Merge pull request #6334 from MicrosoftDocs/main
Publish to live, Tuesday 4 AM PST, 12/17
ttorble authored Dec 17, 2024
2 parents de38619 + c8ccdea commit 42ddce3
Showing 12 changed files with 86 additions and 37 deletions.
2 changes: 0 additions & 2 deletions .docutune/dictionaries/known-guids.json
Original file line number Diff line number Diff line change
Expand Up @@ -3652,10 +3652,8 @@
"Department Reader" : "db609904-a47f-4794-9be8-9bd86fbffd8a",
"Account Owner" : "c15c22c0-9faf-424c-9b7e-bd91c06a240b",
"DefaultChannelAuthTenant (botframework.com)" : "d6d49420-f39b-4df7-a1dc-d59a935871db",
"Microsoft tenant ID" : "72f988bf-86f1-41af-91ab-2d7cd011db47",
"PME tenant ID" : "975f013f-7f24-47e8-a7d3-abc4752bf346",
"Torus tenant ID" : "cdc5aeea-15c5-4db6-b079-fcadd2505dc2",
"AME tenant ID" : "33e01921-4d64-4f8c-a055-5bdaffd5e33d",
"Azure AI Bot Service token store app ID" : "5b404cf4-a79d-4cfe-b866-24bf8e1a4921",
"Azure Communication Services app ID" : "c880d6fb-5c66-49ef-9cf5-e53e31900be5",
"Omnichannel for Customer Service" : "a950df6d-e658-48fc-b494-ec69d8d9731b",
Expand Down
34 changes: 22 additions & 12 deletions docs/external-id/customers/toc.yml
Original file line number Diff line number Diff line change
Expand Up @@ -302,6 +302,12 @@ items:
href: concept-authentication-methods-customers.md
- name: Multifactor authentication (MFA)
href: concept-multifactor-authentication-customers.md
- name: Custom authentication extensions
items:
- name: Overview
href: ~/identity-platform/custom-extension-overview.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Custom claims provider
href: ~/identity-platform/custom-claims-provider-overview.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Native authentication
items:
- name: Native authentication
Expand All @@ -318,8 +324,6 @@ items:
href: concept-custom-url-domain.md
- name: Get started guide features explained
href: concept-guide-explained.md
- name: Adding your own business logic
href: concept-custom-extensions.md
- name: Security and governance
href: concept-security-customers.md
- name: Frequently asked questions (FAQ)
Expand Down Expand Up @@ -407,24 +411,30 @@ items:
href: how-to-custom-url-domain.md
- name: Configure optional claims
href: /entra/identity-platform/optional-claims?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Advanced extensions
- name: Custom authentication extensions
items:
- name: Add logic to attribute collection
- name: Custom claims provider
items:
- name: Create REST API for token issuance event
href: ~/identity-platform/custom-extension-tokenissuancestart-setup.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Configure a custom claims provider token issuance event
href: ~/identity-platform/custom-extension-tokenissuancestart-configuration.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Configure a SAML app to call a custom claims provider
href: ~/identity-platform/custom-extension-configure-saml-app.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Custom claims provider reference
href: ~/identity-platform/custom-claims-provider-reference.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Attribute collection
items:
- name: Create attribute collection start and submit events
href: ~/identity-platform/custom-extension-attribute-collection.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: OnAttributeCollectionStart event reference
href: ~/identity-platform/custom-extension-OnAttributeCollectionStart-reference.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: OnAttributeCollectionSubmit event reference
href: ~/identity-platform/custom-extension-OnAttributeCollectionSubmit-reference.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Add claims from external systems
items:
- name: About custom authentication extensions
href: ~/identity-platform/custom-extension-overview.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Token issuance start event
href: ~/identity-platform/custom-extension-tokenissuancestart-configuration.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Troubleshoot your custom claims provider API
href: ~/identity-platform/custom-extension-troubleshoot.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Configure a custom email provider for one time code send events
href: ~/identity-platform/custom-extension-email-otp-get-started.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Troubleshoot your custom authentication extension
href: ~/identity-platform/custom-extension-troubleshoot.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json
- name: Secure
items:
- name: Multifactor authentication
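Review bot: Two pairs of entries in this hunk share a target: "Troubleshoot your custom claims provider API" and "Troubleshoot your custom authentication extension" both link to custom-extension-troubleshoot.md, and "Token issuance start event" and "Configure a custom claims provider token issuance event" both link to custom-extension-tokenissuancestart-configuration.md. The rendered view does not show which side of the diff each line is on, so confirm that only one entry per page remains under "Custom authentication extensions". The same check applies to custom-extension-overview.md, which appears here as "About custom authentication extensions" and in the first hunk of this file as "Overview".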
Expand Down
9 changes: 8 additions & 1 deletion docs/global-secure-access/how-to-application-discovery.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Application Discovery (Preview) for Global Secure Access
description: Use Application discovery to detect the applications accessed by users and create separate private applications.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 12/09/2024
ms.date: 12/16/2024
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
Expand All @@ -13,6 +13,10 @@ ms.reviewer: lirazbarak
# Customer intent: As an administrator, I want to use Application discovery to detect the applications accessed by users and create separate private applications.
---
# Application discovery (Preview) for Global Secure Access
> [!IMPORTANT]
> Application discovery is currently in PREVIEW.
> This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Application discovery enables administrators to gain comprehensive visibility into application usage within their corporate network. By identifying which applications are accessed and by whom, administrators can create private applications with precise segmentation and least privilege access, which minimizes unnecessary access.

With Quick Access, you can quickly onboard to Private Access by publishing wide IP ranges and wildcard FQDNs, as you would with traditional VPN solutions. You can then transition from Quick Access to per-application publishing for better control and granularity over each application. For example, you can create a conditional access policy and set user assignments per application.
Expand Down Expand Up @@ -94,3 +98,6 @@ Before you decide to create a private application, you might want to review othe
:::image type="content" source="media/how-to-application-discovery/users-tab.png" alt-text="Screenshot of the Users tab showing the list of users.":::
> [!IMPORTANT]
> Use the list of users to inform the decisions you make regarding the users and groups that you plan to assign to the Entra application once you onboard the selected application segment.
## Related content
* [How to configure Quick Access for Global Secure Access](how-to-configure-quick-access.md)
8 changes: 5 additions & 3 deletions docs/global-secure-access/how-to-install-android-client.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: The Global Secure Access client for Android
description: Install the Global Secure Access Android client.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 09/09/2024
ms.date: 12/16/2024
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
Expand Down Expand Up @@ -33,7 +33,7 @@ This article explains the prerequisites and how to deploy the client onto Androi
- Tunneling IPv6 traffic isn't currently supported.
- Private Domain Name System (DNS) must be disabled on the device. This setting is often found in the System > Network and Internet options.
- Running non-Microsoft endpoint protection products alongside Microsoft Defender for Endpoint might cause performance problems and unpredictable system errors.
- Global Secure Access (GSA) coexistence with Microsoft Tunnel is not currently supported. For more information, see [Prerequisites for the Microsoft Tunnel in Intune](/mem/intune/protect/microsoft-tunnel-prerequisites).
- Global Secure Access (GSA) coexistence with Microsoft Tunnel isn't currently supported. For more information, see [Prerequisites for the Microsoft Tunnel in Intune](/mem/intune/protect/microsoft-tunnel-prerequisites).

## Supported scenarios

Expand Down Expand Up @@ -156,7 +156,9 @@ The Global Secure Access tile doesn't appear after onboarding the tenant to the
When attempting to access a Private Access application, the connection might time out after a successful interactive sign-in. Reloading the application through a web browser refresh should resolve the issue.

## Related content

- [About Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android)
- [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune)
- [Learn about managed Google Play apps and Android Enterprise devices with Intune](/mem/intune/apps/apps-add-android-for-work)
- [Global Secure Access client for Microsoft Windows](how-to-install-windows-client.md)
- [Global Secure Access client for macOS](how-to-install-macos-client.md)
- [Global Secure Access client for iOS](how-to-install-ios-client.md)
10 changes: 8 additions & 2 deletions docs/global-secure-access/how-to-install-ios-client.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: The Global Secure Access client for iOS (Preview)
description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the iOS client app.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 11/18/2024
ms.date: 12/16/2024
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
Expand All @@ -13,6 +13,9 @@ ms.reviewer: dhruvinrshah
# Customer intent: As an administrator, I want to set up and deploy the Global Secure Access mobile client for iOS devices.
---
# Global Secure Access client for iOS (Preview)
> [!IMPORTANT]
> The Global Secure Access client for iOS is currently in PREVIEW.
> This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
This article explains how to set up and deploy the Global Secure Access client app onto iOS and iPadOS devices. For simplicity, this article refers to both iOS and iPadOS as **iOS**.

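Review bot: The blank line around the `> [!IMPORTANT]` block looks to be missing on one side: this hunk is `-13,6 +13,9`, one line fewer than the same note in how-to-application-discovery.md and how-to-install-macos-client.md (both `+13,10`). Confirm that a blank line separates the last `>` line from "This article explains how to set up and deploy…"; without it, Markdown lazy continuation folds that paragraph into the alert.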
Expand Down Expand Up @@ -141,4 +144,7 @@ If the client is unable to connect, a toggle appears to disable the service. Use

## Related content
- [Microsoft Defender for Endpoint on iOS](/defender-endpoint/microsoft-defender-endpoint-ios)
- [Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune](/defender-endpoint/ios-install)
- [Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune](/defender-endpoint/ios-install)
- [Global Secure Access client for macOS](how-to-install-macos-client.md)
- [Global Secure Access client for Microsoft Windows](how-to-install-windows-client.md)
- [Global Secure Access client for Android](how-to-install-android-client.md)
11 changes: 10 additions & 1 deletion docs/global-secure-access/how-to-install-macos-client.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: The Global Secure Access client for macOS
description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the macOS client.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 11/26/2024
ms.date: 12/16/2024
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
Expand All @@ -13,6 +13,10 @@ ms.reviewer: lirazbarak
# Customer intent: macOS users, I want to download and install the Global Secure Access client.
---
# Global Secure Access client for macOS (Preview)
> [!IMPORTANT]
> The Global Secure Access client for macOS is currently in PREVIEW.
> This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
The Global Secure Access client, an essential component of Global Secure Access, helps organizations manage and secure network traffic on end-user devices. The client's main role is to route traffic that needs to be secured by Global Secure Access to the cloud service. All other traffic goes directly to the network. The [Forwarding Profiles](concept-traffic-forwarding.md), configured in the portal, determine which traffic the Global Secure Access client routes to the cloud service.

This article describes how to download and install the Global Secure Access client for macOS.
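Review bot: The note added under the H1 says the macOS client is in PREVIEW and the H1 carries "(Preview)", but the `title:` shown in this file's first hunk header is still "The Global Secure Access client for macOS" without it. The iOS article has "(Preview)" in both its title and H1; add it to the macOS `title:` as well so the metadata matches the note.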
Expand Down Expand Up @@ -244,3 +248,8 @@ Since QUIC isn't yet supported for Internet Access, traffic to ports 80 UDP and
> [!TIP]
> QUIC is currently supported in Private Access and Microsoft 365 workloads.
Administrators can disable QUIC protocol on browsers, triggering clients to fall back to HTTPS over TCP, which is fully supported in Internet Access. For more information, see [QUIC not supported for Internet Access](troubleshoot-global-secure-access-client-diagnostics-health-check.md#quic-not-supported-for-internet-access).

## Related content
- [Global Secure Access client for Microsoft Windows](how-to-install-windows-client.md)
- [Global Secure Access client for iOS](how-to-install-ios-client.md)
- [Global Secure Access client for Android](how-to-install-android-client.md)
7 changes: 6 additions & 1 deletion docs/global-secure-access/how-to-install-windows-client.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: The Global Secure Access client for Windows
description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the Windows client.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/16/2024
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
Expand Down Expand Up @@ -218,3 +218,8 @@ The administrator can show or hide specific buttons in the client system tray ic
:::image type="content" source="media/how-to-install-windows-client/global-secure-access-registry-key-private-hide-signout.png" alt-text="Screenshot showing the Registry Editor with the HideSignOutButton and HideDisablePrivateAccessButton registry keys highlighted.":::

For more information, see [Guidance for configuring IPv6 in Windows for advanced users](/troubleshoot/windows-server/networking/configure-ipv6-in-windows).

## Related content
- [Global Secure Access client for macOS](how-to-install-macos-client.md)
- [Global Secure Access client for Android](how-to-install-android-client.md)
- [Global Secure Access client for iOS](how-to-install-ios-client.md)
20 changes: 10 additions & 10 deletions docs/identity-platform/TOC.yml
Original file line number Diff line number Diff line change
Expand Up @@ -497,8 +497,16 @@
href: custom-extension-tokenissuancestart-configuration.md
- name: Configure a SAML app to call a custom claims provider
href: custom-extension-configure-saml-app.md
- name: Create attribute collection start and submit events
href: custom-extension-attribute-collection.md
- name: Custom claims provider reference
href: custom-claims-provider-reference.md
- name: Attribute collection
items:
- name: Create attribute collection start and submit events
href: custom-extension-attribute-collection.md
- name: Attribute collection start custom extension reference
href: custom-extension-OnAttributeCollectionStart-reference.md
- name: Attribute collection submit custom extension reference
href: custom-extension-OnAttributeCollectionSubmit-reference.md
- name: Configure a custom email provider for one time code send events
href: custom-extension-email-otp-get-started.md
- name: Troubleshoot your custom authentication extension
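Review bot: The display names under "Attribute collection" for custom-extension-OnAttributeCollectionStart-reference.md and custom-extension-OnAttributeCollectionSubmit-reference.md ("Attribute collection start custom extension reference", "Attribute collection submit custom extension reference") differ from the names the same pages carry in docs/external-id/customers/toc.yml ("OnAttributeCollectionStart event reference", "OnAttributeCollectionSubmit event reference"). Both TOCs are touched in this commit, so settle on one naming and use it in both.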
Expand Down Expand Up @@ -771,14 +779,6 @@
href: reply-url.md
- name: Validation differences by supported account types
href: supported-accounts-validation.md
- name: Custom authentication extensions reference
items:
- name: Custom claims provider reference
href: custom-claims-provider-reference.md
- name: Attribute collection start custom extension reference
href: custom-extension-OnAttributeCollectionStart-reference.md
- name: Attribute collection submit custom extension reference
href: custom-extension-OnAttributeCollectionSubmit-reference.md
- name: Endpoint reference
items:
- name: Admin consent URI
Expand Down
1 change: 1 addition & 0 deletions docs/identity-platform/custom-claims-provider-overview.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ titleSuffix: Microsoft identity platform
# Custom claims provider

This article provides an overview to the Microsoft Entra custom claims provider.

When a user authenticates to an application, a custom claims provider can be used to add claims into the token. A custom claims provider is made up of a custom authentication extension that calls an external REST API, to fetch claims from external systems. A custom claims provider can be assigned to one or many applications in your directory.

Key data about a user is often stored in systems external to Microsoft Entra ID. For example, secondary email, billing tier, or sensitive information. Some applications may rely on these attributes for the application to function as designed. For example, the application may block access to certain features based on a claim in the token.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ You can access your Communication Services connection strings and service endpoi

| Setting | Value (Example) | Description |
| ------------ | ---------------- | ----------- |
| **mail_connectionString** | A1bC2dE3fH4iJ5kL6mN7oP8qR9sT0u | The Azure Communication Services Primary Key. |
| **mail_connectionString** | `https://ciamotpcommsrvc.unitedstates.communication.azure.com/:accesskey=A1bC2dE3fH4iJ5kL6mN7oP8qR9sT0u` | The Azure Communication Services endpoint |
| **mail_sender** | <[email protected]> | The from email address. |
| **mail_subject** | CIAM Demo | The subject of the email. |

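Review bot: The new example value for **mail_connectionString** does not match the Azure Communication Services connection string format, and the description now hides that the setting contains a credential. A connection string has the form `endpoint=https://<resource>.communication.azure.com/;accesskey=<key>`; the example drops the `endpoint=` prefix and joins the two parts with `/:` instead of `/;`, so a reader who copies the pattern gets a value that will not parse. The description "The Azure Communication Services endpoint" should say it is the connection string (endpoint plus access key) and should end with a period like the other rows. Because the value embeds the access key, the row should also tell readers to treat it as a secret.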
Expand Down