Merging changes synced from https://github.com/MicrosoftDocs/entra-docs-pr (branch live)
Learn Build Service GitHub App authored and Learn Build Service GitHub App committed Dec 12, 2023
2 parents e2c1b56 + 330c394 commit d412326
Showing 9 changed files with 208 additions and 173 deletions.
83 changes: 53 additions & 30 deletions docs/architecture/sse-deployment-guide-m365.md

Large diffs are not rendered by default.

7 changes: 7 additions & 0 deletions docs/identity-platform/apple-sso-plugin.md
Expand Up @@ -12,6 +12,7 @@ ms.subservice: develop
ms.topic: conceptual
#Customer intent:
---

# Microsoft Enterprise SSO plug-in for Apple devices

The **Microsoft Enterprise SSO plug-in for Apple devices** provides single sign-on (SSO) for Microsoft Entra accounts on macOS, iOS, and iPadOS across all applications that support Apple's [enterprise single sign-on](https://developer.apple.com/documentation/authenticationservices) feature. The plug-in provides SSO for even old applications that your business might depend on but that don't yet support the latest identity libraries or protocols. Microsoft worked closely with Apple to develop this plug-in to increase your application's usability while providing the best protection available.
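Review bot: the only change in this hunk is the blank line inserted after the closing `---` of the front matter, which is fine, but the `#Customer intent:` field just above it is still an empty placeholder; either fill it in or remove the line so the front matter does not ship with a dangling key.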
Expand All @@ -31,6 +32,12 @@ The Microsoft Enterprise SSO plug-in for Apple devices offers the following bene
- It extends SSO to applications that use OAuth 2, OpenID Connect, and SAML.
- It is natively integrated with the MSAL, which provides a smooth native experience to the end user when the Microsoft Enterprise SSO plug-in is enabled.

>[!IMPORTANT]
> In August of 2023, [Microsoft announced that Platform SSO for macOS devices is coming soon to Entra ID.](https://techcommunity.microsoft.com/t5/microsoft-entra-blog/coming-soon-platform-sso-for-macos/ba-p/3902280).
>
> As these features are still under development, the use of Platform SSO features is not yet supported on the Entra ID platform. Limited customer support will be provided once these features enter public preview.

## Requirements

To use the Microsoft Enterprise SSO plug-in for Apple devices:
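Review bot: in the added IMPORTANT block the link text `[Microsoft announced that Platform SSO for macOS devices is coming soon to Entra ID.](...)` ends with a period inside the brackets and is followed by a second period after the closing parenthesis, so the line renders with `..`; move the period outside the link. The same block says "Entra ID" and "the Entra ID platform" where the rest of this article uses the full product name "Microsoft Entra ID", so use the full name in both places. Finally, the block states that Platform SSO "is not yet supported" without saying what a tenant should use in the meantime; one sentence pointing back to the Enterprise SSO plug-in described in this article as the supported option would make the note actionable rather than only a caveat.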
Original file line number Diff line number Diff line change
Expand Up @@ -2,17 +2,15 @@
title: Grant controls in Conditional Access policy
description: Grant controls in a Microsoft Entra Conditional Access policy.

services: active-directory
ms.service: active-directory
ms.subservice: conditional-access
ms.topic: conceptual
ms.date: 06/26/2023
ms.date: 12/12/2023

ms.author: joflore
author: MicrosoftGuyJFlo
manager: amycolannino
ms.reviewer: calebb, sandeo

ms.collection: M365-identity-device-management
ms.reviewer: lhuangnorth, jogro
---
# Conditional Access: Grant

Expand All @@ -28,7 +26,7 @@ The control for blocking access considers any assignments and prevents access ba

## Grant access

Administrators can choose to enforce one or more controls when granting access. These controls include the following options:
Administrators can choose to enforce one or more controls when granting access. These controls include the following options:

- [Require multifactor authentication (Microsoft Entra multifactor authentication)](~/identity/authentication/concept-mfa-howitworks.md)
- [Require authentication strength](#require-authentication-strength)
Expand Down Expand Up @@ -57,16 +55,16 @@ Administrators can choose to require [specific authentication strengths](~/ident

### Require device to be marked as compliant

Organizations that have deployed Intune can use the information returned from their devices to identify devices that meet specific policy compliance requirements. Intune sends compliance information to Microsoft Entra ID so Conditional Access can decide to grant or block access to resources. For more information about compliance policies, see [Set rules on devices to allow access to resources in your organization by using Intune](/mem/intune/protect/device-compliance-get-started).
Organizations that deploy Intune can use the information returned from their devices to identify devices that meet specific policy compliance requirements. Intune sends compliance information to Microsoft Entra ID so Conditional Access can decide to grant or block access to resources. For more information about compliance policies, see [Set rules on devices to allow access to resources in your organization by using Intune](/mem/intune/protect/device-compliance-get-started).

A device can be marked as compliant by Intune for any device operating system or by a third-party mobile device management system for Windows devices. You can find a list of supported third-party mobile device management systems in [Support third-party device compliance partners in Intune](/mem/intune/protect/device-compliance-partners).

Devices must be registered in Microsoft Entra ID before they can be marked as compliant. You can find more information about device registration in [What is a device identity?](~/identity/devices/overview.md).

The **Require device to be marked as compliant** control:

- Only supports Windows 10+, iOS, Android, and macOS devices registered with Microsoft Entra ID and enrolled with Intune.
- Microsoft Edge in InPrivate mode is considered a non-compliant device.
- Only supports Windows 10+, iOS, Android, and macOS devices registered with Microsoft Entra ID and enrolled with Intune.
- Microsoft Edge in InPrivate mode is considered a noncompliant device.

> [!NOTE]
> On Windows, iOS, Android, macOS, and some third-party web browsers, Microsoft Entra ID identifies the device by using a client certificate that is provisioned when the device is registered with Microsoft Entra ID. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before they can continue to use the browser.
Expand All @@ -82,12 +80,16 @@ Organizations can choose to use the device identity as part of their Conditional
When you use the [device-code OAuth flow](~/identity-platform/v2-oauth2-device-code.md), the required grant control for the managed device or a device state condition isn't supported. This is because the device that is performing authentication can't provide its device state to the device that is providing a code. Also, the device state in the token is locked to the device performing authentication. Use the **Require multifactor authentication** control instead.

The **Require Microsoft Entra hybrid joined device** control:
- Only supports domain-joined Windows down-level (before Windows 10) and Windows current (Windows 10+) devices.
- Doesn't consider Microsoft Edge in InPrivate mode as a Microsoft Entra hybrid joined device.

- Only supports domain-joined Windows down-level (before Windows 10) and Windows current (Windows 10+) devices.
- Doesn't consider Microsoft Edge in InPrivate mode as a Microsoft Entra hybrid joined device.

### Require approved client app

Organizations can require that an approved client app is used to access selected cloud apps. These approved client apps support [Intune app protection policies](/mem/intune/apps/app-protection-policy) independent of any mobile device management solution.
Organizations can require that an approved client app is used to access selected cloud apps. These approved client apps support [Intune app protection policies](/mem/intune/apps/app-protection-policy) independent of any mobile device management solution.

> [!WARNING]
> The approved client app grant is retiring in early March 2026. Organizations must transition all current Conditional Access policies that use only the Require Approved Client App grant to Require Approved Client App or Application Protection Policy by March 2026. Additionally, for any new Conditional Access policy, only apply the Require application protection policy grant. For more inforamtion, see the article [Migrate approved client app to application protection policy in Conditional Access](migrate-approved-client-app.md).
To apply this grant control, the device must be registered in Microsoft Entra ID, which requires using a broker app. The broker app can be Microsoft Authenticator for iOS, or either Microsoft Authenticator or Microsoft Company Portal for Android devices. If a broker app isn't installed on the device when the user attempts to authenticate, the user is redirected to the appropriate app store to install the required broker app.

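Review bot: the added WARNING blockquote has no blank line after its last `>` line, so the paragraph that follows ("To apply this grant control, the device must be registered in Microsoft Entra ID, ...") is lazily continued into the blockquote and will render as part of the warning; insert a blank line after the line ending `(migrate-approved-client-app.md).`. In the same block, "inforamtion" should be "information". The warning also refers to the grants as "Require Approved Client App" and "Require Approved Client App or Application Protection Policy" while telling admins to use "Require application protection policy" for new policies; use the control names this article uses elsewhere ("Require approved client app", "Require app protection policy") consistently so readers can match the warning to the portal options.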
Expand Down Expand Up @@ -115,38 +117,40 @@ The following client apps support this setting. This list isn't exhaustive and i
- Microsoft Skype for Business
- Microsoft Stream
- Microsoft Teams
- Microsoft To-Do
- Microsoft To Do
- Microsoft Visio
- Microsoft Word
- Microsoft Yammer
- Microsoft Whiteboard
- Microsoft 365 Admin

**Remarks**
- The approved client apps support the Intune mobile application management feature.
- The **Require approved client app** requirement:
- Only supports the iOS and Android for device platform condition.
- Requires a broker app to register the device. The broker app can be Microsoft Authenticator for iOS, or either Microsoft Authenticator or Microsoft Company Portal for Android devices.
#### Remarks

- The approved client apps support the Intune mobile application management feature.
- The **Require approved client app** requirement:
- Only supports the iOS and Android for device platform condition.
- Requires a broker app to register the device. The broker app can be Microsoft Authenticator for iOS, or either Microsoft Authenticator or Microsoft Company Portal for Android devices.
- Conditional Access can't consider Microsoft Edge in InPrivate mode an approved client app.
- Conditional Access policies that require Microsoft Power BI as an approved client app don't support using Microsoft Entra application proxy to connect the Power BI mobile app to the on-premises Power BI Report Server.
- WebViews hosted outside of Microsoft Edge don't satisfy the approved client app policy. For example: If an app is trying to load SharePoint in a webview, app protection policies fail.

See [Require approved client apps for cloud app access with Conditional Access](./howto-policy-approved-app-or-app-protection.md) for configuration examples.

### Require app protection policy

In Conditional Access policy, you can require that an [Intune app protection policy](/mem/intune/apps/app-protection-policy) is present on the client app before access is available to the selected applications. These mobile application management (MAM) app protection policies allow you to manage and protect your organization's data within specific applications.

To apply this grant control, Conditional Access requires that the device is registered in Microsoft Entra ID, which requires using a broker app. The broker app can be either Microsoft Authenticator for iOS or Microsoft Company Portal for Android devices. If a broker app isn't installed on the device when the user attempts to authenticate, the user is redirected to the app store to install the broker app. App protection policies are generally available for iOS and Android, and in public preview for Microsoft Edge on Windows. [Windows devices support no more than 3 Microsoft Entra user accounts in the same session](~/identity/devices/faq.yml#i-can-t-add-more-than-3-microsoft-entra-user-accounts-under-the-same-user-session-on-a-windows-10-11-device--why). For more information about how to apply policy to Windows devices, see the article [Require an app protection policy on Windows devices (preview)](how-to-app-protection-policy-windows.md).
To apply this grant control, Conditional Access requires that the device is registered in Microsoft Entra ID, which requires using a broker app. The broker app can be either Microsoft Authenticator for iOS or Microsoft Company Portal for Android devices. If a broker app isn't installed on the device when the user attempts to authenticate, the user is redirected to the app store to install the broker app. The Microsoft Authenticator app can be used as the broker app but doesn't support being targeted as an approved client app. App protection policies are generally available for iOS and Android, and in public preview for Microsoft Edge on Windows. [Windows devices support no more than three Microsoft Entra user accounts in the same session](~/identity/devices/faq.yml#i-can-t-add-more-than-3-microsoft-entra-user-accounts-under-the-same-user-session-on-a-windows-10-11-device--why). For more information about how to apply policy to Windows devices, see the article [Require an app protection policy on Windows devices (preview)](how-to-app-protection-policy-windows.md).

Applications must meet certain requirements to support app protection policies. Developers can find more information about these requirements in the section [Apps you can manage with app protection policies](/mem/intune/apps/app-protection-policy#apps-you-can-manage-with-app-protection-policies).

The following client apps support this setting. This list isn't exhaustive and is subject to change. If your app isn't in the list please check with the application vendor to confirm support:
The following client apps support this setting. This list isn't exhaustive and is subject to change. If your app isn't in the list, check with the application vendor to confirm support:

- Adobe Acrobat Reader mobile app
- iAnnotate for Office 365
- Microsoft Cortana
- Microsoft Dynamics 365 for Phones
- Micorsoft Dynamics 365 Sales
- Microsoft Dynamics 365 Sales
- Microsoft Edge
- Microsoft Excel
- Microsoft Power Automate
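Review bot: the new sentence "The Microsoft Authenticator app can be used as the broker app but doesn't support being targeted as an approved client app" is inserted into the "Require app protection policy" section, but it describes a limitation of the approved client app grant; either move it into the "Remarks" list of the "Require approved client app" section, where the broker-app requirement for that grant is already stated, or reword it so it says what Authenticator does or does not support under app protection policy. The broker-app lists in the two sections also still disagree: the approved client app section (context line above the retirement warning) says "Microsoft Authenticator for iOS, or either Microsoft Authenticator or Microsoft Company Portal for Android", while this section says "either Microsoft Authenticator for iOS or Microsoft Company Portal for Android"; confirm which list is correct for the app protection policy grant and make the two match, since a reader choosing which broker to deploy will follow whichever section they land on. The `**Remarks**` to `#### Remarks` change and the "Micorsoft" typo fix are fine.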
Expand Down Expand Up @@ -181,7 +185,7 @@ See [Require app protection policy and an approved client app for cloud app acce

When user risk is detected, administrators can employ the user risk policy conditions to have the user securely change a password by using Microsoft Entra self-service password reset. Users can perform a self-service password reset to self-remediate. This process closes the user risk event to prevent unnecessary alerts for administrators.

When a user is prompted to change a password, they'll first be required to complete multifactor authentication. Make sure all users have registered for multifactor authentication, so they're prepared in case risk is detected for their account.
When a user is prompted to change a password, they're first required to complete multifactor authentication. Make sure all users register for multifactor authentication, so they're prepared in case risk is detected for their account.

> [!WARNING]
> Users must have previously registered for multifactor authentication before triggering the user risk policy.
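Review bot: "Make sure all users register for multifactor authentication" loses the completed-action sense of the original "have registered", and the WARNING immediately below still says users "must have previously registered ... before triggering the user risk policy"; use "are registered for multifactor authentication" so the sentence and the warning describe the same prerequisite.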
Expand All @@ -194,7 +198,7 @@ The following restrictions apply when you configure a policy by using the passwo

### Terms of use

If your organization has created terms of use, other options might be visible under grant controls. These options allow administrators to require acknowledgment of terms of use as a condition of accessing the resources that the policy protects. You can find more information about terms of use in [Microsoft Entra terms of use](terms-of-use.md).
If your organization created terms of use, other options might be visible under grant controls. These options allow administrators to require acknowledgment of terms of use as a condition of accessing the resources that the policy protects. You can find more information about terms of use in [Microsoft Entra terms of use](terms-of-use.md).

### Custom controls (preview)

Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: Create a Conditional Access policy to require app protection policy
ms.service: active-directory
ms.subservice: conditional-access
ms.topic: how-to
ms.date: 11/01/2023
ms.date: 12/12/2023

ms.author: joflore
author: MicrosoftGuyJFlo
Expand All @@ -20,8 +20,7 @@ App protection policies apply [mobile application management (MAM)](/mem/intune/

## Prerequisites

- [Windows 11 Version 22H2 (OS build 22621)](/windows/release-health/windows11-release-information#windows-11-current-versions) with KB 5031455.
- Windows 10 Version 2004 (OS build 19045) with KB 5031445.
- We support applying policy to the Microsoft Edge browser on devices running Windows 11 and Windows 10 version 20H2 and higher with KB5031445.
- [Configured app protection policy targeting Windows devices](/mem/intune/apps/app-protection-policy-settings-windows).
- Currently unsupported in sovereign clouds.

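Review bot: the rewritten prerequisite collapses two bullets that cited different updates (KB 5031455 for Windows 11 22H2, KB 5031445 for Windows 10) into one line that cites only KB5031445 for both "Windows 11 and Windows 10 version 20H2 and higher"; confirm that KB5031445 is the correct article for Windows 11 as well, or restore the Windows 11 KB, and consider keeping the link to the Windows 11 release information page that the old bullet carried. Dropping the old bullet's mismatched "Version 2004 (OS build 19045)" pairing is a good fix, but "We support applying policy ..." is first-person voice that the rest of this article avoids; "Applying policy to the Microsoft Edge browser is supported on ..." matches the surrounding style.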
Expand Down Expand Up @@ -76,10 +75,10 @@ Clicking on **Switch Edge profile** opens a window listing their Work or school

![Screenshot showing the popup in Microsoft Edge asking user to sign in.](./media/how-to-app-protection-policy-windows/browser-sign-in-continue-with-work-or-school-account.png)

This process opens a window offering to allow Windows to remember your account and automatically sign you in to your apps and websites.
This process opens a window offering to allow Windows to remember your account and automatically sign you in to your apps and websites.

> [!CAUTION]
> You must *CLEAR THE CHECKBOX* **Allow my organization to manage my device**. Leaving this checked enrolls your device in mobile device management (MDM) not mobile application management (MAM).
> You must *CLEAR THE CHECKBOX* **Allow my organization to manage my device**. Leaving this checked enrolls your device in mobile device management (MDM) not mobile application management (MAM).
>
> Don't select **No, sign in to this app only**.
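Review bot: both changes in this hunk are whitespace-only, so nothing visible is altered; while touching the CAUTION, add the missing comma in "enrolls your device in mobile device management (MDM) not mobile application management (MAM)" so it reads "(MDM), not mobile application management (MAM)", since the contrast between MDM enrollment and MAM is the whole point of the warning.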

0 comments on commit d412326