Merge pull request #6263 from MicrosoftDocs/main
12/10/2024 PM Publish
Taojunshen authored Dec 10, 2024
2 parents eedf555 + fb38f13 commit e6f6d52
Showing 54 changed files with 112 additions and 88 deletions.
2 changes: 1 addition & 1 deletion docs/external-id/customers/how-to-region-code-opt-in.md
Expand Up @@ -111,7 +111,7 @@ Starting January 2025, the following country codes will be deactivated by defaul
| 234 | Nigeria |
| 968 | Oman |
| 92 | Pakistan |
| 970 | Palestine |
| 970 | Palestinian Authority |
| 675 | Papua New Guinea |
| 63 | Philippines |
| 974 | Qatar |
2 changes: 1 addition & 1 deletion docs/global-secure-access/concept-traffic-forwarding.md
Expand Up @@ -34,7 +34,7 @@ The Microsoft traffic forwarding profile includes Microsoft Entra ID/ Microsoft

Microsoft traffic is forwarded to the service through either [remote network connectivity](concept-remote-network-connectivity.md), such as branch office location, or through the [Global Secure Access client](how-to-install-windows-client.md).

[Learn more about the Microsoft traffic profile](concept-microsoft-traffic-profile.md)\
[Learn more about the Microsoft traffic profile](concept-microsoft-traffic-profile.md)

### Licensing

Expand Up @@ -60,7 +60,7 @@ The policy groups include the following details:
You can configure the traffic acquisition rules to bypass traffic acquisition. If you do, the users will still be able to access resources; however, the Global Secure Access service will not process the traffic. You can bypass traffic to a specific FQDN or IP address, an entire policy group within the profile, or the entire Microsoft profile itself. If you only need to forward some of the Microsoft resources within a policy group, enable the group then change the **Action** in the details accordingly.

> [!IMPORTANT]
> When a rule is set to Bypass, the Internet Access traffic profile will not acquire this traffic. Even with the Internet Access profile enabled, the bypassed traffic will skip Global Secure Access acquisition and use that client's network routing path to egress to the Internet. Traffic available for acquisition in the Microsoft traffic profile can be only acquired in the Microsoft traffic profile.
> When a rule is set to Bypass in the Microsoft traffic profile, the Internet Access traffic profile will not acquire this traffic. Even with the Internet Access profile enabled, the bypassed traffic will skip Global Secure Access acquisition and use that client's network routing path to egress to the Internet. Traffic available for acquisition in the Microsoft traffic profile can be only acquired in the Microsoft traffic profile.
The following example shows setting the `*.sharepoint.com` FQDN to **Bypass** so the traffic isn't forwarded to the service.

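Review bot: The IMPORTANT callout still runs into the next paragraph: the edited `> When a rule is set to Bypass in the Microsoft traffic profile, ...` line is followed directly by the context line `The following example shows setting the `*.sharepoint.com` FQDN to **Bypass** ...` with no blank line between them, so Markdown lazy continuation renders that sentence inside the callout. Add a blank line after the quoted line. While this sentence is being edited, `can be only acquired in the Microsoft traffic profile` reads better as `can only be acquired in the Microsoft traffic profile`.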
27 changes: 18 additions & 9 deletions docs/global-secure-access/how-to-universal-tenant-restrictions.md
Expand Up @@ -24,33 +24,36 @@ The following table explains the steps taken at each point in the previous diagr
| **1** | Contoso configures a **tenant restrictions v2 ** policy in their cross-tenant access settings to block all external accounts and external apps. Contoso enforces the policy using Global Secure Access universal tenant restrictions. |
| **2** | A user with a Contoso-managed device tries to access a Microsoft Entra integrated app with an unsanctioned external identity. |
| **3** | *Authentication plane protection:* Using Microsoft Entra ID, Contoso's policy blocks unsanctioned external accounts from accessing external tenants. |
| **4** | *Data plane protection:* If the user again tries to access an external unsanctioned application by copying an authentication response token they obtained outside of Contoso's network and pasting it into the device, they're blocked. The token mismatch triggers reauthentication and blocks access. For SharePoint Online, any attempt at anonymously accessing resources will be blocked. |
| **4** | *Data plane protection:* If the user again tries to access an external unsanctioned application by copying an authentication response token they obtained outside of Contoso's network and pasting it into the device, they're blocked. The token mismatch triggers reauthentication and blocks access. For SharePoint Online, any attempt at anonymously accessing resources will be blocked. For Teams, attempts to join meetings anonymously will be denied.|

Universal tenant restrictions help to prevent data exfiltration across browsers, devices, and networks in the following ways:

- It enables Microsoft Entra ID, Microsoft Accounts, and Microsoft applications to look up and enforce the associated tenant restrictions v2 policy. This lookup enables consistent policy application.
- Works with all Microsoft Entra integrated third-party apps at the auth plane during sign in.
- Works with Exchange, SharePoint, and Microsoft Graph for data plane protection (Preview)
- Works with Exchange, SharePoint/OneDrive, Teams, and Microsoft Graph for data plane protection (Preview)

## Universal Tenant Restrictions enforcement points
### Authentication Plane
Authentication plane enforcement happens at the time of Entra ID or Microsoft Account authentication. When the user is connected with the Global Secure Access client or via Remote Network connectivity, Tenant Restrictions v2 policy is checked to determine if authentication should be allowed. If the user is signing in to the tenant of their organization, tenant restrictions policy is not applied. If the user is signing in to a different tenant, policy is enforced. Any application that is integrated with Entra ID or uses Microsoft Account for authentication supports Universal Tenant Restrictions at the authentication plane.

## Data Plane (Preview)
Data plane enforcement is done by the resource provider (a Microsoft service that supports tenant restrictions) at the time that the data is accessed. Data plane protection ensures that imported authentication artifacts (for example, an access token obtained on another device, bypassing authentication plane enforcements defined in your Tenant Restrictions v2 policy) cannot be replayed from your organization's devices to exfiltrate data. Additionally, data plane protection prevents the user of anonymous access links in SharePoint/OneDrive for Business, and prevents the users from joining Teams meetings anonymously.

## Prerequisites

* Administrators who interact with **Global Secure Access** features must have one or more of the following role assignments depending on the tasks they're performing.
* The [Global Secure Access Administrator role](/azure/active-directory/roles/permissions-reference) role to manage the Global Secure Access features.
* The [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator) to create and interact with Conditional Access policies.
* The product requires licensing. For details, see the licensing section of [What is Global Secure Access](overview-what-is-global-secure-access.md). If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).

### Known limitations

- Data plane protection capabilities are in preview (authentication plane protection is generally available)
- When you use Universal Tenant Restrictions and access the Microsoft Entra admin center to manage a partner tenant allowed by the Tenant Restrictions v2 policy, you may get authorization errors. To work around this issue, you need to add `?exp.msaljsoptedoutextensions=%7B%7D` query parameter to the Microsoft Entra admin center URL (for example, `https://entra.microsoft.com/?exp.msaljsoptedoutextensions=%7B%7D`).
* [Microsoft traffic profile](concept-microsoft-traffic-profile.md) must be enabled and FQDNs/IP addresses of services that will have Universal Tenant Restrictions are set to 'Tunnel' mode.
* [Global Secure Access clients](concept-clients.md) are deployed or [Remote Network connectivity](concept-remote-network-connectivity.md) is configured.

## Configure Tenant Restrictions v2 policy

Before an organization can use universal tenant restrictions, they must configure both the default tenant restrictions and tenant restrictions for any specific partners.

For more information to configure these policies, see the article [Set up tenant restrictions v2](/azure/active-directory/external-identities/tenant-restrictions-v2).

## Enable tagging for Tenant Restrictions v2
## Enable Global Secure Access signaling for Tenant Restrictions

Once you have created the tenant restriction v2 policies, you can utilize Global Secure Access to apply tagging for tenant restrictions v2. An administrator with both the [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference) and [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) roles must take the following steps to enable enforcement with Global Secure Access.

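Review bot: The new `## Data Plane (Preview)` heading is one level too high. It is introduced as the second enforcement point under `## Universal Tenant Restrictions enforcement points`, beside `### Authentication Plane`, so it should be `### Data Plane (Preview)`; as written, the TOC shows it as a sibling of the enforcement-points section and of Prerequisites. In the same paragraph, `prevents the user of anonymous access links` should read `prevents the use of anonymous access links`. The Teams sentence added to table row 4 is missing the space before the closing `|` that the other rows have, and the new Authentication Plane paragraph uses bare `Entra ID` where the rest of the file writes `Microsoft Entra ID`.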
Expand Down Expand Up @@ -97,6 +100,12 @@ Tenant restrictions are not enforced when a user (or a guest user) tries to acce
1. `Restrict-Access-Confirm: 1`
1. `x-ms-diagnostics: 2000020;reason="xms_trpid claim was not present but sec-tenant-restriction-access-policy header was in requres";error_category="insufficiant_claims"`

### Known limitations

- Data plane protection capabilities are in preview (authentication plane protection is generally available)
- When you use Universal Tenant Restrictions and access the Microsoft Entra admin center to manage a partner tenant allowed by the Tenant Restrictions v2 policy, you may get authorization errors. To work around this issue, you need to add `?exp.msaljsoptedoutextensions=%7B%7D` query parameter to the Microsoft Entra admin center URL (for example, `https://entra.microsoft.com/?exp.msaljsoptedoutextensions=%7B%7D`).
- When the Teams service blocks anonymous meeting join due to Universal Tenant Restrictions, a generic error message is presented in the Teams client application.

## Next steps
- [Enable enhanced Global Secure Access signaling](how-to-source-ip-restoration.md#enable-global-secure-access-signaling-for-conditional-access)
- [Set up tenant restrictions v2](/azure/active-directory/external-identities/tenant-restrictions-v2)
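Review bot: The relocated Known limitations list lands directly below the numbered diagnostics list, and the two context lines above it quote a diagnostic string containing `requres` and `insufficiant_claims`; if those are verbatim service output they should stay, otherwise fix them while this section is being moved. The new Teams bullet tells readers only that a generic error appears; if it is known which client surfaces it or how an admin can confirm that the join was blocked by Universal Tenant Restrictions rather than by an ordinary meeting-join failure, adding that here would make the limitation actionable.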
2 changes: 1 addition & 1 deletion docs/id-governance/apps.md
Expand Up @@ -5,7 +5,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id-governance
ms.topic: overview
ms.date: 08/24/2023
ms.date: 12/10/2024
ms.author: billmath
ms.reviewer: amycolannino
---
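Review bot: This hunk, like the other id-governance hunks in this commit, changes only `ms.date` to `12/10/2024` with no accompanying content edit. Because `ms.date` surfaces to readers as the page's last-updated date, bumping it without a review or content change overstates freshness; either record in the PR description that these pages were reviewed, or leave the date alone on pages that were not actually checked.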
2 changes: 1 addition & 1 deletion docs/id-governance/best-practices-secure-id-governance.md
Expand Up @@ -8,7 +8,7 @@ manager: amycolannino
editor: ''
ms.service: entra-id-governance
ms.topic: conceptual
ms.date: 07/28/2023
ms.date: 12/10/2024
ms.author: billmath
---

2 changes: 1 addition & 1 deletion docs/id-governance/check-status-workflow.md
Expand Up @@ -7,7 +7,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 06/22/2023
ms.date: 12/10/2024
ms.custom: template-how-to
---

2 changes: 1 addition & 1 deletion docs/id-governance/check-workflow-execution-scope.md
Expand Up @@ -6,7 +6,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 05/31/2023
ms.date: 12/10/2024
ms.author: owinfrey
ms.reviewer: krbain
---
2 changes: 1 addition & 1 deletion docs/id-governance/complete-access-review.md
Expand Up @@ -7,7 +7,7 @@ editor: markwahl-msft
ms.service: entra-id-governance
ms.subservice: access-reviews
ms.topic: how-to
ms.date: 06/28/2023
ms.date: 12/10/2024
ms.author: owinfrey
ms.reviewer: mwahl
---
Expand Up @@ -6,7 +6,7 @@ ms.author: owinfrey
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 06/22/2023
ms.date: 12/10/2024
ms.custom: template-how-to
---

2 changes: 1 addition & 1 deletion docs/id-governance/create-lifecycle-workflow.md
Expand Up @@ -7,7 +7,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 06/22/2023
ms.date: 12/10/2024
ms.custom: template-how-to
---

Expand Up @@ -5,7 +5,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id-governance
ms.topic: overview
ms.date: 01/05/2023
ms.date: 12/10/2024
ms.author: billmath
---

2 changes: 1 addition & 1 deletion docs/id-governance/customize-workflow-email.md
Expand Up @@ -7,7 +7,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 06/22/2023
ms.date: 12/10/2024
ms.custom: template-how-to
---

2 changes: 1 addition & 1 deletion docs/id-governance/customize-workflow-schedule.md
Expand Up @@ -6,7 +6,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 05/31/2023
ms.date: 12/10/2024
ms.author: owinfrey
ms.reviewer: krbain
---
2 changes: 1 addition & 1 deletion docs/id-governance/delete-lifecycle-workflow.md
Expand Up @@ -6,7 +6,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 05/31/2023
ms.date: 12/10/2024
ms.author: owinfrey
ms.reviewer: krbain
---
2 changes: 1 addition & 1 deletion docs/id-governance/download-workflow-history.md
Expand Up @@ -6,7 +6,7 @@ ms.author: owinfrey
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 11/17/2023
ms.date: 12/10/2024

#CustomerIntent: As an admin, I want to download history reports as a CSV.
---
2 changes: 1 addition & 1 deletion docs/id-governance/governance-dashboard.md
Expand Up @@ -5,7 +5,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id-governance
ms.topic: how-to
ms.date: 06/20/2023
ms.date: 12/10/2024
ms.author: billmath
ms.custom:
---
2 changes: 1 addition & 1 deletion docs/id-governance/governance-service-limits.md
Expand Up @@ -6,7 +6,7 @@ ms.author: owinfrey
manager: amycolannino
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 10/30/2023
ms.date: 12/10/2024

#CustomerIntent: As a customer, I want to become informed on service limits for offerings within Microsoft Entra ID Governance so that restraints are understood and can be accounted for.
---
Expand Up @@ -6,7 +6,7 @@ manager: amycolannino
editor: markwahl-msft
ms.service: entra-id-governance
ms.topic: conceptual
ms.date: 06/28/2023
ms.date: 12/10/2024
ms.author: owinfrey
ms.reviewer: markwahl-msft
---
Expand Up @@ -6,7 +6,7 @@ manager: amycolannino
editor: markwahl-msft
ms.service: entra-id-governance
ms.topic: conceptual
ms.date: 05/26/2023
ms.date: 12/10/2024
ms.author: owinfrey
ms.reviewer: markwahl-msft
---
2 changes: 1 addition & 1 deletion docs/id-governance/lifecycle-workflow-audits.md
Expand Up @@ -7,7 +7,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: conceptual
ms.date: 05/31/2023
ms.date: 12/10/2024
ms.custom: template-concept
---

2 changes: 1 addition & 1 deletion docs/id-governance/lifecycle-workflow-extensibility.md
Expand Up @@ -7,7 +7,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: conceptual
ms.date: 05/31/2023
ms.date: 12/10/2024
ms.custom: template-concept
---

2 changes: 1 addition & 1 deletion docs/id-governance/lifecycle-workflow-versioning.md
Expand Up @@ -7,7 +7,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: conceptual
ms.date: 05/31/2023
ms.date: 12/10/2024
ms.custom: template-concept
---

2 changes: 1 addition & 1 deletion docs/id-governance/lifecycle-workflows-deployment.md
Expand Up @@ -6,7 +6,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 10/12/2023
ms.date: 12/10/2024
ms.author: owinfrey
---

Expand Up @@ -7,7 +7,7 @@ editor: markwahl-msft
ms.service: entra-id-governance
ms.subservice: access-reviews
ms.topic: conceptual
ms.date: 11/25/2024
ms.date: 12/10/2024
ms.author: owinfrey
ms.reviewer: mwahl
---
Expand Up @@ -7,7 +7,7 @@ editor: markwahl-msft
ms.service: entra-id-governance
ms.subservice: access-reviews
ms.topic: conceptual
ms.date: 06/28/2023
ms.date: 12/10/2024
ms.author: owinfrey
ms.reviewer: mwahl
---
2 changes: 1 addition & 1 deletion docs/id-governance/manage-workflow-properties.md
Expand Up @@ -7,7 +7,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 05/31/2023
ms.date: 12/10/2024
ms.custom: template-how-to
---

2 changes: 1 addition & 1 deletion docs/id-governance/my-access-portal-overview.md
Expand Up @@ -5,7 +5,7 @@ author: owinfreyATL
ms.author: owinfrey
ms.service: entra-id-governance
ms.topic: overview
ms.date: 10/23/2023
ms.date: 12/10/2024


---
2 changes: 1 addition & 1 deletion docs/id-governance/on-demand-workflow.md
Expand Up @@ -7,7 +7,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: lifecycle-workflows
ms.topic: how-to
ms.date: 05/31/2023
ms.date: 12/10/2024
ms.custom: template-how-to
---

Expand Up @@ -7,7 +7,7 @@ manager: amycolannino
ms.service: entra-id-governance
ms.subservice: privileged-identity-management
ms.topic: how-to
ms.date: 07/11/2023
ms.date: 12/10/2024
ms.author: billmath
ms.reviewer: shaunliu
ms.custom: pim, devx-track-azurepowershell
4 changes: 2 additions & 2 deletions docs/id-governance/scenarios/govern-the-employee-lifecycle.md
Expand Up @@ -5,7 +5,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id-governance
ms.topic: overview
ms.date: 12/20/2023
ms.date: 12/10/2024
ms.author: billmath
---

Expand Down Expand Up @@ -47,7 +47,7 @@ When planning identity lifecycle management for employees, or other individuals
- Move - when an individual moves between boundaries that require additional access authorizations to be added or removed to their digital identity
- Leave - when an individual leaves the scope of needing access, access may need to be removed, and subsequently the identity may no longer be required by applications other than for audit or forensics purposes

So for example, if a new employee joins your organization and that employee has never been affiliated with your organization before, that employee will require a new digital identity, represented as a user account in Microsoft Entra ID. The creation of this account would fall into a "Joiner" process, which could be automated if there was a system of record such as Workday that could indicate when the new employee starts work. Later, if your organization has an employee move from say, Sales to Marketing, they would fall into a "Mover" process. This move would require removing the access rights they had in the Sales organization, which they no longer require, and granting them rights in the Marketing organization that they new require.
So for example, if a new employee joins your organization and that employee has never been affiliated with your organization before, that employee requires a new digital identity, represented as a user account in Microsoft Entra ID. The creation of this account would fall into a "Joiner" process, which could be automated if there was a system of record such as Workday that could indicate when the new employee starts work. Later, if your organization has an employee move from say, Sales to Marketing, they would fall into a "Mover" process. This move would require removing the access rights they had in the Sales organization, which they no longer require, and granting them rights in the Marketing organization that they new require.

## Identity lifecycle management for guests

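Review bot: The sentence being edited still ends with `rights in the Marketing organization that they new require`; `new` should be `now`. Since this hunk already rewrites the line (`will require` to `requires`), fix the typo in the same change.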
2 changes: 1 addition & 1 deletion docs/id-governance/scenarios/least-privileged.md
Expand Up @@ -9,7 +9,7 @@ manager: amycolannino


ms.topic: conceptual
ms.date: 07/28/2023
ms.date: 12/10/2024
ms.author: billmath
---

Expand Up @@ -5,7 +5,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id-governance
ms.topic: conceptual
ms.date: 11/06/2023
ms.date: 12/10/2024
ms.subservice:
ms.author: billmath
---
Expand Up @@ -5,7 +5,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id-governance
ms.topic: conceptual
ms.date: 11/06/2023
ms.date: 12/10/2024
ms.subservice:
ms.author: billmath
---
Expand Up @@ -5,7 +5,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id-governance
ms.topic: conceptual
ms.date: 11/06/2023
ms.date: 12/10/2024
ms.subservice:
ms.author: billmath
---
Expand Up @@ -5,7 +5,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id-governance
ms.topic: conceptual
ms.date: 11/06/2023
ms.date: 12/10/2024
ms.subservice:
ms.author: billmath
---
2 changes: 1 addition & 1 deletion docs/id-governance/scenarios/provision-workday-to-entra.md
Expand Up @@ -5,7 +5,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id-governance
ms.topic: conceptual
ms.date: 11/06/2023
ms.date: 12/10/2024
ms.subservice:
ms.author: billmath
---