Merge pull request #5476 from MicrosoftDocs/main
10/07/2024 PM Publish
Albertyang0 authored Oct 7, 2024
2 parents c37d921 + 3b8cb6e commit 3fad0ac
Showing 18 changed files with 140 additions and 46 deletions.
9 changes: 8 additions & 1 deletion .docutune/dictionaries/known-guids.json
Expand Up @@ -3349,6 +3349,13 @@
"Change password": "AB721A53-1E2F-11D0-9819-00AA0040529B",
"ID of the Prevhost.exe surrogate host GUID" : "6d2b5079-2f0b-48dd-ab7f-97cec514d30b",
"32-bit preview handlers GUID" : "534A1E02-D58F-44f0-B58B-36CBED287C7C",
"Microsoft Graph Object ID" : "7ea9e944-71ce-443d-811c-71e8047b557a",
"Partner Customer Delegated Administration" : "2832473f-ec63-45fb-976f-5d45a7d4bb91",
"Microsoft Graph Explorer" : "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"Designated empty GUID" : "00000000-0000-0000-0000-000000000000",
"Sign in and start apps from the My Apps portal support page GUID" : "2f3b1bae-0e5a-4a86-a33e-876fbd2a4510",
"Business Central Test Toolkit - Library Assert" : "dd0be2ea-f733-4d65-bb34-a28f4624fb14",
"Business Central Test Toolkit - Test Libraries" : "5d86850b-0d76-4eca-bd7b-951ad998e997"
"Business Central Test Toolkit - Test Libraries" : "5d86850b-0d76-4eca-bd7b-951ad998e997",
"Custom workpace Policy ID" : "64def556-fbad-4622-930e-72d1d5589bf5",
"Custom workpace Policy ID 2" : "708b60a6-d253-4fe0-9114-4be4c00f012c"
}
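Review bot: the two new keys on the last added lines are misspelled: "Custom workpace Policy ID" and "Custom workpace Policy ID 2" should read "Custom workspace Policy ID" and "Custom workspace Policy ID 2". The key is only a descriptive label for the GUID, so matching is unaffected, but the typo will surface in anything that prints the label. The trailing-comma change on the "Business Central Test Toolkit - Test Libraries" entry is correct now that it is no longer the last entry in the object.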
Expand Up @@ -9,7 +9,7 @@ ms.service: entra-external-id
ms.subservice: customers

ms.topic: concept-article
ms.date: 09/06/2024
ms.date: 10/07/2024
ms.author: mimart
ms.custom: it-pro, references_regions

Expand All @@ -23,7 +23,7 @@ ms.custom: it-pro, references_regions
[Multifactor authentication (MFA)](~/identity/authentication/concept-mfa-howitworks.md) adds a layer of security to your applications by requiring users to provide a second method for verifying their identity during sign-up or sign-in. External tenants support two methods for authentication as a second factor:

- Email one-time passcode
- SMS based authentication, available as an add-on [see details](#sms-based-authentication).
- SMS-based authentication, available as an add-on ([see details](#sms-based-authentication)).

Enforcing MFA enhances your organization's security by adding an extra layer of verification, making it more difficult for unauthorized users to gain access.

Expand Down Expand Up @@ -69,7 +69,7 @@ External ID mitigates fraudulent sign-ups and sign-ins via SMS by enforcing the

The following table provides details about the different pricing tiers for SMS based authentication services across various countries or regions. For pricing details, see [Microsoft Entra External ID pricing](https://aka.ms/ExternalIDPricing).

The SMS feature requires a [linked subscription](../external-identities-pricing.md#link-an-external-tenant-to-a-subscription) and the External ID SMS Phone Authentication add-on. If your subscription expires or is cancelled, the feature will be disabled.
SMS is an add-on feature and requires a [linked subscription](../external-identities-pricing.md#link-an-external-tenant-to-a-subscription). If your subscription expires or is cancelled, end users will no longer be able to authenticate using SMS, which could block them from signing in depending on your MFA policy.

|Tier |Countries/Regions |
|-----------------------------------|-------------------|
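Review bot: the unchanged context line above ("pricing tiers for SMS based authentication services") still uses the unhyphenated form while the earlier hunk in this file standardizes on "SMS-based"; hyphenate it here as well. The new sentence also drops the add-on's product name ("External ID SMS Phone Authentication add-on") that the removed line carried; keep the name so readers can identify the add-on when linking the subscription. The added warning that an expired or cancelled subscription can block sign-in, depending on the MFA policy, is a useful operational caveat and should stay.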
Expand Up @@ -8,7 +8,7 @@ ms.service: entra-external-id

ms.subservice: customers
ms.topic: concept-article
ms.date: 09/26/2024
ms.date: 10/07/2024
ms.author: mimart
ms.custom: it-pro, seo-july-2024

Expand Down Expand Up @@ -172,4 +172,3 @@ The following table compares the features available for token customization in e
## Next steps

- [Planning for CIAM](concept-planning-your-solution.md)
-
Expand Up @@ -8,7 +8,7 @@ ms.service: entra-external-id

ms.subservice: customers
ms.topic: how-to
ms.date: 08/08/2024
ms.date: 10/07/2024
ms.author: mimart
ms.custom: it-pro

Expand All @@ -22,8 +22,7 @@ ms.custom: it-pro
[Multifactor authentication (MFA)](~/identity/authentication/concept-mfa-howitworks.md) adds a layer of security to your applications by requiring users to provide a second method for verifying their identity during sign-up or sign-in. External tenants support two methods for authentication as a second factor:

- **Email one-time passcode**: After the user signs in with their email and password, they are prompted for a passcode that is sent to their email. To allow the use of email one-time passcodes for MFA, set your local account authentication method to *Email with password*. If you choose *Email with one-time passcode*, customers who use this method for primary sign-in won't be able to use it for MFA secondary verification.
- **SMS-based authentication**: While SMS isn't an option for first factor authentication, it's available as a second factor for MFA. Users who sign in with email and password, email and one-time passcode, or social identities like Google or Facebook, are prompted for second verification using SMS. Our SMS MFA includes automatic fraud checks. If we suspect fraud, we'll ask the user to complete a CAPTCHA to confirm they're not a robot before sending the SMS code for verification. SMS is an add-on feature. Your tenant must be [linked](../external-identities-pricing.md#link-an-external-tenant-to-a-subscription) to an active, valid subscription. ([Learn more](concept-multifactor-authentication-customers.md#sms-based-authentication))

- **SMS-based authentication**: While SMS isn't an option for first factor authentication, it's available as a second factor for MFA. Users who sign in with email and password, email and one-time passcode, or social identities like Google or Facebook, are prompted for second verification using SMS. Our SMS MFA includes automatic fraud checks. If we suspect fraud, we'll ask the user to complete a CAPTCHA to confirm they're not a robot before sending the SMS code for verification. SMS is an add-on feature. Your tenant must be [linked](../external-identities-pricing.md#link-an-external-tenant-to-a-subscription) to an active, valid subscription. [Learn more](concept-multifactor-authentication-customers.md#sms-based-authentication)

This article describes how to enforce MFA for your customers by creating a Microsoft Entra Conditional Access policy and adding MFA to your sign-up and sign-in user flow.

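Review bot: apart from removing the blank line and the parentheses around "[Learn more](...)", the added bullet repeats the removed one verbatim, so the hunk is larger than the actual change; acceptable, but the concept article hunk in this same PR keeps its cross-reference in parentheses ("([see details](...))"), so choose one convention for both files. The SMS add-on and linked-subscription sentence now appears both in this bullet and in the requirements list in the next hunk; one of the two could simply refer to the other.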
Expand All @@ -38,7 +37,7 @@ This article describes how to enforce MFA for your customers by creating a Micro
- A [sign-up and sign-in user flow](how-to-user-flow-sign-up-sign-in-customers.md).
- An app that's registered in your external tenant and added to the sign-up and sign-in user flow.
- An account with at least the Security Administrator role to configure Conditional Access policies and MFA.
- For SMS-based authentication, the add-on for External ID SMS Phone Authentication. Your tenant must be [linked](../external-identities-pricing.md#link-an-external-tenant-to-a-subscription) to an active, valid subscription.
- SMS is an add-on feature and requires a [linked subscription](../external-identities-pricing.md#link-an-external-tenant-to-a-subscription). If your subscription expires or is cancelled, end users will no longer be able to authenticate using SMS, which could block them from signing in depending on your MFA policy.

## Create a Conditional Access policy

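Review bot: the new bullet breaks the list's parallel structure: the surrounding items are noun phrases ("A sign-up and sign-in user flow", "An account with at least the Security Administrator role"), while this one is a full sentence starting "SMS is an add-on feature". Suggest keeping the removed line's framing, e.g. "- For SMS-based authentication, a [linked subscription](...) with the External ID SMS Phone Authentication add-on. If the subscription expires or is cancelled, end users can no longer authenticate with SMS, which can block sign-in depending on your MFA policy." That also restores the add-on's product name, which the new line drops.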
3 changes: 1 addition & 2 deletions docs/external-id/customers/reference-service-limits.md
Expand Up @@ -8,7 +8,7 @@ ms.service: entra-external-id

ms.subservice: customers
ms.topic: reference
ms.date: 09/06/2024
ms.date: 10/07/2024
ms.author: cmulligan
ms.custom: it-pro

Expand Down Expand Up @@ -100,4 +100,3 @@ The following table lists the service limits we implement to prevent outages and

- [Start a free trial without an Azure subscription](quickstart-trial-setup.md)
- [Create a tenant with an Azure subscription](quickstart-tenant-setup.md)
-
1 change: 1 addition & 0 deletions docs/fundamentals/how-to-create-delete-users.yml
Expand Up @@ -23,6 +23,7 @@ introduction: |
This article explains how to create a new user, invite an external guest, and delete a user in your workforce tenant. It also includes information about creating users in an external tenant for [Microsoft Entra External ID](~/external-id/customers/overview-customers-ciam.md) scenarios.
[!INCLUDE [GDPR-related guidance](~/includes/azure-docs-pr/gdpr-hybrid-note.md)]
## Types of users
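Review bot: the include is inserted inside the `introduction: |` literal block, so its indentation must match the paragraph above it; the rendered diff strips leading whitespace, so that cannot be verified here, and an include indented less than the block would terminate the scalar early and break the YAML. Also check that a blank line separates the include from the "## Types of users" heading that follows, since none is visible in the hunk.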
Expand Up @@ -20,7 +20,7 @@ Microsoft Entra ID has multiple settings that determine how often users need to

The Microsoft Entra ID default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt.

It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions by using Microsoft Graph PowerShell](/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession).
It might sound alarming to not ask for a user to sign back in; however, any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions by using Microsoft Graph PowerShell](/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession).

This article details recommended configurations and how different settings work and interact with each other.

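Review bot: while rewording this sentence, "an incompliant device" on the changed line should become "a noncompliant device", the term used for device compliance elsewhere in the Conditional Access documentation; "incompliant" is not the standard word. The change from "though" to "; however," itself reads better.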
Expand Down Expand Up @@ -90,7 +90,7 @@ More information, see [Remember multifactor authentication](howto-mfa-mfasetting

**Sign-in frequency** allows the administrator to choose sign-in frequency that applies for both first and second factor in both client and browser. We recommend using these settings, along with using managed devices, in scenarios when you have a need to restrict authentication session, such as for critical business applications.

**Persistent browser session** allows users to remain signed in after closing and reopening their browser window. Similar to the *Remain signed-in* setting, it sets a persistent cookie on the browser. However, since it's configured by the admin, it doesn't require the user select **Yes** in the *Stay signed-in?* option so provides a better user experience. If you use the *Remain signed-in?* option, we recommend you enable the **Persistent browser session** policy instead.
**Persistent browser session** allows users to remain signed in after closing and reopening their browser window. Similar to the *Remain signed-in* setting, it sets a persistent cookie on the browser. However, since it's configured by the admin, it doesn't require the user select **Yes** in the *Stay signed-in?* option so it provides a better user experience. If you use the *Remain signed-in?* option, we recommend you enable the **Persistent browser session** policy instead.

For more information. see [Configure authentication session management with Conditional Access](~/identity/conditional-access/howto-conditional-access-session-lifetime.md).

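Review bot: the changed line names the same user-facing setting three ways: "*Remain signed-in* setting", "*Stay signed-in?* option", and "*Remain signed-in?* option". Since the paragraph's point is that the admin policy replaces that prompt, use one label (the prompt text the user actually sees) throughout. While here, the trailing context line "For more information. see ..." has a period where a comma belongs.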
Expand Up @@ -5,7 +5,7 @@ description: Learn about how to centrally manage multifactor authentication and
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 10/04/2024
ms.date: 10/07/2024


ms.author: justinha
Expand Down Expand Up @@ -82,7 +82,7 @@ For each method, note whether or not it's enabled for the tenant. The following

### Review the legacy SSPR policy

To get the authentication methods available in the legacy SSPR policy, go to **Identity** > **Users** > **Password reset** > **Authentication methods**. The following table lists the available methods in the legacy SSPR policy and corresponding methods in the Authentication method policy.
To get the authentication methods available in the legacy SSPR policy, go to **Identity** > **Protection** > **Password reset** > **Authentication methods**. The following table lists the available methods in the legacy SSPR policy and corresponding methods in the Authentication method policy.

:::image type="content" border="false" source="media/how-to-authentication-methods-manage/legacy-sspr-policy.png" alt-text="Screenshot that shows the legacy Microsoft Entra SSPR policy." lightbox="media/how-to-authentication-methods-manage/legacy-sspr-policy.png":::

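Review bot: the navigation path on the changed line now goes through **Protection** instead of **Users**, but this hunk changes only the text; confirm that the screenshot referenced on the following line (legacy-sspr-policy.png) and its alt text still match the new path, otherwise the image will show a different blade than the step describes.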
Expand Up @@ -49,7 +49,7 @@ Sign-in frequency (SIF) works with third-party SAML applications and apps that i

### User sign-in frequency and multifactor authentication

Sign-in frequency previously applied to only to the first factor authentication on devices that were Microsoft Entra joined, Microsoft Entra hybrid joined, and Microsoft Entra registered. There was no easy way for our customers to re-enforce multifactor authentication on those devices. Based on customer feedback, sign-in frequency applies for MFA as well.
Sign-in frequency previously applied only to the first factor authentication on devices that were Microsoft Entra joined, Microsoft Entra hybrid joined, and Microsoft Entra registered. There was no easy way for our customers to re-enforce multifactor authentication on those devices. Based on customer feedback, sign-in frequency applies for MFA as well.

[![A diagram showing how Sign in frequency and MFA work together.](media/howto-conditional-access-session-lifetime/conditional-access-flow-chart.png)](media/howto-conditional-access-session-lifetime/conditional-access-flow-chart.png#lightbox)

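Review bot: the duplicated "to" fix is correct; while touching the line, "the first factor authentication" should be "first-factor authentication" (compound adjective, matching "multifactor authentication" later in the same sentence).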
8 changes: 4 additions & 4 deletions docs/identity/domain-services/notifications.md
Expand Up @@ -8,7 +8,7 @@ ms.assetid: b9af1792-0b7f-4f3e-827a-9426cdb33ba6
ms.service: entra-id
ms.subservice: domain-services
ms.topic: how-to
ms.date: 09/15/2023
ms.date: 10/07/2024
ms.author: justinha
---
# Configure email notifications for issues in Microsoft Entra Domain Services
Expand Down Expand Up @@ -44,13 +44,13 @@ The list of email recipients for Domain Services should be composed of people wh

You can add up to five more recipients for email notifications. If you want more than five recipients for email notifications, create a distribution list and add that to the notification list instead.

You can also choose to have all *Global Administrators* of the Microsoft Entra directory and every member of the *AAD DC Administrators* group receive email notifications. Domain Services only sends notification to up to 100 email addresses, including the list of Global Administrators and AAD DC Administrators.
You can also choose to have highly privileged roles in the Microsoft Entra directory and every member of the *AAD DC Administrators* group receive email notifications. Domain Services only sends notification to up to 100 email addresses, including the list of highly privileged role holders and AAD DC Administrators.

## Configure email notifications

To review the existing email notification recipients, or add recipients, complete the following steps:

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](/azure/active-directory/roles/permissions-reference#authentication-policy-administrator).
1. [!INCLUDE [Privileged role](~/includes/privileged-role-include.md)]
1. Search for and select **Microsoft Entra Domain Services**.
1. Select your managed domain, such as *aaddscontoso.com*.
1. On the left-hand side of the Domain Services resource window, select **Notification settings**. The existing recipients for email notifications are shown.
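Review bot: on the first changed line, "have highly privileged roles in the Microsoft Entra directory ... receive email notifications" makes the roles the recipients; say "have users assigned highly privileged roles" or "holders of highly privileged roles", which is the form the second half of the sentence already uses ("the list of highly privileged role holders"). Replacing the sentence in step 1 with the privileged-role include also removes a pre-existing mismatch (the old link named Global Administrator but pointed at the authentication-policy-administrator anchor); verify the include renders as a single list item so the "1." numbering stays continuous.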
Expand All @@ -68,7 +68,7 @@ If an alert is resolved, the alert is cleared from the Microsoft Entra admin cen

### Why can I not edit the notification settings?

If you're unable to access the notification settings page in the Microsoft Entra admin center, you don't have the permissions to edit the managed domain. Contact a Global Administrator to either get permissions to edit Domain Services resource or be removed from the recipient list.
If you're unable to access the notification settings page in the Microsoft Entra admin center, you don't have the permissions to edit the managed domain. Contact a highly privileged administrator to either get permissions to edit Domain Services resource or be removed from the recipient list.

### I don't seem to be receiving email notifications even though I provided my email address. Why?

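Review bot: "Contact a highly privileged administrator" is vaguer than the removed "Global Administrator" and, unlike the earlier hunk in this file, does not use the privileged-role include; readers need to know which role can grant edit rights on the managed domain, so name the role or link to the include. Also "edit Domain Services resource" needs the article: "edit the Domain Services resource".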
15 changes: 8 additions & 7 deletions docs/identity/domain-services/powershell-create-instance.md
Expand Up @@ -8,7 +8,7 @@ ms.assetid: d4bc5583-6537-4cd9-bc4b-7712fdd9272a
ms.service: entra-id
ms.subservice: domain-services
ms.topic: sample
ms.date: 03/13/2024
ms.date: 10/07/2024
ms.author: justinha
ms.reviewer: wanjikumugo
ms.custom: devx-track-azurepowershell, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
Expand All @@ -32,8 +32,8 @@ To complete this article, you need the following resources:
* Install and configure MS Graph PowerShell.
- If needed, follow the instructions to [install the MS Graph PowerShell module and connect to Microsoft Entra ID](/powershell/microsoftgraph/installation).
* Make sure that you sign in to your Microsoft Entra tenant using the [Connect-MgGraph][Connect-MgGraph] cmdlet.
* You need *Global Administrator* privileges in your Microsoft Entra tenant to enable Domain Services.
* You need *Contributor* privileges in your Azure subscription to create the required Domain Services resources.
* [!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)]
* *Contributor* privileges for the Azure subscription are required for this feature.

> [!IMPORTANT]
> While the **Az.ADDomainServices** PowerShell module is in preview, you must install it separately
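Review bot: "*Contributor* privileges for the Azure subscription are required for this feature." is vaguer than the removed line, which said what the privileges are for ("to create the required Domain Services resources"); "this feature" is ambiguous in a prerequisites list. Also check that the include text reads as a single bullet when placed after "* ", and note the list already mixes "*" and "-" markers (the nested "- If needed" item), which is pre-existing but worth tidying while editing these lines.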
Expand Down Expand Up @@ -78,7 +78,7 @@ if (!$GroupObject) {
}
```

With the *AAD DC Administrators* group created, get the desired user's object ID using the [Get-MgUser][Get-MgUser] cmdlet, then add the user to the group using the [New-MgGroupMember][New-MgGroupMember] cmdlet.
With the *AAD DC Administrators* group created, get the desired user's object ID using the [Get-MgUser][Get-MgUser] cmdlet, then add the user to the group using the [New-MgGroupMemberByRef][New-MgGroupMemberByRef] cmdlet.

In the following example, the user object ID for the account with a UPN of `admin@contoso.onmicrosoft.com`. Replace this user account with the UPN of the user you wish to add to the *AAD DC Administrators* group:

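Review bot: the prose now names New-MgGroupMemberByRef, but the code sample that follows is collapsed here and must use the same cmdlet; the two cmdlets take different parameters (New-MgGroupMemberByRef expects a body with an object reference rather than a directory object ID), so confirm the sample was updated in the same commit and not only the sentence. The unchanged sentence "In the following example, the user object ID for the account with a UPN of `admin@contoso.onmicrosoft.com`." is missing its verb ("is retrieved").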
Expand Down Expand Up @@ -231,8 +231,9 @@ When the Microsoft Entra admin center shows that the managed domain has finished

The following complete PowerShell script combines all of the tasks shown in this article. Copy the script and save it to a file with a `.ps1` extension. For Azure Global, use AppId value *2565bd9d-da50-47d4-8b85-4c97f669dc36*. For other Azure clouds, use AppId value *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. Run the script in a local PowerShell console or the [Azure Cloud Shell][cloud-shell].

> [!NOTE]
> To enable Domain Services, you must be a Global Administrator for the Microsoft Entra tenant. You also need at least *Contributor* privileges in the Azure subscription.
[!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)]

*Contributor* privileges for the Azure subscription are required for this feature.

```azurepowershell-interactive
# Change the following values to match your deployment.
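Review bot: the removed NOTE callout stated both requirements together and said what they were for ("to enable Domain Services"); the replacement splits them into the include and a bare sentence, losing the callout emphasis and leaving "this feature" unclear. Consider keeping the `> [!NOTE]` wrapper around both lines and writing "to enable Domain Services" instead of "for this feature". The same wording appears in the prerequisites hunk above, so fix both together.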
Expand Down Expand Up @@ -391,7 +392,7 @@ To see the managed domain in action, you can [domain-join a Windows VM][windows-

[New-MgGroup]: /powershell/module/microsoft.graph.groups/new-mggroup

[New-MgGroupMember]: /powershell/module/microsoft.graph.groups/new-mggroupmember
[New-MgGroupMemberByRef]: /powershell/module/microsoft.graph.groups/new-mggroupmemberbyref

[Get-MgGroup]: /powershell/module/microsoft.graph.groups/get-mggroup
