From 7679a30c47d69f2217e64344536c0d2edc40c043 Mon Sep 17 00:00:00 2001 From: rolyon <35980532+rolyon@users.noreply.github.com> Date: Tue, 2 Jan 2024 10:53:37 -0800 Subject: [PATCH 1/5] Groups in restricted management admin units --- .../admin-units-restricted-management.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/identity/role-based-access-control/admin-units-restricted-management.md b/docs/identity/role-based-access-control/admin-units-restricted-management.md index 61da38a470c..3637eb5b87f 100644 --- a/docs/identity/role-based-access-control/admin-units-restricted-management.md +++ b/docs/identity/role-based-access-control/admin-units-restricted-management.md @@ -9,7 +9,7 @@ ms.service: active-directory ms.topic: conceptual ms.subservice: roles ms.workload: identity -ms.date: 06/22/2023 +ms.date: 01/02/2024 ms.author: rolyon ms.reviewer: ms.custom: oldportal;it-pro; 
@@ -83,7 +83,7 @@ Only administrators with an explicit assignment at the scope of a restricted man Here are some of the limits and constraints for restricted management administrative units. - The restricted management setting must be applied during administrative unit creation and can't be changed once the administrative unit is created. -- Groups in a restricted management administrative unit can't be managed with [Microsoft Entra Privileged Identity Management](~/id-governance/privileged-identity-management/groups-discover-groups.md). +- Groups in a restricted management administrative unit can't be managed with Microsoft Entra ID Governance features such as [Microsoft Entra Privileged Identity Management](../../id-governance/privileged-identity-management/groups-discover-groups.md) or [Microsoft Entra entitlement management](../../id-governance/entitlement-management-overview.md). - Role-assignable groups, when added to a restricted management administrative unit, can't have their membership modified. Group owners aren't allowed to manage groups in restricted management administrative units and only Global Administrators and Privileged Role Administrators (neither of which can be assigned at administrative unit scope) can modify membership. - Certain actions may not be possible when an object is in a restricted management administrative unit, if the required role isn't one of the roles that can be assigned at administrative unit scope. For example, a Global Administrator in a restricted management administrative unit can't have their password reset by any other administrator in the system, because there's no admin role that can be assigned at the administrative unit scope that can reset the password of a Global Administrator. In such scenarios, the Global Administrator would need to be removed from the restricted management administrative unit first, and then have their password reset by another Global Administrator or Privileged Role Administrator. 
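Review bot: the rewritten bullet ("can't be managed with Microsoft Entra ID Governance features such as ... PIM or ... entitlement management") is open-ended; a reader can't tell whether other Governance features, for example access reviews or lifecycle workflows, are also blocked for groups in a restricted management administrative unit. Either list every blocked feature or drop "such as" and name only the two linked here, e.g. "Groups in a restricted management administrative unit can't be managed with [Microsoft Entra Privileged Identity Management](...) or [Microsoft Entra entitlement management](...)". The same line also switches the link path from the root-relative `~/id-governance/...` form to `../../id-governance/...`, which is a separate, unexplained change; confirm it matches the repo's link convention (the whats-new hunk in PATCH 5/5 uses `./` relative links) and mention it in the commit message or split it out.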
- When deleting a restricted management administrative unit, it can take up to 30 minutes to remove all protections from the former members. From 44c8f59b80c66cde8747f6c1d0bb6d3f2784e626 Mon Sep 17 00:00:00 2001 From: rolyon <35980532+rolyon@users.noreply.github.com> Date: Tue, 2 Jan 2024 11:02:32 -0800 Subject: [PATCH 2/5] Update check mark icons --- .../admin-units-restricted-management.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/identity/role-based-access-control/admin-units-restricted-management.md b/docs/identity/role-based-access-control/admin-units-restricted-management.md index 3637eb5b87f..07d68e61b8e 100644 --- a/docs/identity/role-based-access-control/admin-units-restricted-management.md +++ b/docs/identity/role-based-access-control/admin-units-restricted-management.md 
@@ -54,15 +54,15 @@ For administrators not explicitly assigned at the restricted management administ | Operation type | Blocked | Allowed | | --- | :---: | :---: | -| Read standard properties like user principal name, user photo | | :heavy_check_mark: | +| Read standard properties like user principal name, user photo | | :white_check_mark: | | Modify any Microsoft Entra properties of the user, group, or device | :x: | | | Delete the user, group, or device | :x: | | | Update password for a user | :x: | | | Modify owners or members of the group in the restricted management administrative unit | :x: | | -| Add users, groups, or devices in a restricted management administrative unit to groups in Microsoft Entra ID | | :heavy_check_mark: | -| Modify email & mailbox settings in Exchange for the user in the restricted management administrative unit | | :heavy_check_mark: | -| Apply policies to a device in a restricted management administrative unit using Intune | | :heavy_check_mark: | -| Add or remove a group as a site owner in SharePoint | | :heavy_check_mark: | +| Add users, groups, or devices in a restricted management administrative unit to groups in Microsoft Entra ID | | :white_check_mark: | +| Modify email & mailbox settings in Exchange for the user in the restricted management administrative unit | | :white_check_mark: | +| Apply policies to a device in a restricted management administrative unit using Intune | | :white_check_mark: | +| Add or remove a group as a site owner in SharePoint | | :white_check_mark: | ## Who can modify objects? 
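Review bot: the icon swap in the "Operation type" table is cosmetic, but the series now carries two conventions for the same meaning: this file uses the `:white_check_mark:` / `:x:` shortcodes while the FIDO2 compatibility table in PATCH 4/5 uses the literal ✅ / ❌ characters. Pick one for both files so the rendered tables look alike, and state the motivation for `:heavy_check_mark:` to `:white_check_mark:` in the commit message, which currently says only "Update check mark icons".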
@@ -72,8 +72,8 @@ Only administrators with an explicit assignment at the scope of a restricted man | --- | :---: | :---: | | Global Administrator | :x: | | | Tenant-scoped administrators (including Global Administrator) | :x: | | -| Administrators assigned at the scope of restricted management administrative unit | | :heavy_check_mark: | -| Administrators assigned at the scope of another restricted management administrative unit of which the object is a member | | :heavy_check_mark: | +| Administrators assigned at the scope of restricted management administrative unit | | :white_check_mark: | +| Administrators assigned at the scope of another restricted management administrative unit of which the object is a member | | :white_check_mark: | | Administrators assigned at the scope of another regular administrative unit of which the object is a member | :x: | | | Groups Administrator, User Administrator, and other role assigned at the scope of a resource | :x: | | | Owners of groups or devices added to restricted management administrative units | :x: | | From 5b578eb279601749d6177ca06f5e9af80072fcf4 Mon Sep 17 00:00:00 2001 From: jamesw-msft <112523612+jamesw-msft@users.noreply.github.com> Date: Tue, 2 Jan 2024 12:30:11 -0800 Subject: [PATCH 3/5] Update sla for 2023-12 --- docs/identity/monitoring-health/reference-sla-performance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/monitoring-health/reference-sla-performance.md b/docs/identity/monitoring-health/reference-sla-performance.md index a0ccda1fdb7..ab97165a1ce 100644 --- a/docs/identity/monitoring-health/reference-sla-performance.md +++ b/docs/identity/monitoring-health/reference-sla-performance.md 
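Review bot: in the "Who can modify objects?" table touched by this hunk, the unchanged rows "Global Administrator" and "Tenant-scoped administrators (including Global Administrator)" say the same thing twice; since the hunk already edits this table, collapse them into the second row. In the same table, "Groups Administrator, User Administrator, and other role assigned at the scope of a resource" should read "other roles".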
@@ -53,7 +53,7 @@ The SLA attainment is truncated at three places after the decimal. Numbers aren' | September | 99.999% | 99.998% | 99.999% | | October | 99.999% | 99.999% | 99.999% | | November | 99.998% | 99.999% | 99.999% | -| December | 99.978% | 99.999% | | +| December | 99.978% | 99.999% | 99.999% | From cb6f02aa7d8f08786db30d14829d6d6f922e7b77 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 2 Jan 2024 13:26:25 -0800 Subject: [PATCH 4/5] reverted footnote for macOS --- docs/identity/authentication/fido2-compatibility.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/identity/authentication/fido2-compatibility.md b/docs/identity/authentication/fido2-compatibility.md index 3fe61a3ac37..8efd602ca3e 100644 --- a/docs/identity/authentication/fido2-compatibility.md +++ b/docs/identity/authentication/fido2-compatibility.md @@ -6,7 +6,7 @@ services: active-directory ms.service: active-directory ms.subservice: authentication ms.topic: conceptual -ms.date: 12/06/2023 +ms.date: 01/02/2024 author: justinha ms.author: justinha @@ -26,10 +26,8 @@ Microsoft applications provide native support for FIDO2 authentication in previe | Operating system | Authentication broker | Supports FIDO2 | |------------------|---------------------------------|----------------| | iOS | Microsoft Authenticator | ✅ | -| macOS | Microsoft Intune Company Portal 1 | ✅ | -| Android2 | Authenticator or Company Portal | ❌ | - -1On macOS, the [Microsoft Enterprise SSO plug-in](/entra/identity-platform/apple-sso-plugin) is required to enable Company Portal as an authentication broker. macOS devices must meet SSO plug-in requirements, including enrollment in mobile device management. In addition, FIDO2 authentication for initial sign-in to the Company Portal app is not currently supported. +| macOS | Microsoft Intune Company Portal | ❌ | +| Android1 | Authenticator or Company Portal | ❌ | 2Native app support for FIDO2 on Android is in development. 
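Review bot: the December row of the SLA attainment table now has a value in its third column, but the column header is outside the hunk; confirm that 99.999% lands under the intended year's column and, per the context line above the table ("truncated at three places after the decimal"), that the figure is the truncated value rather than a rounded one.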
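Review bot: in the FIDO2 table hunk of `fido2-compatibility.md`, the Android row's footnote marker is renumbered from 2 to 1, but the surviving footnote text in the trailing context still reads "2Native app support for FIDO2 on Android is in development.", so the page now has a marker 1 with no footnote and a footnote 2 with no marker. Change that footnote line to start with 1 in the same hunk. Also, the macOS row flips from ✅ to ❌ while the commit message only says "reverted footnote for macOS"; say in the commit body whether the earlier ✅ was a mistake or whether macOS support was withdrawn, since a reader of the history can't tell which from this diff.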
From 0e151089a9319e7bbada814be2a2064137a07e84 Mon Sep 17 00:00:00 2001 From: rolyon <35980532+rolyon@users.noreply.github.com> Date: Tue, 2 Jan 2024 13:27:48 -0800 Subject: [PATCH 5/5] Custom security attribute audit logs link --- docs/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index 75c3f5aa6f9..b5efc5579d5 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md 
@@ -133,7 +133,7 @@ For more information, see: Custom security attributes in Microsoft Entra ID are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control over specific Azure resources. Custom security attributes can be used with [Azure attribute-based access control (Azure ABAC)](/azure/role-based-access-control/conditions-overview). For more information, see: [What are custom security attributes in Microsoft Entra ID?](./custom-security-attributes-overview.md). -Changes were made to custom security attribute audit logs for general availability that might impact your daily operations. If you have been using custom security attribute audit logs during the preview, there are the actions you must take before February 2024 to ensure your audit log operations aren't disrupted. For more information, see: [Custom security attribute audit logs](./custom-security-attributes-manage.md#step-6-assign-roles). +Changes were made to custom security attribute audit logs for general availability that might impact your daily operations. If you have been using custom security attribute audit logs during the preview, there are the actions you must take before February 2024 to ensure your audit log operations aren't disrupted. For more information, see: [Custom security attribute audit logs](./custom-security-attributes-manage.md#custom-security-attribute-audit-logs). ---
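Review bot: the anchor fix is right, but the sentence this hunk rewrites still contains "there are the actions you must take before February 2024"; while the line is being changed, make it "these are the actions you must take" (or "there are actions you must take"). It would also help to note in the commit body that `#custom-security-attribute-audit-logs` exists as a heading in `custom-security-attributes-manage.md`, because the old `#step-6-assign-roles` anchor pointed at a different section and the new one can't be verified from this diff.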