Merge pull request #5872 from MicrosoftDocs/main
11/7/2024 PM Publish
Taojunshen authored Nov 7, 2024
2 parents b747274 + b497eaa commit 170428a
Showing 38 changed files with 68 additions and 62 deletions.
2 changes: 2 additions & 0 deletions docs/global-secure-access/how-to-configure-kerberos-sso.md
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,8 @@ The Domain Controller ports are required to enable SSO to on-premises resources.
|----------|-----------|------------|
|88 |User Datagram Protocol (UDP) / Transmission Control Protocol (TCP) |Kerberos |
|389 |UDP |DC locator |
|464 |UDP/TCP |Password Change Request |
|123 |UDP |Time Synchronization |

> [!NOTE]
> The guide focuses on enabling SSO to on-premises resources and excludes configuration required for Windows domain-joined clients to perform domain operations (password change, Group Policy, etc.).
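Review bot: The new port 464 row (Password Change Request) sits two lines above a NOTE that says password change for domain-joined clients is out of scope for this guide, so readers cannot tell whether 464 must be open for SSO or only for the excluded domain operations; either state why 464 (and 123) are needed for SSO itself, or reword the NOTE so it no longer reads as contradicting the table. Minor: "Time Synchronization" could name the protocol (NTP) the way the other rows name Kerberos and DC locator.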
8 changes: 4 additions & 4 deletions docs/id-governance/entitlement-management-external-users.md
Expand Up @@ -7,7 +7,7 @@ editor: markwahl-msft
ms.service: entra-id-governance
ms.subservice: entitlement-management
ms.topic: how-to
ms.date: 07/15/2024
ms.date: 11/07/2024
ms.author: owinfrey
ms.reviewer: mwahl
#Customer intent: As an administrator, I want understand how I can govern access for external users in entitlement management.
Expand Down Expand Up @@ -75,7 +75,7 @@ To ensure people outside of your organization can request access packages and ge

![Edit catalog settings](./media/entitlement-management-shared/catalog-edit.png)

If you're an administrator or catalog owner, you can view the list of catalogs currently enabled for external users in the Microsoft Entra admin center list of catalogs, by changing the filter setting for **Enabled for external users** to **Yes**. If any of those catalogs shown in that filtered view have a non-zero number of access packages, those access packages might have a policy [for users not in your directory](entitlement-management-access-package-request-policy.md#for-users-not-in-your-directory) that allow external users to request.
If you're an administrator or catalog owner, you can view the list of catalogs currently enabled for external users in the Microsoft Entra admin center list of catalogs, by changing the filter setting for **Enabled for external users** to **Yes**. If any of those catalogs shown in that filtered view have a nonzero number of access packages, those access packages might have a policy [for users not in your directory](entitlement-management-access-package-request-policy.md#for-users-not-in-your-directory) that allow external users to request.

<a name='configure-your-azure-ad-b2b-external-collaboration-settings'></a>

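Review bot: While touching this sentence, fix the agreement error it still carries: "a policy ... that allow external users to request" should read "that allows external users to request". The non-zero to nonzero change itself is fine.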
Expand All @@ -98,7 +98,7 @@ To ensure people outside of your organization can request access packages and ge

- Make sure to exclude the Entitlement Management app from any Conditional Access policies that impact guest users. Otherwise, a Conditional Access policy could block them from accessing MyAccess or being able to sign in to your directory. For example, guests likely don't have a registered device, aren't in a known location, and don't want to re-register for multifactor authentication (MFA), so adding these requirements in a Conditional Access policy will block guests from using entitlement management. For more information, see [What are conditions in Microsoft Entra Conditional Access?](~/identity/conditional-access/concept-conditional-access-conditions.md).

- A common policy for Entitlement Management customers is to block all apps from guests except Entitlement Management for guests. This policy allows guests to enter My Access and request an access package. This package should contain a group (it's called Guests from My Access in the following example), which should be excluded from the block all apps policy. Once the package is approved, the guest is in the directory. Given that the end user has the access package assignment and is part of the group, the end user is able to access all other apps. Other common policies include excluding Entitlement Management app from MFA and compliant device.
- If the conditional access is blocking all cloud applications, in addition to excluding the Entitlement Management App, ensure that the *Request Approvals Read Platform* is also excluded in your Conditional Access (CA) policy. Start by confirming that you have the necessary roles: Conditional Access Administrator, Application Administrator, Attribute Assignment Administrator, and Attribute Definition Administrator. Then, create a custom security attribute with a suitable name and values. Locate the service principal for *Request Approvals Read Platform* in Enterprise Applications, and assign the custom attribute with the chosen value to this application. In your CA policy, apply a filter to exclude selected applications based on the custom attribute name and value assigned to *Request Approvals Read Platform*. For more details on filtering applications in CA policies, refer to : [Conditional Access: Filter for applications](../identity/conditional-access/concept-filter-for-applications.md)

:::image type="content" source="media/entitlement-management-external-users/exclude-app-guests.png" alt-text="Screenshot of exclude app options.":::

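Review bot: The replacement bullet drops the "block all apps except Entitlement Management" pattern and the "Guests from My Access" group it referenced, but the screenshot that follows (exclude-app-guests.png) appears to illustrate that removed example; confirm the image still matches the new text or update it. In the new text, "refer to : [Conditional Access" has a stray space before the colon and the bullet has no closing period. One sentence worth adding: because the exclusion is keyed on a custom security attribute assigned to the service principal, anyone holding Attribute Assignment Administrator can extend the same exclusion to other applications, so the doc should advise restricting that role and auditing attribute assignments.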
Expand Down Expand Up @@ -134,7 +134,7 @@ To ensure people outside of your organization can request access packages and ge
[!INCLUDE [portal updates](~/includes/portal-update.md)]


You can select what happens when an external user, who was invited to your directory through making an access package request, no longer has any access package assignments. This can happen if the user relinquishes all their access package assignments, or their last access package assignment expires. By default, when an external user no longer has any access package assignments, they're blocked from signing in to your directory. After 30 days, their guest user account is removed from your directory. You can also configure that an external user isn't blocked from sign in or deleted, or that an external user isn't blocked from sign in but is deleted.
You can select what happens when an external user, who was invited to your directory through making an access package request, no longer has any access package assignments. This can happen if the user relinquishes all their access package assignments, or their last access package assignment expires. By default, when an external user no longer has any access package assignments, they're blocked from signing in to your directory. After 30 days, their guest user account is removed from your directory. You can also configure that an external user isn't blocked from sign in or deleted, or that an external user isn't blocked from sign in but is deleted.

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](~/identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).

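Review bot: The removed and added lines render identically, so this looks like a whitespace-only change; if the line is being touched anyway, "isn't blocked from sign in" should be "isn't blocked from signing in" (twice), and the double blank line above the paragraph can be collapsed to one.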
9 changes: 5 additions & 4 deletions docs/id-protection/concept-workload-identity-risk.md
Expand Up @@ -24,20 +24,21 @@ A [workload identity](../workload-id/workload-identities-overview.md) is an iden
These differences make workload identities harder to manage and put them at higher risk for compromise.

> [!IMPORTANT]
> Detections are visible only to [Workload Identities Premium](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz) customers. Customers without Workload Identities Premium licenses still receive all detections but the reporting of details is limited.
> Full risk details and risk-based access controls are available to Workload Identities Premium customers; however, customers without the [Workload Identities Premium](https://entra.microsoft.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade) licenses still receive all detections with limited reporting details.
> [!NOTE]
> ID Protection detects risk on single tenant, third party SaaS, and multi-tenant apps. Managed Identities are not currently in scope.
## Prerequisites

To make use of workload identity risk, including the new **Risky workload identities** blade and the **Workload identity detections** tab in the **Risk detections** blade in the portal, you must have the following.
To make use of workload identity risk reports, including the new **Risky workload identities** blade and the **Workload identity detections** tab in the **Risk detections** blade in the portal, you must have the following.

- Workload Identities Premium licensing: You can view and acquire licenses on the [Workload Identities blade](https://portal.azure.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade).
- One of the following administrator roles assigned
- Security Administrator
- Security Operator
- Security Reader Users assigned the Conditional Access administrator role can create policies that use risk as a condition.

To take action on risky workload identities we recommend setting up risk-based Conditional Access policies, which does require [Workload Identities Premium](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz) licensing: You can view, start a trial and acquire licenses on the [Workload Identities blade](https://portal.azure.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade).

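Review bot: The licensing statements in this hunk do not agree: the new IMPORTANT text says customers without Workload Identities Premium still receive all detections with limited reporting, the Prerequisites bullet lists Premium licensing as required to use the risk reports at all, and the new closing paragraph says Premium is required for risk-based Conditional Access; state once which features need the license. The IMPORTANT alert now links to the entra.microsoft.com blade while the two later links point to the portal.azure.com blade for the same thing; pick one URL. Formatting: a blank line is needed between the IMPORTANT and NOTE alerts (adjacent blockquotes merge into one) and before "## Prerequisites", and the "Security Reader" bullet has the sentence "Users assigned the Conditional Access administrator role ..." fused onto it; break that into its own paragraph.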
## Workload identity risk detections

Expand All @@ -52,7 +53,7 @@ We detect risk on workload identities across sign-in behavior and offline indica
| Malicious application | Offline | This detection combines alerts from ID Protection and Microsoft Defender for Cloud Apps to indicate when Microsoft disables an application for violating our terms of service. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application. Note: These applications show `DisabledDueToViolationOfServicesAgreement` on the `disabledByMicrosoftStatus` property on the related [application](/graph/api/resources/application) and [service principal](/graph/api/resources/serviceprincipal) resource types in Microsoft Graph. To prevent them from being instantiated in your organization again in the future, you can't delete these objects. |
| Suspicious application | Offline | This detection indicates that ID Protection or Microsoft Defender for Cloud Apps identified an application that might be violating our terms of service but hasn't disabled it. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application.|
| Anomalous service principal activity | Offline | This risk detection baselines normal administrative service principal behavior in Microsoft Entra ID, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrative service principal making the change or the object that was changed. |
| Suspicious API Traffic | Offline | This risk detection is reported when abnormal GraphAPI traffic or directory enumeration of a service principal is observed. The Suspicious API Traffic for service principals detection may indicate abnormal reconnaissance or data exfiltration. |
| Suspicious API Traffic | Offline | This risk detection is reported when abnormal GraphAPI traffic or directory enumeration of a service principal is observed. The Suspicious API Traffic detection may indicate abnormal reconnaissance or data exfiltration by a service principal. |


## Identify risky workload identities
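Review bot: The reworded Suspicious API Traffic row still writes "GraphAPI" as one word; use "Microsoft Graph API", matching the "Microsoft Graph" wording two rows up. Unlike the other offline rows, this one gives no recommended action; consider adding the same "We recommend conducting an investigation" pointer so readers know what to do when it fires.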
64 changes: 44 additions & 20 deletions docs/identity-platform/signing-key-rollover.md
Expand Up @@ -76,20 +76,33 @@ The .NET implementation of this algorithm is available from [BaseConfigurationMa
#### KeyRefresh procedure (pseudo code):
This procedure uses a global (lastSuccessfulRefreshTime timestamp) to prevent conditions that refresh keys too often.
* [OpenID Connect (OIDC)](v2-protocols-oidc.md)

```csharp
if (lastSuccessfulRefreshTime is set and more recent than 5 minutes ago)
KeyRefresh(issuer)
{
// Store cache entries and last successful refresh timestamp per distinct 'issuer'
if (LastSuccessfulRefreshTime is set and more recent than 5 minutes ago)
return // without refreshing
// Load keys URL using the, see OpenID Connect (OIDC)
// Fetch the list of keys from the tenant-specific keys URL discovered above
foreach(key in the list) {
if (key id (kid) exists in cache) // cache[tid][kid]
set TTL = now + 24 h
// Load keys URI using the tenant-specific OIDC configuration endpoint ('issuer' is the input parameter)
oidcConfiguration = download JSON from "{issuer}/.well-known/openid-configuration"

// Load list of keys from keys URI
keyList = download JSON from jwks_uri property of oidcConfiguration

foreach (key in keyList)
{
cache entry = lookup in cache by kid property of key
if (cache entry found)
set expiration of cache entry to now + 24h
else
add key to the cache with TTL = now + 24 h
add key to cache with expiration set to now + 24h
}
set lastSuccessfulRefreshTime to now (current timestamp)

set LastSuccessfulRefreshTime to now // current timestamp
}

```

#### Service Startup procedure:
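Review bot: The sentence above the block still says the procedure uses "a global (lastSuccessfulRefreshTime timestamp)", but the new pseudocode comments say cache entries and the timestamp are kept per distinct 'issuer'; update the sentence so the throttle is described as per-issuer. The orphaned bullet "* [OpenID Connect (OIDC)](v2-protocols-oidc.md)" between the heading and the code fence is left over from the old "see OpenID Connect (OIDC)" comment and now hangs with no sentence; move it into one or drop it. KeyRefresh builds the metadata URL directly from the issuer string it is handed, so it should first check that the issuer is one the application trusts (its configured tenant or allowed issuers); otherwise a caller can make the service fetch an arbitrary host's openid-configuration and load that host's keys into the cache. Minor: remove the blank line before the closing fence.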
Expand All @@ -98,19 +111,30 @@ This procedure uses a global (lastSuccessfulRefreshTime timestamp) to prevent co

### TokenValidation procedure for validating the key (pseudo code):
```csharp
Get token from input request (input token)
Get key id from input token (**kid** / **tid** header claim for JWT)
if (key id is found in cache) { // cache[tid][kid]
validate token according to the key and return
ValidateToken(token)
{
kid = token.header.kid // get key id from token header
issuer = token.body.iss // get issuer from 'iss' claim in token body
key = lookup in cache by issuer and kid
if (key found)
{
validate token with key and return
}
else (key is not found cache) {
Call KeyRefresh to opportunistically refresh the cache
if (key id is found in cache) {
validate token according to the key and return
else // key is not found in the cache
{
call KeyRefresh(issuer) // to opportunistically refresh the keys for the issuer
key = lookup in cache by issuer and kid
if (key found)
{
validate token with key and return
}
else // key is not found in the cache even after refresh
{
return token validation error
}
else
return token validation failure
}
}
```

## How to assess if your application will be affected and what to do about it
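Review bot: ValidateToken reads issuer from token.body.iss and passes it straight to KeyRefresh before anything about the token has been verified, so an unsigned token carrying an attacker-chosen iss drives the key download; validate iss against the expected issuer(s) and reject unknown ones before the cache lookup and the refresh call. The text should also say that kid and iss are the only claims read before signature validation and that nothing else in the token is trusted until validation succeeds. One more point: KeyRefresh only extends expirations and never removes entries that the JWKS no longer lists, so a key the issuer has withdrawn keeps validating tokens for up to 24h; if that is by design, say so in the text.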
4 changes: 2 additions & 2 deletions docs/identity/enterprise-apps/f5-bigip-deployment-guide.md
Expand Up @@ -8,7 +8,7 @@ ms.service: entra-id
ms.subservice: enterprise-apps
ms.topic: how-to

ms.date: 12/13/2022
ms.date: 11/07/2024
ms.author: gasinh
ms.collection: M365-identity-device-management
ms.reviewer: miccohen
Expand Down Expand Up @@ -215,7 +215,7 @@ To resolve your published SHA services to your BIG-IP-VM public IP(s), configure

* **Subscription**: Same subscription as the BIG-IP-VM
* **DNS zone**: DNS zone authoritative for the verified domain suffix your published websites use, for example, www.contoso.com
* **Name**: The hostname you specify resolves to the public IP associated with the selected secondary IP. Define DNS-to IP-mappings. For example, intranet.contoso.com to 13.77.148.215
* **Name**: The hostname you specify resolves to the public IP associated with the selected secondary IP. Define DNS-to IP-mappings. For example, intranet.contoso.com to 11.22.333.444
* **TTL**: 1
* **TTL units**: Hours

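Review bot: The replacement example address 11.22.333.444 is not a valid IPv4 address (an octet cannot exceed 255), which will trip up readers who copy the pattern; replacing the real public IP is the right call, but use an RFC 5737 documentation address such as 203.0.113.10. While here, "DNS-to IP-mappings" should be "DNS-to-IP mappings".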
Binary file modified docs/identity/saas-apps/common/copy_configuration_urls.png
4 changes: 1 addition & 3 deletions docs/identity/saas-apps/saml-toolkit-tutorial.md
Expand Up @@ -136,9 +136,7 @@ In this section, you'll enable B.Simon to use single sign-on by granting access

![Microsoft Entra SAML Toolkit Register](./media/saml-toolkit-tutorial/register.png)

1. Click on the **SAML Configuration**.

![Microsoft Entra SAML Toolkit SAML Configuration](./media/saml-toolkit-tutorial/saml-configure.png)
1. In the **SAML Toolkit** window, select **SAML Configuration**.

1. Click **Create**.

2 changes: 0 additions & 2 deletions docs/identity/saas-apps/servicenow-tutorial.md
Expand Up @@ -220,8 +220,6 @@ In this section, you'll enable B.Simon to use single sign-on by granting access

6. You can have Microsoft Entra ID automatically configure ServiceNow for SAML-based authentication. To enable this service, go to the **Set up ServiceNow** section, and select **View step-by-step instructions** to open the **Configure sign-on** window.

![Screenshot of Set up ServiceNow section, with View step-by-step instructions highlighted](./media/servicenow-tutorial/tutorial-servicenow-configure.png)

7. In the **Configure sign-on** form, enter your ServiceNow instance name, admin username, and admin password. Select **Configure Now**. The admin username provided must have the **security_admin** role assigned in ServiceNow for this to work. Otherwise, to manually configure ServiceNow to use Microsoft Entra ID as a SAML Identity Provider, select **Manually configure single sign-on**. Copy the **Logout URL, Microsoft Entra Identifier, and Login URL** from the Quick Reference section.

![Screenshot of Configure sign-on form, with Configure Now highlighted](./media/servicenow-tutorial/configure.png "Configure app URL")
7 changes: 4 additions & 3 deletions docs/identity/saas-apps/settlingmusic-tutorial.md
Expand Up @@ -93,9 +93,10 @@ Follow these steps to enable Microsoft Entra SSO.

![Copy configuration URLs](./media/settlingmusic-tutorial/copy-configuration-urls.png)

> [!NOTE]
> Please use the below URL for the Logout URL.
```Logout URL https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
Use the below URL for the Logout URL.

```text
Logout URL https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
```

<a name='create-an-azure-ad-test-user'></a>
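Review bot: Closing the previously unterminated code fence is the right fix, but the block still puts the label "Logout URL " inside the fence, so anyone who copies the block gets the label along with the value; keep only the URL inside the fence and put "Logout URL" in the sentence above it. "Use the below URL" reads better as "Use the following URL".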
2 changes: 0 additions & 2 deletions docs/identity/saas-apps/sharepoint-on-premises-tutorial.md
Expand Up @@ -323,8 +323,6 @@ Now, the configuration of EntraCP needs to be updated to reflect that change and
1. In the section **User identifier property**: Set the **User identifier for 'Guest' users:** to **UserPrincipalName**.
1. Click Ok

![Screenshot of EntraCP guests accounts configuration.](./media/sharepoint-on-premises-tutorial/sp-entracp-attribute-for-guests.png)

You can now invite any guest user in the SharePoint sites.

## Configure the federation for multiple web applications
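Review bot: Style nit on the context line while this list is being edited: "Click Ok" should be "Select **OK**" to match the other steps in the procedure.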
6 changes: 2 additions & 4 deletions docs/identity/saas-apps/skysite-tutorial.md
Expand Up @@ -95,11 +95,9 @@ Follow these steps to enable Microsoft Entra SSO.

![Screenshot shows User claims with the option to Add new claim.](./media/skysite-tutorial/claims.png)

![Screenshot shows the Manage user claims dialog box where you can enter the values described.](./media/skysite-tutorial/groups.png)
b. Select **All groups** from the radio list.

b. Select **All Groups** from the radio list.

c. Select **Source Attribute** of **Group ID**.
c. Select **Source attribute** of **Group ID**.

d. Click **Save**.

2 changes: 0 additions & 2 deletions docs/identity/saas-apps/slack-tutorial.md
Expand Up @@ -173,8 +173,6 @@ In this section, you'll enable B.Simon to use single sign-on by granting access

4. On the **Configure SAML authentication for Azure** dialog, perform the below steps:

![Screenshot of Configure single sign-on On SAML Authentication Settings.](./media/slack-tutorial/tutorial-slack-save-authentication.png)

a. In the top right, toggle **Test** mode on.

b. In the **SAML SSO URL** textbox, paste the value of **Login URL**.
7 changes: 2 additions & 5 deletions docs/identity/saas-apps/solarwinds-orion-tutorial.md
Expand Up @@ -105,11 +105,8 @@ application integration page, find the **Manage** section and select **single si
| LastName | user.surname |
| Email |user.mail |

1. In **User Attributes & Claims** section, click the pencil icon to edit and click **Add a group claim**.

![Screenshot for User Attributes & Claims.](./media/solarwinds-orion-tutorial/group-claim.png)

1. Choose **Security groups**.
1. In **User Attributes & Claims** section, select **Add a group claim**.
1. In **Group Claims**, choose **Security groups**.
1. If you have Microsoft Entra ID synchronized with your on-premises AD, change **Source attribute** to **sAMAccountName**. Otherwise, leave it as Group ID.

1. In the **Advanced options**, tick mark **Customize the name of the group claim** and give OrionGroups as the name.
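Review bot: The removed step told the reader to open the claims editor via the pencil icon, and the replacement jumps straight to "select Add a group claim"; the two new steps only make sense from inside the edit view, so either keep an opening step or fold it into the first bullet. The following context step uses "tick mark" and "give OrionGroups as the name"; "select ... and enter OrionGroups as the name" matches house style.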

0 comments on commit 170428a
