Merge pull request #5511 from MicrosoftDocs/main
10/9/2024 PM Publish
Taojunshen authored Oct 9, 2024
2 parents 0bb5d28 + 832685d commit 41cf8c1
Showing 6 changed files with 55 additions and 43 deletions.
1 change: 1 addition & 0 deletions .docutune/config/docutune-unattended.json
Expand Up @@ -24,6 +24,7 @@
"name": "Default",
"command": "Fix",
"configType": "full",
"termFiles": [ "Security-GUIDs.ps1" ],
"include": [
// "docs/external-id/",
// "docs/fundamentals/",
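Review bot: the new `"termFiles": [ "Security-GUIDs.ps1" ]` entry is a bare filename with no directory, so it only resolves if DocuTune looks for term files relative to this config's own folder; if the tool expects a path from the repository root, the entry silently matches nothing and the `Fix` run gains no GUID terms at all. Worth checking in the same pass: the `include` entries visible in this hunk are all commented out (`// "docs/external-id/"`, `// "docs/fundamentals/"`), which is only valid if the tool reads JSON-with-comments rather than strict JSON, and it means this profile has no scope unless other `include` entries exist outside the shown context.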
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,30 @@ Confirm that a previously registered device (with a Workplace Join key in Keycha

No, macOS PSSO is only supported in Microsoft Entra join deployments. There are no plans to support hybrid-join deployments, as we recommend that Mac users go fully cloud based.

### How can I change my password when using Platform SSO?

Users can change their password using Self-Service Password Reset (SSPR) on their device.

If SSPR is done on another machine users will be allowed to sign-in to the Mac device using either the old or the new password. Using the old password will unlock the device and then prompt the user for the new password to continue syncing data. Using the new password will unlock the device and sync data immediately.

We recommend that IT Admins should use [Managed Apple IDs](https://support.apple.com/guide/deployment/depcaa668a58/web) where possible as this does give organizations more options for password management.

### What should I do if I forget my password?

#### Password Sync
If users are at lock screen or login screen they can reset their password from there. If the user received a temporary password from an IT admin they should use another device to log in, set up a new password and use that new password at to log in to their own device. For more info refer [Apple's documentation on forgotten passwords](https://support.apple.com/102633).

> [!IMPORTANT]
> There is currently a known issue with PSSO that is causing registration removal during recovery and may prompt users to re-register after recovery. This is expected behavior.

IT Admins should also enable keyvault recovery to ensure data can be recovered in case of a forgotten password. To learn more refer to [Configure Platform SSO for macOS devices in Microsoft Intune](/mem/intune/configuration/platform-sso-macos#password).

> [!NOTE]
> If the device is booted and there is FileVault encryption the new Entra password will work on macOS15 only.

#### Secure Enclave
Users can reset the local password via Apple ID or an admin recovery key.

## Known issues

### Passcode policy complexity mismatches
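Review bot: the added password-reset guidance has several wording defects that should be fixed before publish. "use that new password at to log in to their own device" has a stray "at", and "For more info refer [Apple's documentation ...]" needs "refer to". The `[!IMPORTANT]` block describes the registration removal during recovery as both a "known issue" and "expected behavior"; pick one, or say that the re-registration prompt is expected until the issue is resolved. "keyvault recovery" two paragraphs later looks like it should name the macOS feature the following note actually refers to, FileVault (the linked Intune section is the FileVault password section), and "macOS15" should read "macOS 15". Finally, the statement that after an SSPR on another machine "either the old or the new password" unlocks the Mac is the security-relevant point of this section, and the text leaves the duration of that window undefined; say how long the old password continues to unlock the device so admins can reason about it.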
35 changes: 8 additions & 27 deletions docs/identity/enterprise-apps/v2-howto-app-gallery-listing.md
Expand Up @@ -8,7 +8,7 @@ ms.service: entra-id
ms.subservice: enterprise-apps
ms.topic: how-to

ms.date: 07/24/2024
ms.date: 10/09/2024
ms.author: jomondi
ms.reviewer: ergreenl
ms.custom: kr2b-contr-experiment, enterprise-apps-article
Expand All @@ -27,13 +27,17 @@ To publish your application in the Microsoft Entra application gallery, you need
- Submit your application.
- Join the Microsoft partner network.

> [!NOTE]
> We are currently not accepting new SSO or provisioning requests while we focus on the [Secure Future Initiative](https://www.microsoft.com/security/blog/topic/secure-future-initiative/). Update requests will be processed on a case-by-case basis.
## Prerequisites
To publish your application in the gallery, you must first read and agree to specific [terms and conditions](https://azure.microsoft.com/support/legal/active-directory-app-gallery-terms/).
- Implement support for *single sign-on (SSO)*. To learn more about supported options, see [Plan a single sign-on deployment](plan-sso-deployment.md).
- For password SSO, make sure that your application supports form authentication so that password vaulting can be used.
- For federated applications (SAML/WS-Fed), the application should preferably support [software-as-a-service (SaaS) model](https://azure.microsoft.com/overview/what-is-saas/) but it is not mandatory and it can be an on-premises application as well. Enterprise gallery applications must support multiple user configurations and not any specific user.

- For OpenID Connect, most applications work well as a multitenant application implementing the [Microsoft Entra consent framework](~/identity-platform/application-consent-experience.md). Refer to [this](~/identity-platform/howto-convert-app-to-be-multi-tenant.md) link to convert the application into multitenant. If your application requires additional per-instance configuration, such as customers needing to control their own secrets and certificates, you can publish a single-tenant Open ID Connect application.

- Provisioning is optional yet highly recommended. To learn more about Microsoft Entra SCIM, see [build a SCIM endpoint and configure user provisioning with Microsoft Entra ID](~/identity/app-provisioning/use-scim-to-provision-users-and-groups.md).

You can sign up for a free, test Development account. It's free for 90 days and you get all of the premium Microsoft Entra features with it. You can also extend the account if you use it for development work: [Join the Microsoft 365 Developer Program](/office/developer-program/microsoft-365-developer-program).
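Review bot: the new `[!NOTE]` alert is placed directly above `## Prerequisites` with no blank line between "> Update requests will be processed on a case-by-case basis." and the heading; DocFX alerts need a blank line after the blockquote, otherwise the heading renders inside the note. After this hunk the Prerequisites list is also spaced inconsistently: there are blank lines after the SAML/WS-Fed item, the OpenID Connect item and the provisioning item, but none between the first two items, so either blank-line every item or none.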
Expand Down Expand Up @@ -75,9 +79,6 @@ If you see a "Request Access" page, then fill in the business justification and

After your account is added, you can sign in to the Microsoft Application Network portal and submit the request by selecting the **Submit Request (ISV)** tile on the home page. If you see the "Your sign-in was blocked" error while logging in, see [Troubleshoot sign-in to the Microsoft Application Network portal](troubleshoot-app-publishing.md).

> [!NOTE]
> Currently we are not onboarding new applications in FY25 due to SFI (Security Future Initiatives). Only the update listing requests can be submitted.
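Review bot: removing this note is right since the policy is now stated once at the top of the article, but the deleted text said "Only the update listing requests can be submitted" while the replacement note says update requests are processed "on a case-by-case basis"; those promise different things to an ISV, so confirm the surviving wording matches the actual intake policy.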
### Implementation-specific options

On the application **Registration** form, select the feature that you want to enable. Select **OpenID Connect & OAuth 2.0**, **SAML 2.0/WS-Fed**, or **Password SSO(UserName & Password)** depending on the feature that your application supports.
Expand All @@ -88,24 +89,6 @@ If you wish to register an MDM application in the Microsoft Entra application ga

You can track application requests by customer name at the Microsoft Application Network portal. For more information, see [Application requests by Customers](https://microsoft.sharepoint.com/teams/apponboarding/Apps/SitePages/AppRequestsByCustomers.aspx).

### Timelines

Listing an **SAML 2.0 or WS-Fed application** in the gallery takes 12 to 15 business days.

:::image type="content" source="./media/howto-app-gallery-listing/timeline.png" alt-text="Screenshot that shows the timeline for listing a SAML application.":::

Listing an **OpenID Connect application** in the gallery takes 7 to 10 business days.

:::image type="content" source="./media/howto-app-gallery-listing/timeline-2.png" alt-text="Screenshot that shows the timeline for listing an OpenID Connect application.":::

Listing an **SCIM provisioning application** in the gallery varies, depending on numerous factors.

Not all applications are onboarded. Per the terms and conditions, a decision can be made not to list an application. Onboarding applications is at the sole discretion of the onboarding team.

Here's the flow of customer-requested applications.

:::image type="content" source="./media/howto-app-gallery-listing/customer-request-2.png" alt-text="Screenshot that shows the customer-requested apps flow.":::

## Update or Remove the application from the Gallery

You can submit your application update request in the [Microsoft Application Network portal](https://microsoft.sharepoint.com/teams/apponboarding/Apps).
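Review bot: deleting the whole Timelines section also drops the sentence "Not all applications are onboarded. Per the terms and conditions, a decision can be made not to list an application. Onboarding applications is at the sole discretion of the onboarding team.", which is not a timeline statement and is still true while intake is paused; consider keeping it under Prerequisites or the new note. The three images this section referenced (`./media/howto-app-gallery-listing/timeline.png`, `timeline-2.png` and `customer-request-2.png`) are now unreferenced from this article; if nothing else links them, remove them so the media folder does not accumulate orphans.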
Expand All @@ -114,22 +97,20 @@ If you see a "Request Access" page, then fill in the business justification and

After the account is added, you can sign in to the Microsoft Application Network portal and submit the request by selecting the **Submit Request (ISV)** tile on the home page and select **Update my application’s listing in the gallery** and select one of the following options as per your choice -

* If you want to update applications SSO feature, select **Update my application’s Federated SSO feature**.
* If you want to update an application's SSO feature, select **Update my application’s Federated SSO feature**.

* If you want to update Password SSO feature, select **Update my application’s Password SSO feature**.

* If you want to upgrade your listing from Password SSO to Federated SSO, select **Upgrade my application from Password SSO to Federated SSO**.

* If you want to update MDM listing, select **Update my MDM app**.
* If you want to update an MDM listing, select **Update my MDM app**.

* If you want to improve User Provisioning feature, select **Improve my application’s User Provisioning feature**.
* If you want to update an existing User Provisioning integration, select **Improve my application’s User Provisioning feature**.

* If you want to remove the application from Microsoft Entra application gallery, select **Remove my application listing from the gallery**.

If you see the **Your sign-in was blocked** error while logging in, see [Troubleshoot sign-in to the Microsoft Application Network portal](troubleshoot-app-publishing.md).



## Join the Microsoft partner network

The Microsoft Partner Network provides instant access to exclusive programs, tools, connections, and resources. To join the network and create your go-to-market plan, see [Reach commercial customers](https://partner.microsoft.com/explore/commercial#gtm).
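Review bot: the two article fixes ("update an application's SSO feature", "update an MDM listing") are good, but the neighbouring item "If you want to update Password SSO feature" still lacks the article and should read "update the Password SSO feature" for consistency. While in this list: the introductory sentence ends with "as per your choice -", where a colon is intended, and there are three blank lines before `## Join the Microsoft partner network` where one is enough.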
16 changes: 7 additions & 9 deletions docs/identity/hybrid/connect/harden-update-ad-fs-pingfederate.md
Expand Up @@ -12,13 +12,8 @@ ms.author: billmath

# Hardening update to Microsoft Entra Connect Sync AD FS and PingFederate configuration

In October 2024, we released a [new version (2.4.18.0) of Microsoft Entra Connect Sync](reference-connect-version-history.md#24180) in which contains a back-end service change that further hardens our services. **All customers are required to upgrade** to the latest version by **April 7, 2025**.
In October 2024, we released new versions (2.4.xx.0) of Microsoft Entra Connect Sync. These versions contain a back-end service change that further hardens our services. **All customers are required to upgrade** to the [minimum versions](#minimum-versions) by **April 7, 2025**.

## 2.4.18.0 Warning
>[!WARNING]
>If you are a customer using a [non-commercial cloud](~/identity-platform/authentication-national-cloud.md) (such as [Azure Government](/azure/azure-government/documentation-government-welcome) or [Azure in China](/azure/china/overview-operations)), please wait until our next update before you attempt to upgrade. There is an installation issue with version [2.4.18.0](reference-connect-version-history.md#24180) that affects customers in non-commercial clouds. Previous versions [2.3.20.0](reference-connect-version-history.md#23200) and below are unimpacted.
We are currently working on a fix, which we will release as part of an updated version as soon as possible. Customers in our commercial cloud are unaffected and can proceed to upgrade to version [2.4.18.0](reference-connect-version-history.md#24180).

## Expected impacts

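Review bot: "we released new versions (2.4.xx.0) of Microsoft Entra Connect Sync" reads like an unfilled placeholder in a customer-facing article; since the versions are named two sections down, say "2.4.18.0 and later" or link the two releases directly. The new `[minimum versions](#minimum-versions)` link does match the renamed `### Minimum versions` heading in this same diff, so that anchor is fine. Dropping the `## 2.4.18.0 Warning` section here is consistent with the version-history page change, but the warning was the only place this article told non-commercial-cloud customers why they could not take 2.4.18.0; the minimum-versions list should carry that reason.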
Expand All @@ -30,15 +25,18 @@ If you aren’t upgraded to the minimum required version, you may encounter the
>[!NOTE]
> If you’re unable to upgrade by the deadline, you can restore the impacted functionalities by upgrading to the latest version. However, you would **lose the ability to configurate AD FS and PingFederate** during the time period between **April 7, 2025 and when you upgrade**.
### Minimum version
### Minimum versions

To avoid any service impact, customers should be on version by April 7, 2025.
- Customers in commercial clouds: [2.4.18.0](reference-connect-version-history.md#24180) or higher.
- Customers in non-commercial clouds: x.x.xx.x or higher. [Learn more](reference-connect-version-history.md#24180-warning)
- Customers in non-commercial clouds: [2.4.21.0](reference-connect-version-history.md#24210) or higher.

To upgrade to the latest version.
> [!div class="nextstepaction"]
> [Install Microsoft Entra Connect](https://www.microsoft.com/download/details.aspx?id=47594)
>[!IMPORTANT]
> Make sure you familiarize yourself with the [minimum requirements](how-to-connect-install-prerequisites.md) for the version, including but not limited to:
> Make sure you familiarize yourself with the [minimum requirements](how-to-connect-install-prerequisites.md) for the versions, including but not limited to:
>
> - [.NET 4.7.2](https://dotnet.microsoft.com/download/dotnet-framework/net472#:~:text=Downloads%20for%20building%20and%20running%20applications%20with%20.NET%20Framework%204.7.2)
> - [TLS 1. 2](reference-connect-tls-enforcement.md)
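Review bot: the replaced non-commercial line correctly drops the `#24180-warning` anchor, since that heading no longer exists after this commit. Several defects remain in the surrounding context that this hunk touches: "customers should be on version by April 7, 2025" is missing a word (read "on a minimum version"), "To upgrade to the latest version." is a fragment that should end with a colon as it introduces the button, "[TLS 1. 2]" has a stray space in the link text, and "lose the ability to configurate AD FS and PingFederate" in the note above should be "configure".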
20 changes: 14 additions & 6 deletions docs/identity/hybrid/connect/reference-connect-version-history.md
Expand Up @@ -19,11 +19,6 @@ The Microsoft Entra team regularly updates Microsoft Entra Connect with new feat

This article helps you keep track of the versions that have been released and understand what the changes are in the latest version.

## 2.4.18.0 Warning
>[!WARNING]
>If you are a customer using a [non-commercial cloud](~/identity-platform/authentication-national-cloud.md) (such as [Azure Government](/azure/azure-government/documentation-government-welcome) or [Azure in China](/azure/china/overview-operations)), please wait until our next update before you attempt to upgrade. There is an installation issue with version [2.4.18.0](#24180) that affects customers in non-commercial clouds. Previous versions [2.3.20.0](#2320) and below are unimpacted.
We are currently working on a fix, which we will release as part of an updated version as soon as possible. Customers in our commercial cloud are unaffected and can proceed to upgrade to version [2.4.18.0](#24180).

## Looking for the latest versions?

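Review bot: removing the `## 2.4.18.0 Warning` heading deletes the `#24180-warning` anchor that harden-update-ad-fs-pingfederate.md linked to before this commit; that page is updated in the same diff, but search the rest of the repo for other inbound links before merging. Readers who land on the `## 2.4.18.0` section from an existing link now get no hint that non-commercial clouds (Azure Government, Azure in China) must skip to 2.4.21.0, so a one-line pointer in that section would preserve what the warning conveyed. Incidentally, the deleted text's `[2.3.20.0](#2320)` anchor was wrong (the table uses `#23200`), which is one less broken link to worry about.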
Expand Down Expand Up @@ -73,7 +68,8 @@ Required permissions | For permissions required to apply an update, see [Microso
|[2.3.6.0](#2360)|1 Apr 2025 (12 months after release of 2.3.8.0)|
|[2.3.8.0](#2380)|25 Jul 2025 (12 months after release of 2.3.20.0)|
|[2.3.20.0](#23200)|7 Oct 2025 (12 months after release of 2.4.18.0)|
|[2.4.18.0](#24180)|TBD|
|[2.4.18.0](#24180)|9 Oct 2025 (12 months after release of 2.4.21.0)|
|[2.4.21.0](#24210)|TBD|

**All other versions are not supported**

Expand All @@ -97,6 +93,18 @@ If you want all the latest features and updates, check this page and install wha

To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).

## 2.4.21.0

### Release status

10/09/2024: Released for download

### Bug fixes

- Fixed an issue with non-commercial clouds.



## 2.4.18.0

### Release status
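Review bot: "Fixed an issue with non-commercial clouds." is too vague for a release that customers in those clouds were explicitly told to wait for; the warning removed elsewhere in this commit described it as an installation issue with 2.4.18.0 affecting non-commercial clouds, so state that here so readers can tell this is the fix. The new section is also followed by three blank lines before `## 2.4.18.0`; trim to one to match the rest of the page. The "10/09/2024" release date does line up with the "9 Oct 2025" retirement date added for 2.4.18.0 in the support table above.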
2 changes: 1 addition & 1 deletion docs/identity/saas-apps/workday-writeback-tutorial.md
Expand Up @@ -300,7 +300,7 @@ Once the Workday provisioning app configurations are complete, you can turn on t
> ![Select Writeback scope](./media/sap-successfactors-inbound-provisioning/select-writeback-scope.png)
> [!NOTE]
> The Workday Writeback provisioning app doesn't support the option **Sync only assigned users and groups**.
> The Workday Writeback provisioning app doesn't support the option **Sync only assigned users and groups** and will always operate as if the "Sync all users and groups" option is selected.

2. Click **Save**.
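Review bot: the clarification is useful, but the second option name is written as "Sync all users and groups" in straight quotes while the first uses bold (**Sync only assigned users and groups**); use bold for both UI labels. Since the new sentence tells admins that assignment does not limit which users are written back, it would help to say in the same note how scope should be restricted instead, otherwise the reader is left knowing only that the control they expected does not apply.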