Merge pull request #5602 from MicrosoftDocs/main

10/18/2024 PM Publish

Author: Daidihuang

.docutune/dictionaries/known-guids.json

@@ -3335,7 +3335,7 @@
   "SubstrateDirectoryEventProcessor": "26abc9a8-24f0-4b11-8234-e86ede698878",
   "Transcript Ingestion": "97cb1f73-50df-47d1-8fb0-0271f2728514",
   "Universal Store Native Client": "268761a2-03f3-40df-8a8b-c3db24145b6b",
-  "Vortex [wsfed enabled]": "5572c4c0-d078-44ce-b81c-6cbf8d3ed39e",
+  "Vortex [WSFed enabled]": "5572c4c0-d078-44ce-b81c-6cbf8d3ed39e",
   "WeveEngine": "3c896ded-22c5-450f-91f6-3d1ef0848f6e",
   "Windows Search": "26a7ee05-5602-4d76-a7ba-eae8b7b67941",
   "Windows Spotlight": "1b3c667f-cde3-4090-b60b-3d2abd0117f0",
@@ -3645,5 +3645,21 @@
   "EA Purchaser" : "da6647fb-7651-49ee-be91-c43c4877f0c4",
   "Department Admin" : "fb2cf67f-be5b-42e7-8025-4683c668f840",
   "Department Reader" : "db609904-a47f-4794-9be8-9bd86fbffd8a",
-  "Account Owner" : "c15c22c0-9faf-424c-9b7e-bd91c06a240b"
+  "Account Owner" : "c15c22c0-9faf-424c-9b7e-bd91c06a240b",
+  "DefaultChannelAuthTenant (botframework.com)" : "d6d49420-f39b-4df7-a1dc-d59a935871db",
+  "Microsoft tenant ID" : "72f988bf-86f1-41af-91ab-2d7cd011db47",
+  "PME tenant ID" : "975f013f-7f24-47e8-a7d3-abc4752bf346",
+  "Torus tenant ID" : "cdc5aeea-15c5-4db6-b079-fcadd2505dc2",
+  "AME tenant ID" : "33e01921-4d64-4f8c-a055-5bdaffd5e33d",
+  "Azure AI Bot Service token store app ID" : "5b404cf4-a79d-4cfe-b866-24bf8e1a4921",
+  "Azure Communication Services app ID" : "c880d6fb-5c66-49ef-9cf5-e53e31900be5",
+  "Omnichannel for Customer Service" : "a950df6d-e658-48fc-b494-ec69d8d9731b",
+  "CRM online instance for testing" : "51f81489-12ee-4a9e-aaae-a2591f45987d",
+  "Copilot transcript example" : "56d56813-04f5-ed11-8849-000d3a35dbfc",
+  "Dynamics 365 customer service basic session template" : "fac04293-1ab0-eb11-8236-000d3a5c49ed",
+  "Dynamics 365 customer service basic session template - not in focus" : "0e0e6c4f-cbb6-eb11-8236-000d3a5ab8b9",
+  "Dynamics 365 customer service new tab" : "09e68a6e-b7ef-eb11-bacb-000d3a373d11",
+  "Dynamics 365 Omnichanel sample payload" : "87b4d06c-abc2-e811-a9b0-000d3a10e09e",
+  "Dynamics 365 customer service custom action" : "c3356c37-bba6-4067-b1a1-8c66e1c203a1",
+  "Dynamics 365 customer service sample code resource ID" : "268e3d0d-5e0c-eb11-a822-000d3aaf102a"
 }

docs/global-secure-access/how-to-configure-kerberos-sso.md

@@ -64,7 +64,7 @@ The Domain Controller ports are required to enable SSO to on-premises resources.
 1. Sign in to [Microsoft Entra](https://entra.microsoft.com/) as at least a [Application administrator](reference-role-based-permissions.md#application-administrator).
 1. Browse to **Global Secure Access** > **Applications** > **Enterprise Applications**.
 1. Select **New Application** to create a new application to publish your Domain Controllers.
-1. Select **Add application segment** and then add all of your Domain Controllers’ IPs or Fully Qualified Domain Names (FQDNs) and ports as per the table. Don't add both IPs and FQDNs. Only the Domain Controllers in the Active Directory site where the Private Access connectors are located should be published.
+1. Select **Add application segment** and then add all of your Domain Controllers’ IPs or Fully Qualified Domain Names (FQDNs) and ports as per the table. Only the Domain Controllers in the Active Directory site where the Private Access connectors are located should be published.
 
 > [!NOTE]
 > Make sure you don’t use wildcard FQDNs to publish your domain controllers, instead add their specific IPs or FQDNs.

docs/identity/app-provisioning/inbound-provisioning-api-powershell.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: entra-id
 ms.subservice: app-provisioning
 ms.topic: how-to
-ms.date: 09/20/2024
+ms.date: 10/18/2024
 ms.author: jfields
 ms.reviewer: cmmdesai
 ---
@@ -60,7 +60,7 @@ The PowerShell sample script published in the [Microsoft Entra inbound provision
 |1 | Read worker data from the CSV file. | [Download the PowerShell script](#download-the-powershell-script). It has out-of-the-box logic to read data from any CSV file. Refer to [CSV2SCIM PowerShell usage details](#csv2scim-powershell-usage-details) to get familiar with the different execution modes of this script.  | If your system of record is different, check guidance provided in the section [Integration scenario variations](#integration-scenario-variations) on how you can customize the PowerShell script. |
 |2 | Pre-process and convert data to SCIM format.  | By default, the PowerShell script converts each record in the CSV file to a SCIM Core User + Enterprise User representation. Follow the steps in the section [Generate bulk request payload with standard schema](#generate-bulk-request-payload-with-standard-schema) to get familiar with this process.  | If your CSV file has different fields, tweak the [AttributeMapping.psd file](#attributemappingpsd-file) to generate a valid SCIM user. You can also [generate bulk request with custom SCIM schema](#generate-bulk-request-with-custom-scim-schema). Update the PowerShell script to include any custom CSV data validation logic.|
 |3 | Use a certificate for authentication to Microsoft Entra ID. | [Create a service principal that can access](inbound-provisioning-api-grant-access.md) the inbound provisioning API. Refer to steps in the section [Configure client certificate for service principal authentication](#configure-client-certificate-for-service-principal-authentication) to learn how to use client certificate for authentication. | If you'd like to use managed identity instead of a service principal for authentication, then review the use of `Connect-MgGraph` in the sample script and update it to use [managed identities](/powershell/microsoftgraph/authentication-commands#using-managed-identity). |
-|4 | Provision accounts in on-premises Active Directory or Microsoft Entra ID.  | Configure [API-driven inbound provisioning app](inbound-provisioning-api-configure-app.md). This generates a unique [/bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint. Refer to the steps in the section [Generate and upload bulk request payload as admin user](#generate-and-upload-bulk-request-payload-as-admin-user) to learn how to upload data to this endpoint. Validate the attribute flow and customize the attribute mappings per your integration requirements. To run the script using a service principal with certificate-based authentication, refer to the steps in the section [Upload bulk request payload using client certificate authentication](#upload-bulk-request-payload-using-client-certificate-authentication) | If you plan to [use bulk request with custom SCIM schema](#generate-bulk-request-with-custom-scim-schema), then [extend the provisioning app schema](#extending-provisioning-job-schema) to include your custom SCIM schema elements.|
+|4 | Provision accounts in on-premises Active Directory or Microsoft Entra ID.  | Configure [API-driven inbound provisioning app](inbound-provisioning-api-configure-app.md). This generates a unique [/bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint. To run the script using a service principal with certificate-based authentication, refer to the steps in the section [Upload bulk request payload using client certificate authentication](#upload-bulk-request-payload-using-client-certificate-authentication). Validate the attribute flow and customize the attribute mappings per your integration requirements. | If you plan to [use bulk request with custom SCIM schema](#generate-bulk-request-with-custom-scim-schema), then [extend the provisioning app schema](#extending-provisioning-job-schema) to include your custom SCIM schema elements.|
 |5 | Scan the provisioning logs and retry provisioning for failed records.  |  Refer to the steps in the section [Get provisioning logs of the latest sync cycles](#get-provisioning-logs-of-the-latest-sync-cycles)  to learn how to fetch and analyze provisioning log data. Identify failed user records and include them in the next upload cycle.  | - |
 |6 | Deploy your PowerShell based automation to production.  |  Once you have verified your API-driven provisioning flow and customized the PowerShell script to meet your requirements, you can deploy the automation as a [PowerShell Workflow runbook in Azure Automation](/azure/automation/learn/automation-tutorial-runbook-textual) or as a server process [scheduled to run on a Windows server](/troubleshoot/windows-server/system-management-components/schedule-server-process). | - |
 
@@ -174,22 +174,6 @@ To illustrate the procedure, let's use the CSV file `Samples/csv-with-2-records.
 1. To directly upload the generated payload to the API endpoint using the same PowerShell script refer to the next section. 
 
 
-## Generate and upload bulk request payload as admin user
-
-This section explains how to send the generated bulk request payload to your inbound provisioning API endpoint. 
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
-1. Browse to **Provisioning App** > **Properties** > **Object ID** and copy the `ServicePrincipalId` associated with your provisioning app.
-
-   :::image type="content" border="true" source="./media/inbound-provisioning-api-powershell/object-id.png" alt-text="Screenshot of the Object ID." lightbox="./media/inbound-provisioning-api-powershell/object-id.png":::
-
-1. As user with Global Administrator role, run the following command by providing the correct values for `ServicePrincipalId` and `TenantId`. It will prompt you for authentication if an authenticated session doesn't already exist for this tenant. Provide your consent to permissions prompted during authentication.  
-
-   ```powershell
-   .\CSV2SCIM.ps1 -Path '..\Samples\csv-with-2-records.csv' -AttributeMapping $AttributeMapping -ServicePrincipalId <servicePrincipalId> -TenantId "contoso.onmicrosoft.com"
-   ```
-1. Visit the **Provisioning logs** blade of your provisioning app to verify the processing of the above request. 
-
 
 ## Configure client certificate for service principal authentication
 

docs/identity/authentication/concept-mfa-regional-opt-in.md

@@ -204,6 +204,13 @@ For voice verification, the following region codes require an opt-in.
 | 226         |  Burina Faso                                   | 10                              |  30                                      |
 | 252         |  Somalia                                       | 10                              |  30                                      |  
 | 501         |  Belize                                        | 10                              |  30                                      |
+| 855         |  Cambodia                                      | 50                              |  200                                     |
+| 84         |  Vietnam                                       | 50                              |  200                                     |
+| 94         |  Sri Lanka                                     | 50                              |  200                                     |
+| 63         |  Philippines                                   | 50                              |  200                                     |
+| 62         |  Indonesia                                     | 50                              |  200                                     |
+| 7         |  Russia                                        | 50                              |  200                                     |
+| 258         |  Mozambique                                    | 50                              |  200                                     |
 
 ## Next steps
 

docs/identity/saas-apps/sap-netweaver-tutorial.md

@@ -436,6 +436,10 @@ To request an access token from the SAP system using Azure Active Directory (Azu
    - Set the token endpoint and other relevant OAuth2 parameters.
 
 ### Step 4: Request Access Token
+
+> [!TIP]
+> Consider using Azure API Management to streamline the SAP Principal Propagation process for all client apps in Azure, Power Platform, M365 and more, in a single place including smart token caching, secure token handling and governance options like request throttling. [Learn more about SAP Principal Propagation with Azure API Management](https://community.powerplatform.com/blogs/post/?postid=c6a609ab-3556-ef11-a317-6045bda95bf0). In case SAP Business Technology Platform is preferred, see [this article](https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/integrating-low-code-solutions-with-microsoft-using-sap-integration-suite/ba-p/13789298).
+
 1. **Prepare the token request**:
    - Construct a token request using the following details:
      - **Token Endpoint**: This is typically `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token`.
@@ -467,4 +471,5 @@ To request an access token from the SAP system using Azure Active Directory (Azu
 
 ## Next Steps
 
-Once you configure Microsoft Entra SAP NetWeaver you can enforce Session Control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+- Configure Microsoft Entra SAP NetWeaver to enforce Session Control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+- Configure SAP Principal Propagation (OAuth2) using Azure API Management to govern and secure access to SAP systems from client apps in Azure, Power Platform, Microsoft 365 and others. [Learn more about SAP Principal Propagation with Azure API Management](https://community.powerplatform.com/blogs/post/?postid=c6a609ab-3556-ef11-a317-6045bda95bf0).