From e6058ac43dc95d7ca204e2b199a30295e6d5faea Mon Sep 17 00:00:00 2001 From: Jason Johnston Date: Tue, 8 Aug 2023 13:18:23 -0400 Subject: [PATCH 01/76] Recreated changes from 21608 --- .../api/federatedtokenvalidationpolicy-get.md | 61 ++++++++ .../federatedtokenvalidationpolicy-post.md | 68 +++++++++ api-reference/beta/resources/enums.md | 144 ++++++++++-------- .../federationtokenvalidationpolicy.md | 80 ++++++++++ .../beta/resources/policy-overview.md | 1 + api-reference/beta/toc.yml | 10 +- 6 files changed, 297 insertions(+), 67 deletions(-) create mode 100644 api-reference/beta/api/federatedtokenvalidationpolicy-get.md create mode 100644 api-reference/beta/api/federatedtokenvalidationpolicy-post.md create mode 100644 api-reference/beta/resources/federationtokenvalidationpolicy.md diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md new file mode 100644 index 00000000000..5e3ce00d36b --- /dev/null +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md 
@@ -0,0 +1,61 @@ +--- +title: "Get federatedTokenValidation Policy" +description: "Gets verified domains for which AAD will validate whether federated account's root domain matches with mapped AAD account's root domain." +author: "rahul-nagraj" +ms.localizationpriority: medium +ms.prod: "identity-and-sign-in" +doc_type: apiPageType +--- + +# GET federatedTokenValidation Policy +Namespace: microsoft.graph + +[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] + +Read the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedTokenValidationPolicy.md) object. + +## Permissions + +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). + +### API re-uses existing Graph permissions + +| Permissions | Type | Entities/APIs covered | +| :-- | :-- | :-- | +| `Policy.Read.All` | Delegated | All | +| `Policy.Read.All` | Application | All | + +### New permission scopes + +| ScopeName | DisplayName | Description | Type | Admin Consent? | Entities/APIs covered | +| :-- | :-- | :-- | :-- | :-- | :-- | +| `Policy.ReadWrite.FederatedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Delegated | Yes | All | +| `Policy.ReadWrite.FederatedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Yes | All | + +### Actions + +| Permission | Action | Description | +| :-- | :-- | :-- | +| `Policy.ReadWrite.FederatedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. 
| +| `Policy.Read.All` | `/policies/federatedTokenValidationPolicy` | Get verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | + +## HTTP request + +Get the verified managed or federated root domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. + +```http +GET /policies/federatedTokenValidationPolicy/ +``` + +## Request headers + +|Name|Description| +|:---|:---| +|Content-Type|application/json. Required.| + +## Response + +If successful, this method returns a `200 OK` response code and a [federatedTokenValidationPolicy](../resources/federatedTokenValidationPolicy.md) object in the response body. + +[!Note]: +> In case a GET is executed on the policy before the policy is created using a POST this method returns a `404 Not Found` response code with a message `Resource does not exist or one of its queried reference-property objects are not present`. diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md new file mode 100644 index 00000000000..dfafcb5188b --- /dev/null +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md 
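Review bot: both `[federatedTokenValidationPolicy](../resources/federatedTokenValidationPolicy.md)` links in this new page point at a file this patch does not create; the header's `create mode` line adds `api-reference/beta/resources/federationtokenvalidationpolicy.md` ("federation", not "federated"), so the links will 404 on the docs site. Rename the resource file to `federatedtokenvalidationpolicy.md` and use the lowercase name in the links. In the "New permission scopes" table the second `Policy.ReadWrite.FederatedTokenValidation` row has no value in the `Type` column (`| Yes | All |` follows the description directly), which shifts the remaining cells one column left; it should read `| Application | Yes | All |` like the delegated row above it, and the description calls the scope a "role", which it is not. This is a GET with no body, so the required header is `Authorization` rather than `Content-Type`; the trailing slash in `GET /policies/federatedTokenValidationPolicy/` should go; and `[!Note]:` is not the alert syntax the other API pages use (`> [!NOTE]` on its own line). A request/response example with a sample `200 OK` body would also help, because nothing on this page shows what `validatingDomains` looks like on the wire.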
@@ -0,0 +1,68 @@ +--- +title: "POst federatedTokenValidation Policy" +description: "Create or update verified domains for which AAD will validate whether federated account's root domain matches with mapped AAD account's root domain." +author: "rahul-nagraj" +ms.localizationpriority: medium +ms.prod: "identity-and-sign-in" +doc_type: apiPageType +--- + +# POST federatedTokenValidation Policy +Namespace: microsoft.graph + +[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] + +Create or update the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedTokenValidationPolicy.md) object. + +## Permissions + +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). + +### API re-uses existing Graph permissions + +| Permissions | Type | Entities/APIs covered | +| :-- | :-- | :-- | +| `Policy.Read.All` | Delegated | All | +| `Policy.Read.All` | Application | All | + +### New permission scopes + +| ScopeName | DisplayName | Description | Type | Admin Consent? 
| Entities/APIs covered | +| :-- | :-- | :-- | :-- | :-- | :-- | +| `Policy.ReadWrite.FederatedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Delegated | Yes | All | +| `Policy.ReadWrite.FederatedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Yes | All | + +### Actions + +| Permission | Action | Description | +| :-- | :-- | :-- | +| `Policy.ReadWrite.FederatedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | +| `Policy.Read.All` | `/policies/federatedTokenValidationPolicy` | Get verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | + +## HTTP request + +Create or update the verified managed or federated root domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. + +```http +POST /policies/federatedTokenValidationPolicy/ +``` + +## Request headers + +|Name|Description| +|:---|:---| +|Content-Type|application/json. Required.| + +## Request body +|Property|Type|Description| +|:---|:---|:---| +| `validatingDomains` | `microsoft.graph.validatingDomains` | Verified AAD domains for which AAD will validate that federated account's root domain matches with mapped AAD account's root domain. | +| `rootDomains` | `graph.rootDomains` | Defines to which domains the validation will apply to. 
Possible values are `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, or `unknownFutureValue`. | +| `domainNames` | `Collection(Edm.String)` | List of federated and/or managed root domains for which AAD will perform the validation. | + +## Response + +If successful, this method returns a `201 Created` response code if it is created for the first time or `204 No Content` response code on successful update. It does not return anything in the response body. + +[!Note]: +> In case a GET is executed on the policy before the policy is created using a POST this method returns a `404 Not Found` response code with a message `Resource does not exist or one of its queried reference-property objects are not present`. diff --git a/api-reference/beta/resources/enums.md b/api-reference/beta/resources/enums.md index a3f5389fa8a..707a6cf622f 100644 --- a/api-reference/beta/resources/enums.md +++ b/api-reference/beta/resources/enums.md @@ -40,7 +40,7 @@ Namespace: microsoft.graph | certificate | | unknownFutureValue | -### applicationKeyOrigin values +### applicationKeyOrigin values | Member | |:-------------------| @@ -48,7 +48,7 @@ Namespace: microsoft.graph | servicePrincipal | | unknownFutureValue | -### authenticationAttributeCollectionInputType values +### authenticationAttributeCollectionInputType values |Member| |:---| @@ -58,7 +58,7 @@ Namespace: microsoft.graph |boolean| |unknownFutureValue| -### userType values +### userType values |Member| |:---| @@ -104,7 +104,7 @@ Namespace: microsoft.graph | others | | unknownFutureValue | -### recommendationCategory values +### recommendationCategory values | Member | | :------------------- | @@ -112,7 +112,7 @@ Namespace: microsoft.graph | identitySecureScore | | unknownFutureValue | -### recommendationFeatureAreas values +### recommendationFeatureAreas values | Member | | :----------------- | 
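Review bot: `Policy.Read.All` (Delegated and Application) is listed under "API re-uses existing Graph permissions" on a page whose only operation is a POST that creates or updates the policy; a read-only scope must not be documented as sufficient for a write, so that table should be removed here and `Policy.ReadWrite.FederatedTokenValidation` left as the single required permission. The "Request body" table presents `rootDomains` and `domainNames` as top-level properties, while the resource page's JSON representation in this same patch nests them inside `validatingDomains` alongside an `@odata.type`; document the body as the `validatingDomains` object and state which derived type (`allDomains` or `enumeratedDomains`) carries the `domainNames` list. The "Possible values" list for `rootDomains` omits `none`, which the enum table added to `enums.md` in this patch defines as value 0. Smaller points: the title reads `POst`; the `404 Not Found` note about "a GET ... before the policy is created" is copied from the GET page and does not apply to a POST; and a request/response example (for instance `rootDomains: enumerated` with a two-entry `domainNames` list) would make the upsert semantics, `201 Created` on first write and `204 No Content` on update, concrete for the reader.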
@@ -125,7 +125,7 @@ Namespace: microsoft.graph | governance | | unknownFutureValue | -### recommendationPriority values +### recommendationPriority values | Member | | :----- | @@ -133,7 +133,7 @@ Namespace: microsoft.graph | medium | | high | -### recommendationStatus values +### recommendationStatus values | Member | | :----------------- | @@ -144,7 +144,7 @@ Namespace: microsoft.graph | postponed | | unknownFutureValue | -### recommendationType values +### recommendationType values | Member | | :-------------------------- | @@ -219,7 +219,7 @@ Namespace: microsoft.graph | public | | unknownFutureValue | -### decisionItemPrincipalResourceMembershipType values +### decisionItemPrincipalResourceMembershipType values | Member | | :----------------- | @@ -276,7 +276,7 @@ Namespace: microsoft.graph | outOfOffice | | unknownFutureValue | -### accessPackageCustomExtensionHandlerStatus values +### accessPackageCustomExtensionHandlerStatus values | Member | | :----------------- | @@ -304,7 +304,7 @@ Namespace: microsoft.graph | waitingForCallback | | unknownFutureValue | -### accessPackageCustomExtensionStage values +### accessPackageCustomExtensionStage values | Member | | :------------------------------------- | @@ -371,14 +371,14 @@ Namespace: microsoft.graph | allowedRequestor | | unknownFutureValue | -### userSignInRecommendationScope values +### userSignInRecommendationScope values | Member | | :---------- | | tenant | | application | -### incomingTokenType values +### incomingTokenType values | Member | | :------------------ | @@ -389,7 +389,7 @@ Namespace: microsoft.graph | unknownFutureValue | | remoteDesktopToken | -### protocolType values +### protocolType values | Member | | :----------------- | 
@@ -401,21 +401,21 @@ Namespace: microsoft.graph | deviceCode | | unknownFutureValue | -### accessReviewInstanceDecisionItemFilterByCurrentUserOptions values +### accessReviewInstanceDecisionItemFilterByCurrentUserOptions values | Member | | :----------------- | | reviewer | | unknownFutureValue | -### accessReviewStageFilterByCurrentUserOptions values +### accessReviewStageFilterByCurrentUserOptions values | Member | | :----------------- | | reviewer | | unknownFutureValue | -### continuousAccessEvaluationMode values +### continuousAccessEvaluationMode values | Member | | :----------------- | @@ -423,7 +423,7 @@ Namespace: microsoft.graph | disabled | | unknownFutureValue | -### msiType values +### msiType values | Member | | :----------------- | @@ -517,7 +517,7 @@ Namespace: microsoft.graph | TestReferences | | ConnectionString | -### synchronizationScheduleState values +### synchronizationScheduleState values | Member | | :------- | @@ -535,7 +535,7 @@ Namespace: microsoft.graph | Paused | | Quarantine | -### synchronizationTaskExecutionResult values +### synchronizationTaskExecutionResult values | Member | | :--------------- | @@ -543,7 +543,7 @@ Namespace: microsoft.graph | Failed | | EntryLevelErrors | -### quarantineReason values +### quarantineReason values | Member | | :----------------------------------- | @@ -556,7 +556,7 @@ Namespace: microsoft.graph | TooManyDeletes | | IngestionInterrupted | -### attributeMappingSourceType values +### attributeMappingSourceType values | Member | | :-------- | @@ -651,14 +651,14 @@ Namespace: microsoft.graph | Boolean | | DateTime | -### scopeOperatorType values +### scopeOperatorType values | Member | | :----- | | Binary | | Unary | -### synchronizationJobRestartScope values +### synchronizationJobRestartScope values |Member| |:---| @@ -670,7 +670,7 @@ Namespace: microsoft.graph |Full| |ForceDeletes| -### synchronizationMetadata values +### synchronizationMetadata values |Member| |:---| 
@@ -704,7 +704,7 @@ Namespace: microsoft.graph | ReferenceAttributes | | UnknownFutureValue | -### objectDefinitionMetadata values +### objectDefinitionMetadata values |Member| |:---| @@ -958,7 +958,7 @@ Namespace: microsoft.graph | unknownFutureValue | -### defaultMfaMethodType values +### defaultMfaMethodType values @@ -973,7 +973,7 @@ Namespace: microsoft.graph | unknownFutureValue | -### clientCredentialType values +### clientCredentialType values @@ -1149,7 +1149,7 @@ Namespace: microsoft.graph | unknownFutureValue | -### signInIdentifierType values +### signInIdentifierType values | Member | | :-------------------------- | @@ -1161,7 +1161,7 @@ Namespace: microsoft.graph | unknownFutureValue | -### signInUserType values +### signInUserType values | Member | | :----------------- | @@ -1169,7 +1169,7 @@ Namespace: microsoft.graph | guest | | unknownFutureValue | -### requirementProvider values +### requirementProvider values | Member | @@ -2428,7 +2428,7 @@ Possible values for user account types (group membership), per Windows definitio | restId | | restImmutableEntryId | -### attributeDefinitionMetadata values +### attributeDefinitionMetadata values |Member| |:---| @@ -2442,14 +2442,14 @@ Possible values for user account types (group membership), per Windows definitio |MaximumLength| |ReferencedProperty| -### attributeFlowBehavior values +### attributeFlowBehavior values |Member| |:---| |FlowWhenChanged| |FlowAlways| -### attributeFlowType values +### attributeFlowType values | Member | | :---------------- | @@ -2665,7 +2665,7 @@ Possible values for user account types (group membership), per Windows definitio | passwordChange | | unknownFutureValue | -### conditionalAccessRule values +### conditionalAccessRule values | Member | | :-------------------------------- | 
@@ -2704,7 +2704,7 @@ Possible values for user account types (group membership), per Windows definitio | serviceProvider | | microsoftAdminPortals | -### signInAccessType values +### signInAccessType values | Member | | :----------------- | @@ -3364,14 +3364,14 @@ Possible values for user account types (group membership), per Windows definitio | screenShare | | unknownFutureValue | -### binaryOperator values +### binaryOperator values | Member | | :----- | | or | | and | -### subjectRightsRequestStage values +### subjectRightsRequestStage values | Member | | :----------------- | @@ -3382,7 +3382,7 @@ Possible values for user account types (group membership), per Windows definitio | caseResolved | | unknownFutureValue | -### subjectRightsRequestStageStatus values +### subjectRightsRequestStageStatus values | Member | | :----------------- | @@ -3392,7 +3392,7 @@ Possible values for user account types (group membership), per Windows definitio | failed | | unknownFutureValue | -### subjectRightsRequestStatus values +### subjectRightsRequestStatus values | Member | | :----------------- | @@ -3400,7 +3400,7 @@ Possible values for user account types (group membership), per Windows definitio | closed | | unknownFutureValue | -### subjectRightsRequestType values +### subjectRightsRequestType values | Member | | :----------------- | @@ -3410,7 +3410,7 @@ Possible values for user account types (group membership), per Windows definitio | tagForAction | | unknownFutureValue | -### dataSubjectType values +### dataSubjectType values | Member | | :------------------ | @@ -3465,7 +3465,7 @@ Possible values for user account types (group membership), per Windows definitio | notSet | | unknownFutureValue | -### bookingStaffRole values +### bookingStaffRole values | Member | | :----------------- | 
@@ -3477,7 +3477,7 @@ Possible values for user account types (group membership), per Windows definitio | scheduler | | teamMember | -### bookingReminderRecipients values +### bookingReminderRecipients values | Member | | :----------------- | @@ -3560,7 +3560,7 @@ Possible values for user account types (group membership), per Windows definitio | failed | | unknownFutureValue | -### delegatedAdminAccessAssignmentStatus values +### delegatedAdminAccessAssignmentStatus values | Member | | :----------------- | @@ -3571,21 +3571,21 @@ Possible values for user account types (group membership), per Windows definitio | error | | unknownFutureValue | -### delegatedAdminAccessContainerType values +### delegatedAdminAccessContainerType values | Member | | :----------------- | | securityGroup | | unknownFutureValue | -### delegatedAdminRelationshipOperationType values +### delegatedAdminRelationshipOperationType values | Member | | :----------------------------------- | | delegatedAdminAccessAssignmentUpdate | | unknownFutureValue | -### delegatedAdminRelationshipRequestAction values +### delegatedAdminRelationshipRequestAction values | Member | | :----------------- | @@ -3593,7 +3593,7 @@ Possible values for user account types (group membership), per Windows definitio | terminate | | unknownFutureValue | -### delegatedAdminRelationshipRequestStatus values +### delegatedAdminRelationshipRequestStatus values | Member | | :----------------- | @@ -3603,7 +3603,7 @@ Possible values for user account types (group membership), per Windows definitio | failed | | unknownFutureValue | -### delegatedAdminRelationshipStatus values +### delegatedAdminRelationshipStatus values | Member | | :------------------- | @@ -3619,7 +3619,7 @@ Possible values for user account types (group membership), per Windows definitio | terminationRequested | | unknownFutureValue | -### featureTargetType values +### featureTargetType values | Member | | :----------------- | 
@@ -3628,7 +3628,7 @@ Possible values for user account types (group membership), per Windows definitio | role | | unknownFutureValue | -### longRunningOperationStatus values +### longRunningOperationStatus values | Member | | :----------------- | @@ -3639,7 +3639,7 @@ Possible values for user account types (group membership), per Windows definitio | skipped | | unknownFutureValue | -### submissionCategory values +### submissionCategory values | Member | | :----------------- | @@ -3649,7 +3649,7 @@ Possible values for user account types (group membership), per Windows definitio | malware | | unknownFutureValue | -### submissionClientSource values +### submissionClientSource values | Member | | :----------------- | @@ -3657,7 +3657,7 @@ Possible values for user account types (group membership), per Windows definitio | other | | unknownFutureValue | -### submissionContentType values +### submissionContentType values | Member | | :----------------- | @@ -3667,7 +3667,7 @@ Possible values for user account types (group membership), per Windows definitio | app | | unknownFutureValue | -### submissionResultCategory values +### submissionResultCategory values | Member | | :----------------- | @@ -3682,7 +3682,7 @@ Possible values for user account types (group membership), per Windows definitio | noResultAvailable | | unknownFutureValue | -### submissionSource values +### submissionSource values | Member | | :----------------- | @@ -3690,14 +3690,14 @@ Possible values for user account types (group membership), per Windows definitio | administrator | | unknownFutureValue | -### weakAlgorithms values +### weakAlgorithms values | Member | | :----------------- | | rsaSha1 | | unknownFutureValue | -### tenantAllowBlockListAction values +### tenantAllowBlockListAction values | Member | | :----------------- | 
@@ -3705,7 +3705,7 @@ Possible values for user account types (group membership), per Windows definitio | block | | unknownFutureValue | -### tenantAllowBlockListEntryType values +### tenantAllowBlockListEntryType values | Member | | :----------------- | @@ -3715,14 +3715,14 @@ Possible values for user account types (group membership), per Windows definitio | recipient | | unknownFutureValue | -### outlierMemberType values +### outlierMemberType values | Member | | :----------------- | | user | | unknownFutureValue | -### outlierContainerType values +### outlierContainerType values | Member | | :----------------- | @@ -3873,7 +3873,7 @@ Possible values for user account types (group membership), per Windows definitio | federation | | unknownFutureValue | -### searchContent values +### searchContent values | Member | | :----------------- | @@ -3881,7 +3881,7 @@ Possible values for user account types (group membership), per Windows definitio | sharedContent | | unknownFutureValue | -### chatMessageActions values +### chatMessageActions values | Member | | :----------------- | @@ -3966,7 +3966,7 @@ Possible values for user account types (group membership), per Windows definitio | outlookMobile | | unknownFutureValue | -### userDefaultAuthenticationMethodType values +### userDefaultAuthenticationMethodType values |Member| |:---| @@ -3978,7 +3978,7 @@ Possible values for user account types (group membership), per Windows definitio |sms| |unknownFutureValue| -### verifiableCredentialPresentationStatusCode values +### verifiableCredentialPresentationStatusCode values | Member | | :-------------------- | 
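Review bot: every hunk in `enums.md` from `@@ -40,7 +40,7 @@` through `@@ -3978,7 +3978,7 @@` is a trailing-whitespace change on a `###` heading and carries no content for this feature; these dozens of hunks account for all but the 12 inserted lines of the 144 changed in this file, bury the one substantive change (the `rootDomains` table at the end of the file), and will conflict with any other open PR that touches the same headings. Split them into a separate whitespace-only commit or drop them from this PR.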
@@ -3994,3 +3994,15 @@ Possible values for user account types (group membership), per Windows definitio |servicePrincipal| |group| |unknownFutureValue| + +### rootDomains values + +| Property | Value | Description | +| :------------------------------- | :---- | ------------------------------------------------------------------- | +| none | 0 | Dont perform validation for any domain. | +| all | 1 | Perform validation for all domains | +| allFederated | 2 | Perform validation for all federated domains | +| allManaged | 3 | Perform validation for all managed domains | +| enumerated | 4 | Perform validation for all enumerated domains | +| allManagedAndEnumeratedFederated | 5 | Perform validation for all managed and enumerated federated domains | +| unknownFutureValue | 6 | Unknown future value for evolvable enums. | diff --git a/api-reference/beta/resources/federationtokenvalidationpolicy.md b/api-reference/beta/resources/federationtokenvalidationpolicy.md new file mode 100644 index 00000000000..280897ba449 --- /dev/null +++ b/api-reference/beta/resources/federationtokenvalidationpolicy.md 
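Review bot: the new `rootDomains` table uses a `Property | Value | Description` header with numeric values, while every other enum in `enums.md` is a single `Member` column and the resource page's JSON representation shows `rootDomains` as a `"String"`, so the numeric column is both off-convention and not what a caller sends; follow the file's `Member` layout and keep the descriptions in the resource page if they are needed. `none` is defined here but is absent from the "Possible values" list on the POST page in this same patch, so one of the two is wrong. The description of `enumerated` should say "for the domains listed in `domainNames`" rather than "all enumerated domains", and `allManagedAndEnumeratedFederated` should spell out that managed domains are checked unconditionally and only the federated list is opt-in, since that is the practical difference from `enumerated`. "Dont" needs its apostrophe.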
@@ -0,0 +1,80 @@ +--- +title: "federatedTokenValidationPolicy resource type" +description: "Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped AAD account's root domains." +author: "rahul-nagraj" +ms.localizationpriority: medium +ms.prod: "identity-and-sign-in" +doc_type: resourcePageType +--- + +# federatedTokenValidationPolicy resource type (Preview) + +Namespace: microsoft.graph + +[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] + +Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped AAD account's root domains. If enabled AAD will reject auth request if on-prem federated account and mapped AAD account's root domains dont match. + +## Scenarios + +### Reject auth request if on-prem federated account and mapped AAD account's root domains dont match + +This new policy will allow customers to enable the above mentioned validation. If enabled AAD will reject auth request if on-prem federated account and mapped AAD account's root domains dont match. + +The APIs will allow administrators to: + +1. Update the user verified root domains in AAD for which the new token validation will be applied. +2. Get the user verified domains in AAD for which the new validation is enabled. + +#### Properties + +| Property | Type | Description | Key | Required | ReadOnly | +| :-- | :-- | :-- | :-- | :-- | :-- | +| `validatingDomains` | `microsoft.graph.validatingDomains` | Verified AAD domains for which AAD will validate that federated account's root domain matches with mapped AAD account's root domain. | Yes | Yes | No | + +## New complex types + +### validatingDomains + +A abstract complex type that defines verified root domains for which AAD will validate whether federated account's root domain matches with mapped AAD account's root domain. 
+ +#### Sub-Properties + +| Property | Type | Description | Required | ReadOnly | +| :-- | :-- | :-- | :-- | :-- | +| `rootDomains` | `graph.rootDomains` | Defines whether the validation will apply to 'all', 'all federated', 'all managed', 'enumerated', 'all managed + enumerated', or 'no' domains. | Yes | No | + +### allDomains + +A derived complex type that defines that AAD will perform validation (whether federated account's root domain matches with mapped AAD account's root domain) for all root domains if root domains is 'all' or for all Managed if root domains is 'allManaged' or for all Federated if root domains is 'allFederated' or for none if root domains is 'none'. + +### enumeratedDomains + +A derived complex type that defines that AAD will perform validation (whether federated account's root domain matches with mapped AAD account's root domain) for all specified Azure AD domains if root domains is 'enumerated' or for all Managed and specified Azure AD domains if root domains is 'allManagedAndEnumeratedFederated'. + +#### Sub-Properties + +| Property | Type | Description | Required | ReadOnly | +| :-- | :-- | :-- | :-- | :-- | +| `domainNames` | `Collection(Edm.String)` | List of federated and/or managed root domains for which AAD will perform the validation. | Yes | No | + +## Error conditions and messages + +| Scenario | Method | Code | Message | +| :-- | :-- | :-- | :-- | +| User or application does not have the appropriate permission scope. | All | 403 | Your account does not have access to this data. Please contact your Global Administrator to request access. | +| User or application provides invalid user root domains as the input. | PUT | 204/201 | You can only assign this policy to verified root domains. The list you provided containes one or more invalid domain. | + +## JSON Representation + +The following is a JSON representation of the resource. 
+ +```json +{ +"validatingDomains": { + "@odata.type":"String", + "rootDomains": "String", + "domainNames": ["String"] + } +} +``` diff --git a/api-reference/beta/resources/policy-overview.md b/api-reference/beta/resources/policy-overview.md index 1c3a1331b42..7937c4b2f1b 100644 --- a/api-reference/beta/resources/policy-overview.md +++ b/api-reference/beta/resources/policy-overview.md 
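Review bot: the "Error conditions and messages" table says that invalid root domains on a `PUT` return `204/201` together with the message "You can only assign this policy to verified root domains..."; a rejected input cannot come back with a success code, and the API pages in this patch define only `POST`, so this row should read `POST` with the actual error status (a `400`-class code) and "containes" should be "contains". The file is created as `federationtokenvalidationpolicy.md` while its own title, the `toc.yml` entry and every link in the patch use `federatedtokenvalidationpolicy`; rename the file. In the JSON representation, `"@odata.type": "String"` hides the one thing a caller must get right: the page defines `allDomains` and `enumeratedDomains` as derived types of the abstract `validatingDomains`, so show the concrete type value (Graph's `#microsoft.graph.allDomains` / `#microsoft.graph.enumeratedDomains` form) and note that `domainNames` is only valid on `enumeratedDomains`. Finally, the Scenarios section would be stronger with one sentence on what the check prevents, which the page only implies: with validation off, a token from the federated IdP asserting an account whose root domain differs from the mapped AAD account's root domain is still accepted, and that is the condition an administrator is opting to reject.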
@@ -26,6 +26,7 @@ Azure Active Directory (Azure AD) uses policies to control Azure AD feature beha | [authorizationPolicy](authorizationpolicy.md) | Represents a policy that can control authorization settings of Azure Active Directory. | Configure Azure AD to block MSOL PowerShell in the tenant. | | [claimsMappingPolicies](claimsMappingPolicy.md) | Represents the claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application. | Create and assign a policy to omit the basic claims from tokens issued to a service principal. | | [deviceRegistrationPolicy](deviceregistrationpolicy.md) | Represents the policy scope that controls quota restrictions, additional authentication, and authorization policies to register device identities to your organization. | Limit the number of devices that can be registered to a user in your organization or, specify users or groups that are allowed to register devices using **Azure AD Join** or **Azure AD registered**. | +| [federatedTokenValidationPolicy](federatedTokenValidationPolicy.md) | Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped AAD account's root domains. | Configure validatation on tenants to check if the domain in the mapped AAD account matches the token issuer domain in a token post authentication from the federated IdP. | | [homeRealmDiscoveryPolicies](homeRealmDiscoveryPolicy.md) | Represents a policy to control Azure Active Directory authentication behavior for federated users, in particular for auto-acceleration and user authentication restrictions in federated domains. | Configure all users to skip home realm discovery and be routed directly to ADFS for authentication. | | [tokenLifetimePolicies](tokenlifetimepolicy.md) | Represents the lifetime duration of access tokens used to access protected resources. 
| Configure a particularly sensitive application with a shorter than default token lifetime. | | [tokenIssuancePolicy](tokenIssuancePolicy.md) | Represents the policy to specify the characteristics of SAML tokens issued by Azure AD. | Configure the signing algorithm or SAML token version to be used to issue the SAML token. | diff --git a/api-reference/beta/toc.yml b/api-reference/beta/toc.yml index dd988a13d47..5423efbd0fd 100644 --- a/api-reference/beta/toc.yml +++ b/api-reference/beta/toc.yml @@ -13560,6 +13560,14 @@ items: href: api/internaldomainfederation-update.md - name: Delete href: api/internaldomainfederation-delete.md + - name: Federated Token Validation (preview) + items: + - name: Federated Token Validation Policy + href: resources/federatedtokenvalidationpolicy.md + - name: Get + href: api/federatedtokenvalidationpolicy-get.md + - name: Post + href: api/federatedtokenvalidationpolicy-post.md - name: Identity provider (deprecated) items: - name: Identity provider type @@ -17151,7 +17159,7 @@ items: - name: List href: api/onlinemeeting-list-recordings.md - name: Get - href: api/callrecording-get.md + href: api/callrecording-get.md - name: Call transcript (preview) items: - name: Call transcript (preview) From b57f6cae17f4c7ea1bab8f1d715b27aa3b6997b9 Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:58:31 +0100 Subject: [PATCH 02/76] Update federatedtokenvalidationpolicy-get.md --- .../beta/api/federatedtokenvalidationpolicy-get.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md index 5e3ce00d36b..0f9635616b4 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md 
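Review bot: in the `policy-overview.md` row, the link target `federatedTokenValidationPolicy.md` does not match the file this patch creates (`federationtokenvalidationpolicy.md`), and "validatation" is misspelled. In `toc.yml`, the `Post` entry should use the verb the sibling entries use (`Create`, alongside the existing `Update` and `Delete` under Internal domain federation), the `href` values point at `resources/federatedtokenvalidationpolicy.md`, which again is not the file added in this patch, and the second hunk at `@@ -17151,7 +17159,7 @@` only changes whitespace on `href: api/callrecording-get.md`; that change is unrelated to this feature and should be dropped.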
@@ -29,14 +29,14 @@ One of the following permissions is required to call this API. To learn more, in | ScopeName | DisplayName | Description | Type | Admin Consent? | Entities/APIs covered | | :-- | :-- | :-- | :-- | :-- | :-- | -| `Policy.ReadWrite.FederatedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Delegated | Yes | All | -| `Policy.ReadWrite.FederatedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Yes | All | +| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Delegated | Yes | All | +| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Yes | All | ### Actions | Permission | Action | Description | | :-- | :-- | :-- | -| `Policy.ReadWrite.FederatedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | +| `Policy.ReadWrite.FedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. 
| | `Policy.Read.All` | `/policies/federatedTokenValidationPolicy` | Get verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | ## HTTP request From f6e911680adf84cdeb02dbedd34cf74d72e61264 Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:59:03 +0100 Subject: [PATCH 03/76] Update federatedtokenvalidationpolicy-post.md --- .../beta/api/federatedtokenvalidationpolicy-post.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md index dfafcb5188b..6c11c5e6cfd 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md 
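Review bot: in the patch 02 hunk on federatedtokenvalidationpolicy-get.md, the second `Policy.ReadWrite.FedTokenValidation` row under `New permission scopes` still has only five cells (`| Yes | All |`) against a six-column header, so the `Type` value (presumably `Application`) is missing and the table renders misaligned; the rename from `Policy.ReadWrite.FederatedTokenValidation` does not address that. Separately, this is the GET page, yet the `Actions` table leads with the ReadWrite scope and an `Update verified domains` action; a read operation should document only the least privilege it needs (`Policy.Read.All`, as in the second row) and leave the update action to the POST page, otherwise callers will request write scope to perform a read.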
@@ -29,14 +29,14 @@ One of the following permissions is required to call this API. To learn more, in | ScopeName | DisplayName | Description | Type | Admin Consent? | Entities/APIs covered | | :-- | :-- | :-- | :-- | :-- | :-- | -| `Policy.ReadWrite.FederatedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Delegated | Yes | All | -| `Policy.ReadWrite.FederatedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Yes | All | +| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Delegated | Yes | All | +| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Yes | All | ### Actions | Permission | Action | Description | | :-- | :-- | :-- | -| `Policy.ReadWrite.FederatedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | +| `Policy.ReadWrite.FedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. 
| | `Policy.Read.All` | `/policies/federatedTokenValidationPolicy` | Get verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | ## HTTP request From db12db3a28a3fd8b8beedc63cbb58228d09c586f Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:59:16 +0100 Subject: [PATCH 04/76] Update federatedtokenvalidationpolicy-post.md --- api-reference/beta/api/federatedtokenvalidationpolicy-post.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md index 6c11c5e6cfd..c2910e08415 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md @@ -1,5 +1,5 @@ --- -title: "POst federatedTokenValidation Policy" +title: "Post federatedTokenValidation Policy" description: "Create or update verified domains for which AAD will validate whether federated account's root domain matches with mapped AAD account's root domain." author: "rahul-nagraj" ms.localizationpriority: medium From 2d08cc53fc04a24e1a464ddfa42ce9a4d416b27a Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Mon, 6 Nov 2023 11:26:49 +0000 Subject: [PATCH 05/76] Update federatedtokenvalidationpolicy-get.md --- api-reference/beta/api/federatedtokenvalidationpolicy-get.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md index 0f9635616b4..8862d012cc8 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md 
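Review bot: the patch 03 hunk on federatedtokenvalidationpolicy-post.md carries the same malformed row as the GET page (five cells under a six-column header, `Type` missing on the second `Policy.ReadWrite.FedTokenValidation` line). The mirror problem applies to its `Actions` table: the `Policy.Read.All` row with a `Get verified domains` action sits on the POST page, where a reader can take it as sufficient to call POST; keep only the write scope here.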
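Review bot: the patch 04 title fix from `POst` to `Post` is correct as far as it goes, but `Post federatedTokenValidation Policy` still splits the resource identifier `federatedTokenValidationPolicy` with a space; the title should carry the identifier intact (for example `Create federatedTokenValidationPolicy`), and the same applies to `Get federatedTokenValidation Policy` on the GET page.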
@@ -12,7 +12,7 @@ Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] -Read the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedTokenValidationPolicy.md) object. +Read the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. ## Permissions @@ -55,7 +55,7 @@ GET /policies/federatedTokenValidationPolicy/ ## Response -If successful, this method returns a `200 OK` response code and a [federatedTokenValidationPolicy](../resources/federatedTokenValidationPolicy.md) object in the response body. +If successful, this method returns a `200 OK` response code and a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object in the response body. [!Note]: > In case a GET is executed on the policy before the policy is created using a POST this method returns a `404 Not Found` response code with a message `Resource does not exist or one of its queried reference-property objects are not present`. From 34e25722da5604f3df7588aafd9abb424282e32f Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Mon, 6 Nov 2023 11:27:42 +0000 Subject: [PATCH 06/76] Update federatedtokenvalidationpolicy-post.md --- api-reference/beta/api/federatedtokenvalidationpolicy-post.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md index c2910e08415..e48e79c0317 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md 
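Review bot: the link-case fix in both patch 05 hunks is right (`../resources/federatedtokenvalidationpolicy.md` matches the rename in patch 08), but the context lines show two things to fix in the same file while it is open: the note is written as `[!Note]:` followed by a separate `>` line, which is not the alert syntax (`> [!NOTE]` on its own quoted line, then the quoted text), so it renders as literal text; and the request line `GET /policies/federatedTokenValidationPolicy/` carries a trailing slash on a singleton path. The quoted 404 message `Resource does not exist or one of its queried reference-property objects are not present` should also be checked against what the service actually returns, since readers will grep logs for it.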
@@ -12,7 +12,7 @@ Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] -Create or update the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedTokenValidationPolicy.md) object. +Create or update the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. ## Permissions From cfa20aa60b737219d28a21105268ca2282a4dc55 Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Mon, 6 Nov 2023 11:28:05 +0000 Subject: [PATCH 07/76] Update policy-overview.md --- api-reference/beta/resources/policy-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api-reference/beta/resources/policy-overview.md b/api-reference/beta/resources/policy-overview.md index f4cffe403d0..9ff0eb595bd 100644 --- a/api-reference/beta/resources/policy-overview.md +++ b/api-reference/beta/resources/policy-overview.md 
@@ -26,7 +26,7 @@ Microsoft Entra ID uses policies to control Microsoft Entra feature behaviors in | [authorizationPolicy](authorizationpolicy.md) | Represents a policy that can control authorization settings of Microsoft Entra ID. | Configure Microsoft Entra ID to block MSOL PowerShell in the tenant. | | [claimsMappingPolicies](claimsMappingPolicy.md) | Represents the claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application. | Create and assign a policy to omit the basic claims from tokens issued to a service principal. | | [deviceRegistrationPolicy](deviceregistrationpolicy.md) | Represents the policy scope that controls quota restrictions, additional authentication, and authorization policies to register device identities to your organization. | Limit the number of devices that can be registered to a user in your organization or, specify users or groups that are allowed to register devices using **Microsoft Entra join** or **Microsoft Entra registered**. | -| [federatedTokenValidationPolicy](federatedTokenValidationPolicy.md) | Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped AAD account's root domains. | Configure validatation on tenants to check if the domain in the mapped AAD account matches the token issuer domain in a token post authentication from the federated IdP. | +| [federatedTokenValidationPolicy](federatedtokenvalidationpolicy.md) | Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped AAD account's root domains. | Configure validatation on tenants to check if the domain in the mapped AAD account matches the token issuer domain in a token post authentication from the federated IdP. 
| | [homeRealmDiscoveryPolicies](homeRealmDiscoveryPolicy.md) | Represents a policy to control Microsoft Entra authentication behavior for federated users, in particular for auto-acceleration and user authentication restrictions in federated domains. | Configure all users to skip home realm discovery and be routed directly to ADFS for authentication. | | [tokenLifetimePolicies](tokenlifetimepolicy.md) | Represents the lifetime duration of access tokens used to access protected resources. | Configure a particularly sensitive application with a shorter than default token lifetime. | | [tokenIssuancePolicy](tokenIssuancePolicy.md) | Represents the policy to specify the characteristics of SAML tokens issued by Microsoft Entra ID. | Configure the signing algorithm or SAML token version to be used to issue the SAML token. | From 42c23e2e8aea9e7bf4dc9cddfab05efb77c6dade Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Mon, 6 Nov 2023 11:46:34 +0000 Subject: [PATCH 08/76] File renamed --- ...tokenvalidationpolicy.md => federatedtokenvalidationpolicy.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename api-reference/beta/resources/{federationtokenvalidationpolicy.md => federatedtokenvalidationpolicy.md} (100%) diff --git a/api-reference/beta/resources/federationtokenvalidationpolicy.md b/api-reference/beta/resources/federatedtokenvalidationpolicy.md similarity index 100% rename from api-reference/beta/resources/federationtokenvalidationpolicy.md rename to api-reference/beta/resources/federatedtokenvalidationpolicy.md From 4879f66e56d77b2c4eacc54d2bb41032c5e0f0ea Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Mon, 6 Nov 2023 11:53:29 +0000 Subject: [PATCH 09/76] Permissions updated --- api-reference/beta/api/federatedtokenvalidationpolicy-get.md | 1 - api-reference/beta/api/federatedtokenvalidationpolicy-post.md | 1 - 2 files changed, 2 deletions(-) 
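Review bot: the `+` row in the patch 07 policy-overview.md hunk still reads `Configure validatation on tenants` (typo for `validation`) and uses a bare hyphen as a dash in `federation token auth validation - matching`; since the line is being rewritten anyway, fix both here rather than in patch 11. The patch 08 rename that follows has no content change, which is correct for a 100% similarity rename, but it must precede any commit that links to the new name (see the patch 01 TOC hunk).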
diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md index 8862d012cc8..73ab9a5f09a 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md @@ -30,7 +30,6 @@ One of the following permissions is required to call this API. To learn more, in | ScopeName | DisplayName | Description | Type | Admin Consent? | Entities/APIs covered | | :-- | :-- | :-- | :-- | :-- | :-- | | `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Delegated | Yes | All | -| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Yes | All | ### Actions diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md index e48e79c0317..29718ebd120 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md 
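Review bot: deleting the five-cell row in the patch 09 get.md hunk fixes the broken table, but it also removes the only indication that `Policy.ReadWrite.FedTokenValidation` might be available as an application permission. If the scope can be granted app-only, re-add the row with `Application` in the `Type` column instead of deleting it; if it is delegated-only, state that explicitly, because automation that manages this policy needs to know whether a client-credential flow can call it.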
@@ -30,7 +30,6 @@ One of the following permissions is required to call this API. To learn more, in | ScopeName | DisplayName | Description | Type | Admin Consent? | Entities/APIs covered | | :-- | :-- | :-- | :-- | :-- | :-- | | `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Delegated | Yes | All | -| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Yes | All | ### Actions From 8088752fd91c9e506e814d8d8e0b56f6d66ef73f Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Mon, 6 Nov 2023 12:25:33 +0000 Subject: [PATCH 10/76] Acrolynx Updates --- .../api/federatedtokenvalidationpolicy-get.md | 12 +++++------ .../federatedtokenvalidationpolicy-post.md | 20 +++++++++---------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md index 73ab9a5f09a..4e7f8f3bb65 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md @@ -1,6 +1,6 @@ --- title: "Get federatedTokenValidation Policy" -description: "Gets verified domains for which AAD will validate whether federated account's root domain matches with mapped AAD account's root domain." +description: "Gets verified domains for which Entra Id validates whether federated account's root domain matches with mapped Entra Id account's root domain." author: "rahul-nagraj" ms.localizationpriority: medium ms.prod: "identity-and-sign-in" 
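Review bot: the patch 09 post.md hunk mirrors the get.md deletion and leaves the same open question about an `Application` row; since the two pages are meant to carry an identical scope table, consider moving it into a shared include so they cannot drift.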
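Review bot: the patch 10 description hunk replaces `AAD` with `Entra Id`, which is not the product name; the form used elsewhere in this repository and in the policy-overview.md context lines of this same series is `Microsoft Entra ID`. This applies to every `+` line in the patch 10 commit (both the get.md and post.md pages), not only the front matter, and patch 12 later corrects just one occurrence.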
@@ -18,7 +18,7 @@ Read the properties and relationships of a [federatedTokenValidationPolicy](../r One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). -### API re-uses existing Graph permissions +### API reuses existing Graph permissions | Permissions | Type | Entities/APIs covered | | :-- | :-- | :-- | 
@@ -29,18 +29,18 @@ One of the following permissions is required to call this API. To learn more, in | ScopeName | DisplayName | Description | Type | Admin Consent? | Entities/APIs covered | | :-- | :-- | :-- | :-- | :-- | :-- | -| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Delegated | Yes | All | +| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have the validation enabled | Delegated | Yes | All | ### Actions | Permission | Action | Description | | :-- | :-- | :-- | -| `Policy.ReadWrite.FedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | -| `Policy.Read.All` | `/policies/federatedTokenValidationPolicy` | Get verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | +| `Policy.ReadWrite.FedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. | +| `Policy.Read.All` | `/policies/federatedTokenValidationPolicy` | Get verified domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. 
| ## HTTP request -Get the verified managed or federated root domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. +Get the verified managed or federated root domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. ```http GET /policies/federatedTokenValidationPolicy/ diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md index 29718ebd120..c3b74eb63fc 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md @@ -1,6 +1,6 @@ --- title: "Post federatedTokenValidation Policy" -description: "Create or update verified domains for which AAD will validate whether federated account's root domain matches with mapped AAD account's root domain." +description: "Create or update verified domains for which Entra Id validates whether federated account's root domain matches with mapped Entra Id account's root domain." author: "rahul-nagraj" ms.localizationpriority: medium ms.prod: "identity-and-sign-in" @@ -18,7 +18,7 @@ Create or update the properties and relationships of a [federatedTokenValidation One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). -### API re-uses existing Graph permissions +### API reuses existing Graph permissions | Permissions | Type | Entities/APIs covered | | :-- | :-- | :-- | 
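Review bot: the rewritten `Actions` rows and the `## HTTP request` sentence in the get.md hunks keep the doubled verb `matching federated account's root domain matches with mapped Entra Id account's root domain`; since these lines are changed anyway, rephrase to something like `validates that the federated account's root domain matches the mapped Microsoft Entra ID account's root domain`. The `GET /policies/federatedTokenValidationPolicy/` context line still shows the trailing slash noted on patch 05.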
@@ -29,18 +29,18 @@ One of the following permissions is required to call this API. To learn more, in | ScopeName | DisplayName | Description | Type | Admin Consent? | Entities/APIs covered | | :-- | :-- | :-- | :-- | :-- | :-- | -| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have enabled the validation | Delegated | Yes | All | +| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have the validation enabled | Delegated | Yes | All | ### Actions | Permission | Action | Description | | :-- | :-- | :-- | -| `Policy.ReadWrite.FedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | -| `Policy.Read.All` | `/policies/federatedTokenValidationPolicy` | Get verified domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. | +| `Policy.ReadWrite.FedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. | +| `Policy.Read.All` | `/policies/federatedTokenValidationPolicy` | Get verified domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. 
| ## HTTP request -Create or update the verified managed or federated root domains for which AAD will perform validation (matching federated account's root domain matches with mapped AAD account's root domain) before granting access. +Create or update the verified managed or federated root domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. ```http POST /policies/federatedTokenValidationPolicy/ 
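Review bot: the post.md hunks carry the same doubled-verb wording as get.md, and the `Policy.Read.All` row with a `Get verified domains` action is still present on the POST page after this rewrite; the security-relevant fix is to list only `Policy.ReadWrite.FedTokenValidation` as required for POST, so that the page does not suggest a read scope is enough to change which domains are validated.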
@@ -55,13 +55,13 @@ POST /policies/federatedTokenValidationPolicy/ ## Request body |Property|Type|Description| |:---|:---|:---| -| `validatingDomains` | `microsoft.graph.validatingDomains` | Verified AAD domains for which AAD will validate that federated account's root domain matches with mapped AAD account's root domain. | -| `rootDomains` | `graph.rootDomains` | Defines to which domains the validation will apply to. Possible values are `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, or `unknownFutureValue`. | -| `domainNames` | `Collection(Edm.String)` | List of federated and/or managed root domains for which AAD will perform the validation. | +| `validatingDomains` | `microsoft.graph.validatingDomains` | Verified Entra Id domains for which Entra Id validates that federated account's root domain matches with mapped Entra Id account's root domain. | +| `rootDomains` | `graph.rootDomains` | Defines to which domains the validation applies to. Possible values are `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, or `unknownFutureValue`. | +| `domainNames` | `Collection(Edm.String)` | List of federated and/or managed root domains for which Entra Id performs the validation. | ## Response -If successful, this method returns a `201 Created` response code if it is created for the first time or `204 No Content` response code on successful update. It does not return anything in the response body. +If successful, this method returns a `201 Created` response code if it's created for the first time or `204 No Content` response code on successful update. It doesn't return anything in the response body. [!Note]: > In case a GET is executed on the policy before the policy is created using a POST this method returns a `404 Not Found` response code with a message `Resource does not exist or one of its queried reference-property objects are not present`. 
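Review bot: the `## Request body` table lists `rootDomains` and `domainNames` as top-level siblings of `validatingDomains`, but the resource page in patch 11 documents them as sub-properties of the `validatingDomains` complex types (`domainNames` only under `enumeratedDomains`), so the table should show that nesting and say which derived type each belongs to; as written, a caller cannot build a valid body from it. The type column is also inconsistent (`microsoft.graph.validatingDomains` versus `graph.rootDomains`). Finally, the `[!Note]` about a GET returning `404 Not Found` before the policy exists is on the POST page, where it does not apply; it belongs on the GET page only.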
From 7775eac48a8f4fcafb4d6b1ecd91abe8a6883f2e Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Mon, 6 Nov 2023 12:49:13 +0000 Subject: [PATCH 11/76] Acrolynx Updates --- .../federatedtokenvalidationpolicy.md | 34 ++++++++++--------- .../beta/resources/policy-overview.md | 4 +-- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/api-reference/beta/resources/federatedtokenvalidationpolicy.md b/api-reference/beta/resources/federatedtokenvalidationpolicy.md index 280897ba449..5c347dc4ecb 100644 --- a/api-reference/beta/resources/federatedtokenvalidationpolicy.md +++ b/api-reference/beta/resources/federatedtokenvalidationpolicy.md @@ -1,6 +1,6 @@ --- title: "federatedTokenValidationPolicy resource type" -description: "Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped AAD account's root domains." +description: "Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped Entra Id account's root domains." author: "rahul-nagraj" ms.localizationpriority: medium ms.prod: "identity-and-sign-in" 
@@ -13,61 +13,63 @@ Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] -Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped AAD account's root domains. If enabled AAD will reject auth request if on-prem federated account and mapped AAD account's root domains dont match. +Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped Entra Id account's root domains. If enabled Entra Id rejects auth request if on-prem federated account and mapped Entra Id account's root domains don't match. ## Scenarios -### Reject auth request if on-prem federated account and mapped AAD account's root domains dont match +### Reject auth request if on-prem federated account and mapped Entra Id account's root domains do not match -This new policy will allow customers to enable the above mentioned validation. If enabled AAD will reject auth request if on-prem federated account and mapped AAD account's root domains dont match. +This new policy allows the admin to control the federated token validation behaviour. If enabled Entra Id rejects auth request if on-prem federated account and mapped Entra Id account's root domains do not match. -The APIs will allow administrators to: +The APIs allows administrators to: -1. Update the user verified root domains in AAD for which the new token validation will be applied. -2. Get the user verified domains in AAD for which the new validation is enabled. +1. Update the user verified root domains in Entra Id for which the new token validation is applied. +2. Get the user verified domains in Entra Id for which the new validation is enabled. 
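Review bot: the rewritten intro and scenario lines introduce a grammar error (`The APIs allows administrators to` should be `The API allows` or `The APIs allow`), use `behaviour` where the rest of the repository uses US spelling (`feature behaviors` in the policy-overview.md context), and need a comma and article in `If enabled Entra Id rejects auth request`. More importantly, the page never defines what `root domain` means for the on-premises federated account versus the mapped Microsoft Entra ID account, yet that comparison is the whole control; add a sentence stating which attribute of each account is compared so admins can predict which sign-ins the policy will reject.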
#### Properties | Property | Type | Description | Key | Required | ReadOnly | | :-- | :-- | :-- | :-- | :-- | :-- | -| `validatingDomains` | `microsoft.graph.validatingDomains` | Verified AAD domains for which AAD will validate that federated account's root domain matches with mapped AAD account's root domain. | Yes | Yes | No | +| `validatingDomains` | `microsoft.graph.validatingDomains` | Verified Entra Id domains for which Entra Id validates that federated account's root domain matches with mapped Entra Id account's root domain. | Yes | Yes | No | ## New complex types ### validatingDomains -A abstract complex type that defines verified root domains for which AAD will validate whether federated account's root domain matches with mapped AAD account's root domain. +An abstract complex type that defines verified root domains for which Entra Id validates whether federated account's root domain matches with mapped Entra Id account's root domain. #### Sub-Properties | Property | Type | Description | Required | ReadOnly | | :-- | :-- | :-- | :-- | :-- | -| `rootDomains` | `graph.rootDomains` | Defines whether the validation will apply to 'all', 'all federated', 'all managed', 'enumerated', 'all managed + enumerated', or 'no' domains. | Yes | No | +| `rootDomains` | `graph.rootDomains` | Defines whether the validation applies to 'all', 'all federated', 'all managed', 'enumerated', 'all managed + enumerated', or 'no' domains. | Yes | No | ### allDomains -A derived complex type that defines that AAD will perform validation (whether federated account's root domain matches with mapped AAD account's root domain) for all root domains if root domains is 'all' or for all Managed if root domains is 'allManaged' or for all Federated if root domains is 'allFederated' or for none if root domains is 'none'. 
+A derived complex type which defines that Entra Id performs validation for all root domains if root domain is 'all' or for all managed if root domain is 'allManaged' or for all Federated if root domain is 'allFederated' or for none if root domain is 'none'. +When enabled, Entra Id will validate whether federated account's root domain matches with mapped Entra Id account's root domain. ### enumeratedDomains -A derived complex type that defines that AAD will perform validation (whether federated account's root domain matches with mapped AAD account's root domain) for all specified Azure AD domains if root domains is 'enumerated' or for all Managed and specified Azure AD domains if root domains is 'allManagedAndEnumeratedFederated'. +A derived complex type which defines that Entra Id performs validation for all specified Azure AD domains if root domain is 'enumerated' or for all managed and specified Azure AD domains if root domain is 'allManagedAndEnumeratedFederated'. +When enabled, Entra Id will validate whether federated account's root domain matches with mapped Entra Id account's root domain. #### Sub-Properties | Property | Type | Description | Required | ReadOnly | | :-- | :-- | :-- | :-- | :-- | -| `domainNames` | `Collection(Edm.String)` | List of federated and/or managed root domains for which AAD will perform the validation. | Yes | No | +| `domainNames` | `Collection(Edm.String)` | List of federated and/or managed root domains for which Entra Id performs the validation. | Yes | No | ## Error conditions and messages | Scenario | Method | Code | Message | | :-- | :-- | :-- | :-- | -| User or application does not have the appropriate permission scope. | All | 403 | Your account does not have access to this data. Please contact your Global Administrator to request access. | -| User or application provides invalid user root domains as the input. | PUT | 204/201 | You can only assign this policy to verified root domains. 
The list you provided containes one or more invalid domain. | +| User or application does not have the appropriate permission scope. | All | 403 | Your account does not have access to this data. Contact your Global Administrator to request access. | +| User or application provides invalid user root domains as the input. | PUT | 204/201 | You can only assign this policy to verified root domains. The list you provided contains one or more invalid domains. | ## JSON Representation -The following is a JSON representation of the resource. +JSON representation of the resource: ```json { diff --git a/api-reference/beta/resources/policy-overview.md b/api-reference/beta/resources/policy-overview.md index 9ff0eb595bd..533654484b7 100644 --- a/api-reference/beta/resources/policy-overview.md +++ b/api-reference/beta/resources/policy-overview.md @@ -14,7 +14,7 @@ Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] -Microsoft Entra ID uses policies to control Microsoft Entra feature behaviors in your organization. Policies are custom rules that you can enforce on applications, service principals, groups, or on the entire organization they are assigned to. +Microsoft Entra ID uses policies to control Microsoft Entra feature behaviors in your organization. Policies are custom rules that you can enforce on applications, service principals, groups, or on the entire organization they're assigned to. ## What policies are available? 
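Review bot: the `allDomains` description in this hunk still allows `root domain` to be `'none'` (and the `rootDomains` sub-property row offers `'no' domains`), but the `rootDomains` values documented in the patch 10 request-body table are `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated` and `unknownFutureValue`, with no `none`; reconcile the two, since a `none` option that does not exist, or one that exists but is undocumented, changes whether the validation can be silently turned off. The rewritten `enumeratedDomains` line still says `Azure AD domains` while the rest of the hunk says `Entra Id`. In the error table, the invalid-domains row pairs an error message with `204/201` success codes and method `PUT`, which the API pages never document; a rejected input should be `POST | 400` (or whatever the service returns), and the success codes belong in the response section only.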
@@ -26,7 +26,7 @@ Microsoft Entra ID uses policies to control Microsoft Entra feature behaviors in | [authorizationPolicy](authorizationpolicy.md) | Represents a policy that can control authorization settings of Microsoft Entra ID. | Configure Microsoft Entra ID to block MSOL PowerShell in the tenant. | | [claimsMappingPolicies](claimsMappingPolicy.md) | Represents the claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application. | Create and assign a policy to omit the basic claims from tokens issued to a service principal. | | [deviceRegistrationPolicy](deviceregistrationpolicy.md) | Represents the policy scope that controls quota restrictions, additional authentication, and authorization policies to register device identities to your organization. | Limit the number of devices that can be registered to a user in your organization or, specify users or groups that are allowed to register devices using **Microsoft Entra join** or **Microsoft Entra registered**. | -| [federatedTokenValidationPolicy](federatedtokenvalidationpolicy.md) | Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped AAD account's root domains. | Configure validatation on tenants to check if the domain in the mapped AAD account matches the token issuer domain in a token post authentication from the federated IdP. | +| [federatedTokenValidationPolicy](federatedtokenvalidationpolicy.md) | Represents a policy to control enabling/disabling federation token auth validation - matching on-premises federated account and mapped Entra Id account's root domains. | Configure validation on tenants to check if the domain in the mapped Entra Id account matches the token issuer domain in a token post authentication from the federated IdP. 
| | [homeRealmDiscoveryPolicies](homeRealmDiscoveryPolicy.md) | Represents a policy to control Microsoft Entra authentication behavior for federated users, in particular for auto-acceleration and user authentication restrictions in federated domains. | Configure all users to skip home realm discovery and be routed directly to ADFS for authentication. | | [tokenLifetimePolicies](tokenlifetimepolicy.md) | Represents the lifetime duration of access tokens used to access protected resources. | Configure a particularly sensitive application with a shorter than default token lifetime. | | [tokenIssuancePolicy](tokenIssuancePolicy.md) | Represents the policy to specify the characteristics of SAML tokens issued by Microsoft Entra ID. | Configure the signing algorithm or SAML token version to be used to issue the SAML token. | From e140870524683198735ff4e1c3e9d7dc2d1852c0 Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Mon, 6 Nov 2023 13:49:24 +0000 Subject: [PATCH 12/76] Acrolynx updates --- .../federatedtokenvalidationpolicy.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/api-reference/beta/resources/federatedtokenvalidationpolicy.md b/api-reference/beta/resources/federatedtokenvalidationpolicy.md index 5c347dc4ecb..d8b58af1072 100644 --- a/api-reference/beta/resources/federatedtokenvalidationpolicy.md +++ b/api-reference/beta/resources/federatedtokenvalidationpolicy.md 
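Review bot: The added table row in this hunk still uses "Entra Id" twice ("mapped Entra Id account's root domains", "the mapped Entra Id account"), while the rest of this page and the later Acrolynx patch in this PR use "Microsoft Entra ID"; rename both occurrences here so the overview does not drift from the resource page. The "validatation" typo and the "on-prem" expansion on the removed line are correctly fixed on the added line.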
@@ -1,6 +1,6 @@ --- title: "federatedTokenValidationPolicy resource type" -description: "Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped Entra Id account's root domains." +description: "Represents a policy to control enabling/disabling federation token auth validation - matching on-premises federated account and mapped Microsoft Entra ID account's root domains." author: "rahul-nagraj" ms.localizationpriority: medium ms.prod: "identity-and-sign-in" 
@@ -13,58 +13,58 @@ Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] -Represents a policy to control enabling/disabling federation token auth validation - matching on-prem federated account and mapped Entra Id account's root domains. If enabled Entra Id rejects auth request if on-prem federated account and mapped Entra Id account's root domains don't match. +Represents a policy to control enabling/disabling federation token auth validation - matching on-premises federated account and mapped Microsoft Entra ID account's root domains. When enabled Microsoft Entra ID rejects auth request if on-premises federated account and mapped Microsoft Entra ID account's root domains don't match. ## Scenarios -### Reject auth request if on-prem federated account and mapped Entra Id account's root domains do not match +### Reject auth request if on-premises federated account and mapped Microsoft Entra ID account's root domains don't match -This new policy allows the admin to control the federated token validation behaviour. If enabled Entra Id rejects auth request if on-prem federated account and mapped Entra Id account's root domains do not match. +This new policy allows the admin to control the federated token validation behavior. When enabled Microsoft Entra ID rejects auth request if on-premises federated account and mapped Microsoft Entra ID account's root domains don't match. The APIs allows administrators to: -1. Update the user verified root domains in Entra Id for which the new token validation is applied. -2. Get the user verified domains in Entra Id for which the new validation is enabled. +1. Update the user verified root domains in Microsoft Entra ID for which the new token validation is applied. +2. Get the user verified domains in Microsoft Entra ID for which the new validation is enabled. 
#### Properties | Property | Type | Description | Key | Required | ReadOnly | | :-- | :-- | :-- | :-- | :-- | :-- | -| `validatingDomains` | `microsoft.graph.validatingDomains` | Verified Entra Id domains for which Entra Id validates that federated account's root domain matches with mapped Entra Id account's root domain. | Yes | Yes | No | +| `validatingDomains` | `microsoft.graph.validatingDomains` | Verified Microsoft Entra ID domains for which Microsoft Entra ID validates that federated account's root domain matches with mapped Microsoft Entra ID account's root domain. | Yes | Yes | No | ## New complex types ### validatingDomains -An abstract complex type that defines verified root domains for which Entra Id validates whether federated account's root domain matches with mapped Entra Id account's root domain. +An abstract complex type that defines verified root domains for which Microsoft Entra ID validates whether federated account's root domain matches with mapped Microsoft Entra ID account's root domain. #### Sub-Properties | Property | Type | Description | Required | ReadOnly | | :-- | :-- | :-- | :-- | :-- | -| `rootDomains` | `graph.rootDomains` | Defines whether the validation applies to 'all', 'all federated', 'all managed', 'enumerated', 'all managed + enumerated', or 'no' domains. | Yes | No | +| `rootDomains` | `graph.rootDomains` | Defines whether the validation applies to 'all','all federated','all managed','enumerated','all managed+enumerated' or 'no' domains. | Yes | No | ### allDomains -A derived complex type which defines that Entra Id performs validation for all root domains if root domain is 'all' or for all managed if root domain is 'allManaged' or for all Federated if root domain is 'allFederated' or for none if root domain is 'none'. -When enabled, Entra Id will validate whether federated account's root domain matches with mapped Entra Id account's root domain. 
+A derived complex type, which defines that Microsoft Entra ID performs validation for all root domains if root domain is 'all' or for all managed if root domain is 'allManaged' or for all Federated if root domain is 'allFederated' or for none if root domain is 'none'. +When enabled, Microsoft Entra ID validates whether federated account's root domain matches with mapped Microsoft Entra ID account's root domain. ### enumeratedDomains -A derived complex type which defines that Entra Id performs validation for all specified Azure AD domains if root domain is 'enumerated' or for all managed and specified Azure AD domains if root domain is 'allManagedAndEnumeratedFederated'. -When enabled, Entra Id will validate whether federated account's root domain matches with mapped Entra Id account's root domain. +A derived complex type, which defines that Microsoft Entra ID performs validation for all specified Azure AD domains if root domain is 'enumerated' or for all managed and specified Azure AD domains if root domain is 'allManagedAndEnumeratedFederated'. +When enabled, Microsoft Entra ID validates whether federated account's root domain matches with mapped Microsoft Entra ID account's root domain. #### Sub-Properties | Property | Type | Description | Required | ReadOnly | | :-- | :-- | :-- | :-- | :-- | -| `domainNames` | `Collection(Edm.String)` | List of federated and/or managed root domains for which Entra Id performs the validation. | Yes | No | +| `domainNames` | `Collection(Edm.String)` | List of federated and/or managed root domains for which Microsoft Entra ID performs the validation. | Yes | No | ## Error conditions and messages | Scenario | Method | Code | Message | | :-- | :-- | :-- | :-- | -| User or application does not have the appropriate permission scope. | All | 403 | Your account does not have access to this data. Contact your Global Administrator to request access. | +| User or application does not have the appropriate permission scope. 
| All | 403 | Your account doesn't have access to this data. Contact your Global Administrator to request access. | | User or application provides invalid user root domains as the input. | PUT | 204/201 | You can only assign this policy to verified root domains. The list you provided contains one or more invalid domains. | ## JSON Representation From 18da827505b721493fe95002aa22cadfe1371dcd Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Wed, 8 Nov 2023 23:50:23 +0000 Subject: [PATCH 13/76] PR review updates --- .../api/federatedtokenvalidationpolicy-get.md | 91 ++++++++++----- .../federatedtokenvalidationpolicy-post.md | 67 ----------- .../federatedtokenvalidationpolicy-update.md | 100 ++++++++++++++++ ...t-delete-federatedtokenvalidationpolicy.md | 74 ++++++++++++ ...oot-list-federatedtokenvalidationpolicy.md | 107 ++++++++++++++++++ ...oot-post-federatedtokenvalidationpolicy.md | 98 ++++++++++++++++ .../federatedtokenvalidationpolicy.md | 107 ++++++++---------- 7 files changed, 484 insertions(+), 160 deletions(-) delete mode 100644 api-reference/beta/api/federatedtokenvalidationpolicy-post.md create mode 100644 api-reference/beta/api/federatedtokenvalidationpolicy-update.md create mode 100644 api-reference/beta/api/policyroot-delete-federatedtokenvalidationpolicy.md create mode 100644 api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md create mode 100644 api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md index 4e7f8f3bb65..9e9c31d547a 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md 
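Review bot: The `enumeratedDomains` paragraph in this hunk still says "all specified Azure AD domains" on both added lines, while the rest of the hunk renames Azure AD / Entra Id to Microsoft Entra ID; update those two occurrences as well. Two smaller points in the same hunk: the added `rootDomains` description drops the spaces between the quoted values ('all','all federated','all managed', ...), which reads as a regression from the removed line, and the `allDomains` paragraph describes a 'none' value that does not appear in the `rootDomains` value list (`all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, `unknownFutureValue`) documented on the POST page in this PR; either add `none` to that list or remove it from this paragraph.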
@@ -1,13 +1,13 @@ --- -title: "Get federatedTokenValidation Policy" -description: "Gets verified domains for which Entra Id validates whether federated account's root domain matches with mapped Entra Id account's root domain." +title: "Get federatedTokenValidationPolicy" +description: "Read the properties and relationships of a federatedTokenValidationPolicy object." author: "rahul-nagraj" ms.localizationpriority: medium ms.prod: "identity-and-sign-in" doc_type: apiPageType --- -# GET federatedTokenValidation Policy +# Get federatedTokenValidationPolicy Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] 
@@ -15,46 +15,75 @@ Namespace: microsoft.graph Read the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. ## Permissions - One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). -### API reuses existing Graph permissions - -| Permissions | Type | Entities/APIs covered | -| :-- | :-- | :-- | -| `Policy.Read.All` | Delegated | All | -| `Policy.Read.All` | Application | All | - -### New permission scopes - -| ScopeName | DisplayName | Description | Type | Admin Consent? | Entities/APIs covered | -| :-- | :-- | :-- | :-- | :-- | :-- | -| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have the validation enabled | Delegated | Yes | All | - -### Actions - -| Permission | Action | Description | -| :-- | :-- | :-- | -| `Policy.ReadWrite.FedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. | -| `Policy.Read.All` | `/policies/federatedTokenValidationPolicy` | Get verified domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. | + +[!INCLUDE [permissions-table](../includes/permissions/federatedtokenvalidationpolicy-get-permissions.md)] ## HTTP request -Get the verified managed or federated root domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. 
- -```http -GET /policies/federatedTokenValidationPolicy/ + +``` http +GET /policies/federatedTokenValidationPolicy ``` -## Request headers +## Optional query parameters +This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters). +## Request headers |Name|Description| |:---|:---| -|Content-Type|application/json. Required.| +|Authorization|Bearer {token}. Required.| + +## Request body +Do not supply a request body for this method. ## Response If successful, this method returns a `200 OK` response code and a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object in the response body. -[!Note]: -> In case a GET is executed on the policy before the policy is created using a POST this method returns a `404 Not Found` response code with a message `Resource does not exist or one of its queried reference-property objects are not present`. +## Examples + +### Request +The following is an example of a request. + +``` http +GET https://graph.microsoft.com/beta/policies/federatedTokenValidationPolicy +``` + + +### Response +The following is an example of the response +>**Note:** The response object shown here might be shortened for readability. + +``` http +HTTP/1.1 200 OK +Content-Type: application/json + +{ + "value": { + "@odata.type": "#Microsoft.DirectoryServices.federatedTokenValidationPolicy", + "id": "932b8f7f-68c1-6fe5-59ab-56e1ff752f30", + "deletedDateTime": "String (timestamp)", + "validatingDomains": { + "@odata.type": "microsoft.graph.validatingDomains" + } + } +} +``` diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md b/api-reference/beta/api/federatedtokenvalidationpolicy-post.md deleted file mode 100644 index c3b74eb63fc..00000000000 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-post.md +++ /dev/null 
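Review bot: The response example in this hunk wraps the single object in `"value": { ... }`; a GET on a singleton such as `/policies/federatedTokenValidationPolicy` returns the object itself at the top level (the `value` wrapper is the shape of a collection response), so the example should drop the wrapper. Related: the example's `@odata.type` is `#Microsoft.DirectoryServices.federatedTokenValidationPolicy`, while the page declares `Namespace: microsoft.graph` and the Update page added in this same patch uses `#microsoft.graph.federatedTokenValidationPolicy`; pick one namespace. The removed note that a GET before the policy has been created returns `404 Not Found` with `Resource does not exist or one of its queried reference-property objects are not present` is useful to callers and should be kept, for example as an error entry under Response.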
@@ -1,67 +0,0 @@ ---- -title: "Post federatedTokenValidation Policy" -description: "Create or update verified domains for which Entra Id validates whether federated account's root domain matches with mapped Entra Id account's root domain." -author: "rahul-nagraj" -ms.localizationpriority: medium -ms.prod: "identity-and-sign-in" -doc_type: apiPageType ---- - -# POST federatedTokenValidation Policy -Namespace: microsoft.graph - -[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] - -Create or update the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. - -## Permissions - -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). - -### API reuses existing Graph permissions - -| Permissions | Type | Entities/APIs covered | -| :-- | :-- | :-- | -| `Policy.Read.All` | Delegated | All | -| `Policy.Read.All` | Application | All | - -### New permission scopes - -| ScopeName | DisplayName | Description | Type | Admin Consent? | Entities/APIs covered | -| :-- | :-- | :-- | :-- | :-- | :-- | -| `Policy.ReadWrite.FedTokenValidation` | Read and write Federated Token Validation Policy | This role can read and write Federated Token Validation Policy that determines which domains have the validation enabled | Delegated | Yes | All | - -### Actions - -| Permission | Action | Description | -| :-- | :-- | :-- | -| `Policy.ReadWrite.FedTokenValidation` | `/policies/federatedTokenValidationPolicy` | Update verified domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. 
| -| `Policy.Read.All` | `/policies/federatedTokenValidationPolicy` | Get verified domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. | - -## HTTP request - -Create or update the verified managed or federated root domains for which Entra Id performs validation (matching federated account's root domain matches with mapped Entra Id account's root domain) before granting access. - -```http -POST /policies/federatedTokenValidationPolicy/ -``` - -## Request headers - -|Name|Description| -|:---|:---| -|Content-Type|application/json. Required.| - -## Request body -|Property|Type|Description| -|:---|:---|:---| -| `validatingDomains` | `microsoft.graph.validatingDomains` | Verified Entra Id domains for which Entra Id validates that federated account's root domain matches with mapped Entra Id account's root domain. | -| `rootDomains` | `graph.rootDomains` | Defines to which domains the validation applies to. Possible values are `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, or `unknownFutureValue`. | -| `domainNames` | `Collection(Edm.String)` | List of federated and/or managed root domains for which Entra Id performs the validation. | - -## Response - -If successful, this method returns a `201 Created` response code if it's created for the first time or `204 No Content` response code on successful update. It doesn't return anything in the response body. - -[!Note]: -> In case a GET is executed on the policy before the policy is created using a POST this method returns a `404 Not Found` response code with a message `Resource does not exist or one of its queried reference-property objects are not present`. diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-update.md b/api-reference/beta/api/federatedtokenvalidationpolicy-update.md new file mode 100644 index 00000000000..bd26a1b49cf --- /dev/null 
+++ b/api-reference/beta/api/federatedtokenvalidationpolicy-update.md 
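Review bot: Deleting this file removes the only place in the PR that lists the possible `rootDomains` values (`all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, `unknownFutureValue`) and documents `domainNames` as `Collection(Edm.String)`; the replacement Create and Update pages in this patch only reference `validatingDomains` through a link to `../resources/validatingdomains.md`, and that file is not among the seven files this patch touches. Please carry the value list and the `domainNames` property over to the resource page before removing this one, so that a reader can still tell which domains the validation applies to.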
@@ -0,0 +1,100 @@ +--- +title: "Update federatedTokenValidationPolicy" +description: "Update the properties of a federatedTokenValidationPolicy object." +author: "rahul-nagraj" +ms.localizationpriority: medium +ms.prod: "identity-and-sign-in" +doc_type: apiPageType +--- + +# Update federatedTokenValidationPolicy +Namespace: microsoft.graph + +[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] + +Update the properties of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). + + +[!INCLUDE [permissions-table](../includes/permissions/federatedtokenvalidationpolicy-update-permissions.md)] + +## HTTP request + + +``` http +PATCH /policies/federatedTokenValidationPolicy +``` + +## Request headers +|Name|Description| +|:---|:---| +|Authorization|Bearer {token}. Required.| +|Content-Type|application/json. Required.| + +## Request body +[!INCLUDE [table-intro](../../includes/update-property-table-intro.md)] + +|Property|Type|Description| +|:---|:---|:---| +|validatingDomains|[Microsoft.DirectoryServices.validatingDomains](../resources/validatingdomains.md)|Verified Microsoft Entra ID domains for which Microsoft Entra validates that federated account's root domain matches with mapped Microsoft Entra account's root domain. Required.| + + + +## Response + +If successful, this method returns a `200 OK` response code and an updated [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object in the response body. + +## Examples + +### Request +The following is an example of a request. 
+ +``` http +PATCH https://graph.microsoft.com/beta/policies/federatedTokenValidationPolicy +Content-Type: application/json + +{ + "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", + "deletedDateTime": "String (timestamp)", + "validatingDomains": { + "@odata.type": "microsoft.graph.validatingDomains" + } +} +``` + + +### Response +The following is an example of the response +>**Note:** The response object shown here might be shortened for readability. + +``` http +HTTP/1.1 200 OK +Content-Type: application/json + +{ + "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", + "id": "932b8f7f-68c1-6fe5-59ab-56e1ff752f30", + "deletedDateTime": "String (timestamp)", + "validatingDomains": { + "@odata.type": "microsoft.graph.validatingDomains" + } +} +``` + diff --git a/api-reference/beta/api/policyroot-delete-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-delete-federatedtokenvalidationpolicy.md new file mode 100644 index 00000000000..1581f4f69ce --- /dev/null +++ b/api-reference/beta/api/policyroot-delete-federatedtokenvalidationpolicy.md 
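Review bot: The PATCH request example in this hunk sends `deletedDateTime`, which the resource page in this PR describes as the deletion timestamp inherited from directoryObject (always `null` until the object is deleted), not a caller-settable property; drop it from the request body. The example's `"validatingDomains": { "@odata.type": "microsoft.graph.validatingDomains" }` also shows neither `rootDomains` nor `domainNames`, which are the values an administrator actually changes, and the resource page calls `validatingDomains` abstract, so the example should use one of the derived types (`allDomains` or `enumeratedDomains`) with its properties filled in. Finally, the Request body table gives the type as `Microsoft.DirectoryServices.validatingDomains` while the HTTP example uses `microsoft.graph.validatingDomains`; align the namespace.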
@@ -0,0 +1,74 @@ +--- +title: "Delete federatedTokenValidationPolicy" +description: "Delete a federatedTokenValidationPolicy object." +author: "rahul-nagraj" +ms.localizationpriority: medium +ms.prod: "identity-and-sign-in" +doc_type: apiPageType +--- + +# Delete federatedTokenValidationPolicy +Namespace: microsoft.graph + +[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] + +Delete a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). + + +[!INCLUDE [permissions-table](../includes/permissions/policyroot-delete-federatedtokenvalidationpolicy-permissions.md)] + +## HTTP request + + +``` http +DELETE /policies/federatedTokenValidationPolicy/$ref +``` + +## Request headers +|Name|Description| +|:---|:---| +|Authorization|Bearer {token}. Required.| + +## Request body +Do not supply a request body for this method. + +## Response + +If successful, this method returns a `204 No Content` response code. + +## Examples + +### Request +The following is an example of a request. + +``` http +DELETE https://graph.microsoft.com/beta/policies/federatedTokenValidationPolicy +``` + + +### Response +The following is an example of the response +>**Note:** The response object shown here might be shortened for readability. + +``` http +HTTP/1.1 204 No Content +``` + diff --git a/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md new file mode 100644 index 00000000000..6431c507c9e --- /dev/null +++ b/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md 
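Review bot: The HTTP request template in this hunk is `DELETE /policies/federatedTokenValidationPolicy/$ref`, but the example request below it is `DELETE https://graph.microsoft.com/beta/policies/federatedTokenValidationPolicy` without `$ref`; the two must agree. `$ref` addresses a navigation reference rather than the object, and this page says it deletes the policy object itself, so the template should drop `/$ref`. Also, the "Note: The response object shown here might be shortened for readability" line is template boilerplate that does not apply to a bodiless `204 No Content` response and can be removed.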
@@ -0,0 +1,107 @@ +--- +title: "List federatedTokenValidationPolicies" +description: "Get a list of the federatedTokenValidationPolicy objects and their properties." +author: "rahul-nagraj" +ms.localizationpriority: medium +ms.prod: "identity-and-sign-in" +doc_type: apiPageType +--- + +# List federatedTokenValidationPolicies +Namespace: microsoft.graph + +[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] + +Get a list of the [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) objects and their properties. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). + + +[!INCLUDE [permissions-table](../includes/permissions/policyroot-list-federatedtokenvalidationpolicy-permissions.md)] +# List federatedTokenValidationPolicies +Namespace: microsoft.graph + +[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] + +Get a list of the [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) objects and their properties. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). + + +[!INCLUDE [permissions-table](../includes/permissions/policyroot-list-federatedtokenvalidationpolicy-permissions.md)] + +## HTTP request + + +``` http +GET ** Collection URI for Microsoft.DirectoryServices.federatedTokenValidationPolicy not found +``` + +## Optional query parameters +This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters). + +## Request headers +|Name|Description| +|:---|:---| +|Authorization|Bearer {token}. Required.| + +## Request body +Do not supply a request body for this method. 
+ +## Response + +If successful, this method returns a `200 OK` response code and a collection of [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) objects in the response body. + +## Examples + +### Request +The following is an example of a request. + +``` http +GET https://graph.microsoft.com/beta** Collection URI for Microsoft.DirectoryServices.federatedTokenValidationPolicy not found +``` + +### Response +The following is an example of the response +>**Note:** The response object shown here might be shortened for readability. + +``` http +HTTP/1.1 200 OK +Content-Type: application/json + +{ + "value": [ + { + "@odata.type": "#Microsoft.DirectoryServices.federatedTokenValidationPolicy", + "id": "932b8f7f-68c1-6fe5-59ab-56e1ff752f30", + "deletedDateTime": "String (timestamp)", + "validatingDomains": { + "@odata.type": "microsoft.graph.validatingDomains" + } + } + ] +} +``` + diff --git a/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md new file mode 100644 index 00000000000..449e62090e2 --- /dev/null +++ b/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md 
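Review bot: The block from `# List federatedTokenValidationPolicies` through the permissions INCLUDE appears twice in this hunk (the second copy starts immediately after the first `[!INCLUDE [permissions-table] ...]` line); delete one copy. The HTTP request template and the example request both contain generator placeholder text, `GET ** Collection URI for Microsoft.DirectoryServices.federatedTokenValidationPolicy not found`, instead of a URL. Every other page in this PR addresses the policy as the singleton `/policies/federatedTokenValidationPolicy`, so it is not clear that a list endpoint exists at all; if it does not, this page should be dropped from the PR rather than published with the placeholder, and if it does, the real collection path needs to replace the placeholder in both places.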
@@ -0,0 +1,98 @@ +--- +title: "Create federatedTokenValidationPolicy" +description: "Create a new federatedTokenValidationPolicy object." +author: "rahul-nagraj" +ms.localizationpriority: medium +ms.prod: "identity-and-sign-in" +doc_type: apiPageType +--- + +# Create federatedTokenValidationPolicy +Namespace: microsoft.graph + +[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] + +Create a new [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). + + +[!INCLUDE [permissions-table](../includes/permissions/policyroot-post-federatedtokenvalidationpolicy-permissions.md)] + +## HTTP request + + +``` http +POST ** Collection URI for Microsoft.DirectoryServices.federatedTokenValidationPolicy not found +``` + +## Request headers +|Name|Description| +|:---|:---| +|Authorization|Bearer {token}. Required.| +|Content-Type|application/json. Required.| + +## Request body +In the request body, supply a JSON representation of the [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. + +You can specify the following properties when creating a **federatedTokenValidationPolicy**. + +|Property|Type|Description| +|:---|:---|:---| +|validatingDomains|[Microsoft.DirectoryServices.validatingDomains](../resources/validatingdomains.md)|Verified Microsoft Entra ID domains for which Microsoft Entra validates that federated account's root domain matches with mapped Microsoft Entra account's root domain. Required.| + +## Response + +If successful, this method returns a `201 Created` response code and a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object in the response body. + +## Examples + +### Request +The following is an example of a request. 
+ +``` http +POST https://graph.microsoft.com/beta** Collection URI for Microsoft.DirectoryServices.federatedTokenValidationPolicy not found +Content-Type: application/json + +{ + "@odata.type": "#Microsoft.DirectoryServices.federatedTokenValidationPolicy", + "validatingDomains": { + "@odata.type": "microsoft.graph.validatingDomains" + } +} +``` + + +### Response +The following is an example of the response +>**Note:** The response object shown here might be shortened for readability. + +``` http +HTTP/1.1 201 Created +Content-Type: application/json + +{ + "@odata.type": "#Microsoft.DirectoryServices.federatedTokenValidationPolicy", + "id": "932b8f7f-68c1-6fe5-59ab-56e1ff752f30", + "validatingDomains": { + "@odata.type": "microsoft.graph.validatingDomains" + } +} +``` diff --git a/api-reference/beta/resources/federatedtokenvalidationpolicy.md b/api-reference/beta/resources/federatedtokenvalidationpolicy.md index d8b58af1072..2f57ed11564 100644 --- a/api-reference/beta/resources/federatedtokenvalidationpolicy.md +++ b/api-reference/beta/resources/federatedtokenvalidationpolicy.md 
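Review bot: Both the HTTP request template and the example request in this hunk contain the generator placeholder `POST https://graph.microsoft.com/beta** Collection URI for Microsoft.DirectoryServices.federatedTokenValidationPolicy not found` instead of a URL; the POST page deleted earlier in this same patch used `POST /policies/federatedTokenValidationPolicy`, which is the path to restore here. The request body table's type column (`Microsoft.DirectoryServices.validatingDomains`) and the examples' `@odata.type` (`#Microsoft.DirectoryServices.federatedTokenValidationPolicy`) also use a different namespace from the page's own `Namespace: microsoft.graph` line and from the Update page's examples; the request example likewise shows an abstract `validatingDomains` with no `rootDomains` or `domainNames`, so a caller cannot tell from it what to send.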
@@ -7,76 +7,59 @@ ms.prod: "identity-and-sign-in" doc_type: resourcePageType --- -# federatedTokenValidationPolicy resource type (Preview) +# federatedTokenValidationPolicy resource type Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] +Represents a policy to control enabling or disabling validation of federation authentication tokens, thereby matching an on-premises federated account and a mapped Microsoft Entra ID account's root domain. When enabled, Microsoft Entra ID rejects an authentication request if the on-premises federated account and the mapped Microsoft Entra ID account's root domain don't match. Represents a policy to control enabling/disabling federation token auth validation - matching on-premises federated account and mapped Microsoft Entra ID account's root domains. When enabled Microsoft Entra ID rejects auth request if on-premises federated account and mapped Microsoft Entra ID account's root domains don't match. -## Scenarios - -### Reject auth request if on-premises federated account and mapped Microsoft Entra ID account's root domains don't match - -This new policy allows the admin to control the federated token validation behavior. When enabled Microsoft Entra ID rejects auth request if on-premises federated account and mapped Microsoft Entra ID account's root domains don't match. - -The APIs allows administrators to: - -1. Update the user verified root domains in Microsoft Entra ID for which the new token validation is applied. -2. Get the user verified domains in Microsoft Entra ID for which the new validation is enabled. - -#### Properties - -| Property | Type | Description | Key | Required | ReadOnly | -| :-- | :-- | :-- | :-- | :-- | :-- | -| `validatingDomains` | `microsoft.graph.validatingDomains` | Verified Microsoft Entra ID domains for which Microsoft Entra ID validates that federated account's root domain matches with mapped Microsoft Entra ID account's root domain. 
| Yes | Yes | No | - -## New complex types - -### validatingDomains - -An abstract complex type that defines verified root domains for which Microsoft Entra ID validates whether federated account's root domain matches with mapped Microsoft Entra ID account's root domain. - -#### Sub-Properties - -| Property | Type | Description | Required | ReadOnly | -| :-- | :-- | :-- | :-- | :-- | -| `rootDomains` | `graph.rootDomains` | Defines whether the validation applies to 'all','all federated','all managed','enumerated','all managed+enumerated' or 'no' domains. | Yes | No | - -### allDomains - -A derived complex type, which defines that Microsoft Entra ID performs validation for all root domains if root domain is 'all' or for all managed if root domain is 'allManaged' or for all Federated if root domain is 'allFederated' or for none if root domain is 'none'. -When enabled, Microsoft Entra ID validates whether federated account's root domain matches with mapped Microsoft Entra ID account's root domain. - -### enumeratedDomains - -A derived complex type, which defines that Microsoft Entra ID performs validation for all specified Azure AD domains if root domain is 'enumerated' or for all managed and specified Azure AD domains if root domain is 'allManagedAndEnumeratedFederated'. -When enabled, Microsoft Entra ID validates whether federated account's root domain matches with mapped Microsoft Entra ID account's root domain. - -#### Sub-Properties - -| Property | Type | Description | Required | ReadOnly | -| :-- | :-- | :-- | :-- | :-- | -| `domainNames` | `Collection(Edm.String)` | List of federated and/or managed root domains for which Microsoft Entra ID performs the validation. | Yes | No | - -## Error conditions and messages - -| Scenario | Method | Code | Message | -| :-- | :-- | :-- | :-- | -| User or application does not have the appropriate permission scope. | All | 403 | Your account doesn't have access to this data. Contact your Global Administrator to request access. 
| -| User or application provides invalid user root domains as the input. | PUT | 204/201 | You can only assign this policy to verified root domains. The list you provided contains one or more invalid domains. | - -## JSON Representation - -JSON representation of the resource: - -```json +Inherits from [directoryObject](../resources/directoryobject.md). + +## Methods + +|Method|Return type|Description| +|:---|:---|:---| +|[List federatedTokenValidationPolicies](../api/policyroot-list-federatedtokenvalidationpolicy.md)|[federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) collection|Get a list of the [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) objects and their properties.| +|[Create federatedTokenValidationPolicy](../api/policyroot-post-federatedtokenvalidationpolicy.md)|[federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md)|Create a new [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| +|[Get federatedTokenValidationPolicy](../api/federatedtokenvalidationpolicy-get.md)|[federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md)|Read the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| +|[Update federatedTokenValidationPolicy](../api/federatedtokenvalidationpolicy-update.md)|[federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md)|Update the properties of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| +|[Delete federatedTokenValidationPolicy](../api/policyroot-delete-federatedtokenvalidationpolicy.md)|None|Delete a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| +|[checkMemberGroups](../api/federatedtokenvalidationpolicy-checkmembergroups.md)|String collection|Check for membership in a specified list of groups, and return from that 
list those groups of which the specified user, group, service principal, organizational contact, or directory object is a member. The check is transitive.| +|[checkMemberObjects](../api/federatedtokenvalidationpolicy-checkmemberobjects.md)|String collection|Check for membership in a list of group, administrative units, or directory roles for the specified user, group, device, organizational contact, or directory object. This method is transitive.| +|[getMemberGroups](../api/federatedtokenvalidationpolicy-getmembergroups.md)|String collection|Return all groups that the user, group, service principal, organizational contact, device, or directory object is a member of. The check is transitive.| +|[getMemberObjects](../api/federatedtokenvalidationpolicy-getmemberobjects.md)|String collection|Return all groups, administrative units, and directory roles that the user, group, device, organizational contact, or directory object is a member of. The check is transitive.| +|[restore](../api/federatedtokenvalidationpolicy-restore.md)|[directoryObject](../resources/directoryobject.md)|**TODO: Add Description**| + +## Properties +|Property|Type|Description| +|:---|:---|:---| +|deletedDateTime|DateTimeOffset|Date and time when this object was deleted. Always `null` when the object hasn't been deleted. Inherited from [directoryObject](../resources/directoryobject.md).| +|id|String|The unique identifier for the object. For example, 12345678-9abc-def0-1234-56789abcde. The value of the **id** property is often but not exclusively in the form of a GUID; treat it as an opaque identifier and do not rely on it being a GUID. Key. Not nullable. Read-only. Inherited from [directoryObject](../resources/directoryobject.md).| +|validatingDomains|[validatingDomains](../resources/validatingdomains.md)|Verified Microsoft Entra ID domains for which Microsoft Entra validates that federated account's root domain matches with mapped Microsoft Entra account's root domain.| + +## Relationships +None. 
+ +## JSON representation +The following is a JSON representation of the resource. + +``` json { -"validatingDomains": { - "@odata.type":"String", - "rootDomains": "String", - "domainNames": ["String"] + "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", + "id": "String (identifier)", + "deletedDateTime": "String (timestamp)", + "validatingDomains": { + "@odata.type": "microsoft.graph.validatingDomains" } } ``` From 92b532d747f0d1d9dc33c82f83c4ff4e47450bf6 Mon Sep 17 00:00:00 2001 From: joespinozac <117751648+joespinozac@users.noreply.github.com> Date: Fri, 5 Jan 2024 17:01:27 -0600 Subject: [PATCH 14/76] Update App Registration details for Scope selection --- concepts/app-registration.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/concepts/app-registration.md b/concepts/app-registration.md index 221ac63e520..bfec4404240 100644 --- a/concepts/app-registration.md +++ b/concepts/app-registration.md 
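Review bot: the `restore` row in the new Methods table of federatedtokenvalidationpolicy.md still carries the placeholder `**TODO: Add Description**`, and the four membership rows above it (`checkMemberGroups`, `checkMemberObjects`, `getMemberGroups`, `getMemberObjects`) describe group and directory-role membership of users, devices and contacts, which has no meaning for a token validation policy; either write the description or, more likely, drop all five rows as directoryObject boilerplate from the generator. Also, the new JSON representation shows `validatingDomains` with only `"@odata.type": "microsoft.graph.validatingDomains"`, while the text removed in this same diff describes validatingDomains as an abstract type with derived types `allDomains` and `enumeratedDomains` carrying `rootDomains` and `domainNames`; the example should name a concrete derived type and show those properties, otherwise a reader cannot tell how to enable validation for a chosen set of domains.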
@@ -79,10 +79,20 @@ If you select SQL for **Storage Account**, the **Uri** project detail field is d After you complete the **Registration Info** page, specify the datasets that the app registration needs to query. This step is crucial for authorization. Only the datasets that you select are transferred for administrator authorization. For details about datasets, see [Datasets, regions, and sinks](./data-connect-datasets.md). -The wizard shows a table that allows the entry of multiple datasets, the selection of columns in the datasets, and more details if applicable, such as scope and scope options. For details about scopes, see [User selection and filtering capabilities in Microsoft Graph Data Connect](./data-connect-filtering.md). You can select each dataset that the app will request for authorization, and all or several columns from the dataset, depending on the level of granularity and privacy required. +The wizard shows a table that allows the entry of multiple datasets, the selection of columns in the datasets, and more details if applicable, such as scope and scope options. You can select each dataset that the app will request for authorization, and all or several columns from the dataset, depending on the level of granularity and privacy required. ![Screenshot showing the Datasets column selected while running the Data Connect app registration wizard.](images/app-registration-create-datasets.png) +##### Scope Selection + +There are three ways to configure the scope for each dataset: + +1. **All information**: This is the default option. By leaving the field blank, all of the dataset's scope will be registered. +2. **Select users or groups within the organization**: Enter the object Ids of the users or groups separated by commas. Learn more about (Entra Groups)[https://learn.microsoft.com/en-us/entra/fundamentals/groups-view-azure-portal] +3. 
**Specific predicates**: Follow the filtering mechanism as for Microsoft Graph APIs to specify a scope within a column of the dataset. [Learn more](./data-connect-filtering.md#user-selection). + +For details about scopes, see [User selection and filtering capabilities in Microsoft Graph Data Connect](./data-connect-filtering.md). + When you're finished, choose **Next : Review + create**. > [!IMPORTANT] From 21123ef4fb02e3859cb921256c39c3a0afee06f3 Mon Sep 17 00:00:00 2001 From: Jarbas Horst Date: Thu, 11 Jan 2024 05:55:36 +0100 Subject: [PATCH 15/76] Update app-registration.md Edit. --- concepts/app-registration.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/concepts/app-registration.md b/concepts/app-registration.md index bfec4404240..03076aff0e6 100644 --- a/concepts/app-registration.md +++ b/concepts/app-registration.md @@ -1,6 +1,6 @@ --- title: "Microsoft Graph Data Connect app registration" -description: "Learn how to register your Microsoft Graph Data Connect app" +description: "Learn how to register your Microsoft Graph Data Connect app." author: "michaelvenables" ms.localizationpriority: high ms.custom: scenarios:getting-started 
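Review bot: the link in the second item of the new Scope Selection list is written with the parts reversed, `(Entra Groups)[https://learn.microsoft.com/...]`, which Markdown renders as literal text followed by a bracketed URL; it should be `[Entra Groups](https://learn.microsoft.com/en-us/entra/fundamentals/groups-view-azure-portal)`, and a site-relative `/entra/...` path would match the other links on the page. While there, `object Ids` should read `object IDs`, and the item should say whether the IDs entered are validated against the tenant when the registration is saved, since this field determines whose data the registration asks to have authorized.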
@@ -17,7 +17,7 @@ In the [Azure portal](https://aka.ms/mgdcinazure) experience, developers and ten ### Landing page > [!IMPORTANT] -> If Microsoft Graph Data Connect hasn't been enabled by your admin, the portal experience is disabled. For details about how global administrators can enable Data Connect, see [Enable Microsoft Graph Data Connect in your Microsoft 365 tenant](https://github.com/microsoftgraph/microsoft-graph-docs/blob/45b4b22b5db4a87be256b59130e74bf49c2e7fd1/includes/data-connect-quickstart-02.md?plain=1#L45) +> If Microsoft Graph Data Connect hasn't been enabled by your admin, the portal experience is disabled. For more information about how global administrators can enable Data Connect, see [Enable Microsoft Graph Data Connect in your Microsoft 365 tenant](https://github.com/microsoftgraph/microsoft-graph-docs/blob/45b4b22b5db4a87be256b59130e74bf49c2e7fd1/includes/data-connect-quickstart-02.md?plain=1#L45) The first screen of the Azure portal experience prompts you to register your first app with Data Connect, or load existing registrations into a summary table view. 
@@ -55,7 +55,7 @@ Then specify the project details—a process that's similar to creating a resour - **Resource Group** (required) - Select the group location for the data storage. - **Destination Type** - Select the type of storage from Azure Storage Account or Azure SQL Database Server. - >**Note:** If you select SQL Database Server, the app will only support `Mapping Data Flows` types. For details, see [Mapping Data Flows in Azure Data Factory](/azure/data-factory/concepts-data-flow-overview). + >**Note:** If you select SQL Database Server, the app only supports `Mapping Data Flows` types. For more information, see [Mapping Data Flows in Azure Data Factory](/azure/data-factory/concepts-data-flow-overview). - **Storage Account** (required) - Select the storage account where the data to provision with Data Connect will be located, or create a new Azure Storage Account. - **Storage Account Uri** (required) - From the storage account you selected, select the URI to use (Distributed File System (DFS) or blob). 
@@ -77,21 +77,21 @@ If you select SQL for **Storage Account**, the **Uri** project detail field is d #### Datasets -After you complete the **Registration Info** page, specify the datasets that the app registration needs to query. This step is crucial for authorization. Only the datasets that you select are transferred for administrator authorization. For details about datasets, see [Datasets, regions, and sinks](./data-connect-datasets.md). +After you complete the **Registration Info** page, specify the datasets that the app registration needs to query. This step is crucial for authorization. Only the datasets that you select are transferred for administrator authorization. For more information about datasets, see [Datasets, regions, and sinks](./data-connect-datasets.md). The wizard shows a table that allows the entry of multiple datasets, the selection of columns in the datasets, and more details if applicable, such as scope and scope options. You can select each dataset that the app will request for authorization, and all or several columns from the dataset, depending on the level of granularity and privacy required. -![Screenshot showing the Datasets column selected while running the Data Connect app registration wizard.](images/app-registration-create-datasets.png) +![Screenshot that shows the Datasets column selected while running the Data Connect app registration wizard.](images/app-registration-create-datasets.png) -##### Scope Selection +##### Scope selection -There are three ways to configure the scope for each dataset: +You can configure the scope for each dataset in three ways: -1. **All information**: This is the default option. By leaving the field blank, all of the dataset's scope will be registered. -2. **Select users or groups within the organization**: Enter the object Ids of the users or groups separated by commas. Learn more about (Entra Groups)[https://learn.microsoft.com/en-us/entra/fundamentals/groups-view-azure-portal] -3. 
**Specific predicates**: Follow the filtering mechanism as for Microsoft Graph APIs to specify a scope within a column of the dataset. [Learn more](./data-connect-filtering.md#user-selection). +- **All information**: The default option. By leaving the field blank, the entire scope of the dataset is registered. +- **Select users or groups within the organization**: Enter the object IDs of the users or groups separated by commas. Learn more about [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal). +- **Specific predicates**: Use the filtering mechanism similar to that of Microsoft Graph APIs to specify a scope within a column of the dataset. Learn more about [user selection](./data-connect-filtering.md#user-selection). -For details about scopes, see [User selection and filtering capabilities in Microsoft Graph Data Connect](./data-connect-filtering.md). +For more information about scopes, see [User selection and filtering capabilities in Microsoft Graph Data Connect](./data-connect-filtering.md). When you're finished, choose **Next : Review + create**. From bb6b3651e202cb6b9c13afeb620130906a8c33cc Mon Sep 17 00:00:00 2001 From: Jarbas Horst Date: Thu, 11 Jan 2024 05:57:26 +0100 Subject: [PATCH 16/76] Update app-registration.md Edit. --- concepts/app-registration.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/concepts/app-registration.md b/concepts/app-registration.md index 03076aff0e6..95bf8c87aa5 100644 --- a/concepts/app-registration.md +++ b/concepts/app-registration.md 
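Review bot: the IMPORTANT callout rewritten in the `@@ -17,7 +17,7 @@` hunk still sends readers to a raw GitHub blob at a pinned commit (`.../blob/45b4b22b.../includes/data-connect-quickstart-02.md?plain=1#L45`) for the instructions on enabling Data Connect; that target is an include file rather than a published page, and the pinned commit will drift from the live content. Point the link at the published page that describes the global-administrator step instead.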
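Review bot: in the `@@ -77,21 +77,21 @@` hunk the rewritten **Specific predicates** bullet reads `Use the filtering mechanism similar to that of Microsoft Graph APIs`, which needs an article (`a filtering mechanism similar to`) or, better, a concrete statement of what the field accepts (a column of the dataset and a predicate on it, as the linked user-selection page covers). The numbered-to-bulleted change and the corrected `[Microsoft Entra groups](/entra/...)` link are fine.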
@@ -45,19 +45,19 @@ The Registration Info page outlines standard requirements for app registrations. - **Application ID** (required) - Select from Microsoft Entra apps in the tenant, or create a new one. - **Description** (required) - Provide details in the text field for app registration such as project goal, unique identifier, and organization project name. - **Publish Type** (required) - Select from multi-tenant or single-tenant fields. -- **Key Vault** (required **only** for multi-tenant app registrations) - Specify the key vault that will enable communication between tenants. +- **Key Vault** (required **only** for multi-tenant app registrations) - Specify the key vault that enables communication between tenants. - **Compute Type** (required) - Select the Azure product offering for this application. -- **Activity Type** (required) - Select the Data Factory/Synapse/Fabric activity that will be used to copy over the data. +- **Activity Type** (required) - Select the Data Factory/Synapse/Fabric activity that is used to copy over the data. Then specify the project details—a process that's similar to creating a resource in Azure. The following are the project detail fields: -- **Subscription** (required) - Select a subscription in the tenant that will be used exclusively to filter the next four sections that relate to data destination configuration. +- **Subscription** (required) - Select a subscription in the tenant that is used exclusively to filter the next four sections that relate to data destination configuration. - **Resource Group** (required) - Select the group location for the data storage. - **Destination Type** - Select the type of storage from Azure Storage Account or Azure SQL Database Server. >**Note:** If you select SQL Database Server, the app only supports `Mapping Data Flows` types. For more information, see [Mapping Data Flows in Azure Data Factory](/azure/data-factory/concepts-data-flow-overview). 
-- **Storage Account** (required) - Select the storage account where the data to provision with Data Connect will be located, or create a new Azure Storage Account. +- **Storage Account** (required) - Select the storage account where the data to provision with Data Connect is located, or create a new Azure Storage Account. - **Storage Account Uri** (required) - From the storage account you selected, select the URI to use (Distributed File System (DFS) or blob). > [!NOTE] @@ -68,7 +68,7 @@ If you select SQL for **Storage Account**, the **Uri** project detail field is d ![Screenshot of the registration page for adding applications on Data Connect, including fields related to the Project Details and Instance Details sections.](images/app-registration-create-registration-info-including-compute-type.png) > [!NOTE] -> If you select Microsoft Fabric as the Compute Type, the app will only support Copy Activity type. +> If you select Microsoft Fabric as the Compute Type, the app only supports Copy Activity type. - **Workspace** (required) - Select the Fabric workspace for your application. For more information, see [Fabric Workspaces](/fabric/get-started/workspaces). - **Lakehouse** (required) - Select the OneLake instance to copy the data into. For more information, see [Fabric OneLake](/fabric/onelake/onelake-overview). 
@@ -79,7 +79,7 @@ If you select SQL for **Storage Account**, the **Uri** project detail field is d After you complete the **Registration Info** page, specify the datasets that the app registration needs to query. This step is crucial for authorization. Only the datasets that you select are transferred for administrator authorization. For more information about datasets, see [Datasets, regions, and sinks](./data-connect-datasets.md). -The wizard shows a table that allows the entry of multiple datasets, the selection of columns in the datasets, and more details if applicable, such as scope and scope options. You can select each dataset that the app will request for authorization, and all or several columns from the dataset, depending on the level of granularity and privacy required. +The wizard shows a table that allows the entry of multiple datasets, the selection of columns in the datasets, and more details if applicable, such as scope and scope options. You can select each dataset that the app requests for authorization, and all or several columns from the dataset, depending on the level of granularity and privacy required. ![Screenshot that shows the Datasets column selected while running the Data Connect app registration wizard.](images/app-registration-create-datasets.png) From 55e2b6d71ff8a22fcdaecef72b8148597ab0dbc1 Mon Sep 17 00:00:00 2001 From: Jarbas Horst Date: Thu, 11 Jan 2024 05:59:10 +0100 Subject: [PATCH 17/76] Update app-registration.md Edit. --- concepts/app-registration.md | 38 ++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/concepts/app-registration.md b/concepts/app-registration.md index 95bf8c87aa5..5fc24dbbd90 100644 --- a/concepts/app-registration.md +++ b/concepts/app-registration.md 
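Review bot: the `will be located` to `is located` change in the **Storage Account** bullet of the first hunk alters the meaning: the storage account is the destination Data Connect writes the provisioned data into, so `is located` reads as if the data already exists there. Suggest `Select the storage account where Data Connect stores the data it provisions, or create a new Azure Storage Account`. The same tense flattening in the **Subscription** bullet (`that is used exclusively to filter the next four sections`) is harmless.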
@@ -25,12 +25,12 @@ The first screen of the Azure portal experience prompts you to register your fir The table includes the following column fields: -- **Name** — The app registration name -- **App ID** — The Microsoft Entra application ID -- **Registered On** — The date the app was registered -- **Developer** — The developer who registered the application -- **Multi-tenant** — Whether the app is multi-tenant or single tenant -- **Last modified** — The most recent date when the application was changed +- **Name**:The app registration name +- **App ID**: The Microsoft Entra application ID +- **Registered On**: The date the app was registered +- **Developer**: The developer who registered the application +- **Multi-tenant**: Whether the app is multi-tenant or single tenant +- **Last modified**: The most recent date when the application was changed At the top of the table, three buttons are enabled by default: **Add**, **Refresh**, and **Delete**. **Add** starts an action for a new app registration. **Refresh** queries existing app registrations in the tenant again, and refreshes the table. **Delete** is only enabled for single selections, and initiates a deletion process. 
@@ -42,23 +42,23 @@ When adding a new app registration with Data Connect, follow the add wizard to c The Registration Info page outlines standard requirements for app registrations. App registration requires you to select entries that affect default behaviors, such as the following fields: -- **Application ID** (required) - Select from Microsoft Entra apps in the tenant, or create a new one. -- **Description** (required) - Provide details in the text field for app registration such as project goal, unique identifier, and organization project name. -- **Publish Type** (required) - Select from multi-tenant or single-tenant fields. -- **Key Vault** (required **only** for multi-tenant app registrations) - Specify the key vault that enables communication between tenants. -- **Compute Type** (required) - Select the Azure product offering for this application. -- **Activity Type** (required) - Select the Data Factory/Synapse/Fabric activity that is used to copy over the data. +- **Application ID** (required): Select from Microsoft Entra apps in the tenant, or create a new one. +- **Description** (required): Provide details in the text field for app registration such as project goal, unique identifier, and organization project name. +- **Publish Type** (required): Select from multi-tenant or single-tenant fields. +- **Key Vault** (required **only** for multi-tenant app registrations): Specify the key vault that enables communication between tenants. +- **Compute Type** (required): Select the Azure product offering for this application. +- **Activity Type** (required): Select the Data Factory/Synapse/Fabric activity that is used to copy over the data. Then specify the project details—a process that's similar to creating a resource in Azure. The following are the project detail fields: -- **Subscription** (required) - Select a subscription in the tenant that is used exclusively to filter the next four sections that relate to data destination configuration. 
-- **Resource Group** (required) - Select the group location for the data storage. -- **Destination Type** - Select the type of storage from Azure Storage Account or Azure SQL Database Server. +- **Subscription** (required): Select a subscription in the tenant that is used exclusively to filter the next four sections that relate to data destination configuration. +- **Resource Group** (required): Select the group location for the data storage. +- **Destination Type**: Select the type of storage from Azure Storage Account or Azure SQL Database Server. >**Note:** If you select SQL Database Server, the app only supports `Mapping Data Flows` types. For more information, see [Mapping Data Flows in Azure Data Factory](/azure/data-factory/concepts-data-flow-overview). -- **Storage Account** (required) - Select the storage account where the data to provision with Data Connect is located, or create a new Azure Storage Account. -- **Storage Account Uri** (required) - From the storage account you selected, select the URI to use (Distributed File System (DFS) or blob). +- **Storage Account** (required): Select the storage account where the data to provision with Data Connect is located, or create a new Azure Storage Account. +- **Storage Account Uri** (required): From the storage account you selected, select the URI to use (Distributed File System (DFS) or blob). > [!NOTE] > The linked service that you create during pipeline setup should align with what you selected in previous steps on the Registration Info page. If you choose DFS, use an Azure Data Lake Storage Gen2 Linked Service, and if you choose blob, use Azure Blob Storage Linked Service. 
@@ -70,8 +70,8 @@ If you select SQL for **Storage Account**, the **Uri** project detail field is d > [!NOTE] > If you select Microsoft Fabric as the Compute Type, the app only supports Copy Activity type. -- **Workspace** (required) - Select the Fabric workspace for your application. For more information, see [Fabric Workspaces](/fabric/get-started/workspaces). -- **Lakehouse** (required) - Select the OneLake instance to copy the data into. For more information, see [Fabric OneLake](/fabric/onelake/onelake-overview). +- **Workspace** (required): Select the Fabric workspace for your application. For more information, see [Fabric Workspaces](/fabric/get-started/workspaces). +- **Lakehouse** (required): Select the OneLake instance to copy the data into. For more information, see [Fabric OneLake](/fabric/onelake/onelake-overview). ![Screenshot of the registration page for adding applications on Data Connect, including fields related to Lakehouse and its workspace.](images/app-registration-create-registration-info-including-lakehouse-workspace.png) From 47a57f716795e9dea4201f3798a79ea3001b2ba8 Mon Sep 17 00:00:00 2001 From: Jarbas Horst Date: Thu, 11 Jan 2024 06:00:24 +0100 Subject: [PATCH 18/76] Update app-registration.md Edit. --- concepts/app-registration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/concepts/app-registration.md b/concepts/app-registration.md index 5fc24dbbd90..a2485ff8775 100644 --- a/concepts/app-registration.md +++ b/concepts/app-registration.md 
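Review bot: the first hunk (`@@ -25,12 +25,12 @@`) introduces a missing space in `- **Name**:The app registration name` while every other item gets `**Label**: text`; it should be `- **Name**: The app registration name`. The rest of the em-dash-to-colon conversion across the file is consistent.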
@@ -87,7 +87,7 @@ The wizard shows a table that allows the entry of multiple datasets, the selecti You can configure the scope for each dataset in three ways: -- **All information**: The default option. By leaving the field blank, the entire scope of the dataset is registered. +- **All information**: The default option. If you leave the field blank, the entire scope of the dataset is registered. - **Select users or groups within the organization**: Enter the object IDs of the users or groups separated by commas. Learn more about [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal). - **Specific predicates**: Use the filtering mechanism similar to that of Microsoft Graph APIs to specify a scope within a column of the dataset. Learn more about [user selection](./data-connect-filtering.md#user-selection). From aaf59fae6a0a427aba386aace70896c2cdf160ac Mon Sep 17 00:00:00 2001 From: Jarbas Horst Date: Thu, 11 Jan 2024 06:06:14 +0100 Subject: [PATCH 19/76] Update app-registration.md Edit. --- concepts/app-registration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/concepts/app-registration.md b/concepts/app-registration.md index a2485ff8775..c03c3a42a87 100644 --- a/concepts/app-registration.md +++ b/concepts/app-registration.md @@ -25,7 +25,7 @@ The first screen of the Azure portal experience prompts you to register your fir The table includes the following column fields: -- **Name**:The app registration name +- **Name**: The app registration name - **App ID**: The Microsoft Entra application ID - **Registered On**: The date the app was registered - **Developer**: The developer who registered the application From f6bab66bdffcef910da368dcde6e35c6178ec262 Mon Sep 17 00:00:00 2001 
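Review bot: in the rewritten **All information** bullet, `the entire scope of the dataset is registered` still leaves unclear what a blank field means for the authorization request. Since the page states that scope selection is what the administrator authorizes and that it sets the level of granularity and privacy, say plainly that leaving the field blank requests the dataset without any user, group or predicate restriction, so the reviewing administrator sees the broadest possible request; that makes the privacy consequence of the default visible to the developer filling in the form.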
From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Tue, 16 Jan 2024 16:20:10 +0000 Subject: [PATCH 20/76] Federated Token Validation Policy Public Preview API update --- .../beta/resources/federatedtokenvalidationpolicy.md | 6 ++++-- api-reference/beta/resources/policy-overview.md | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/api-reference/beta/resources/federatedtokenvalidationpolicy.md b/api-reference/beta/resources/federatedtokenvalidationpolicy.md index 2f57ed11564..c0bff35bf90 100644 --- a/api-reference/beta/resources/federatedtokenvalidationpolicy.md +++ b/api-reference/beta/resources/federatedtokenvalidationpolicy.md @@ -1,6 +1,6 @@ --- title: "federatedTokenValidationPolicy resource type" -description: "Represents a policy to control enabling/disabling federation token auth validation - matching on-premises federated account and mapped Microsoft Entra ID account's root domains." +description: "Represents a policy to control enabling or disabling validation of federation authentication tokens, thereby matching an on-premises federated account and a mapped Microsoft Entra ID account's root domain." author: "rahul-nagraj" ms.localizationpriority: medium ms.prod: "identity-and-sign-in" 
@@ -14,7 +14,6 @@ Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] Represents a policy to control enabling or disabling validation of federation authentication tokens, thereby matching an on-premises federated account and a mapped Microsoft Entra ID account's root domain. When enabled, Microsoft Entra ID rejects an authentication request if the on-premises federated account and the mapped Microsoft Entra ID account's root domain don't match. -Represents a policy to control enabling/disabling federation token auth validation - matching on-premises federated account and mapped Microsoft Entra ID account's root domains. When enabled Microsoft Entra ID rejects auth request if on-premises federated account and mapped Microsoft Entra ID account's root domains don't match. Inherits from [directoryObject](../resources/directoryobject.md). @@ -27,11 +26,14 @@ Inherits from [directoryObject](../resources/directoryobject.md). |[Get federatedTokenValidationPolicy](../api/federatedtokenvalidationpolicy-get.md)|[federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md)|Read the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| |[Update federatedTokenValidationPolicy](../api/federatedtokenvalidationpolicy-update.md)|[federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md)|Update the properties of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| |[Delete federatedTokenValidationPolicy](../api/policyroot-delete-federatedtokenvalidationpolicy.md)|None|Delete a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| + + ## Properties |Property|Type|Description| diff --git a/api-reference/beta/resources/policy-overview.md b/api-reference/beta/resources/policy-overview.md index 533654484b7..6762cbdce37 100644 
--- a/api-reference/beta/resources/policy-overview.md +++ b/api-reference/beta/resources/policy-overview.md 
@@ -26,7 +26,7 @@ Microsoft Entra ID uses policies to control Microsoft Entra feature behaviors in | [authorizationPolicy](authorizationpolicy.md) | Represents a policy that can control authorization settings of Microsoft Entra ID. | Configure Microsoft Entra ID to block MSOL PowerShell in the tenant. | | [claimsMappingPolicies](claimsMappingPolicy.md) | Represents the claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application. | Create and assign a policy to omit the basic claims from tokens issued to a service principal. | | [deviceRegistrationPolicy](deviceregistrationpolicy.md) | Represents the policy scope that controls quota restrictions, additional authentication, and authorization policies to register device identities to your organization. | Limit the number of devices that can be registered to a user in your organization or, specify users or groups that are allowed to register devices using **Microsoft Entra join** or **Microsoft Entra registered**. | -| [federatedTokenValidationPolicy](federatedtokenvalidationpolicy.md) | Represents a policy to control enabling/disabling federation token auth validation - matching on-premises federated account and mapped Entra Id account's root domains. | Configure validation on tenants to check if the domain in the mapped Entra Id account matches the token issuer domain in a token post authentication from the federated IdP. | +| [federatedTokenValidationPolicy](federatedtokenvalidationpolicy.md) | Represents a policy to control enabling or disabling validation of federation authentication tokens - matching an on-premises federated account and a mapped Microsoft Entra ID account's root domain. | Configure validation on tenants to check if the domain in the mapped Entra Id account matches the token issuer domain in a token post authentication from the federated IdP. 
| | [homeRealmDiscoveryPolicies](homeRealmDiscoveryPolicy.md) | Represents a policy to control Microsoft Entra authentication behavior for federated users, in particular for auto-acceleration and user authentication restrictions in federated domains. | Configure all users to skip home realm discovery and be routed directly to ADFS for authentication. | | [tokenLifetimePolicies](tokenlifetimepolicy.md) | Represents the lifetime duration of access tokens used to access protected resources. | Configure a particularly sensitive application with a shorter than default token lifetime. | | [tokenIssuancePolicy](tokenIssuancePolicy.md) | Represents the policy to specify the characteristics of SAML tokens issued by Microsoft Entra ID. | Configure the signing algorithm or SAML token version to be used to issue the SAML token. | From a7b3013f4a88d77099d4573f123d7102d587d07d Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Tue, 16 Jan 2024 16:24:24 +0000 Subject: [PATCH 21/76] Update toc.yml --- api-reference/beta/toc.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/api-reference/beta/toc.yml b/api-reference/beta/toc.yml index 7e64b2da9a4..ef6bcbc7e3f 100644 --- a/api-reference/beta/toc.yml +++ b/api-reference/beta/toc.yml @@ -13768,10 +13768,16 @@ items: items: - name: Federated Token Validation Policy href: resources/federatedtokenvalidationpolicy.md + - name: List + href: api/policyroot-list-federatedtokenvalidationpolicy.md + - name: Create + href: api/policyroot-post-federatedtokenvalidationpolicy.md - name: Get href: api/federatedtokenvalidationpolicy-get.md - - name: Post - href: api/federatedtokenvalidationpolicy-post.md + - name: Update + href: api/federatedtokenvalidationpolicy-update.md + - name: Delete + href: api/policyroot-delete-federatedtokenvalidationpolicy.md - name: Identity provider (deprecated) items: - name: Identity provider type 
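Review bot: In the policy-overview.md row hunk, the `+` line updates the description cell to "Microsoft Entra ID" but the example cell of the same row still reads "mapped Entra Id account"; use "Microsoft Entra ID account" there as well so the row is consistent with itself and with the product name used elsewhere in this series. The bare " - " inside the description cell also reads as a dash in the middle of a sentence; a colon or a full sentence ("...authentication tokens, that is, matching...") is clearer in a table cell.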
From 77bcc9afbe48c8afccf46c6621b00cca716c31b1 Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Tue, 16 Jan 2024 16:55:10 +0000 Subject: [PATCH 22/76] Updates to PR Errors --- ...oot-list-federatedtokenvalidationpolicy.md | 16 -------- ...edtokenvalidationpolicy-get-permissions.md | 5 +++ ...okenvalidationpolicy-update-permissions.md | 5 +++ ...eratedtokenvalidationpolicy-permissions.md | 5 +++ ...eratedtokenvalidationpolicy-permissions.md | 5 +++ ...eratedtokenvalidationpolicy-permissions.md | 6 +++ .../beta/resources/validatingdomains.md | 40 +++++++++++++++++++ 7 files changed, 66 insertions(+), 16 deletions(-) create mode 100644 api-reference/beta/includes/permissions/federatedtokenvalidationpolicy-get-permissions.md create mode 100644 api-reference/beta/includes/permissions/federatedtokenvalidationpolicy-update-permissions.md create mode 100644 api-reference/beta/includes/permissions/policyroot-delete-federatedtokenvalidationpolicy-permissions.md create mode 100644 api-reference/beta/includes/permissions/policyroot-list-federatedtokenvalidationpolicy-permissions.md create mode 100644 api-reference/beta/includes/permissions/policyroot-post-federatedtokenvalidationpolicy-permissions.md create mode 100644 api-reference/beta/resources/validatingdomains.md diff --git a/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md index 6431c507c9e..18deb178f6a 100644 --- a/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md +++ b/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md 
@@ -17,22 +17,6 @@ Get a list of the [federatedTokenValidationPolicy](../resources/federatedtokenva ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). - -[!INCLUDE [permissions-table](../includes/permissions/policyroot-list-federatedtokenvalidationpolicy-permissions.md)] -# List federatedTokenValidationPolicies -Namespace: microsoft.graph - -[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] - -Get a list of the [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) objects and their properties. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). - +``` json +{ + "@odata.type": "#microsoft.graph.validatingDomains", + "rootDomains": "String" +} +``` + From 9e1a3503653b22dad98334a5e6038e7b17f5bb2f Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Tue, 16 Jan 2024 18:13:07 +0000 Subject: [PATCH 23/76] Acrolinx suggestions fixed --- .../policyroot-delete-federatedtokenvalidationpolicy.md | 6 +++--- .../beta/resources/federatedtokenvalidationpolicy.md | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/api-reference/beta/api/policyroot-delete-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-delete-federatedtokenvalidationpolicy.md index 1581f4f69ce..afbac15181b 100644 --- a/api-reference/beta/api/policyroot-delete-federatedtokenvalidationpolicy.md +++ b/api-reference/beta/api/policyroot-delete-federatedtokenvalidationpolicy.md @@ -40,7 +40,7 @@ DELETE /policies/federatedTokenValidationPolicy/$ref |Authorization|Bearer {token}. Required.| ## Request body -Do not supply a request body for this method. +Don't supply a request body for this method. ## Response 
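Review bot: In the policyroot-list-federatedtokenvalidationpolicy.md hunk (`@@ -17,22 +17,6 @@`), removing the duplicated title block also removes `[!INCLUDE [permissions-table](../includes/permissions/policyroot-list-federatedtokenvalidationpolicy-permissions.md)]`, which is the only reference to the include file this same commit creates; keep that line directly under the "One of the following permissions is required..." paragraph and drop only the repeated `# List federatedTokenValidationPolicies` block and its copy of the permissions sentence.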
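Review bot: In the policyroot-delete-federatedtokenvalidationpolicy.md hunk (`@@ -40,7 +40,7 @@`), the request line shown in context is `DELETE /policies/federatedTokenValidationPolicy/$ref`; a `$ref` DELETE removes a navigation reference rather than the object, while the page is described elsewhere in this series as "Delete a federatedTokenValidationPolicy object". Either drop `/$ref` from the path or change the description to match what the call does.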
@@ -49,7 +49,7 @@ If successful, this method returns a `204 No Content` response code. ## Examples ### Request -The following is an example of a request. +This is an example of a request. ``` http @@ -78,7 +78,7 @@ Content-Type: application/json { "value": { - "@odata.type": "#Microsoft.DirectoryServices.federatedTokenValidationPolicy", + "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", "id": "932b8f7f-68c1-6fe5-59ab-56e1ff752f30", "deletedDateTime": "String (timestamp)", "validatingDomains": { diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-update.md b/api-reference/beta/api/federatedtokenvalidationpolicy-update.md index bd26a1b49cf..f1250b8f615 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-update.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-update.md @@ -45,7 +45,7 @@ PATCH /policies/federatedTokenValidationPolicy |Property|Type|Description| |:---|:---|:---| -|validatingDomains|[Microsoft.DirectoryServices.validatingDomains](../resources/validatingdomains.md)|Verified Microsoft Entra ID domains for which Microsoft Entra validates that federated account's root domain matches with mapped Microsoft Entra account's root domain. Required.| +|validatingDomains|[microsoft.graph.validatingDomains](../resources/validatingdomains.md)|Verified Microsoft Entra ID domains for which Microsoft Entra validates that federated account's root domain matches with mapped Microsoft Entra account's root domain. Required.| @@ -81,7 +81,8 @@ The following is an example of the response >**Note:** The response object shown here might be shortened for readability. ``` http diff --git a/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md index 18deb178f6a..ca8a44322f7 100644 --- a/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md 
+++ b/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md @@ -31,7 +31,7 @@ One of the following permissions is required to call this API. To learn more, in } --> ``` http -GET ** Collection URI for Microsoft.DirectoryServices.federatedTokenValidationPolicy not found +GET ** Collection URI for microsoft.graph.federatedTokenValidationPolicy not found ``` ## Optional query parameters @@ -59,7 +59,7 @@ The following is an example of a request. } --> ``` http -GET https://graph.microsoft.com/beta** Collection URI for Microsoft.DirectoryServices.federatedTokenValidationPolicy not found +GET https://graph.microsoft.com/beta** Collection URI for microsoft.graph.federatedTokenValidationPolicy not found ``` ### Response @@ -68,7 +68,7 @@ The following is an example of the response ``` http @@ -78,7 +78,7 @@ Content-Type: application/json { "value": [ { - "@odata.type": "#Microsoft.DirectoryServices.federatedTokenValidationPolicy", + "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", "id": "932b8f7f-68c1-6fe5-59ab-56e1ff752f30", "deletedDateTime": "String (timestamp)", "validatingDomains": { diff --git a/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md index 449e62090e2..9a9ff9311d9 100644 --- a/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md +++ b/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md @@ -31,7 +31,7 @@ One of the following permissions is required to call this API. To learn more, in } --> ``` http -POST ** Collection URI for Microsoft.DirectoryServices.federatedTokenValidationPolicy not found +POST ** Collection URI for microsoft.graph.federatedTokenValidationPolicy not found ``` ## Request headers 
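Review bot: In the policyroot-delete-federatedtokenvalidationpolicy.md hunk (`@@ -78,7 +78,7 @@`), the `@odata.type` fix is fine, but the surrounding context shows a JSON response body (`"value": { ... "id": "932b8f7f-..."`) on a page whose Response section says the method returns `204 No Content`; a 204 carries no body, so the response example should be the status line only.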
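Review bot: In the same file's `@@ -49,7 +49,7 @@` hunk, "This is an example of a request." is later replaced in this series by "The following example shows a request."; use that wording here so the Acrolinx pass doesn't introduce a third variant of the sentence.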
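Review bot: In the policyroot-list-federatedtokenvalidationpolicy.md hunks (`@@ -31,7 +31,7 @@` and `@@ -59,7 +59,7 @@`), the `+` lines only change the namespace inside the generator placeholder `** Collection URI for ... not found`, so the page still publishes no request URL; replace the placeholder with the real path (a later commit settles on `GET /policies/federatedTokenValidationPolicy` and `GET https://graph.microsoft.com/beta/policies/federatedTokenValidationPolicy`). The `POST ** Collection URI ...` lines in the policyroot-post hunks need the same treatment.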
@@ -47,7 +47,7 @@ You can specify the following properties when creating a **federatedTokenValidat |Property|Type|Description| |:---|:---|:---| -|validatingDomains|[Microsoft.DirectoryServices.validatingDomains](../resources/validatingdomains.md)|Verified Microsoft Entra ID domains for which Microsoft Entra validates that federated account's root domain matches with mapped Microsoft Entra account's root domain. Required.| +|validatingDomains|[microsoft.graph.validatingDomains](../resources/validatingdomains.md)|Verified Microsoft Entra ID domains for which Microsoft Entra validates that federated account's root domain matches with mapped Microsoft Entra account's root domain. Required.| ## Response @@ -63,11 +63,11 @@ The following is an example of a request. } --> ``` http -POST https://graph.microsoft.com/beta** Collection URI for Microsoft.DirectoryServices.federatedTokenValidationPolicy not found +POST https://graph.microsoft.com/beta** Collection URI for microsoft.graph.federatedTokenValidationPolicy not found Content-Type: application/json { - "@odata.type": "#Microsoft.DirectoryServices.federatedTokenValidationPolicy", + "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", "validatingDomains": { "@odata.type": "microsoft.graph.validatingDomains" } @@ -81,7 +81,7 @@ The following is an example of the response ``` http @@ -89,7 +89,7 @@ HTTP/1.1 201 Created Content-Type: application/json { - "@odata.type": "#Microsoft.DirectoryServices.federatedTokenValidationPolicy", + "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", "id": "932b8f7f-68c1-6fe5-59ab-56e1ff752f30", "validatingDomains": { "@odata.type": "microsoft.graph.validatingDomains" diff --git a/api-reference/beta/resources/federatedtokenvalidationpolicy.md b/api-reference/beta/resources/federatedtokenvalidationpolicy.md index 41db9105b05..f519a274ac9 100644 --- a/api-reference/beta/resources/federatedtokenvalidationpolicy.md 
+++ b/api-reference/beta/resources/federatedtokenvalidationpolicy.md @@ -51,7 +51,7 @@ This is a JSON representation of the resource. "blockType": "resource", "keyProperty": "id", "@odata.type": "microsoft.graph.federatedTokenValidationPolicy", - "baseType": "Microsoft.DirectoryServices.directoryObject", + "baseType": "microsoft.graph.directoryObject", "openType": false } --> From 88f40ba4fd9ea2cec7aa3cc24be66435d280006d Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Fri, 2 Feb 2024 17:38:39 +0000 Subject: [PATCH 28/76] Changelogs updated --- changelog/Microsoft.DirectoryServices.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/changelog/Microsoft.DirectoryServices.json b/changelog/Microsoft.DirectoryServices.json index 20f67a13106..74ac382034f 100644 --- a/changelog/Microsoft.DirectoryServices.json +++ b/changelog/Microsoft.DirectoryServices.json @@ -8967,7 +8967,7 @@ { "ChangeList": [ { - "Id": "2803ca0f-2e02-4a42-9a4b-859ea3760c8f", + "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", "ApiChange": "Resource", "ChangedApiName": "federatedTokenValidationPolicy", "ChangeType": "Addition", @@ -8975,7 +8975,7 @@ "Target": "federatedTokenValidationPolicy" }, { - "Id": "2803ca0f-2e02-4a42-9a4b-859ea3760c8f", + "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", "ApiChange": "Property", "ChangedApiName": "validatingDomains", "ChangeType": "Addition", @@ -8983,7 +8983,7 @@ "Target": "federatedTokenValidationPolicy" }, { - "Id": "2803ca0f-2e02-4a42-9a4b-859ea3760c8f", + "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", "ApiChange": "Method", "ChangedApiName": "LIST", "ChangeType": "Addition", @@ -8991,7 +8991,7 @@ "Target": "federatedTokenValidationPolicy" }, { - "Id": "2803ca0f-2e02-4a42-9a4b-859ea3760c8f", + "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", "ApiChange": "Method", "ChangedApiName": "CREATE", "ChangeType": "Addition", 
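Review bot: In the policyroot-post-federatedtokenvalidationpolicy.md hunk (`@@ -63,11 +63,11 @@`), the request example sets `"validatingDomains": { "@odata.type": "microsoft.graph.validatingDomains" }` with no `rootDomains`, yet the property table in the preceding hunk marks `validatingDomains` as Required and validatingDomains is documented in this series as an abstract type; the example cannot succeed as written. Use a concrete derived type, include `rootDomains`, and prefix the nested `@odata.type` with `#` as the top-level one already is. The `201 Created` response example in the `@@ -89,7 +89,7 @@` hunk has the same shape and needs the same fix.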
@@ -8999,7 +8999,7 @@ "Target": "federatedTokenValidationPolicy" }, { - "Id": "2803ca0f-2e02-4a42-9a4b-859ea3760c8f", + "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", "ApiChange": "Method", "ChangedApiName": "GET", "ChangeType": "Addition", @@ -9007,7 +9007,7 @@ "Target": "federatedTokenValidationPolicy" }, { - "Id": "2803ca0f-2e02-4a42-9a4b-859ea3760c8f", + "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", "ApiChange": "Method", "ChangedApiName": "UPDATE", "ChangeType": "Addition", @@ -9015,7 +9015,7 @@ "Target": "federatedTokenValidationPolicy" }, { - "Id": "2803ca0f-2e02-4a42-9a4b-859ea3760c8f", + "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", "ApiChange": "Method", "ChangedApiName": "DELETE", "ChangeType": "Addition", @@ -9023,7 +9023,7 @@ "Target": "federatedTokenValidationPolicy" } ], - "Id": "2803ca0f-2e02-4a42-9a4b-859ea3760c8f", + "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", "Cloud": "Prod", "Version": "beta", "CreatedDateTime": "2024-01-02T23:45:05.2808371Z", From c796cdd0f4f71b512e4be708f79f49bef2a18f45 Mon Sep 17 00:00:00 2001 From: Faith Moraa Ombongi Date: Thu, 8 Feb 2024 12:33:28 +0300 Subject: [PATCH 29/76] Fixes --- .../api/federatedtokenvalidationpolicy-get.md | 10 ++--- .../federatedtokenvalidationpolicy-update.md | 6 +-- ...t-delete-federatedtokenvalidationpolicy.md | 7 ++-- ...oot-list-federatedtokenvalidationpolicy.md | 10 ++--- ...oot-post-federatedtokenvalidationpolicy.md | 8 ++-- .../federatedtokenvalidationpolicy.md | 4 +- .../beta/resources/validatingdomains.md | 2 +- changelog/Microsoft.DirectoryServices.json | 40 ------------------- 8 files changed, 23 insertions(+), 64 deletions(-) diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md index 9e9c31d547a..7e5072e14d7 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-get.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-get.md 
@@ -15,7 +15,7 @@ Namespace: microsoft.graph Read the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). +Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference). ``` http diff --git a/api-reference/beta/api/federatedtokenvalidationpolicy-update.md b/api-reference/beta/api/federatedtokenvalidationpolicy-update.md index bd26a1b49cf..6c8bbf6ee4d 100644 --- a/api-reference/beta/api/federatedtokenvalidationpolicy-update.md +++ b/api-reference/beta/api/federatedtokenvalidationpolicy-update.md @@ -15,7 +15,7 @@ Namespace: microsoft.graph Update the properties of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). +Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference). ``` http 
diff --git a/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md index 449e62090e2..b3f19678309 100644 --- a/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md +++ b/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md @@ -15,7 +15,7 @@ Namespace: microsoft.graph Create a new [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). +Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference). ``` http diff --git a/api-reference/beta/resources/federatedtokenvalidationpolicy.md b/api-reference/beta/resources/federatedtokenvalidationpolicy.md index 41db9105b05..7a27f1d022f 100644 --- a/api-reference/beta/resources/federatedtokenvalidationpolicy.md +++ b/api-reference/beta/resources/federatedtokenvalidationpolicy.md @@ -46,12 +46,12 @@ Inherits from [directoryObject](../resources/directoryobject.md). None. ## JSON representation -This is a JSON representation of the resource. +The following JSON representation shows the resource type. diff --git a/api-reference/beta/resources/validatingdomains.md b/api-reference/beta/resources/validatingdomains.md index 944813d7ca4..0bb96730082 100644 --- a/api-reference/beta/resources/validatingdomains.md +++ b/api-reference/beta/resources/validatingdomains.md 
@@ -25,7 +25,7 @@ This is an abstract type. None. ## JSON representation -The following is a JSON representation of the resource. +The following JSON representation shows the resource type. ``` http -PATCH /policies/federatedTokenValidationPolicy +PUT /policies/federatedTokenValidationPolicy ``` ## Request headers @@ -63,19 +63,20 @@ The following example shows a request. } --> ``` http -PATCH https://graph.microsoft.com/beta/policies/federatedTokenValidationPolicy +PUT https://graph.microsoft.com/beta/policies/federatedTokenValidationPolicy Content-Type: application/json { "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", "deletedDateTime": "String (timestamp)", "validatingDomains": { - "@odata.type": "microsoft.graph.validatingDomains" + "@odata.type": "microsoft.graph.validatingDomains", + "rootDomains": "enumerated", + "domainNames": ["contoso.com","fabrikam.com"] } } ``` - ### Response The following example shows the response >**Note:** The response object shown here might be shortened for readability. @@ -92,7 +93,7 @@ Content-Type: application/json { "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", "id": "932b8f7f-68c1-6fe5-59ab-56e1ff752f30", - "deletedDateTime": "String (timestamp)", + "deletedDateTime": "2023-08-25T07:44:46.2616778Z", "validatingDomains": { "@odata.type": "microsoft.graph.validatingDomains" } diff --git a/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md index 4636f88344c..7037857899c 100644 --- a/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md +++ b/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md 
@@ -31,11 +31,11 @@ Choose the permission or permissions marked as least privileged for this API. Us } --> ``` http -GET ** Collection URI for microsoft.graph.federatedTokenValidationPolicy not found +GET /policies/federatedTokenValidationPolicy ``` ## Optional query parameters -This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters). +This method does not support OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters). ## Request headers |Name|Description| @@ -59,7 +59,7 @@ The following example shows a request. } --> ``` http -GET https://graph.microsoft.com/beta** Collection URI for microsoft.graph.federatedTokenValidationPolicy not found +GET https://graph.microsoft.com/beta/policies/federatedTokenValidationPolicy ``` ### Response @@ -80,7 +80,7 @@ Content-Type: application/json { "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", "id": "932b8f7f-68c1-6fe5-59ab-56e1ff752f30", - "deletedDateTime": "String (timestamp)", + "deletedDateTime": "2023-08-25T07:44:46.2616778Z", "validatingDomains": { "@odata.type": "microsoft.graph.validatingDomains" } diff --git a/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md deleted file mode 100644 index 3e9f909f217..00000000000 --- a/api-reference/beta/api/policyroot-post-federatedtokenvalidationpolicy.md +++ /dev/null 
@@ -1,98 +0,0 @@ ---- -title: "Create federatedTokenValidationPolicy" -description: "Create a new federatedTokenValidationPolicy object." -author: "rahul-nagraj" -ms.localizationpriority: medium -ms.prod: "identity-and-sign-in" -doc_type: apiPageType ---- - -# Create federatedTokenValidationPolicy -Namespace: microsoft.graph - -[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] - -Create a new [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. - -## Permissions -Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference). - - -[!INCLUDE [permissions-table](../includes/permissions/policyroot-post-federatedtokenvalidationpolicy-permissions.md)] - -## HTTP request - - -``` http -POST ** Collection URI for microsoft.graph.federatedTokenValidationPolicy not found -``` - -## Request headers -|Name|Description| -|:---|:---| -|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).| -|Content-Type|application/json. Required.| - -## Request body -In the request body, supply a JSON representation of the [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object. - -You can specify the following properties when creating a **federatedTokenValidationPolicy**. 
- -|Property|Type|Description| -|:---|:---|:---| -|validatingDomains|[microsoft.graph.validatingDomains](../resources/validatingdomains.md)|Verified Microsoft Entra ID domains for which Microsoft Entra validates that federated account's root domain matches with mapped Microsoft Entra account's root domain. Required.| - -## Response - -If successful, this method returns a `201 Created` response code and a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object in the response body. - -## Examples - -### Request -The following example shows a request. - -``` http -POST https://graph.microsoft.com/beta** Collection URI for microsoft.graph.federatedTokenValidationPolicy not found -Content-Type: application/json - -{ - "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", - "validatingDomains": { - "@odata.type": "microsoft.graph.validatingDomains" - } -} -``` - - -### Response -The following example shows the response ->**Note:** The response object shown here might be shortened for readability. - -``` http -HTTP/1.1 201 Created -Content-Type: application/json - -{ - "@odata.type": "#microsoft.graph.federatedTokenValidationPolicy", - "id": "932b8f7f-68c1-6fe5-59ab-56e1ff752f30", - "validatingDomains": { - "@odata.type": "microsoft.graph.validatingDomains" - } -} -``` diff --git a/api-reference/beta/resources/alldomains.md b/api-reference/beta/resources/alldomains.md new file mode 100644 index 00000000000..76a46cc12a1 --- /dev/null +++ b/api-reference/beta/resources/alldomains.md 
@@ -0,0 +1,40 @@ +--- +title: "allDomains resource type" +description: "A derived complex type which defines that Entra Id will perform validation for all root domains" +author: "rahul-nagraj" +ms.localizationpriority: medium +ms.prod: "identity-and-sign-in" +doc_type: resourcePageType +--- + +# allDomains resource type + +Namespace: microsoft.graph + +[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] + +A derived complex type which defines that Entra Id will perform validation (whether federated account's root domain matches with mapped Entra Id account's root domain) for all root domains based on the value for 'rootDomains' property. + +Inherits from [validatingDomains](../resources/validatingdomains.md). + +## Properties +|Property|Type|Description| +|:---|:---|:---| +|rootDomains|rootDomains|Defines the types of domains to which the validation applies. Inherited from [validatingDomains](../resources/validatingdomains.md).The possible values are: `none`, `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, `unknownFutureValue`.| + +## Relationships +None. + +## JSON representation +The following is a JSON representation of the resource. + +``` json +{ + "@odata.type": "#microsoft.graph.allDomains", + "rootDomains": "String" +} +``` diff --git a/api-reference/beta/resources/enumerateddomains.md b/api-reference/beta/resources/enumerateddomains.md new file mode 100644 index 00000000000..2c9f8b80d06 --- /dev/null +++ b/api-reference/beta/resources/enumerateddomains.md 
@@ -0,0 +1,44 @@ +--- +title: "enumeratedDomains resource type" +description: "A derived complex type which defines that Entra Id will perform validation for specified Entra Id domains" +author: "rahul-nagraj" +ms.localizationpriority: medium +ms.prod: "identity-and-sign-in" +doc_type: resourcePageType +--- + +# enumeratedDomains resource type + +Namespace: microsoft.graph + +[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] + +A derived complex type which defines that Entra Id will perform validation (whether federated account's root domain matches with mapped AAD account's root domain) for all specified Entra Id domains if root domains is 'enumerated' or for all Managed and specified Entra Id domains if root domains is 'allManagedAndEnumeratedFederated' + +Inherits from [validatingDomains](../resources/validatingdomains.md). + +## Properties +|Property|Type|Description| +|:---|:---|:---| +|domainNames|String collection|List of federated and/or managed root domains for which Entra Id will perform the validation.| +|rootDomains|rootDomains|Defines the types of domains to which the validation applies. Inherited from [validatingDomains](../resources/validatingdomains.md).The possible values are: `none`, `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, `unknownFutureValue`.| + +## Relationships +None. + +## JSON representation +The following is a JSON representation of the resource. + +``` json +{ + "@odata.type": "#microsoft.graph.enumeratedDomains", + "rootDomains": "String", + "domainNames": [ + "String" + ] +} +``` diff --git a/api-reference/beta/resources/enums.md b/api-reference/beta/resources/enums.md index 08028e88c92..9c2c03e5281 100644 --- a/api-reference/beta/resources/enums.md +++ b/api-reference/beta/resources/enums.md 
@@ -4285,15 +4285,15 @@ Possible values for user account types (group membership), per Windows definitio ### rootDomains values -| Property | Value | Description | -| :------------------------------- | :---- | ------------------------------------------------------------------- | -| none | 0 | Dont perform validation for any domain. | -| all | 1 | Perform validation for all domains | -| allFederated | 2 | Perform validation for all federated domains | -| allManaged | 3 | Perform validation for all managed domains | -| enumerated | 4 | Perform validation for all enumerated domains | -| allManagedAndEnumeratedFederated | 5 | Perform validation for all managed and enumerated federated domains | -| unknownFutureValue | 6 | Unknown future value for evolvable enums. | +| Member| +|:---| +|none| +|all| +|allFederated| +|allManaged| +|enumerated| +|allManagedAndEnumeratedFederated| +|unknownFutureValue| ### allowedRolePrincipalTypes values diff --git a/api-reference/beta/resources/federatedtokenvalidationpolicy.md b/api-reference/beta/resources/federatedtokenvalidationpolicy.md index 12182cc8019..ed9e9706ca1 100644 --- a/api-reference/beta/resources/federatedtokenvalidationpolicy.md +++ b/api-reference/beta/resources/federatedtokenvalidationpolicy.md 
@@ -22,18 +22,8 @@ Inherits from [directoryObject](../resources/directoryobject.md). |Method|Return type|Description| |:---|:---|:---| |[List federatedTokenValidationPolicies](../api/policyroot-list-federatedtokenvalidationpolicy.md)|[federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) collection|Get a list of the [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) objects and their properties.| -|[Create federatedTokenValidationPolicy](../api/policyroot-post-federatedtokenvalidationpolicy.md)|[federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md)|Create a new [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| |[Get federatedTokenValidationPolicy](../api/federatedtokenvalidationpolicy-get.md)|[federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md)|Read the properties and relationships of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| |[Update federatedTokenValidationPolicy](../api/federatedtokenvalidationpolicy-update.md)|[federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md)|Update the properties of a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| -|[Delete federatedTokenValidationPolicy](../api/policyroot-delete-federatedtokenvalidationpolicy.md)|None|Delete a [federatedTokenValidationPolicy](../resources/federatedtokenvalidationpolicy.md) object.| - - ## Properties |Property|Type|Description| diff --git a/api-reference/beta/resources/validatingdomains.md b/api-reference/beta/resources/validatingdomains.md index c962ac0125d..4a6e7fc7ef9 100644 --- a/api-reference/beta/resources/validatingdomains.md +++ b/api-reference/beta/resources/validatingdomains.md 
@@ -1,6 +1,6 @@ --- title: "validatingDomains resource type" -description: "**TODO: Add Description**" +description: "Defines the types of domains to which the federated token validation applies." author: "rahul-nagraj" ms.localizationpriority: medium ms.prod: "identity-and-sign-in" @@ -19,7 +19,7 @@ This object is an abstract type from which the [allDomains](../resources/alldoma ## Properties |Property|Type|Description| |:---|:---|:---| -|rootDomains|rootDomains|Defines the types of domains to which the validation will apply. The possible values are: `none`, `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, `unknownFutureValue`.| +|rootDomains|rootDomains|Defines the types of domains to which the validation applies. The possible values are: `none`, `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, `unknownFutureValue`.| ## Relationships None. @@ -36,5 +36,4 @@ The following JSON representation shows the resource type. "@odata.type": "#microsoft.graph.validatingDomains", "rootDomains": "String" } -``` - +``` \ No newline at end of file diff --git a/changelog/Microsoft.DirectoryServices.json b/changelog/Microsoft.DirectoryServices.json index 69336fbd805..4fcb0ac5f49 100644 --- a/changelog/Microsoft.DirectoryServices.json +++ b/changelog/Microsoft.DirectoryServices.json 
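Review bot: the `rootDomains` description in the second hunk still only lists the member names; with the descriptions removed from enums.md in this same patch, nothing on this page says what `enumerated` or `allManagedAndEnumeratedFederated` select. Add a clause per value here, or at least say which derived type (allDomains or enumeratedDomains) each value belongs to. Separately, the last hunk removes the newline after the closing fence (`\ No newline at end of file`); keep the trailing newline, as the security-auditlogquery.md hunk later in this series does the opposite fix for that file.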
@@ -9083,6 +9083,22 @@ "Description": "Added the [federatedTokenValidationPolicy](https://learn.microsoft.com/en-us/graph/api/resources/federatedTokenValidationPolicy?view=graph-rest-beta) resource type and associated methods.", "Target": "federatedTokenValidationPolicy" }, + { + "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", + "ApiChange": "Resource", + "ChangedApiName": "federatedTokenValidationPolicy", + "ChangeType": "Addition", + "Description": "Added the [alldomains](https://learn.microsoft.com/en-us/graph/api/resources/allDomains?view=graph-rest-beta) resource type and associated properties.", + "Target": "federatedTokenValidationPolicy" + }, + { + "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", + "ApiChange": "Resource", + "ChangedApiName": "federatedTokenValidationPolicy", + "ChangeType": "Addition", + "Description": "Added the [enumerateddomains](https://learn.microsoft.com/en-us/graph/api/resources/enumerateddomains?view=graph-rest-beta) resource type and associated properties.", + "Target": "federatedTokenValidationPolicy" + }, { "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", "ApiChange": "Property", @@ -9090,8 +9106,6 @@ "ChangeType": "Addition", "Description": "Added the `validatingDomains` property to the [federatedTokenValidationPolicy](https://learn.microsoft.com/en-us/graph/api/resources/federatedTokenValidationPolicy?view=graph-rest-beta) resource.", "Target": "federatedTokenValidationPolicy" -<<<<<<< HEAD -======= }, { "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", 
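Review bot: the two new changelog entries use `[alldomains]` and `[enumerateddomains]` as link text while the existing entry in the same list uses the camelCase type name `federatedTokenValidationPolicy`; use `allDomains` and `enumeratedDomains` to match the resource page titles. The second hunk also deletes `<<<<<<< HEAD` and `=======` lines, so merge conflict markers had been committed into the changelog JSON and the file was not valid JSON until this fix; worth calling out in the PR description so the broken revision is not cherry-picked.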
@@ -9132,7 +9146,6 @@ "ChangeType": "Addition", "Description": "Added the [DELETE](https://learn.microsoft.com/en-us/graph/api/policyroot-delete-federatedtokenvalidationpolicy?view=graph-rest-beta) operation to the [federatedTokenValidationPolicy](https://learn.microsoft.com/en-us/graph/api/resources/federatedTokenValidationPolicy?view=graph-rest-beta).", "Target": "federatedTokenValidationPolicy" ->>>>>>> 61aebbbfe149c2326d4d44b976dac5ee4cacfe5c } ], "Id": "b14bfb9f-1af6-4f90-9a1e-6ec20665c29d", From e195c6dc09a249f1f617f93054bec12d42d7381e Mon Sep 17 00:00:00 2001 From: Rahul Nagraj <108932345+rahul-nagraj@users.noreply.github.com> Date: Tue, 27 Feb 2024 16:38:16 +0000 Subject: [PATCH 44/76] Acrolynx updates --- api-reference/beta/resources/alldomains.md | 8 ++++---- api-reference/beta/resources/enumerateddomains.md | 8 ++++---- .../beta/resources/federatedtokenvalidationpolicy.md | 6 +++--- api-reference/beta/resources/policyroot.md | 1 + api-reference/beta/toc.yml | 4 ---- 5 files changed, 12 insertions(+), 15 deletions(-) diff --git a/api-reference/beta/resources/alldomains.md b/api-reference/beta/resources/alldomains.md index 76a46cc12a1..fe0716d1ec0 100644 --- a/api-reference/beta/resources/alldomains.md +++ b/api-reference/beta/resources/alldomains.md @@ -1,6 +1,6 @@ --- title: "allDomains resource type" -description: "A derived complex type which defines that Entra Id will perform validation for all root domains" +description: "A derived complex type, which defines that Microsoft Entra ID performs validation for all root domains" author: "rahul-nagraj" ms.localizationpriority: medium ms.prod: "identity-and-sign-in" 
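Review bot: the resolved changelog hunk keeps the entry "Added the [DELETE] operation to the federatedTokenValidationPolicy", but later patches in this series delete policyroot-delete-federatedtokenvalidationpolicy.md together with its permissions include (which listed every permission type as "Not supported") and drop the Delete row from the resource page. Remove this entry, and the matching Create entry if one is in the same list, so the changelog does not advertise an operation the docs no longer describe.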
@@ -13,20 +13,20 @@ Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] -A derived complex type which defines that Entra Id will perform validation (whether federated account's root domain matches with mapped Entra Id account's root domain) for all root domains based on the value for 'rootDomains' property. +A derived complex type, which defines that Microsoft Entra ID performs validation for all root domains based on the value for `rootDomains` property. Inherits from [validatingDomains](../resources/validatingdomains.md). ## Properties |Property|Type|Description| |:---|:---|:---| -|rootDomains|rootDomains|Defines the types of domains to which the validation applies. Inherited from [validatingDomains](../resources/validatingdomains.md).The possible values are: `none`, `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, `unknownFutureValue`.| +|rootDomains|rootDomains|Defines the types of domains to which the validation applies. Inherited from [validatingDomains](../resources/validatingdomains.md). The possible values are: `none`, `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, `unknownFutureValue`.| ## Relationships None. ## JSON representation -The following is a JSON representation of the resource. +This is a JSON representation of the resource. -[!INCLUDE [permissions-table](../includes/permissions/policyroot-delete-federatedtokenvalidationpolicy-permissions.md)] - -## HTTP request - - -``` http -DELETE /policies/federatedTokenValidationPolicy/$ref -``` - -## Request headers -|Name|Description| -|:---|:---| -|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).| - -## Request body -Don't supply a request body for this method. - -## Response - -If successful, this method returns a `204 No Content` response code. - -## Examples - -### Request -The following example shows a request. 
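Review bot: the rewritten first sentence of alldomains.md drops the parenthetical "(whether federated account's root domain matches with mapped Entra Id account's root domain)", which was the only statement in these pages of what the validation actually checks. The new wording ("performs validation for all root domains based on the value for `rootDomains` property") says where the check applies but no longer what it is, so a reader cannot tell what `none` switches off. Move that definition to the federatedTokenValidationPolicy resource page rather than deleting it, and use `the rootDomains property` or `the value of the **rootDomains** property` rather than "the value for `rootDomains` property".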
- -``` http -DELETE https://graph.microsoft.com/beta/policies/federatedTokenValidationPolicy -``` - - -### Response -The following example shows the response - -``` http -HTTP/1.1 204 No Content -``` - diff --git a/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md b/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md index 7037857899c..99fc52fe00b 100644 --- a/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md +++ b/api-reference/beta/api/policyroot-list-federatedtokenvalidationpolicy.md @@ -1,5 +1,5 @@ --- -title: "List federatedTokenValidationPolicies" +title: "List federatedTokenValidationPolicy" description: "Get a list of the federatedTokenValidationPolicy objects and their properties." author: "rahul-nagraj" ms.localizationpriority: medium @@ -7,7 +7,7 @@ ms.prod: "identity-and-sign-in" doc_type: apiPageType --- -# List federatedTokenValidationPolicies +# List federatedTokenValidationPolicy Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] diff --git a/api-reference/beta/includes/permissions/policyroot-delete-federatedtokenvalidationpolicy-permissions.md b/api-reference/beta/includes/permissions/policyroot-delete-federatedtokenvalidationpolicy-permissions.md deleted file mode 100644 index 582944c42ad..00000000000 --- a/api-reference/beta/includes/permissions/policyroot-delete-federatedtokenvalidationpolicy-permissions.md +++ /dev/null @@ -1,5 +0,0 @@ -|Permission type|Least privileged permission|Higher privileged permissions| -|:---|:---|:---| -|Delegated (work or school account)|Not supported.|Not supported.| -|Delegated (personal Microsoft account)|Not supported.|Not supported.| -|Application|Not supported.|Not supported.| diff --git a/api-reference/beta/resources/alldomains.md b/api-reference/beta/resources/alldomains.md index fe0716d1ec0..93ac3313464 100644 --- a/api-reference/beta/resources/alldomains.md 
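Review bot: the title and H1 change from "List federatedTokenValidationPolicies" to "List federatedTokenValidationPolicy", but the description line in the same hunk still says "Get a list of the federatedTokenValidationPolicy objects and their properties." With the Create and Delete pages gone and the deleted permissions include marking DELETE as "Not supported" for every permission type, this is a singleton policy; either retire the List page in favor of Get or make the title, description and return type agree. Deleting the DELETE page is the right call: its request line was `DELETE /policies/federatedTokenValidationPolicy/$ref` while the example used the path without `/$ref`, and no permission could call it.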
+++ b/api-reference/beta/resources/alldomains.md @@ -1,6 +1,6 @@ --- title: "allDomains resource type" -description: "A derived complex type, which defines that Microsoft Entra ID performs validation for all root domains" +description: "A derived complex type that defines the type of domains that Microsoft Entra ID validates." author: "rahul-nagraj" ms.localizationpriority: medium ms.prod: "identity-and-sign-in" 
@@ -13,20 +13,20 @@ Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] -A derived complex type, which defines that Microsoft Entra ID performs validation for all root domains based on the value for `rootDomains` property. +A derived complex type that defines the type of domains that Microsoft Entra ID validates. Inherits from [validatingDomains](../resources/validatingdomains.md). ## Properties |Property|Type|Description| |:---|:---|:---| -|rootDomains|rootDomains|Defines the types of domains to which the validation applies. Inherited from [validatingDomains](../resources/validatingdomains.md). The possible values are: `none`, `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, `unknownFutureValue`.| +|rootDomains|rootDomains|Defines the types of domains that Microsoft Entra ID validates. Inherited from [validatingDomains](../resources/validatingdomains.md). The possible values are: `none`, `all`, `allFederated`, `allManaged`, `enumerated`, `allManagedAndEnumeratedFederated`, `unknownFutureValue`.| ## Relationships None. ## JSON representation -This is a JSON representation of the resource. +The following JSON representation shows the resource type. + +Profile card properties APIs are available in the following [national cloud deployments](/graph/deployments). + +| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet | +|--------------------|--------------------|------------------------|----------------------------| +| :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | From f2f7019285e43697a2c010c429ef1e6ec6267c6b Mon Sep 17 00:00:00 2001 
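Review bot: after this hunk alldomains.md describes itself as "a derived complex type that defines the type of domains that Microsoft Entra ID validates", which is what validatingdomains.md already says about the base type ("Defines the types of domains to which the federated token validation applies"). The page no longer states what distinguishes allDomains from enumeratedDomains; either say which `rootDomains` values an allDomains instance can carry or restore the "all root domains" wording this hunk removes. The added "Profile card properties APIs are available in the following national cloud deployments" table at the end of this line is hand-written; the delegatedAdmin hunk later in this series uses an include for the same purpose (`[!INCLUDE [national-cloud-support](../../includes/global-only.md)]`), so use the corresponding include for all-clouds availability instead of duplicating the table.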
From: Arish Ojaswi Date: Fri, 1 Mar 2024 19:43:52 +0530 Subject: [PATCH 55/76] Update security-auditlogquery-get.md Updated the recordTypeFilter property to recordTypeFilters. This was incorrect in the documentation. No change to the actual API. --- api-reference/beta/api/security-auditlogquery-get.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/api-reference/beta/api/security-auditlogquery-get.md b/api-reference/beta/api/security-auditlogquery-get.md index 61d8540dff6..4636767d438 100644 --- a/api-reference/beta/api/security-auditlogquery-get.md +++ b/api-reference/beta/api/security-auditlogquery-get.md @@ -126,7 +126,9 @@ Content-Type: application/json "displayName": "String", "filterStartDateTime": "String (timestamp)", "filterEndDateTime": "String (timestamp)", - "recordTypeFilter": "String", + "recordTypeFilters": [ + "String" + ], "keywordFilter": "String", "serviceFilter": "String", "operationFilters": [ From 9c3e0f14dc2307521e469bdf99e88d9e010b8b31 Mon Sep 17 00:00:00 2001 From: Arish Ojaswi Date: Fri, 1 Mar 2024 19:55:40 +0530 Subject: [PATCH 56/76] Update security-auditlogquery.md --- api-reference/beta/resources/security-auditlogquery.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/api-reference/beta/resources/security-auditlogquery.md b/api-reference/beta/resources/security-auditlogquery.md index 9560710503a..8fffacc6f13 100644 --- a/api-reference/beta/resources/security-auditlogquery.md +++ b/api-reference/beta/resources/security-auditlogquery.md 
@@ -37,7 +37,7 @@ Inherits from [microsoft.graph.entity](../resources/entity.md). |keywordFilter|String|Free text field to search non-indexed properties of the audit log.| |objectIdFilters|String collection|For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.| |operationFilters|String collection|The name of the user or admin activity. For a description of the most common operations/activities, see [Search the audit log in the Office 365 Protection Center](https://go.microsoft.com/fwlink/p/?LinkId=708432).| -|recordTypeFilter|microsoft.graph.security.auditLogRecordType|The type of operation indicated by the record. The possible values are: `exchangeAdmin`, `exchangeItem`, `exchangeItemGroup`, `sharePoint`, `syntheticProbe`, `sharePointFileOperation`, `oneDrive`, `azureActiveDirectory`, `azureActiveDirectoryAccountLogon`, `dataCenterSecurityCmdlet`, `complianceDLPSharePoint`, `sway`, `complianceDLPExchange`, `sharePointSharingOperation`, `azureActiveDirectoryStsLogon`, `skypeForBusinessPSTNUsage`, `skypeForBusinessUsersBlocked`, `securityComplianceCenterEOPCmdlet`, `exchangeAggregatedOperation`, `powerBIAudit`, `crm`, `yammer`, `skypeForBusinessCmdlets`, `discovery`, `microsoftTeams`, `threatIntelligence`, `mailSubmission`, `microsoftFlow`, `aeD`, `microsoftStream`, `complianceDLPSharePointClassification`, `threatFinder`, `project`, `sharePointListOperation`, `sharePointCommentOperation`, `dataGovernance`, `kaizala`, `securityComplianceAlerts`, `threatIntelligenceUrl`, `securityComplianceInsights`, `mipLabel`, `workplaceAnalytics`, `powerAppsApp`, `powerAppsPlan`, `threatIntelligenceAtpContent`, `labelContentExplorer`, `teamsHealthcare`, `exchangeItemAggregated`, `hygieneEvent`, `dataInsightsRestApiAudit`, `informationBarrierPolicyApplication`, `sharePointListItemOperation`, `sharePointContentTypeOperation`, 
`sharePointFieldOperation`, `microsoftTeamsAdmin`, `hrSignal`, `microsoftTeamsDevice`, `microsoftTeamsAnalytics`, `informationWorkerProtection`, `campaign`, `dlpEndpoint`, `airInvestigation`, `quarantine`, `microsoftForms`, `applicationAudit`, `complianceSupervisionExchange`, `customerKeyServiceEncryption`, `officeNative`, `mipAutoLabelSharePointItem`, `mipAutoLabelSharePointPolicyLocation`, `microsoftTeamsShifts`, `secureScore`, `mipAutoLabelExchangeItem`, `cortanaBriefing`, `search`, `wdatpAlerts`, `powerPlatformAdminDlp`, `powerPlatformAdminEnvironment`, `mdatpAudit`, `sensitivityLabelPolicyMatch`, `sensitivityLabelAction`, `sensitivityLabeledFileAction`, `attackSim`, `airManualInvestigation`, `securityComplianceRBAC`, `userTraining`, `airAdminActionInvestigation`, `mstic`, `physicalBadgingSignal`, `teamsEasyApprovals`, `aipDiscover`, `aipSensitivityLabelAction`, `aipProtectionAction`, `aipFileDeleted`, `aipHeartBeat`, `mcasAlerts`, `onPremisesFileShareScannerDlp`, `onPremisesSharePointScannerDlp`, `exchangeSearch`, `sharePointSearch`, `privacyDataMinimization`, `labelAnalyticsAggregate`, `myAnalyticsSettings`, `securityComplianceUserChange`, `complianceDLPExchangeClassification`, `complianceDLPEndpoint`, `mipExactDataMatch`, `msdeResponseActions`, `msdeGeneralSettings`, `msdeIndicatorsSettings`, `ms365DCustomDetection`, `msdeRolesSettings`, `mapgAlerts`, `mapgPolicy`, `mapgRemediation`, `privacyRemediationAction`, `privacyDigestEmail`, `mipAutoLabelSimulationProgress`, `mipAutoLabelSimulationCompletion`, `mipAutoLabelProgressFeedback`, `dlpSensitiveInformationType`, `mipAutoLabelSimulationStatistics`, `largeContentMetadata`, `microsoft365Group`, `cdpMlInferencingResult`, `filteringMailMetadata`, `cdpClassificationMailItem`, `cdpClassificationDocument`, `officeScriptsRunAction`, `filteringPostMailDeliveryAction`, `cdpUnifiedFeedback`, `tenantAllowBlockList`, `consumptionResource`, `healthcareSignal`, `dlpImportResult`, `cdpCompliancePolicyExecution`, 
`multiStageDisposition`, `privacyDataMatch`, `filteringDocMetadata`, `filteringEmailFeatures`, `powerBIDlp`, `filteringUrlInfo`, `filteringAttachmentInfo`, `coreReportingSettings`, `complianceConnector`, `powerPlatformLockboxResourceAccessRequest`, `powerPlatformLockboxResourceCommand`, `cdpPredictiveCodingLabel`, `cdpCompliancePolicyUserFeedback`, `webpageActivityEndpoint`, `omePortal`, `cmImprovementActionChange`, `filteringUrlClick`, `mipLabelAnalyticsAuditRecord`, `filteringEntityEvent`, `filteringRuleHits`, `filteringMailSubmission`, `labelExplorer`, `microsoftManagedServicePlatform`, `powerPlatformServiceActivity`, `scorePlatformGenericAuditRecord`, `filteringTimeTravelDocMetadata`, `alert`, `alertStatus`, `alertIncident`, `incidentStatus`, `case`, `caseInvestigation`, `recordsManagement`, `privacyRemediation`, `dataShareOperation`, `cdpDlpSensitive`, `ehrConnector`, `filteringMailGradingResult`, `publicFolder`, `privacyTenantAuditHistoryRecord`, `aipScannerDiscoverEvent`, `eduDataLakeDownloadOperation`, `m365ComplianceConnector`, `microsoftGraphDataConnectOperation`, `microsoftPurview`, `filteringEmailContentFeatures`, `powerPagesSite`, `powerAppsResource`, `plannerPlan`, `plannerCopyPlan`, `plannerTask`, `plannerRoster`, `plannerPlanList`, `plannerTaskList`, `plannerTenantSettings`, `projectForTheWebProject`, `projectForTheWebTask`, `projectForTheWebRoadmap`, `projectForTheWebRoadmapItem`, `projectForTheWebProjectSettings`, `projectForTheWebRoadmapSettings`, `quarantineMetadata`, `microsoftTodoAudit`, `timeTravelFilteringDocMetadata`, `teamsQuarantineMetadata`, `sharePointAppPermissionOperation`, `microsoftTeamsSensitivityLabelAction`, `filteringTeamsMetadata`, `filteringTeamsUrlInfo`, `filteringTeamsPostDeliveryAction`, `mdcAssessments`, `mdcRegulatoryComplianceStandards`, `mdcRegulatoryComplianceControls`, `mdcRegulatoryComplianceAssessments`, `mdcSecurityConnectors`, `mdaDataSecuritySignal`, `vivaGoals`, `filteringRuntimeInfo`, `attackSimAdmin`, 
`microsoftGraphDataConnectConsent`, `filteringAtpDetonationInfo`, `privacyPortal`, `managedTenants`, `unifiedSimulationMatchedItem`, `unifiedSimulationSummary`, `updateQuarantineMetadata`, `ms365DSuppressionRule`, `purviewDataMapOperation`, `filteringUrlPostClickAction`, `irmUserDefinedDetectionSignal`, `teamsUpdates`, `plannerRosterSensitivityLabel`, `ms365DIncident`, `filteringDelistingMetadata`, `complianceDLPSharePointClassificationExtended`, `microsoftDefenderForIdentityAudit`, `supervisoryReviewDayXInsight`, `defenderExpertsforXDRAdmin`, `cdpEdgeBlockedMessage`, `hostedRpa`, `cdpContentExplorerAggregateRecord`, `cdpHygieneAttachmentInfo`, `cdpHygieneSummary`, `cdpPostMailDeliveryAction`, `cdpEmailFeatures`, `cdpHygieneUrlInfo`, `cdpUrlClick`, `cdpPackageManagerHygieneEvent`, `filteringDocScan`, `timeTravelFilteringDocScan`, `mapgOnboard`, `unknownFutureValue`.| +|recordTypeFilters|String collection of microsoft.graph.security.auditLogRecordType|The type of operation indicated by the record. 
The possible values are: `exchangeAdmin`, `exchangeItem`, `exchangeItemGroup`, `sharePoint`, `syntheticProbe`, `sharePointFileOperation`, `oneDrive`, `azureActiveDirectory`, `azureActiveDirectoryAccountLogon`, `dataCenterSecurityCmdlet`, `complianceDLPSharePoint`, `sway`, `complianceDLPExchange`, `sharePointSharingOperation`, `azureActiveDirectoryStsLogon`, `skypeForBusinessPSTNUsage`, `skypeForBusinessUsersBlocked`, `securityComplianceCenterEOPCmdlet`, `exchangeAggregatedOperation`, `powerBIAudit`, `crm`, `yammer`, `skypeForBusinessCmdlets`, `discovery`, `microsoftTeams`, `threatIntelligence`, `mailSubmission`, `microsoftFlow`, `aeD`, `microsoftStream`, `complianceDLPSharePointClassification`, `threatFinder`, `project`, `sharePointListOperation`, `sharePointCommentOperation`, `dataGovernance`, `kaizala`, `securityComplianceAlerts`, `threatIntelligenceUrl`, `securityComplianceInsights`, `mipLabel`, `workplaceAnalytics`, `powerAppsApp`, `powerAppsPlan`, `threatIntelligenceAtpContent`, `labelContentExplorer`, `teamsHealthcare`, `exchangeItemAggregated`, `hygieneEvent`, `dataInsightsRestApiAudit`, `informationBarrierPolicyApplication`, `sharePointListItemOperation`, `sharePointContentTypeOperation`, `sharePointFieldOperation`, `microsoftTeamsAdmin`, `hrSignal`, `microsoftTeamsDevice`, `microsoftTeamsAnalytics`, `informationWorkerProtection`, `campaign`, `dlpEndpoint`, `airInvestigation`, `quarantine`, `microsoftForms`, `applicationAudit`, `complianceSupervisionExchange`, `customerKeyServiceEncryption`, `officeNative`, `mipAutoLabelSharePointItem`, `mipAutoLabelSharePointPolicyLocation`, `microsoftTeamsShifts`, `secureScore`, `mipAutoLabelExchangeItem`, `cortanaBriefing`, `search`, `wdatpAlerts`, `powerPlatformAdminDlp`, `powerPlatformAdminEnvironment`, `mdatpAudit`, `sensitivityLabelPolicyMatch`, `sensitivityLabelAction`, `sensitivityLabeledFileAction`, `attackSim`, `airManualInvestigation`, `securityComplianceRBAC`, `userTraining`, `airAdminActionInvestigation`, 
`mstic`, `physicalBadgingSignal`, `teamsEasyApprovals`, `aipDiscover`, `aipSensitivityLabelAction`, `aipProtectionAction`, `aipFileDeleted`, `aipHeartBeat`, `mcasAlerts`, `onPremisesFileShareScannerDlp`, `onPremisesSharePointScannerDlp`, `exchangeSearch`, `sharePointSearch`, `privacyDataMinimization`, `labelAnalyticsAggregate`, `myAnalyticsSettings`, `securityComplianceUserChange`, `complianceDLPExchangeClassification`, `complianceDLPEndpoint`, `mipExactDataMatch`, `msdeResponseActions`, `msdeGeneralSettings`, `msdeIndicatorsSettings`, `ms365DCustomDetection`, `msdeRolesSettings`, `mapgAlerts`, `mapgPolicy`, `mapgRemediation`, `privacyRemediationAction`, `privacyDigestEmail`, `mipAutoLabelSimulationProgress`, `mipAutoLabelSimulationCompletion`, `mipAutoLabelProgressFeedback`, `dlpSensitiveInformationType`, `mipAutoLabelSimulationStatistics`, `largeContentMetadata`, `microsoft365Group`, `cdpMlInferencingResult`, `filteringMailMetadata`, `cdpClassificationMailItem`, `cdpClassificationDocument`, `officeScriptsRunAction`, `filteringPostMailDeliveryAction`, `cdpUnifiedFeedback`, `tenantAllowBlockList`, `consumptionResource`, `healthcareSignal`, `dlpImportResult`, `cdpCompliancePolicyExecution`, `multiStageDisposition`, `privacyDataMatch`, `filteringDocMetadata`, `filteringEmailFeatures`, `powerBIDlp`, `filteringUrlInfo`, `filteringAttachmentInfo`, `coreReportingSettings`, `complianceConnector`, `powerPlatformLockboxResourceAccessRequest`, `powerPlatformLockboxResourceCommand`, `cdpPredictiveCodingLabel`, `cdpCompliancePolicyUserFeedback`, `webpageActivityEndpoint`, `omePortal`, `cmImprovementActionChange`, `filteringUrlClick`, `mipLabelAnalyticsAuditRecord`, `filteringEntityEvent`, `filteringRuleHits`, `filteringMailSubmission`, `labelExplorer`, `microsoftManagedServicePlatform`, `powerPlatformServiceActivity`, `scorePlatformGenericAuditRecord`, `filteringTimeTravelDocMetadata`, `alert`, `alertStatus`, `alertIncident`, `incidentStatus`, `case`, `caseInvestigation`, 
`recordsManagement`, `privacyRemediation`, `dataShareOperation`, `cdpDlpSensitive`, `ehrConnector`, `filteringMailGradingResult`, `publicFolder`, `privacyTenantAuditHistoryRecord`, `aipScannerDiscoverEvent`, `eduDataLakeDownloadOperation`, `m365ComplianceConnector`, `microsoftGraphDataConnectOperation`, `microsoftPurview`, `filteringEmailContentFeatures`, `powerPagesSite`, `powerAppsResource`, `plannerPlan`, `plannerCopyPlan`, `plannerTask`, `plannerRoster`, `plannerPlanList`, `plannerTaskList`, `plannerTenantSettings`, `projectForTheWebProject`, `projectForTheWebTask`, `projectForTheWebRoadmap`, `projectForTheWebRoadmapItem`, `projectForTheWebProjectSettings`, `projectForTheWebRoadmapSettings`, `quarantineMetadata`, `microsoftTodoAudit`, `timeTravelFilteringDocMetadata`, `teamsQuarantineMetadata`, `sharePointAppPermissionOperation`, `microsoftTeamsSensitivityLabelAction`, `filteringTeamsMetadata`, `filteringTeamsUrlInfo`, `filteringTeamsPostDeliveryAction`, `mdcAssessments`, `mdcRegulatoryComplianceStandards`, `mdcRegulatoryComplianceControls`, `mdcRegulatoryComplianceAssessments`, `mdcSecurityConnectors`, `mdaDataSecuritySignal`, `vivaGoals`, `filteringRuntimeInfo`, `attackSimAdmin`, `microsoftGraphDataConnectConsent`, `filteringAtpDetonationInfo`, `privacyPortal`, `managedTenants`, `unifiedSimulationMatchedItem`, `unifiedSimulationSummary`, `updateQuarantineMetadata`, `ms365DSuppressionRule`, `purviewDataMapOperation`, `filteringUrlPostClickAction`, `irmUserDefinedDetectionSignal`, `teamsUpdates`, `plannerRosterSensitivityLabel`, `ms365DIncident`, `filteringDelistingMetadata`, `complianceDLPSharePointClassificationExtended`, `microsoftDefenderForIdentityAudit`, `supervisoryReviewDayXInsight`, `defenderExpertsforXDRAdmin`, `cdpEdgeBlockedMessage`, `hostedRpa`, `cdpContentExplorerAggregateRecord`, `cdpHygieneAttachmentInfo`, `cdpHygieneSummary`, `cdpPostMailDeliveryAction`, `cdpEmailFeatures`, `cdpHygieneUrlInfo`, `cdpUrlClick`, `cdpPackageManagerHygieneEvent`, 
`filteringDocScan`, `timeTravelFilteringDocScan`, `mapgOnboard`, `unknownFutureValue`.| |serviceFilter|String|The Office 365 service where the activity occurred.| |status|microsoft.graph.security.auditLogQueryStatus|Describes the current status of the query. The possible values are: `notStarted`, `running`, `succeeded`, `failed`, `cancelled`, `unknownFutureValue`.| |userPrincipalNameFilters|String collection|The UPN (user principal name) of the user who performed the action (specified in the operation property) that resulted in the record being logged; for example, _my_name@my_domain_name_.| @@ -86,4 +86,4 @@ The following JSON representation shows the resource type. ], "status": "String" } -``` \ No newline at end of file +``` From d40563cc3f326e80265a72b688beeadd0345e220 Mon Sep 17 00:00:00 2001 From: Arish Ojaswi Date: Fri, 1 Mar 2024 20:04:13 +0530 Subject: [PATCH 57/76] Update security-auditcoreroot-list-auditlogqueries.md --- .../beta/api/security-auditcoreroot-list-auditlogqueries.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/api-reference/beta/api/security-auditcoreroot-list-auditlogqueries.md b/api-reference/beta/api/security-auditcoreroot-list-auditlogqueries.md index 29dd7a5f9a3..6611f6d3d56 100644 --- a/api-reference/beta/api/security-auditcoreroot-list-auditlogqueries.md +++ b/api-reference/beta/api/security-auditcoreroot-list-auditlogqueries.md @@ -126,7 +126,9 @@ Content-Type: application/json "displayName": "String", "filterStartDateTime": "String (timestamp)", "filterEndDateTime": "String (timestamp)", - "recordTypeFilter": "String", + "recordTypeFilters": [ + "String" + ], "keywordFilter": "String", "serviceFilter": "String", "operationFilters": [ From 0a68c03846b0164e2a66383c27cae9b37bedf75f Mon Sep 17 00:00:00 2001 
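Review bot: the new `recordTypeFilters` row gives the type as "String collection of microsoft.graph.security.auditLogRecordType"; the convention visible in the same table and in conditionalaccessconditionset.md is `<type> collection` (`String collection` for objectIdFilters, `conditionalAccessClientApp collection` for clientAppTypes), so it should read `microsoft.graph.security.auditLogRecordType collection`. The description "The type of operation indicated by the record" was written for a single value; now that the property is a collection, say how several values combine, otherwise readers will assume any-of without confirmation. The trailing-newline fix at the end of the file and the matching `recordTypeFilters` array in the list-auditlogqueries response example are fine.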
From: Arish Ojaswi Date: Fri, 1 Mar 2024 20:05:52 +0530 Subject: [PATCH 58/76] Update security-auditcoreroot-post-auditlogqueries.md --- .../beta/api/security-auditcoreroot-post-auditlogqueries.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/api-reference/beta/api/security-auditcoreroot-post-auditlogqueries.md b/api-reference/beta/api/security-auditcoreroot-post-auditlogqueries.md index a4a555a8909..665bd6cc02a 100644 --- a/api-reference/beta/api/security-auditcoreroot-post-auditlogqueries.md +++ b/api-reference/beta/api/security-auditcoreroot-post-auditlogqueries.md @@ -94,7 +94,9 @@ Content-Type: application/json "displayName": "String", "filterStartDateTime": "String (timestamp)", "filterEndDateTime": "String (timestamp)", - "recordTypeFilter": "String", + "recordTypeFilters": [ + "String" + ], "keywordFilter": "String", "serviceFilter": "String", "operationFilters": [ From 3c90e8077a468ad174b1aacd9138eba40194669d Mon Sep 17 00:00:00 2001 From: Jarbas Horst Date: Sat, 2 Mar 2024 22:55:10 +0100 Subject: [PATCH 59/76] Update delegatedadmincustomer-list-servicemanagementdetails.md Applied standards to API topic. --- ...atedadmincustomer-list-servicemanagementdetails.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/api-reference/v1.0/api/delegatedadmincustomer-list-servicemanagementdetails.md b/api-reference/v1.0/api/delegatedadmincustomer-list-servicemanagementdetails.md index 4ddd0df475f..40727e4c2a9 100644 --- a/api-reference/v1.0/api/delegatedadmincustomer-list-servicemanagementdetails.md +++ b/api-reference/v1.0/api/delegatedadmincustomer-list-servicemanagementdetails.md 
@@ -10,7 +10,7 @@ doc_type: apiPageType # List serviceManagementDetails Namespace: microsoft.graph -Get a list of the [delegatedAdminServiceManagementDetail](../resources/delegatedAdminServiceManagementDetail.md) objects and their properties. +Get a list of the [delegatedAdminServiceManagementDetail](../resources/delegatedadminservicemanagementdetail.md) objects and their properties. [!INCLUDE [national-cloud-support](../../includes/global-only.md)] @@ -31,7 +31,7 @@ GET /tenantRelationships/delegatedAdminCustomers/{delegatedAdminCustomerId}/serv ``` ## Optional query parameters -This method does not support OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters). +This method doesn't support OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters). ## Request headers |Name|Description| 
@@ -43,12 +43,14 @@ Don't supply a request body for this method. ## Response -If successful, this method returns a `200 OK` response code and a collection of [delegatedAdminServiceManagementDetail](../resources/delegatedAdminServiceManagementDetail.md) objects in the response body. +If successful, this method returns a `200 OK` response code and a collection of [delegatedAdminServiceManagementDetail](../resources/delegatedadminservicemanagementdetail.md) objects in the response body. ## Examples ### Request +The following example shows a request. + # [HTTP](#tab/http) ```json { - "id": "string", - "name": "string" + "id": "String (identifier)", + "name": "String" } ``` -## Properties - -| Property | Type | Description | -| :------- | :----- | :-------------------------------------------- | -| **id** | string | The unique identifier for the column. | -| **name** | string | The name of the column in this content type. | ```http -HTTP/1.1 200 Ok +HTTP/1.1 200 OK { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#educationModule", From 0c13136b4b0e6737d0394149ee8c03f7455fe6be Mon Sep 17 00:00:00 2001 From: Jarbas Horst Date: Sat, 2 Mar 2024 23:28:29 +0100 Subject: [PATCH 71/76] Update educationmodule-unpin.md Applied standards to API topic. --- api-reference/beta/api/educationmodule-unpin.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/api-reference/beta/api/educationmodule-unpin.md b/api-reference/beta/api/educationmodule-unpin.md index 89b93f275e3..34d54850505 100644 --- a/api-reference/beta/api/educationmodule-unpin.md +++ b/api-reference/beta/api/educationmodule-unpin.md 
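Review bot: the second hunk on this line (the JSON with `"id": "String (identifier)"` and `"name": "String"`) also deletes the whole `## Properties` section, including the descriptions "The unique identifier for the column" and "The name of the column in this content type". Changing the JSON placeholders to the repo's `String (identifier)` style is fine, but the property table should stay (with its types changed from `string` to `String`) unless it is re-added elsewhere in the patch; as shown, the page would lose its only property documentation. The `200 Ok` to `200 OK` fix and the `delegatedadminservicemanagementdetail.md` link-casing fix are good.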
@@ -13,7 +13,7 @@ Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] -Unpin an [educationModule](../resources/educationmodule.md) in the classwork list. This action sets the **isPinned** property to **false** for an [educationModule](../resources/educationmodule.md). +Unpin an [educationModule](../resources/educationmodule.md) in the classwork list. This action sets the **isPinned** property to `false` for an [educationModule](../resources/educationmodule.md). Only teachers in the class can perform this operation. @@ -29,8 +29,8 @@ Choose the permission or permissions marked as least privileged for this API. Us ```http POST /education/classes/{id}/modules/{id}/unpin - ``` + ## Request headers | Header | Value | |:---------------|:--------| @@ -40,13 +40,13 @@ POST /education/classes/{id}/modules/{id}/unpin Don't supply a request body for this method. ## Response -If successful, this method returns a `200 Ok` response code and an [educationModule](../resources/educationmodule.md) object in the response body. +If successful, this method returns a `200 OK` response code and an [educationModule](../resources/educationmodule.md) object in the response body. ## Example The following example shows how to call this API. ### Request -The following is an example of a request. +The following example shows a request. # [HTTP](#tab/http) ```http -HTTP/1.1 200 Ok +HTTP/1.1 200 OK { "@odata.context": "https://graph.microsoft.com/$metadata#educationModule", From bc66f8bea3b2e3c3b2d3f7b437d5c4ef827df7ae Mon Sep 17 00:00:00 2001 From: Faith Moraa Ombongi Date: Mon, 4 Mar 2024 11:50:45 +0300 Subject: [PATCH 72/76] Add what's new backlog for Identity --- .../conditionalaccessconditionset.md | 2 +- concepts/whats-new-overview.md | 23 ++++++++++++++----- 2 files changed, 18 insertions(+), 7 deletions(-) 
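Review bot: while standardizing this page, the request path `POST /education/classes/{id}/modules/{id}/unpin` still uses `{id}` for two different identifiers; the delegatedAdmin page updated earlier in this series uses a named placeholder (`{delegatedAdminCustomerId}`), so distinct names such as `{educationClassId}` and `{educationModuleId}` would make clear which id goes where. The backticked `false` and `200 OK` fixes are correct.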
diff --git a/api-reference/beta/resources/conditionalaccessconditionset.md b/api-reference/beta/resources/conditionalaccessconditionset.md index 9ed01132c6b..16e06d8880e 100644 --- a/api-reference/beta/resources/conditionalaccessconditionset.md +++ b/api-reference/beta/resources/conditionalaccessconditionset.md @@ -21,7 +21,7 @@ Represents the type of conditions that govern when the policy applies. | Property | Type | Description | |:-------------|:------------|:------------| |applications|[conditionalAccessApplications](conditionalaccessapplications.md)| Applications and user actions included in and excluded from the policy. Required. | -|authenticationFlows|[conditionalAccessAuthenticationFlows](conditionalaccessauthenticationflows.md)| Authentication flows included in the policy scope. | +|authenticationFlows|[conditionalAccessAuthenticationFlows](conditionalaccessauthenticationflows.md)| Authentication flows included in the policy scope. For more information, see [Conditional Access: Authentication flows](/entra/identity/conditional-access/concept-authentication-flows). | |users|[conditionalAccessUsers](conditionalaccessusers.md)| Users, groups, and roles included in and excluded from the policy. Either **users** or **clientApplications** is required. | |clientApplications|[conditionalAccessClientApplications](../resources/conditionalaccessclientapplications.md)|Client applications (service principals and workload identities) included in and excluded from the policy. Either **users** or **clientApplications** is required. | |clientAppTypes|conditionalAccessClientApp collection| Client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported`, `other`. Required.

The `easUnsupported` enumeration member will be deprecated in favor of `exchangeActiveSync`, which includes EAS supported and unsupported platforms.| diff --git a/concepts/whats-new-overview.md b/concepts/whats-new-overview.md index db6b53a8957..f61fecea93b 100644 --- a/concepts/whats-new-overview.md +++ b/concepts/whats-new-overview.md @@ -7,7 +7,7 @@ ms.localizationpriority: high # What's new in Microsoft Graph -Microsoft Graph provides a unified programmability model that you can use to access data in Microsoft 365, Windows, and Enterprise Mobility + Security. This topic provides information about what's new in Microsoft Graph APIs, documentation, SDKs, and more. +Microsoft Graph provides a unified programmability model that you can use to access data in Microsoft 365, Windows, and Enterprise Mobility + Security. This article provides information about what's new in Microsoft Graph APIs, documentation, SDKs, and more. For more detailed API-level updates, see the [Microsoft Graph API changelog](https://developer.microsoft.com/graph/changelog/). 
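Review bot: While the **clientAppTypes** row of this table is in view: its possible-values list ends with `easSupported` and `other`, but the trailing note says `easUnsupported` will be deprecated in favor of `exchangeActiveSync`, a member that isn't in the list. If `easUnsupported` has already been removed from the enumeration, say so explicitly rather than announcing a future deprecation; if it is still accepted, it belongs in the list. The **authenticationFlows** link addition itself is fine.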
@@ -22,6 +22,12 @@ For details about previous updates to Microsoft Graph, see [Microsoft Graph what Microsoft Graph Toolkit v4 is now available. For details about changes in the latest release, see [Upgrade to the latest version of Microsoft Graph Toolkit](/graph/toolkit/upgrade). +### Identity and access | Identity and sign-in + +- Introduced the following more granular delegated and application permissions for managing tenant branding through the [organizationalBranding](/graph/api/resources/organizationalbranding?view=graph-rest-beta&preserve-view=true)and [organizationalBrandingLocalization](/graph/api/resources/organizationalbrandinglocalization?view=graph-rest-beta&preserve-view=true) resource types: + - Use *OrganizationalBranding.Read.All* permission for read operations instead of the *Organization.Read.All* permission. + - Use *OrganizationalBranding.ReadWrite.All* permission for read and write operations instead of the *Organization.ReadWrite.All* permission. + ## February 2024: New in preview only ### Calendars 
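Review bot: Missing space in the added Identity and sign-in bullet: `...preserve-view=true)and [organizationalBrandingLocalization]` renders the link and `and` run together; insert a space after the closing parenthesis. In the two sub-bullets, `Use the *OrganizationalBranding.Read.All* permission ...` would also match the phrasing already used for the replaced permission later in the same sentence (`instead of the *Organization.Read.All* permission`).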
@@ -30,12 +36,17 @@ Use the **iCalUId** property on [event](/graph/api/resources/event?view=graph-re ### Education -- Teachers can [activate](/graph/api/educationassignment-activate) an inactive [assignment](/graph/api/resources/educationassignment) to signal that the assignment has further action items for teachers or students. -- Teachers can [deactivate](/graph/api/educationassignment-deactivate) and mark an assignment as inactive to signal that the assignment has no further action items for teachers and students. +- Teachers can [activate](/graph/api/educationassignment-activate?view=graph-rest-beta&preserve-view=true) an inactive [assignment](/graph/api/resources/educationassignment?view=graph-rest-beta&preserve-view=true) to signal that the assignment has further action items for teachers or students. +- Teachers can [deactivate](/graph/api/educationassignment-deactivate?view=graph-rest-beta&preserve-view=true) and mark an assignment as inactive to signal that the assignment has no further action items for teachers and students. ### Identity and access | Directory management -Updated the descriptions of the **model** and **manufacturer** properties in the [device](/graph/api/resources/device?view=graph-rest-beta&preserve-view=true) resource to clarify their read-only status, replacing the outdated descriptions related to Project Rome sign-ins. +- Updated the descriptions of the **model** and **manufacturer** properties in the [device](/graph/api/resources/device?view=graph-rest-beta&preserve-view=true) resource to clarify their read-only status, replacing the outdated descriptions related to Project Rome sign-ins. +- Enabled tenants to [update](/graph/api/organization-update?view=graph-rest-beta&preserve-view=true) the following properties of the [organization](/graph/api/resources/organization?view=graph-rest-beta&preserve-view=true) entity: **businessPhones**, **city**, **postalCode**, **preferredLanguage**, **state**, **street**. 
+- You can now invite external users to Teams and manage the lifecycle of their invitation through the [pendingExternalUserProfile resource type](/graph/api/resources/pendingexternaluserprofile?view=graph-rest-beta&preserve-view=true) and its associated methods. After the user redeems their pending profile, you can manage their profile in your tenant through the [externalUserProfile resource type](/graph/api/resources/externaluserprofile?view=graph-rest-beta&preserve-view=true) and its associated methods. + +### Identity and access | Identity and sign-in +- Added the ability to target the device code authentication flow using Microsoft Entra Conditional Access. Configure the [conditionalAccessPolicy](/graph/api/resources/conditionalaccesspolicy?view=graph-rest-beta&preserve-view=true) > **conditions** property > **authenticationFlows** property of [conditionalAccessConditionSet complex type](/graph/api/resources/conditionalaccessconditionset?view=graph-rest-beta&preserve-view=true) > **transferMethods** property of [conditionalAccessAuthenticationFlows complex type](/graph/api/resources/conditionalaccessauthenticationflows?view=graph-rest-beta&preserve-view=true). ### Reports | Partner billing reports 
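Review bot: The new `### Identity and access | Identity and sign-in` heading in the February section is followed directly by its `- Added the ability to target the device code authentication flow...` bullet with no blank line, whereas the same heading added to the March section, and the `### Identity and access | Directory management` heading just above this one, leave a blank line before the list. Add the blank line so both sections render consistently.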
@@ -58,7 +69,7 @@ Microsoft Teams custom meeting templates allow you to specify values for many of - Added the ability to [get shifts](/graph/api/team-getshifts?view=graph-rest-beta&preserve-view=true) and [get time offs](/graph/api/team-gettimesoff?view=graph-rest-beta&preserve-view=true) across all teams that a user is a direct member of. - Added the **isCrossLocationShiftRequestApprovalRequired** and **isCrossLocationShiftsEnabled** properties on [schedule](/graph/api/resources/schedule?view=graph-rest-beta&preserve-view=true) to support two cross location scenarios. -- Added the ability to [get](/graph/api/shiftsroledefinition-get) and [update](/graph/api/shiftsroledefinition-update) front-line managers' capabilities in a Shifts schedule. +- Added the ability to [get](/graph/api/shiftsroledefinition-get) and [update](/graph/api/shiftsroledefinition-update) frontline managers' capabilities in a Shifts schedule. ## January 2024: New and generally available 
@@ -143,7 +154,7 @@ Are there scenarios you'd like Microsoft Graph to support? - Suggest and vote for new features by using the [Microsoft Graph Feedback Portal](https://aka.ms/graphfeedback). Some new features originate as popular requests from the developer community. The Microsoft Graph team regularly evaluates customer needs and releases new features to the beta (`https://graph.microsoft.com/beta`) and v1.0 (`https://graph.microsoft.com/v1.0`) endpoints. -- [Join](https://aka.ms/m365-dev-call) the weekly Microsoft 365 platform community call and become an active member of the Microsoft Graph community. +- [Join](https://aka.ms/m365-dev-call) the weekly Microsoft 365 platform community call and become an active member of the Microsoft Graph community. Visit the [Microsoft 365 and Power Platform community page](https://aka.ms/community/calls) to discover the full calendar of developer calls. - [Join](https://ux.microsoft.com/Panel/M365Devs?utm_source=graphDocs) our research panel to provide your input on our developer experiences. From f00417530f3f49381bd467ed58991fe4a0d131b4 Mon Sep 17 00:00:00 2001 
From: Faith Moraa Ombongi Date: Mon, 4 Mar 2024 13:04:58 +0300 Subject: [PATCH 73/76] Remove CRR for ZT include file --- .openpublishing.publish.config.json | 6 ------ .../delegatedadminrelationships-api-overview.md | 3 +-- .../beta/resources/identitygovernance-overview.md | 3 +-- ...tworkaccess-global-secure-access-api-overview.md | 1 - .../beta/resources/partners-billing-api-overview.md | 3 +-- .../permissions-management-api-overview.md | 2 +- ...gedidentitymanagement-for-groups-api-overview.md | 2 +- .../privilegedidentitymanagementv3-overview.md | 2 +- .../delegatedadminrelationships-api-overview.md | 3 +-- .../v1.0/resources/identitygovernance-overview.md | 3 +-- .../v1.0/resources/partners-billing-api-overview.md | 3 +-- ...gedidentitymanagement-for-groups-api-overview.md | 2 +- .../privilegedidentitymanagementv3-overview.md | 2 +- ...d-identity-access-management-concept-overview.md | 2 +- includes/identity-zero-trust.md | 13 +++++++++++++ 15 files changed, 25 insertions(+), 25 deletions(-) create mode 100644 includes/identity-zero-trust.md diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index d89796f58c9..ff261c08868 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -47,12 +47,6 @@ "branch": "main", "branch_mapping": {} }, - { - "path_to_root": "azure_docs", - "url": "https://github.com/MicrosoftDocs/azure-docs/", - "branch": "main", - "branch_mapping": {} - }, { "path_to_root": "entra_docs", "url": "https://github.com/MicrosoftDocs/entra-docs/", diff --git a/api-reference/beta/resources/delegatedadminrelationships-api-overview.md b/api-reference/beta/resources/delegatedadminrelationships-api-overview.md index f84f0740b55..a010f7076ea 100644 --- a/api-reference/beta/resources/delegatedadminrelationships-api-overview.md +++ b/api-reference/beta/resources/delegatedadminrelationships-api-overview.md 
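Review bot: Removing the `azure_docs` dependent repository from .openpublishing.publish.config.json in this hunk leaves a dangling cross-repo reference inside the same commit: the diffstat shows networkaccess-global-secure-access-api-overview.md with a single deletion (the `ms.custom: zt-include` line), so its `[!INCLUDE [zero-trust](~/../azure_docs/includes/active-directory-zero-trust.md)]` is still in place, and only the next patch swaps it for the local include. This commit therefore doesn't build on its own; fold that include change in here.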
@@ -5,7 +5,6 @@ author: "koravvams" ms.localizationpriority: medium ms.prod: partner-customer-administration doc_type: resourcePageType -ms.custom: zt-include --- # Granular delegated admin privileges (GDAP) API overview @@ -109,7 +108,7 @@ To manage delegated admin relationships, the calling principal must be in the pa -[!INCLUDE [zero-trust](~/../entra_docs/docs/includes/entra-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/api-reference/beta/resources/identitygovernance-overview.md b/api-reference/beta/resources/identitygovernance-overview.md index 25195b602fa..aafd707431c 100644 --- a/api-reference/beta/resources/identitygovernance-overview.md +++ b/api-reference/beta/resources/identitygovernance-overview.md @@ -6,7 +6,6 @@ author: "markwahl-msft" ms.prod: "governance" doc_type: conceptualPageType ms.date: 11/29/2022 -ms.custom: zt-include --- # Overview of Microsoft Entra ID Governance using Microsoft Graph @@ -63,7 +62,7 @@ The [terms of use APIs](/graph/api/resources/agreement) in Microsoft Graph allow -[!INCLUDE [zero-trust](~/../entra_docs/docs/includes/entra-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/api-reference/beta/resources/networkaccess-global-secure-access-api-overview.md b/api-reference/beta/resources/networkaccess-global-secure-access-api-overview.md index 61c26d289ff..adc635ac7fc 100644 --- a/api-reference/beta/resources/networkaccess-global-secure-access-api-overview.md +++ b/api-reference/beta/resources/networkaccess-global-secure-access-api-overview.md @@ -5,7 +5,6 @@ author: Moti-ba ms.localizationpriority: medium ms.prod: global-secure-access doc_type: resourcePageType -ms.custom: zt-include --- # Secure access to cloud, public, and private apps using Microsoft Graph network access APIs (preview) 
diff --git a/api-reference/beta/resources/partners-billing-api-overview.md b/api-reference/beta/resources/partners-billing-api-overview.md index d07d51f9ad1..b7adac429bc 100644 --- a/api-reference/beta/resources/partners-billing-api-overview.md +++ b/api-reference/beta/resources/partners-billing-api-overview.md @@ -5,7 +5,6 @@ author: "sourishdeb" ms.localizationpriority: medium ms.prod: "reports" doc_type: resourcePageType -ms.custom: zt-include --- # Use the Microsoft Graph API to export partner billing data @@ -29,7 +28,7 @@ To export reconciliation data, the calling principal must be in the partner tena -[!INCLUDE [zero-trust](~/../azure_docs/includes/active-directory-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/api-reference/beta/resources/permissions-management-api-overview.md b/api-reference/beta/resources/permissions-management-api-overview.md index 6504a688d0a..7636f278cfa 100644 --- a/api-reference/beta/resources/permissions-management-api-overview.md +++ b/api-reference/beta/resources/permissions-management-api-overview.md @@ -90,7 +90,7 @@ Other findings include: -[!INCLUDE [zero-trust](~/../entra_docs/docs/includes/entra-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/api-reference/beta/resources/privilegedidentitymanagement-for-groups-api-overview.md b/api-reference/beta/resources/privilegedidentitymanagement-for-groups-api-overview.md index 22dac9ea86a..2a610db1b91 100644 --- a/api-reference/beta/resources/privilegedidentitymanagement-for-groups-api-overview.md +++ b/api-reference/beta/resources/privilegedidentitymanagement-for-groups-api-overview.md @@ -114,7 +114,7 @@ When a principal's *temporary active* membership or ownership of a group expires -[!INCLUDE [zero-trust](~/../entra_docs/docs/includes/entra-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] 
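Review bot: The permissions-management-api-overview.md and the two PIM overview hunks only swap the include path, while the GDAP, governance, network access and billing files in this patch also drop `ms.custom: zt-include` from their front matter. Confirm those three files never carried that custom flag; if they do, remove it there too so the files that now use the local include are handled the same way.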
diff --git a/api-reference/beta/resources/privilegedidentitymanagementv3-overview.md b/api-reference/beta/resources/privilegedidentitymanagementv3-overview.md index ff72a6a013e..0c2c324b2da 100644 --- a/api-reference/beta/resources/privilegedidentitymanagementv3-overview.md +++ b/api-reference/beta/resources/privilegedidentitymanagementv3-overview.md @@ -125,7 +125,7 @@ All activities made through PIM for Microsoft Entra roles are logged in Microsof -[!INCLUDE [zero-trust](~/../entra_docs/docs/includes/entra-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/api-reference/v1.0/resources/delegatedadminrelationships-api-overview.md b/api-reference/v1.0/resources/delegatedadminrelationships-api-overview.md index 114ef200247..629cef29d03 100644 --- a/api-reference/v1.0/resources/delegatedadminrelationships-api-overview.md +++ b/api-reference/v1.0/resources/delegatedadminrelationships-api-overview.md @@ -5,7 +5,6 @@ author: "koravvams" ms.localizationpriority: medium ms.prod: partner-customer-administration doc_type: resourcePageType -ms.custom: zt-include --- # Granular delegated admin privileges (GDAP) API overview @@ -108,7 +107,7 @@ To manage delegated admin relationships, the calling principal must be in the pa -[!INCLUDE [zero-trust](~/../entra_docs/docs/includes/entra-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/api-reference/v1.0/resources/identitygovernance-overview.md b/api-reference/v1.0/resources/identitygovernance-overview.md index 31e0c2f05c9..a31722bbfe6 100644 --- a/api-reference/v1.0/resources/identitygovernance-overview.md +++ b/api-reference/v1.0/resources/identitygovernance-overview.md @@ -6,7 +6,6 @@ author: "markwahl-msft" ms.prod: "governance" doc_type: conceptualPageType ms.date: 11/15/2023 -ms.custom: zt-include --- # Overview of Microsoft Entra ID Governance using Microsoft Graph 
@@ -61,7 +60,7 @@ The [terms of use APIs](/graph/api/resources/agreement) in Microsoft Graph allow -[!INCLUDE [zero-trust](~/../entra_docs/docs/includes/entra-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/api-reference/v1.0/resources/partners-billing-api-overview.md b/api-reference/v1.0/resources/partners-billing-api-overview.md index c26ad368900..4fb4f4c965e 100644 --- a/api-reference/v1.0/resources/partners-billing-api-overview.md +++ b/api-reference/v1.0/resources/partners-billing-api-overview.md @@ -5,7 +5,6 @@ author: "sourishdeb" ms.localizationpriority: medium ms.prod: "reports" doc_type: resourcePageType -ms.custom: zt-include --- # Use the Microsoft Graph API to export partner billing data @@ -27,7 +26,7 @@ To export reconciliation data, the calling principal must be in the partner tena -[!INCLUDE [zero-trust](~/../azure_docs/includes/active-directory-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/api-reference/v1.0/resources/privilegedidentitymanagement-for-groups-api-overview.md b/api-reference/v1.0/resources/privilegedidentitymanagement-for-groups-api-overview.md index 2593c4e7394..964560cc16a 100644 --- a/api-reference/v1.0/resources/privilegedidentitymanagement-for-groups-api-overview.md +++ b/api-reference/v1.0/resources/privilegedidentitymanagement-for-groups-api-overview.md @@ -114,7 +114,7 @@ When a principal's *temporary active* membership or ownership of a group expires -[!INCLUDE [zero-trust](~/../entra_docs/docs/includes/entra-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/api-reference/v1.0/resources/privilegedidentitymanagementv3-overview.md b/api-reference/v1.0/resources/privilegedidentitymanagementv3-overview.md index a19cf73cdd1..8a8bbde28af 100644 --- a/api-reference/v1.0/resources/privilegedidentitymanagementv3-overview.md 
+++ b/api-reference/v1.0/resources/privilegedidentitymanagementv3-overview.md @@ -89,7 +89,7 @@ For more information about using Microsoft Graph to configure rules, see [Overvi -[!INCLUDE [zero-trust](~/../entra_docs/docs/includes/entra-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] -[!INCLUDE [zero-trust](~/../entra_docs/docs/includes/entra-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/includes/identity-zero-trust.md b/includes/identity-zero-trust.md new file mode 100644 index 00000000000..361790a0691 --- /dev/null +++ b/includes/identity-zero-trust.md @@ -0,0 +1,13 @@ +--- +ms.service: entra-id +ms.topic: include +--- +## Zero Trust + +This feature helps organizations to align their [identities](/security/zero-trust/deploy/identity) with the three guiding principles of a Zero Trust architecture: + +- Verify explicitly +- Use least privilege +- Assume breach + +To find out more about Zero Trust and other ways to align your organization to the guiding principles, see the [Zero Trust Guidance Center](/security/zero-trust/). From 332661e9a50b3bbf73af9e9ca30079dab204bf19 Mon Sep 17 00:00:00 2001 From: Faith Moraa Ombongi Date: Mon, 4 Mar 2024 13:25:59 +0300 Subject: [PATCH 74/76] Fix links --- .../networkaccess-global-secure-access-api-overview.md | 2 +- concepts/azuread-identity-access-management-concept-overview.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/api-reference/beta/resources/networkaccess-global-secure-access-api-overview.md b/api-reference/beta/resources/networkaccess-global-secure-access-api-overview.md index adc635ac7fc..aeaf3284184 100644 --- a/api-reference/beta/resources/networkaccess-global-secure-access-api-overview.md +++ b/api-reference/beta/resources/networkaccess-global-secure-access-api-overview.md 
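Review bot: The v1.0 privilegedidentitymanagementv3-overview.md hunk (`@@ -89,7 +89,7 @@`) shows the Zero Trust include being replaced twice, two `-[!INCLUDE ...]` / `+[!INCLUDE ...]` pairs in one 7-line hunk, yet the diffstat reports one insertion and one deletion for this file. Check whether the include really appears twice in that file; if it does, delete the second copy instead of rewriting it, and if the doubled pair is an artifact, the hunk as shown doesn't match the stat.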
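Review bot: In the new includes/identity-zero-trust.md, the `## Zero Trust` heading follows the closing `---` of the front matter with no blank line in between; the markdown in the rest of this repository separates front matter from the first heading, and some renderers fold a heading that immediately follows the front-matter fence into it. The body text and the three-principle list are fine as written.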
@@ -102,7 +102,7 @@ The Global Secure Access services enable you to enrich the [Microsoft 365 audit -[!INCLUDE [zero-trust](~/../azure_docs/includes/active-directory-zero-trust.md)] +[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] diff --git a/concepts/azuread-identity-access-management-concept-overview.md b/concepts/azuread-identity-access-management-concept-overview.md index bf956d2a9fa..d5d07a921af 100644 --- a/concepts/azuread-identity-access-management-concept-overview.md +++ b/concepts/azuread-identity-access-management-concept-overview.md @@ -85,7 +85,7 @@ Use the **Global Secure Access APIs** for identity-centric configurations to sec -[!INCLUDE [zero-trust](../../../includes/identity-zero-trust.md)] +[!INCLUDE [identity-zero-trust](../includes/identity-zero-trust.md)] From f46c81f36e0d4d0dd8f2ed26e69ce94f46166da3 Mon Sep 17 00:00:00 2001 From: Laura Graham Date: Mon, 4 Mar 2024 14:36:30 -0800 Subject: [PATCH 75/76] Update verifieddomain.md --- api-reference/beta/resources/verifieddomain.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/api-reference/beta/resources/verifieddomain.md b/api-reference/beta/resources/verifieddomain.md index 34ea5aeddd1..8a45cc03599 100644 --- a/api-reference/beta/resources/verifieddomain.md +++ b/api-reference/beta/resources/verifieddomain.md @@ -17,6 +17,7 @@ Specifies a domain for a tenant. The **verifiedDomains** property of the [organi ## Properties + | Property | Type | Description | |:-------------|:--------|:-------------------------------------------------------------------------------------| | capabilities | String | For example, `Email`, `OfficeCommunicationsOnline`. | @@ -27,7 +28,7 @@ Specifies a domain for a tenant. The **verifiedDomains** property of the [organi ## JSON representation -Here's a JSON representation of the resource +The following JSON representation shows the resource type.
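Review bot: Two points on the link fixes. The corrected path `../includes/identity-zero-trust.md` is right for a file under concepts/ (the previous patch's `../../../includes/...` climbed above the repository root from there), but this hunk also renames the include label to `identity-zero-trust` while every other call site converted in the previous patch keeps `zero-trust`; pick one label. And the network access overview hunk only exists because the previous patch removed the `azure_docs` repository without updating this file's include; it belongs in that commit rather than a follow-up "Fix links" patch.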
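Review bot: In the verifieddomain.md hunk, the **capabilities** row still documents the property only by example (`For example, \`Email\`, \`OfficeCommunicationsOnline\`.`) and, given its `String` type, doesn't say whether several capabilities come back as one comma-separated value or how a caller should parse it. Since the table is being touched (blank line added above it) and the JSON intro reworded, this is a good moment to state the format. The wording change to `The following JSON representation shows the resource type.` is fine.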