdminRole.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
| Users added to Global Administrator or Microsoft Entra Joined Device Local Administrator roles| High| Audit logs| Activity type = Add member to role.| Look for: new users added to these Microsoft Entra roles, subsequent anomalous behavior by machines or users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/4ad195f4fe6fdbc66fb8469120381e8277ebed81/Detections/AuditLogs/UserAddedtoAdminRole.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

## Non-Azure AD sign-ins to virtual machines
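Review bot: the Filter column of the renamed row still matches only "Activity type = Add member to role", which catches permanent assignments but not PIM eligible or scoped ones; the consumer-accounts table earlier in this PR filters on "Add member to role" or "Add eligible member to role" or "Add scoped member to role", and this row should do the same or it misses an attacker who grants themselves an eligible Global Administrator assignment and activates it later. Also, the untouched heading "## Non-Azure AD sign-ins to virtual machines" keeps the old product name while the rest of the PR moves to Microsoft Entra wording; if it is renamed, preserve the existing anchor with an `<a name>` tag the way the PIM file does.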

@@ -85,7 +85,7 @@ The following are recommended baseline settings:

| What to monitor| Risk level| Recommendation| Roles| Notes |
| - |- |- |- |- |
| Microsoft Entra roles assignment| High| Require justification for activation. Require approval to activate. Set two-level approver process. On activation, require Microsoft Entra multifactor authentication. Set maximum elevation duration to 8 hrs.| Security Administrator, Privileged Role Administrator, Global Administrator| A privileged role administrator can customize PIM in their Microsoft Entra organization, including changing the experience for users activating an eligible role assignment. |
| Microsoft Entra roles assignment| High| Require justification for activation. Require approval to activate. Set two-level approver process. On activation, require Microsoft Entra multifactor authentication. Set maximum elevation duration to 8 hrs.| Security Administrator, Privileged Role Administrator, Global Administrator| A Privileged Role Administrator can customize PIM in their Microsoft Entra organization, including changing the experience for users activating an eligible role assignment. |
| Azure Resource Role Configuration| High| Require justification for activation. Require approval to activate. Set two-level approver process. On activation, require Microsoft Entra multifactor authentication. Set maximum elevation duration to 8 hrs.| Owner, User Access Administrator | Investigate immediately if not a planned change. This setting might enable attacker access to Azure subscriptions in your environment. |

<a name='azure-ad-roles-assignment'></a>
@@ -108,7 +108,7 @@ Privileged Identity Management (PIM) generates alerts when there's suspicious or

## Microsoft Entra roles assignment

A privileged role administrator can customize PIM in their Microsoft Entra organization, which includes changing the user experience of activating an eligible role assignment:
A Privileged Role Administrator can customize PIM in their Microsoft Entra organization, which includes changing the user experience of activating an eligible role assignment:

* Prevent bad actor to remove Microsoft Entra multifactor authentication requirements to activate privileged access.
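Review bot: the unchanged bullet "Prevent bad actor to remove Microsoft Entra multifactor authentication requirements to activate privileged access" is ungrammatical; while this paragraph is being edited for role-name casing, make it "Prevent a bad actor from removing the Microsoft Entra multifactor authentication requirement for activating privileged access."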

6 changes: 3 additions & 3 deletions docs/external-id/direct-federation.md
@@ -206,7 +206,7 @@ Next, configure federation with the IdP configured in step 1 in Microsoft Entra

[!INCLUDE [portal updates](~/includes/portal-update.md)]

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Browse to **Identity** > **External Identities** > **All identity providers**.
1. Select the **Custom** tab, and then select **Add new** > **SAML/WS-Fed**.

@@ -267,7 +267,7 @@ On the **All identity providers** page, you can view the list of SAML/WS-Fed ide

<!--TODO:::image type="content" source="media/direct-federation/new-saml-wsfed-idp-list-multi.png" alt-text="Screenshot showing an identity provider in the SAML WS-Fed list.":::-->

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Browse to **Identity** > **External Identities** > **All identity providers**.
1. Select the **Custom** tab.
1. Scroll to an identity provider in the list or use the search box.
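Review bot: the commented-out `<!--TODO:::image ... -->` placeholder for the SAML/WS-Fed identity-provider list screenshot is still in the unchanged context above the steps; it ships nothing to the reader, so either restore the image or drop the TODO rather than carrying it through another publish.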
@@ -299,7 +299,7 @@ On the **All identity providers** page, you can view the list of SAML/WS-Fed ide
You can remove your federation configuration. If you do, federation guest users who have already redeemed their invitations can no longer sign in. But you can give them access to your resources again by [resetting their redemption status](reset-redemption-status.md).
To remove a configuration for an IdP in the Microsoft Entra admin center:

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Browse to **Identity** > **External Identities** > **All identity providers**.
1. Select the **Custom** tab, and then scroll to the identity provider in the list or use the search box.
1. Select the link in the **Domains** column to view the IdP's domain details.
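Review bot: in the unchanged context there is no blank line between "...by [resetting their redemption status](reset-redemption-status.md)." and "To remove a configuration for an IdP in the Microsoft Entra admin center:", so markdown renders them as a single paragraph; add a blank line so the lead-in to the numbered steps stands on its own.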
4 changes: 2 additions & 2 deletions docs/external-id/google-federation.md
@@ -198,7 +198,7 @@ First, create a new project in the Google Developers Console to obtain a client
You'll now set the Google client ID and client secret. You can use the Microsoft Entra admin center or PowerShell to do so. Be sure to test your Google federation configuration by inviting yourself. Use a Gmail address and try to redeem the invitation with your invited Google account.

**To configure Google federation in the Microsoft Entra admin center**
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Browse to **Identity** > **External Identities** > **All identity providers** and then on the **Google** line, select **Configure**.
1. Enter the client ID and client secret you obtained earlier. Select **Save**:
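Review bot: the edited sign-in step now reads "as at least a External Identity Provider Administrator"; the article should be "an" (the direct-federation.md hunks in this same PR already say "an External Identity Provider Administrator"). Fix it here rather than propagate the mismatch across the External ID docs.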

@@ -245,7 +245,7 @@ At this point, the Google identity provider is set up in your Microsoft Entra te
You can delete your Google federation setup. If you do so, Google guest users who already redeemed their invitation can't sign in. But you can give them access to your resources again by [resetting their redemption status](reset-redemption-status.md).

**To delete Google federation in the Microsoft Entra admin center**
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Browse to **Identity** > **External Identities** > **All identity providers**.
1. On the **Google** line, select (**Configured**), and then select **Delete**.
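Review bot: same article error as in the configure steps above: "a External Identity Provider Administrator" should be "an External Identity Provider Administrator".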

2 changes: 1 addition & 1 deletion docs/external-id/invite-internal-users.md
@@ -51,7 +51,7 @@ You can use the Microsoft Entra admin center, PowerShell, or the invitation API

[!INCLUDE [portal updates](~/includes/portal-update.md)]

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Browse to **Identity** > **Users** > **All users**.
1. Find the user in the list or use the search box. Then select the user.
1. In the **Overview** tab, under **My Feed**, select **Convert to external user**.
4 changes: 2 additions & 2 deletions docs/external-id/leave-the-organization.md
@@ -93,7 +93,7 @@ Administrators can use the **External user leave settings** to control whether e
> [!IMPORTANT]
> You can configure **External user leave settings** only if you have [added your privacy information](~/fundamentals/properties-area.yml) to your Microsoft Entra tenant. Otherwise, this setting will be unavailable. We recommend adding your privacy information to allow external users to review your policies and email your privacy contact when necessary.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).

1. Browse to **Identity** > **External Identities** > **External collaboration settings**.
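Review bot: "as at least a External Identity Provider Administrator" should be "an External Identity Provider Administrator". Also, the IMPORTANT callout ends on the line directly above this step with no blank line between the `>` block and the `1.` item; add one so the step is not rendered as part of the callout.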

@@ -110,7 +110,7 @@ When a B2B collaboration user leaves an organization, the user's account is "sof

If desired, a tenant administrator can permanently delete the account at any time during the soft-deleted period with the following steps. This action is irrevocable.

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator).

1. Browse to **Identity** > **Users** > **All users**
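Review bot: same article fix needed here ("an External Identity Provider Administrator"), and the unchanged step "Browse to **Identity** > **Users** > **All users**" is missing the terminating period that the other steps in this file use.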

3 changes: 0 additions & 3 deletions docs/fundamentals/copilot-entra-lifecycle-workflow.md
@@ -11,10 +11,7 @@ ms.date: 01/10/2025
ms.topic: conceptual
ms.service: entra
ms.custom: microsoft-copilot

# Customer intent: As a lifecycle workflows Administrators or Global Administrators, I want to learn about risky user summarization in the Identity Protection UX so that I can quickly respond to identity threats.
---

# Manage employee lifecycle using Microsoft Security Copilot (Preview)

Microsoft Entra ID Governance applies the capabilities of [Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) to save identity administrators time and effort when configuring custom workflows to manage the lifecycle of users across JML scenarios. It also helps you to customize workflows more efficiently using natural language to configure workflow information including custom tasks, execute workflows, and get workflow insights.
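Review bot: the deleted Customer intent line described "risky user summarization in the Identity Protection UX", which belongs to a different article, so dropping it is right; but every other file in this PR keeps a Customer intent comment in its front matter, so replace it with one that matches this article (a lifecycle workflows administrator wanting to configure joiner/mover/leaver workflows with Security Copilot) rather than leaving the front matter without one.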
@@ -8,7 +8,7 @@ ms.topic: how-to
ms.date: 03/22/2024
ms.service: global-secure-access

# Customer Intent: As a Global Secure Access administrator, I need to know how to configure the connection between my customer premises equipment and Microsoft's network so that I can create a tunnel from my remote network to the Global Secure Access network.
# Customer Intent: As a Global Secure Access Administrator, I need to know how to configure the connection between my customer premises equipment and Microsoft's network so that I can create a tunnel from my remote network to the Global Secure Access network.
---
# Configure customer premises equipment for Global Secure Access

4 changes: 2 additions & 2 deletions docs/global-secure-access/how-to-configure-kerberos-sso.md
@@ -25,7 +25,7 @@ Before you get started with single sign-on, make sure your environment is ready.
### Publish resources for use with single sign-on
To test single sign-on, create a new enterprise application that publishes a file share. Using an enterprise application to publish your file share lets you assign a Conditional Access policy to the resource and enforce extra security controls, such as multifactor authentication.

1. Sign in to [Microsoft Entra](https://entra.microsoft.com/) as at least a [Application administrator](reference-role-based-permissions.md#application-administrator).
1. Sign in to [Microsoft Entra](https://entra.microsoft.com/) as at least a [Application Administrator](reference-role-based-permissions.md#application-administrator).
1. Browse to **Global Secure Access** > **Applications** > **Enterprise Applications**.
1. Select **New Application**.
1. Add a new app segment with the IP of your file server using port `445/TCP` and then select **Save**. The Server Message Block (SMB) protocol uses the port.
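Review bot: the edited step reads "as at least a Application Administrator"; it should be "an Application Administrator". The rest of the hunk (publishing the file server as an app segment on `445/TCP`) is unchanged context and needs no edit.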
@@ -63,7 +63,7 @@ The Domain Controller ports are required to enable SSO to on-premises resources.
> [!NOTE]
> The guide focuses on enabling SSO to on-premises resources and excludes configuration required for Windows domain-joined clients to perform domain operations (password change, Group Policy, etc.).
1. Sign in to [Microsoft Entra](https://entra.microsoft.com/) as at least a [Application administrator](reference-role-based-permissions.md#application-administrator).
1. Sign in to [Microsoft Entra](https://entra.microsoft.com/) as at least a [Application Administrator](reference-role-based-permissions.md#application-administrator).
1. Browse to **Global Secure Access** > **Applications** > **Enterprise Applications**.
1. Select **New Application** to create a new application to publish your Domain Controllers.
1. Select **Add application segment** and then add all of your Domain Controllers’ IPs or Fully Qualified Domain Names (FQDNs) and ports as per the table. Only the Domain Controllers in the Active Directory site where the Private Access connectors are located should be published.
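Review bot: same article error as the earlier hunk in this file ("a Application Administrator" should be "an Application Administrator"). The NOTE callout directly above the step also runs into the `1.` item with no blank line; add one so the list does not render inside the note.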
@@ -31,7 +31,7 @@ This article details the built-in Microsoft Entra roles you can assign for manag
**Limited access**: This role grants permissions to perform specific tasks, such as configuring remote networks, setting up security profiles, managing traffic forwarding profiles, and viewing traffic logs and alerts. However, Global Secure Access admins can't configure Private Access, create or manage Conditional Access policies, manage user and group assignments, or configure Office 365 logging.

> [!NOTE]
> To perform additional Microsoft Entra tasks, such as editing Conditional Access policies, you need to be both a GSA administrator and have at least one other administrator role assigned to you. Consult the Role-based permissions table above.
> To perform additional Microsoft Entra tasks, such as editing Conditional Access policies, you need to be both a Global Secure Access Administrator and have at least one other administrator role assigned to you. Consult the Role-based permissions table above.
### Conditional Access Administrator
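Review bot: the note now spells out "Global Secure Access Administrator", but the unchanged sentence above it still says "Global Secure Access admins can't configure Private Access..."; expand that too so the role is named consistently within the same section. Also, the NOTE blockquote runs straight into the "### Conditional Access Administrator" heading with no blank line between them; add one.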
