Merge pull request #6226 from MicrosoftDocs/main
12/6/2024 PM Publish
Taojunshen authored Dec 6, 2024
2 parents f1d20ed + e30a4aa commit 5e7519a
Showing 24 changed files with 98 additions and 89 deletions.
5 changes: 4 additions & 1 deletion docs/global-secure-access/how-to-install-windows-client.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: The Global Secure Access client for Windows
description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the Windows client.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 11/12/2024
ms.date: 12/06/2024
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
Expand Down Expand Up @@ -157,6 +157,9 @@ Since QUIC isn't yet supported for Internet Access, traffic to ports 80 UDP and
Administrators can disable QUIC protocol triggering clients to fall back to HTTPS over TCP, which is fully supported in Internet Access. For more information, see [QUIC not supported for Internet Access](troubleshoot-global-secure-access-client-diagnostics-health-check.md#quic-not-supported-for-internet-access).

### WSL 2 connectivity
When the Global Secure Access client for Windows is enabled on the host machine, outgoing connections from the Windows Subsystem for Linux (WSL) 2 environment might be blocked. To mitigate this occurrence, create a `.wslconfig` file that sets dnsTunneling to **false**. This way, all traffic from the WSL bypasses Global Secure Access and goes directly to the network. For more information, see [Advanced settings configuration in WSL](/windows/wsl/wsl-config#wslconfig).

## Troubleshooting
To troubleshoot the Global Secure Access client, right-click the client icon in the taskbar and select one of the troubleshooting options: **Collect logs** or **Advanced diagnostics**.

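Review bot: the WSL 2 workaround in the added paragraph is a policy bypass, not just a connectivity fix; the sentence "all traffic from the WSL bypasses Global Secure Access and goes directly to the network" should be called out explicitly as the trade-off (WSL traffic is neither protected nor logged by the client while this setting is in place) so an administrator can decide whether that is acceptable. It would also help to show the exact `.wslconfig` fragment the reader is expected to write (the `[wsl2]` section with `dnsTunneling=false`) instead of describing it in prose, and "To mitigate this occurrence" reads better as "To work around this".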
Expand Down
17 changes: 14 additions & 3 deletions docs/id-protection/concept-identity-protection-risks.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ Detections triggered in real-time take 5-10 minutes to surface details in the re
> Our system might detect that the risk event that contributed to the risk user risk score was either:
>
> - A false positive
> - Theuser risk was [remediatedby policy](howto-identity-protection-remediate-unblock.md) by either:
> - The user risk was [remediated by policy](howto-identity-protection-remediate-unblock.md) by either:
> - Completing multifactor authentication
> - Secure password change
>
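Review bot: while fixing "Theuser" and "remediatedby" in this blockquote, the unchanged context line above it still reads "the risk event that contributed to the risk user risk score", which has a duplicated "risk"; suggest "contributed to the user risk score".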
Expand All @@ -62,7 +62,7 @@ These fields are essential for real-time monitoring, threat response, and mainta
| [Activity from anonymous IP address](#activity-from-anonymous-ip-address) | Offline | Premium | riskyIPAddress |
| [Additional risk detected (sign-in)](#additional-risk-detected-sign-in) | Real-time or Offline | Nonpremium | generic = Premium detection classification for non-P2 tenants |
| [Admin confirmed user compromised](#admin-confirmed-user-compromised) | Offline | Nonpremium | adminConfirmedUserCompromised |
| [Anomalous Token](#anomalous-token) | Real-time or Offline | Premium | anomalousToken |
| [Anomalous Token (sign-in)](#anomalous-token-sign-in) | Real-time or Offline | Premium | anomalousToken |
| [Anonymous IP address](#anonymous-ip-address) | Real-time | Nonpremium | anonymizedIPAddress |
| [Atypical travel](#atypical-travel) | Offline | Premium | unlikelyTravel |
| [Impossible travel](#impossible-travel) | Offline | Premium | mcasImpossibleTravel |
Expand All @@ -79,6 +79,7 @@ These fields are essential for real-time monitoring, threat response, and mainta
| [Verified threat actor IP](#verified-threat-actor-ip) | Real-time | Premium | nationStateIP |
| **User risk detections** | | | |
| [Additional risk detected (user)](#additional-risk-detected-user) | Real-time or Offline | Nonpremium | generic = Premium detection classification for non-P2 tenants |
| [Anomalous Token (user)](#anomalous-token-user) | Real-time or Offline | Premium | anomalousToken |
| [Anomalous user activity](#anomalous-user-activity) | Offline | Premium | anomalousUserActivity |
| [Attacker in the Middle](#attacker-in-the-middle) | Offline | Premium | attackerinTheMiddle |
| [Leaked credentials](#leaked-credentials) | Offline | Nonpremium | leakedCredentials |
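Review bot: the new "Anomalous Token (user)" row and the renamed "Anomalous Token (sign-in)" row both list the same riskEventType value, `anomalousToken`, so a reader filtering detections by that value in the API cannot tell the two apart from the table. A short note in the prose (or a footnote on the rows) stating that the riskEventType is shared and how the user-level and sign-in-level detections are distinguished would prevent that confusion.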
Expand All @@ -100,7 +101,9 @@ The following premium detections are visible only to Microsoft Entra ID P2 custo

Calculated offline. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/defender-cloud-apps/anomaly-detection-policy#activity-from-anonymous-ip-addresses). This detection identifies that users were active from an IP address identified as an anonymous proxy IP address.

#### Anomalous token
<a name='anomalous-token'></a>

#### Anomalous token (sign-in)

Calculated in real-time or offline. This detection indicates abnormal characteristics in the token, such as an unusual lifetime or a token played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens.

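Review bot: keeping the old `<a name='anomalous-token'></a>` anchor above the renamed heading is the right call for inbound links. In the unchanged description below it, "a token played from an unfamiliar location" should read "replayed", which is the term the investigation guidance uses; worth fixing while the heading is being touched.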
Expand Down Expand Up @@ -176,6 +179,14 @@ Calculated in real-time. This risk detection type indicates sign-in activity tha

### Premium user risk detections

#### Anomalous token (user)

Calculated in real-time or offline. This detection indicates abnormal characteristics in the token, such as an unusual lifetime or a token played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens.

Anomalous token is tuned to incur more noise than other detections at the same risk level. This tradeoff is chosen to increase the likelihood of detecting replayed tokens that might otherwise go unnoticed. There's a higher than normal chance that some of the sessions flagged by this detection are false positives. We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. If the location, application, IP address, User Agent, or other characteristics are unexpected for the user, the administrator should consider this risk as an indicator of potential token replay.

[Tips for investigating anomalous token detections.](howto-identity-protection-investigate-risk.md#investigating-anomalous-token-and-token-issuer-anomaly-detections)

#### Anomalous user activity

Calculated offline. This risk detection baselines normal administrative user behavior in Microsoft Entra ID, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrator making the change or the object that was changed.
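Review bot: the added "Anomalous token (user)" section repeats the sign-in section's description word for word ("Calculated in real-time or offline. This detection indicates abnormal characteristics in the token ...") and never says what is different about the user-level detection, such as what causes it to be raised against the user rather than the individual sign-in. Suggest one or two sentences explaining that distinction, and "played from an unfamiliar location" should be "replayed" here as well.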
Expand Down
7 changes: 5 additions & 2 deletions docs/identity/app-provisioning/known-issues.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ manager: amycolannino
ms.service: entra-id
ms.subservice: app-provisioning
ms.topic: troubleshooting
ms.date: 07/17/2024
ms.date: 12/06/2024
ms.reviewer: arvinh
zone_pivot_groups: app-provisioning-cross-tenant-synchronization
---
Expand All @@ -34,7 +34,7 @@ This article discusses known issues to be aware of when you work with app provis

ProxyAddresses is a [read-only property in Microsoft Graph](https://go.microsoft.com/fwlink/?linkid=2272551). It can be included as a source attribute in your mappings, but cannot be set as a target attribute.

### Provisioning users
### SMS sign-in enabled users are skipped

An external user from the source (home) tenant can't be provisioned into another tenant. Internal guest users from the source tenant can't be provisioned into another tenant. Only internal member users from the source tenant can be provisioned into the target tenant. For more information, see [Properties of a Microsoft Entra B2B collaboration user](~/external-id/user-properties.md).

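Review bot: the heading is renamed to "SMS sign-in enabled users are skipped", but the paragraph under it is about external and internal guest users not being provisioned into another tenant and does not mention SMS sign-in at all, so the heading no longer matches its body. Either the paragraph about SMS sign-in users is missing from this hunk or the old "Provisioning users" heading should stay and the new heading should sit above its own paragraph.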
Expand All @@ -53,6 +53,9 @@ Where [GuestUserUPN] is the calculated UserPrincipalName. Example:

For more information, see [About the Exchange Online PowerShell module](/powershell/exchange/exchange-online-powershell-v2).

### Mail attribute is not updated
If the user in the target tenant is assigned an exchange license, cross-tenant synchronization will not be able to update the mail attribute. To work around this, remove the exchange license for the user, update the mail attribute, and assign the license to the user again.

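Review bot: the new "Mail attribute is not updated" section lacks the blank line after the heading that every other heading in this file has (compare "### Configuring synchronization from target tenant" below), and "exchange license" should be "Exchange license" (product name). The sentence also uses "will not be able to" while the rest of this PR moves to contractions, so "isn't able to" would match the house style. Since the workaround temporarily removes a license from a live user, consider adding a line on what the administrator should expect for that user's mailbox during the window.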
### Configuring synchronization from target tenant

Configuring synchronization from the target tenant isn't supported. All configurations must be done in the source tenant. The target administrator is able to turn off cross-tenant synchronization at any time.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ The following list is provided as a reference and includes a detailed list of se

- App Studio for Microsoft Teams
- Augmentation Loop
- Augmentation Loop
- Call Recorder
- Connectors
- DataSecurityInvestigation
Expand All @@ -41,7 +40,6 @@ The following list is provided as a reference and includes a detailed list of se
- make.gov.powerapps.us
- make.powerapps.com
- Media Analysis and Transformation Service
- Media Analysis and Transformation Service
- Message Recall
- Messaging Async Media
- MessagingAsyncMediaProd
Expand Down Expand Up @@ -84,7 +82,6 @@ The following list is provided as a reference and includes a detailed list of se
- Natural Language Editor
- O365 Diagnostic Service
- O365 Suite UX
- O365 Suite UX
- O365 Suite UX PathFinder
- OCPS Checkin Service
- Office 365
Expand All @@ -93,11 +90,9 @@ The following list is provided as a reference and includes a detailed list of se
- Office 365 Search Service
- Office 365 SharePoint Online
- Office Delve
- Office Delve
- Office Hive
- Office Hive Fairfax
- Office MRO Device Manager Service
- Office MRO Device Manager Service
- Office Online Add-in SSO
- Office Online Augmentation Loop SSO
- Office Online Core SSO
Expand All @@ -115,12 +110,10 @@ The following list is provided as a reference and includes a detailed list of se
- Office.com
- Office365 Shell DoD WCSS-Client
- Office365 Shell WCSS-Client
- Office365 Shell WCSS-Client
- OfficeClientService
- OfficeHome
- OfficePowerPointSGS
- OfficeServicesManager
- OfficeServicesManager
- One Outlook Web
- OneDrive
- OneDrive SyncEngine
Expand All @@ -136,7 +129,6 @@ The following list is provided as a reference and includes a detailed list of se
- SharePoint eSignature
- SharePoint eSignature PPE
- SharePoint Online Web Client Extensibility
- SharePoint Online Web Client Extensibility
- SharePoint Online Web Client Extensibility Isolated
- Skype and Teams Tenant Admin API
- Skype for Business
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: Federating multiple Microsoft Entra ID with single AD FS
description: In this document, you will learn how to federate multiple Microsoft Entra ID with a single AD FS.
title: Federating multiple Microsoft Entra IDs with single AD FS
description: In this document, you'll learn how to federate multiple Microsoft Entra IDs with a single AD FS.
keywords: federate, ADFS, AD FS, multiple tenants, single AD FS, one ADFS, multi-tenant federation, multi-forest adfs, aad connect, federation, cross-tenant federation

author: billmath
Expand All @@ -9,15 +9,15 @@ ms.service: entra-id
ms.tgt_pltfrm: na
ms.custom: has-azure-ad-ps-ref
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.subservice: hybrid-connect
ms.author: billmath

---

# Federate multiple instances of Microsoft Entra ID with single instance of AD FS

A single high available AD FS farm can federate multiple forests if they have 2-way trust between them. These multiple forests may or may not correspond to the same Microsoft Entra ID. This article provides instructions on how to configure federation between a single AD FS deployment and multiple instances of Microsoft Entra ID.
A single high available AD FS farm can federate multiple forests if they have two-way trust between them. These multiple forests may or may not correspond to the same Microsoft Entra ID. This article provides instructions on how to configure federation between a single AD FS deployment and multiple instances of Microsoft Entra ID.

![Multi-tenant federation with single AD FS](./media/how-to-connect-fed-single-adfs-multitenant-federation/concept.png)

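Review bot: the change from "2-way trust" to "two-way trust" is good, but the same line still says "A single high available AD FS farm", which should be "highly available".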
Expand All @@ -29,7 +29,7 @@ A single high available AD FS farm can federate multiple forests if they have 2-
<a name='steps-for-federating-ad-fs-with-multiple-azure-ad'></a>

## Steps for federating AD FS with multiple Microsoft Entra ID
## Steps for federating AD FS with multiple Microsoft Entra IDs

Consider a domain contoso.com in Microsoft Entra contoso.onmicrosoft.com is already federated with the AD FS on-premises installed in contoso.com on-premises Active Directory environment. Fabrikam.com is a domain in fabrikam.onmicrosoft.com Microsoft Entra ID.

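Review bot: renaming the heading to "Steps for federating AD FS with multiple Microsoft Entra IDs" changes the auto-generated anchor, so any existing link to the previous Entra heading anchor will break. The hunk already preserves the older Azure AD anchor with `<a name='steps-for-federating-ad-fs-with-multiple-azure-ad'></a>`; suggest adding the previous Entra anchor the same way. The unchanged sentence below, "Consider a domain contoso.com in Microsoft Entra contoso.onmicrosoft.com is already federated ...", is also missing a word ("Consider that a domain contoso.com in ... is already federated").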
Expand All @@ -39,7 +39,7 @@ For AD FS in contoso.com to be able to authenticate users in fabrikam.com, a two

## Step 2: Modify contoso.com federation settings

The default issuer set for a single domain federated to AD FS is "http\://ADFSServiceFQDN/adfs/services/trust", for example, `http://fs.contoso.com/adfs/services/trust`. Microsoft Entra ID requires unique issuer for each federated domain. Because AD FS is going to federate two domains, the issuer value needs to be modified so that it is unique.
The default issuer set for a single domain federated to AD FS is "http\://ADFSServiceFQDN/adfs/services/trust", for example, `http://fs.contoso.com/adfs/services/trust`. Microsoft Entra ID requires unique issuer for each federated domain. Because AD FS is going to federate two domains, the issuer value needs to be modified so that it's unique.

[!INCLUDE [Azure AD PowerShell deprecation note](~/../docs/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]

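Review bot: the edited line changes "it is" to "it's" but leaves "Microsoft Entra ID requires unique issuer for each federated domain", which needs an article: "requires a unique issuer".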
Expand All @@ -53,7 +53,7 @@ Update the federation settings for `contoso.com`:

`Update-MsolFederatedDomain -DomainName contoso.com –SupportMultipleDomain`

Issuer in the domain federation setting will be changed to `http://contoso.com/adfs/services/trust` and an issuance claim rule will be added for the Microsoft Entra ID Relying Party Trust to issue the correct issuerId value based on the UPN suffix.
Issuer in the domain federation setting is changed to `http://contoso.com/adfs/services/trust` and an issuance claim rule is added for the Microsoft Entra ID Relying Party Trust to issue the correct issuerId value based on the UPN suffix.

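Review bot: the unchanged command line in this hunk, `Update-MsolFederatedDomain -DomainName contoso.com –SupportMultipleDomain`, uses an en dash before SupportMultipleDomain rather than a hyphen, so PowerShell will not recognize it as a parameter if it is copied as-is. Replace it with `-SupportMultipleDomain`, and consider putting the command in a fenced PowerShell block like the one used in step 3 so the character survives rendering.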
## Step 3: Federate fabrikam.com with AD FS

Expand All @@ -69,7 +69,7 @@ Convert the fabrikam.com managed domain to federated:
Convert-MsolDomainToFederated -DomainName fabrikam.com -Verbose -SupportMultipleDomain
```

The above operation will federate the domain fabrikam.com with the same AD FS. You can verify the domain settings by using Get-MsolDomainFederationSettings for both domains.
The prior operation federates the domain fabrikam.com with the same AD FS. You can verify the domain settings by using Get-MsolDomainFederationSettings for both domains.

## Next steps
[Connect Active Directory with Microsoft Entra ID](../whatis-hybrid-identity.md)
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ ms.assetid: 7c781f61-848a-48ad-9863-eb29da78f53c
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.subservice: hybrid-connect
author: billmath
ms.author: billmath
Expand Down
2 changes: 1 addition & 1 deletion docs/identity/hybrid/connect/how-to-connect-fed-whatis.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ ms.assetid: f9107cf5-0131-499a-9edf-616bf3afef4d
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ ms.reviewer: darora10
ms.service: entra-id
ms.topic: how-to
ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ ms.service: entra-id
ms.subservice: hybrid-connect
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.author: billmath

---
Expand Down
2 changes: 1 addition & 1 deletion docs/identity/hybrid/connect/how-to-connect-health-adds.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ ms.service: entra-id
ms.subservice: hybrid-connect
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.author: billmath


Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ ms.service: entra-id
ms.subservice: hybrid-connect
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.author: billmath
ms.custom:
ms.collection:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ ms.service: entra-id
ms.subservice: hybrid-connect
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.author: billmath
ms.custom: H1Hack27Feb2017

Expand Down
2 changes: 1 addition & 1 deletion docs/identity/hybrid/connect/how-to-connect-health-adfs.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ ms.service: entra-id
ms.subservice: hybrid-connect
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.author: billmath
ms.custom: H1Hack27Feb2017

Expand Down
Original file line number Diff line number Diff line change
@@ -1,26 +1,26 @@
---
title: Microsoft Entra Connect Health - Health service data is not up to date alert
description: This document describes the cause of "Health service data is not up to date" alert and how to troubleshoot it.
title: Microsoft Entra Connect Health - Health service data isn't up to date alert
description: This document describes the cause of "Health service data isn't up to date" alert and how to troubleshoot it.

author: billmath
manager: amycolannino
ms.service: entra-id
ms.subservice: hybrid-connect
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 11/06/2023
ms.date: 12/05/2024
ms.author: billmath

---

# Health service data is not up to date alert
# Health service data isn't up to date alert

## Overview

The agents on the on-premises machines that Microsoft Entra Connect Health monitors periodically upload data to the Microsoft Entra Connect Health Service. If the service does not receive data from an agent, the information the portal presents will be stale. To highlight the issue, the service will raise the **Health service data is not up to date** alert. This alert is generated when the service has not received complete data in the past two hours.
The agents on the on-premises machines that Microsoft Entra Connect Health monitors periodically upload data to the Microsoft Entra Connect Health Service. If the service doesn't receive data from an agent, the information the portal presents will be stale. To highlight the issue, the service raises the **Health service data isn't up to date** alert. This alert is generated when the service hasn't received complete data in the past two hours.

- The **Warning** status alert fires if the Health Service has received only **partial** data types sent from the server in the past two hours. The warning status alert does not trigger email notifications to configured recipients.
- The **Error** status alert fires if the Health Service has not received any data types from the server in the past two hours. The error status alert triggers email notifications to configured recipients.
- The **Warning** status alert fires if the Health Service received only **partial** data types sent from the server in the past two hours. The warning status alert doesn't trigger email notifications to configured recipients.
- The **Error** status alert fires if the Health Service hasn't received any data types from the server in the past two hours. The error status alert triggers email notifications to configured recipients.

The service gets the data from agents that are running on the on-premises machines, depending on the service type. The following table lists the agents that run on the machine, what they do, and the data types that the service generates. In some cases, there are multiple services involved in the process, so any of them could be the culprit.

Expand Down Expand Up @@ -59,7 +59,7 @@ The steps required to diagnose the issue is given below. The first is a set of b


## Next steps
If any of the above steps identified an issue, fix it and wait for the alert to resolve. The alert background process runs every 2 hours, so it will take up to 2 hours to resolve the alert.
If any of the above steps identified an issue, fix it and wait for the alert to resolve. The alert background process runs every 2 hours, so it can take up to 2 hours to resolve the alert.

* [Microsoft Entra Connect Health data retention policy](reference-connect-health-user-privacy.md#data-retention-policy)
* [Microsoft Entra Connect Health FAQ](reference-connect-health-faq.yml)
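Review bot: the hunk's context line "The steps required to diagnose the issue is given below" has a subject-verb agreement error ("are given below"); suggest fixing it alongside the "will take" to "can take" change.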