diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 67ab47fc058a..9a632bfb84a7 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -32,6 +32,18 @@
"need_preview_pull_request": true,
"contribution_branch_mappings": {},
"dependent_repositories": [
+ {
+ "path_to_root": "azure-dev-docs-pr",
+ "url": "https://github.com/MicrosoftDocs/azure-dev-docs-pr",
+ "branch": "main",
+ "branch_mapping": {}
+ },
+ {
+ "path_to_root": "terraform_samples",
+ "url": "https://github.com/Azure/terraform",
+ "branch": "master",
+ "branch_mapping": {}
+ },
{
"path_to_root": "quickstart-templates",
"url": "https://github.com/Azure/azure-quickstart-templates",
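Review bot: The new `terraform_samples` entry at L16-L19 tracks the `master` branch of `Azure/terraform` with an empty `branch_mapping`, so each publish pulls that repository's current HEAD and any snippet referenced from it lands in the published docs without a review in this repo; the `azure-dev-docs-pr` entry at L10-L13 (`main`) has the same property. If that repository accepts changes from people outside the docs team, this is a supply-chain path into published guidance, so it is worth confirming who can push to `Azure/terraform` `master` and, if the publish tooling allows it, pointing `branch` at a docs-owned snapshot branch instead; the existing `azure-sql-binding-func-dotnet-todo` entry later in this file uses `"branch": "docs-snippets"` for exactly that purpose.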
@@ -79,7 +91,7 @@
"url": "https://github.com/Azure-Samples/msdocs-storage-bind-function-service",
"branch": "main",
"branch_mapping": {}
- },
+ },
{
"path_to_root": "azure_cli_scripts",
"url": "https://github.com/Azure-Samples/azure-cli-samples",
@@ -889,8 +901,13 @@
"url": "https://github.com/Azure-Samples/azure-sql-binding-func-dotnet-todo",
"branch": "docs-snippets",
"branch_mapping": {}
+ },
+ {
+ "path_to_root": "ms-identity-node",
+ "url": "https://github.com/Azure-Samples/ms-identity-node",
+ "branch": "main",
+ "branch_mapping": {}
}
-
],
"branch_target_mapping": {
"live": ["Publish", "PDF"],
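Review bot: `ms-identity-node` (L39-L42) is wired to its `main` branch, while the entry directly above it (`azure-sql-binding-func-dotnet-todo`, L35) uses a dedicated `docs-snippets` branch. Judging by the name this is an identity/authentication sample whose code will be quoted verbatim into sign-in guidance, so a change on `main` — say one that loosens token validation or adds credential logging while debugging — would republish silently with no review here; consider `"branch": "docs-snippets"` (or another frozen branch) to match the neighbouring entry. The blank-line removal at L44 is cosmetic.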
diff --git a/.openpublishing.redirection.azure-monitor.json b/.openpublishing.redirection.azure-monitor.json
index 83a19daf4a0a..2d48525503f6 100644
--- a/.openpublishing.redirection.azure-monitor.json
+++ b/.openpublishing.redirection.azure-monitor.json
@@ -162,7 +162,7 @@
},
{
"source_path_from_root": "/articles/azure-monitor/alerts/alerts-metric-overview.md" ,
- "redirect_url": "/azure/azure-monitor/alerts/alert-types.md#metric-alerts",
+ "redirect_url": "/azure/azure-monitor/alerts/alert-types.md",
"redirect_document_id": false
},
{
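Review bot: The edited `redirect_url` at L57 still ends in `.md` (`/azure/azure-monitor/alerts/alert-types.md`), whereas every other `redirect_url` in this diff is an extensionless published path (`/azure/aks/keda-about`, `/azure/data-explorer/data-explorer-insights`), so the target reads like a repo file path rather than a live URL and presumably 404s or bounces through a second redirect. Dropping the fragment without fixing the suffix leaves that intact; I would write `"redirect_url": "/azure/azure-monitor/alerts/alert-types"`, and keep `#metric-alerts` on it if that section still exists on the target page, so readers of the old URL land on the relevant section rather than the top of the page.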
@@ -172,12 +172,17 @@
},
{
"source_path_from_root": "/articles/azure-monitor/alerts/alerts-unified-log.md" ,
- "redirect_url": "/azure/azure-monitor/alerts/alert-types.md#log-alerts",
+ "redirect_url": "/azure/azure-monitor/alerts/alert-types.md",
"redirect_document_id": false
},
{
"source_path_from_root": "/articles/azure-monitor/alerts/activity-log-alerts.md" ,
- "redirect_url": "/azure/azure-monitor/alerts/alert-types.md#activity-log-alerts",
+ "redirect_url": "/azure/azure-monitor/alerts/alert-types.md",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/articles/azure-monitor/insights/data-explorer.md" ,
+ "redirect_url": "/azure/data-explorer/data-explorer-insights",
"redirect_document_id": false
}
]
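Review bot: The rewritten targets at L66 and L72 keep the `.md` suffix (`/azure/azure-monitor/alerts/alert-types.md`) that no other redirect target in this diff carries, including the new `/azure/data-explorer/data-explorer-insights` entry at L77 added in the same hunk, so these should be checked against the published URL before merging; `"redirect_url": "/azure/azure-monitor/alerts/alert-types"` is the form the rest of the file uses. The new L76-L77 entry is also a good template for the surrounding context lines, which still carry a stray space before the comma (`"...alerts-unified-log.md" ,`) that parses but breaks simple line-oriented greps for `.md",` when auditing redirects.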
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 27bcbcde2b8e..0248001462b1 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -2718,6 +2718,11 @@
"redirect_url": "/azure/aks/load-balancer-standard",
"redirect_document_id": false
},
+ {
+ "source_path_from_root": "/articles/aks/keda.md",
+ "redirect_url": "/azure/aks/keda-about",
+ "redirect_document_id": false
+ },
{
"source_path_from_root": "/articles/analysis-services/analysis-services-create-model-portal.md",
"redirect_url": "/azure/analysis-services/analysis-services-overview",
@@ -43274,6 +43279,11 @@
"redirect_url": "/azure/cognitive-services/translator/custom-translator/key-terms",
"redirect_document_id": false
},
+ {
+ "source_path_from_root": "/articles/applied-ai-services/form-recognizer/generate-sas-tokens.md",
+ "redirect_url": "/azure/applied-ai-services/form-recognizer/create-sas-tokens",
+ "redirect_document_id": false
+ },
{
"source_path_from_root": "/articles/cognitive-services/language-service/text-summarization/how-to/call-api.md",
"redirect_url": "/azure/cognitive-services/language-service/summarization/how-to/document-summarization",
diff --git a/articles/active-directory-b2c/partner-gallery.md b/articles/active-directory-b2c/partner-gallery.md
index 04f79ea04c78..1332dbfb451c 100644
--- a/articles/active-directory-b2c/partner-gallery.md
+++ b/articles/active-directory-b2c/partner-gallery.md
@@ -21,7 +21,7 @@ Our ISV partner network extends our solution capabilities to help you build seam
To be considered into this sample documentation, submit your application request in the [Microsoft Application Network portal](https://microsoft.sharepoint.com/teams/apponboarding/Apps/SitePages/Default.aspx). For any additional questions, send an email to [SaaSApplicationIntegrations@service.microsoft.com](mailto:SaaSApplicationIntegrations@service.microsoft.com).
>[!NOTE]
->The [Azure Active Directory B2C community site on GitHub](https://azure-ad-b2c.github.io/azureadb2ccommunity.io/) also provides sample custom policies from the community.
+>The [Azure Active Directory B2C community site on GitHub](https://github.com/azure-ad-b2c/partner-integrations) also provides sample custom policies from the community.
## Identity verification and proofing
diff --git a/articles/active-directory-b2c/secure-rest-api.md b/articles/active-directory-b2c/secure-rest-api.md
index e91fa2c3bf02..11dcb9c561ec 100644
--- a/articles/active-directory-b2c/secure-rest-api.md
+++ b/articles/active-directory-b2c/secure-rest-api.md
@@ -484,9 +484,22 @@ The following XML snippet is an example of a RESTful technical profile configure
```
-::: zone-end
+Add the validation technical profile reference to the sign up technical profile, which calls the `REST-AcquireAccessToken`. This behavior means that Azure AD B2C moves on to create the account in the directory only after successful validation.
+
+For example:
+ ```XML
+
Summary | CSV | This report provides a summary and details of **User entitlements and usage**.
**Data displayed on Usage Analytics** screen is downloaded as part of the **Summary** report. **Detailed permissions usage per User** is listed in the Detailed report. | AWS, Azure, or GCP | Yes |
 ## Next steps
-- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](cloudknox-product-reports.md).
-- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md).
-- For information about how to create and view a custom report, see [Generate and view a custom report](cloudknox-report-create-custom-report.md).
-- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md).
+- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](product-reports.md).
+- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](report-view-system-report.md).
+- For information about how to create and view a custom report, see [Generate and view a custom report](report-create-custom-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](product-permissions-analytics-reports.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-tenant.md b/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-tenant.md
deleted file mode 100644
index d8c80ae7996f..000000000000
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-tenant.md
+++ /dev/null
@@ -1,112 +0,0 @@ ---- -title: Enable CloudKnox Permissions Management in your organization -description: How to enable CloudKnox Permissions Management in your organization. -services: active-directory -author: kenwith -manager: rkarlin -ms.service: active-directory -ms.subservice: ciem -ms.workload: identity -ms.topic: how-to -ms.date: 04/20/2022 -ms.author: kenwith ---- - -# Enable CloudKnox in your organization - -> [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. -> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -> [!NOTE] -> The CloudKnox Permissions Management (CloudKnox) PREVIEW is currently not available for tenants hosted in the European Union (EU). - - - -This article describes how to enable CloudKnox Permissions Management (CloudKnox) in your organization. Once you've enabled CloudKnox, you can connect it to your Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) platforms. - -> [!NOTE] -> To complete this task, you must have *global administrator* permissions as a user in that tenant. You can't enable CloudKnox as a user from other tenant who has signed in via B2B or via Azure Lighthouse. - -## Prerequisites - -To enable CloudKnox in your organization: - -- You must have an Azure AD tenant. If you don't already have one, [create a free account](https://azure.microsoft.com/free/). -- You must be eligible for or have an active assignment to the global administrator role as a user in that tenant. - -> [!NOTE] -> During public preview, CloudKnox doesn't perform a license check. - -## View a training video on enabling CloudKnox - -- To view a video on how to enable CloudKnox in your Azure AD tenant, select [Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo). 
-- To view a video on how to configure and onboard AWS accounts in CloudKnox, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE). -- To view a video on how to configure and onboard GCP accounts in CloudKnox, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28). - - -## How to enable CloudKnox on your Azure AD tenant - -1. In your browser: - 1. Go to [Azure services](https://portal.azure.com) and use your credentials to sign in to [Azure Active Directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview). - 1. If you aren't already authenticated, sign in as a global administrator user. - 1. If needed, activate the global administrator role in your Azure AD tenant. - 1. In the Azure AD portal, select **Features highlights**, and then select **CloudKnox Permissions Management**. - - 1. If you're prompted to select a sign in account, sign in as a global administrator for a specified tenant. - - The **Welcome to CloudKnox Permissions Management** screen appears, displaying information on how to enable CloudKnox on your tenant. - -1. To provide access to the CloudKnox application, create a service principal. - - An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources. - - > [!NOTE] - > To complete this step, you must have Azure CLI or Azure PowerShell on your system, or an Azure subscription where you can run Cloud Shell. - - - To create a service principal that points to the CloudKnox application via Cloud Shell: - - 1. Copy the script on the **Welcome** screen: - - `az ad sp create --id b46c3ac5-9da6-418f-a849-0a07a10b3c6c` - - 1. If you have an Azure subscription, return to the Azure AD portal and select **Cloud Shell** on the navigation bar. - If you don't have an Azure subscription, open a command prompt on a Windows Server. - 1. 
If you have an Azure subscription, paste the script into Cloud Shell and press **Enter**. - - - For information on how to create a service principal through the Azure portal, see [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli). - - - For information on the **az** command and how to sign in with the no subscriptions flag, see [az login](/cli/azure/reference-index?view=azure-cli-latest#az-login&preserve-view=true). - - - For information on how to create a service principal via Azure PowerShell, see [Create an Azure service principal with Azure PowerShell](/powershell/azure/create-azure-service-principal-azureps?view=azps-7.1.0&preserve-view=true). - - 1. After the script runs successfully, the service principal attributes for CloudKnox display. Confirm the attributes. - - The **Cloud Infrastructure Entitlement Management** application displays in the Azure AD portal under **Enterprise applications**. - -1. Return to the **Welcome to CloudKnox** screen and select **Enable CloudKnox Permissions Management**. - - You have now completed enabling CloudKnox on your tenant. CloudKnox launches with the **Data Collectors** dashboard. - -## Configure data collection settings - -Use the **Data Collectors** dashboard in CloudKnox to configure data collection settings for your authorization system. - -1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches: - - - In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. - -1. Select the authorization system you want: **AWS**, **Azure**, or **GCP**. - -1. 
For information on how to onboard an AWS account, Azure subscription, or GCP project into CloudKnox, select one of the following articles and follow the instructions: - - - [Onboard an AWS account](cloudknox-onboard-aws.md) - - [Onboard an Azure subscription](cloudknox-onboard-azure.md) - - [Onboard a GCP project](cloudknox-onboard-gcp.md) - -## Next steps - -- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md) -- For a list of frequently asked questions (FAQs) about CloudKnox, see [FAQs](cloudknox-faqs.md). -- For information on how to start viewing information about your authorization system in CloudKnox, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-reports.md b/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-reports.md
deleted file mode 100644
index be79c6b0acb4..000000000000
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-reports.md
+++ /dev/null
@@ -1,141 +0,0 @@ ---- -title: View system reports in the Reports dashboard in CloudKnox Permissions Management -description: How to view system reports in the Reports dashboard in CloudKnox Permissions Management. -services: active-directory -author: kenwith -manager: rkarlin -ms.service: active-directory -ms.subservice: ciem -ms.workload: identity -ms.topic: how-to -ms.date: 02/23/2022 -ms.author: kenwith ---- - -# View system reports in the Reports dashboard - -> [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. -> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -CloudKnox Permissions Management (CloudKnox) has various types of system report types available that capture specific sets of data. These reports allow management to: - -- Make timely decisions. -- Analyze trends and system/user performance. -- Identify trends in data and high risk areas so that management can address issues more quickly and improve their efficiency. - -## Explore the Reports dashboard - -The **Reports** dashboard provides a table of information with both system reports and custom reports. The **Reports** dashboard defaults to the **System Reports** tab, which has the following details: - -- **Report Name**: The name of the report. -- **Category**: The type of report. For example, **Permission**. -- **Authorization Systems**: Displays which authorizations the custom report applies to. -- **Format**: Displays the output format the report can be generated in. For example, comma-separated values (CSV) format, portable document format (PDF), or Microsoft Excel Open XML Spreadsheet (XLSX) format. - - - To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**. 
- - The following message displays across the top of the screen in green if the download is successful: **Successfully Started To Generate On Demand Report**. - -## Available system reports - -CloudKnox offers the following reports for management associated with the authorization systems noted in parenthesis: - -- **Access Key Entitlements And Usage**: - - **Summary of report**: Provides information about access key, for example, permissions, usage, and rotation date. - - **Applies to**: Amazon Web Services (AWS) and Microsoft Azure - - **Report output type**: CSV - - **Ability to collate report**: Yes - - **Type of report**: **Summary** or **Detailed** - - **Use cases**: - - The access key age, last rotation date, and last usage date is available in the summary report to help with key rotation. - - The granted task and Permissions creep index (PCI) score to take action on the keys. - -- **User Entitlements And Usage**: - - **Summary of report**: Provides information about the identities' permissions, for example, entitlement, usage, and PCI. - - **Applies to**: AWS, Azure, and Google Cloud Platform (GCP) - - **Report output type**: CSV - - **Ability to collate report**: Yes - - **Type of report**: **Summary** or **Detailed** - - **Use cases**: - - The data displayed on the **Usage Analytics** screen is downloaded as part of the **Summary** report. The user's detailed permissions usage is listed in the **Detailed** report. - -- **Group Entitlements And Usage**: - - **Summary of report**: Provides information about the group's permissions, for example, entitlement, usage, and PCI. - - **Applies to**: AWS, Azure, and GCP - - **Report output type**: CSV - - **Ability to collate report**: Yes - - **Type of report**: **Summary** - - **Use cases**: - - All group level entitlements and permission assignments, PCIs, and the number of members are listed as part of this report. 
- -- **Identity Permissions**: - - **Summary of report**: Report on identities that have specific permissions, for example, identities that have permission to delete any S3 buckets. - - **Applies to**: AWS, Azure, and GCP - - **Report output type**: CSV - - **Ability to collate report**: No - - **Type of report**: **Summary** - - **Use cases**: - - Any task usage or specific task usage via User/Group/Role/App can be tracked with this report. - -- **Identity privilege activity report** - - **Summary of report**: Provides information about permission changes that have occurred in the selected duration. - - **Applies to**: AWS, Azure, and GCP - - **Report output type**: PDF - - **Ability to collate report**: No - - **Type of report**: **Summary** - - **Use cases**: - - Any identity permission change can be captured using this report. - - The **Identity Privilege Activity** report has the following main sections: **User Summary**, **Group Summary**, **Role Summary**, and **Delete Task Summary**. - - The **User** summary lists the current granted permissions and high-risk permissions and resources accessed in 1 day, 7 days, or 30 days. There are subsections for newly added or deleted users, users with PCI change, and High-risk active/inactive users. - - The **Group** summary lists the administrator level groups with the current granted permissions and high-risk permissions and resources accessed in 1 day, 7 days, or 30 days. There are subsections for newly added or deleted groups, groups with PCI change, and High-risk active/inactive groups. - - The **Role summary** lists similar details as **Group Summary**. - - The **Delete Task summary** section lists the number of times the **Delete task** has been executed in the given time period. - -- **Permissions Analytics Report** - - **Summary of report**: Provides information about the violation of key security best practices. 
- - **Applies to**: AWS, Azure, and GCP - - **Report output type**: CSV - - **Ability to collate report**: Yes - - **Type of report**: **Detailed** - - **Use cases**: - - This report lists the different key findings in the selected auth systems. The key findings include super identities, inactive identities, over provisioned active identities, storage bucket hygiene, and access key age (for AWS only). The report helps administrators to visualize the findings across the organization. - - For more information about this report, see [Permissions analytics report](cloudknox-product-permissions-analytics-reports.md). - -- **Role/Policy Details** - - **Summary of report**: Provides information about roles and policies. - - **Applies to**: AWS, Azure, GCP - - **Report output type**: CSV - - **Ability to collate report**: No - - **Type of report**: **Summary** - - **Use cases**: - - Assigned/Unassigned, custom/system policy, and the used/unused condition is captured in this report for any specific, or all, AWS accounts. Similar data can be captured for Azure/GCP for the assigned/unassigned roles. - -- **PCI History** - - **Summary of report**: Provides a report of privilege creep index (PCI) history. - - **Applies to**: AWS, Azure, GCP - - **Report output type**: CSV - - **Ability to collate report**: Yes - - **Type of report**: **Summary** - - **Use cases**: - - This report plots the trend of the PCI by displaying the monthly PCI history for each authorization system. - -- **All Permissions for Identity** - - **Summary of report**: Provides results of all permissions for identities. - - **Applies to**: AWS, Azure, GCP - - **Report output type**: CSV - - **Ability to collate report**: Yes - - **Type of report**: **Detailed** - - **Use cases**: - - This report lists all the assigned permissions for the selected identities. 
- - - - -## Next steps - -- For a detailed overview of available system reports, see [View a list and description of system reports](cloudknox-all-reports.md). -- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md). -- For information about how to create and view a custom report, see [Generate and view a custom report](cloudknox-report-create-custom-report.md). -- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-faqs.md b/articles/active-directory/cloud-infrastructure-entitlement-management/faqs.md
similarity index 84%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-faqs.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/faqs.md
index b06e14cd767e..26d8ebef64e7 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-faqs.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/faqs.md
@@ -1,5 +1,5 @@
 ---
-title: Frequently asked questions (FAQs) about CloudKnox Permissions Management
+title: Frequently asked questions (FAQs) about CloudKnox Permissions Management
 description: Frequently asked questions (FAQs) about CloudKnox Permissions Management.
 services: active-directory
 author: kenwith
@@ -18,7 +18,7 @@ ms.author: kenwith > CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -> [!NOTE] +> [!NOTE] > The CloudKnox Permissions Management (CloudKnox) PREVIEW is currently not available for tenants hosted in the European Union (EU). 
@@ -26,26 +26,26 @@ This article answers frequently asked questions (FAQs) about CloudKnox Permissio ## What's CloudKnox Permissions Management? -CloudKnox is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). CloudKnox detects, automatically right-sizes, and continuously monitors unused and excessive permissions. It deepens the Zero Trust security strategy by augmenting the least privilege access principle. +CloudKnox is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). CloudKnox detects, automatically right-sizes, and continuously monitors unused and excessive permissions. It deepens the Zero Trust security strategy by augmenting the least privilege access principle. ## What are the prerequisites to use CloudKnox? CloudKnox supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers are required to have an Azure Active Directory (Azure AD) account to use CloudKnox. -## Can a customer use CloudKnox if they have other identities with access to their IaaS platform that aren’t yet in Azure AD (for example, if part of their business has Okta or AWS Identity & Access Management (IAM))? +## Can a customer use CloudKnox if they have other identities with access to their IaaS platform that aren't yet in Azure AD (for example, if part of their business has Okta or AWS Identity & Access Management (IAM))? 
-Yes, a customer can detect, mitigate, and monitor the risk of ‘backdoor’ accounts that are local to AWS IAM, GCP, or from other identity providers such as Okta or AWS IAM. +Yes, a customer can detect, mitigate, and monitor the risk of 'backdoor' accounts that are local to AWS IAM, GCP, or from other identity providers such as Okta or AWS IAM. ## Where can customers access CloudKnox? -Customers can access the CloudKnox interface with a link from the Azure AD extension in the Azure portal. +Customers can access the CloudKnox interface with a link from the Azure AD extension in the Azure portal. ## Can non-cloud customers use CloudKnox on-premises? -No, CloudKnox is a hosted cloud offering. +No, CloudKnox is a hosted cloud offering. -## Can non-Azure customers use CloudKnox? +## Can non-Azure customers use CloudKnox? Yes, non-Azure customers can use our solution. CloudKnox is a multi-cloud solution so even customers who have no subscription to Azure can benefit from it. 
@@ -53,21 +53,21 @@ Yes, non-Azure customers can use our solution. CloudKnox is a multi-cloud soluti No, the CloudKnox Permissions Management (CloudKnox) PREVIEW is currently not available for tenants hosted in the European Union (EU). -## If I’m already using Azure AD Privileged Identity Management (PIM) for Azure, what value does CloudKnox provide? +## If I'm already using Azure AD Privileged Identity Management (PIM) for Azure, what value does CloudKnox provide? -CloudKnox complements Azure AD PIM. Azure AD PIM provides just-in-time access for admin roles in Azure (as well as Microsoft Online Services and apps that use groups), while CloudKnox allows multi-cloud discovery, remediation, and monitoring of privileged access across Azure, AWS, and GCP. +CloudKnox complements Azure AD PIM. Azure AD PIM provides just-in-time access for admin roles in Azure (as well as Microsoft Online Services and apps that use groups), while CloudKnox allows multi-cloud discovery, remediation, and monitoring of privileged access across Azure, AWS, and GCP. ## What languages does CloudKnox support? -CloudKnox currently supports English. +CloudKnox currently supports English. ## What public cloud infrastructures are supported by CloudKnox? -CloudKnox currently supports the three major public clouds: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. +CloudKnox currently supports the three major public clouds: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. ## Does CloudKnox support hybrid environments? -CloudKnox currently doesn’t support hybrid environments. +CloudKnox currently doesn't support hybrid environments. ## What types of identities are supported by CloudKnox? 
@@ -79,11 +79,11 @@ CloudKnox is currently not GDPR compliant.---> ## Is CloudKnox available in Government Cloud? -No, CloudKnox is currently not available in Government clouds. +No, CloudKnox is currently not available in Government clouds. ## Is CloudKnox available for sovereign clouds? -No, CloudKnox is currently not available in sovereign Clouds. +No, CloudKnox is currently not available in sovereign Clouds. ## How does CloudKnox collect insights about permissions usage? @@ -95,7 +95,7 @@ CloudKnox offers granular visibility into all identities and their permissions g ## What is the Permissions Creep Index? -The Permissions Creep Index (PCI) is a quantitative measure of risk associated with an identity or role determined by comparing permissions granted versus permissions exercised. It allows users to instantly evaluate the level of risk associated with the number of unused or over-provisioned permissions across identities and resources. It measures how much damage identities can cause based on the permissions they have. +The Permissions Creep Index (PCI) is a quantitative measure of risk associated with an identity or role determined by comparing permissions granted versus permissions exercised. It allows users to instantly evaluate the level of risk associated with the number of unused or over-provisioned permissions across identities and resources. It measures how much damage identities can cause based on the permissions they have. ## How can customers use CloudKnox to delete unused or excessive permissions? 
@@ -107,11 +107,11 @@ For any break-glass or one-off scenarios where an identity needs to perform a sp ## What is the difference between permissions on-demand and just-in-time access? -Just-in-time (JIT) access is a method used to enforce the principle of least privilege to ensure identities are given the minimum level of permissions to perform the task at hand. Permissions on-demand are a type of JIT access that allows the temporary elevation of permissions, enabling identities to access resources on a by-request, timed basis. +Just-in-time (JIT) access is a method used to enforce the principle of least privilege to ensure identities are given the minimum level of permissions to perform the task at hand. Permissions on-demand are a type of JIT access that allows the temporary elevation of permissions, enabling identities to access resources on a by-request, timed basis. ## How can customers monitor permissions usage with CloudKnox? -Customers only need to track the evolution of their Permission Creep Index to monitor permissions usage. They can do this in the “Analytics” tab in their CloudKnox dashboard where they can see how the PCI of each identity or resource is evolving over time. +Customers only need to track the evolution of their Permission Creep Index to monitor permissions usage. They can do this in the "Analytics" tab in their CloudKnox dashboard where they can see how the PCI of each identity or resource is evolving over time. ## Can customers generate permissions usage reports? 
@@ -120,7 +120,7 @@ Yes, CloudKnox has various types of system report available that capture specifi - Analyze usage trends and system/user performance. - Identify high-risk areas. -For information about permissions usage reports, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md). +For information about permissions usage reports, see [Generate and download the Permissions analytics report](product-permissions-analytics-reports.md). ## Does CloudKnox integrate with third-party ITSM (Information Technology Security Management) tools? @@ -141,9 +141,9 @@ Once fully onboarded with data collection set up, customers can access permissio ## Is CloudKnox collecting and storing sensitive personal data? -No, CloudKnox doesn’t have access to sensitive personal data. +No, CloudKnox doesn't have access to sensitive personal data. -## Where can I find more information about CloudKnox? +## Where can I find more information about CloudKnox? You can read our blog and visit our web page. You can also get in touch with your Microsoft point of contact to schedule a demo. @@ -156,5 +156,5 @@ You can read our blog and visit our web page. You can also get in touch with you ## Next steps -- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md). -- For information on how to onboard CloudKnox in your organization, see [Enable CloudKnox in your organization](cloudknox-onboard-enable-tenant.md). +- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](overview.md). +- For information on how to onboard CloudKnox in your organization, see [Enable CloudKnox in your organization](onboard-enable-tenant.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-add-remove-role-task.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-add-remove-role-task.md similarity index 76% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-add-remove-role-task.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-add-remove-role-task.md index c9f6dd44a309..d07250a8bd6e 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-add-remove-role-task.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-add-remove-role-task.md @@ -1,6 +1,6 @@ --- -title: Add and remove roles and tasks for groups, users, and service accounts for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management -description: How to attach and detach permissions for groups, users, and service accounts for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management. +title: Add and remove roles and tasks for groups, users, and service accounts for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in Permissions Management +description: How to attach and detach permissions for groups, users, and service accounts for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in Permissions Management. services: active-directory author: kenwith manager: rkarlin 
@@ -12,27 +12,27 @@ ms.date: 02/23/2022 ms.author: kenwith --- -# Add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities +# Add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management (Entra) is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This article describes how you can add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities using the **Remediation** dashboard. > [!NOTE] -> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don’t have these permissions, contact your system administrator. +> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator. ## View permissions -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search For** dropdown, select **Group**, **User**, or **APP**. 1. To search for more parameters, you can make a selection from the **User States**, **Permission Creep Index**, and **Task Usage** dropdowns. 1. Select **Apply**. 
- CloudKnox displays a list of groups, users, and service accounts that match your criteria. + Entra displays a list of groups, users, and service accounts that match your criteria. 1. In **Enter a username**, enter or select a user. 1. In **Enter a Group Name**, enter or select a group, then select **Apply**. 1. Make a selection from the results list. 
@@ -42,64 +42,64 @@ This article describes how you can add and remove roles and tasks for Microsoft ## Add a role -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**. 1. Make a selection from the results list. 1. To attach a role, select **Add role**. -1. In the **Add Role** page, from the **Available Roles** list, select the plus sign **(+)** to move the role to the **Selected Roles** list. +1. In the **Add Role** page, from the **Available Roles** list, select the plus sign **(+)** to move the role to the **Selected Roles** list. 1. When you have finished adding roles, select **Submit**. -1. When the following message displays: **Are you sure you want to change permission?**, select: +1. When the following message displays: **Are you sure you want to change permission?**, select: - **Generate Script** to generate a script where you can manually add/remove the permissions you selected. - **Execute** to change the permission. - **Close** to cancel the action. ## Remove a role -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**. 1. Make a selection from the results list. 1. 
To remove a role, select **Remove Role**. -1. In the **Remove Role** page, from the **Available Roles** list, select the plus sign **(+)** to move the role to the **Selected Roles** list. +1. In the **Remove Role** page, from the **Available Roles** list, select the plus sign **(+)** to move the role to the **Selected Roles** list. 1. When you have finished selecting roles, select **Submit**. -1. When the following message displays: **Are you sure you want to change permission?**, select: +1. When the following message displays: **Are you sure you want to change permission?**, select: - **Generate Script** to generate a script where you can manually add/remove the permissions you selected. - **Execute** to change the permission. - **Close** to cancel the action. ## Add a task -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**. 1. Make a selection from the results list. 1. To attach a role, select **Add Tasks**. -1. In the **Add Tasks** page, from the **Available Tasks** list, select the plus sign **(+)** to move the task to the **Selected Tasks** list. +1. In the **Add Tasks** page, from the **Available Tasks** list, select the plus sign **(+)** to move the task to the **Selected Tasks** list. 1. When you have finished adding tasks, select **Submit**. -1. When the following message displays: **Are you sure you want to change permission?**, select: +1. 
When the following message displays: **Are you sure you want to change permission?**, select: - **Generate Script** to generate a script where you can manually add/remove the permissions you selected. - **Execute** to change the permission. - **Close** to cancel the action. ## Remove a task -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**. 1. Make a selection from the results list. 1. To remove a task, select **Remove Tasks**. -1. In the **Remove Tasks** page, from the **Available Tasks** list, select the plus sign **(+)** to move the task to the **Selected Tasks** list. +1. In the **Remove Tasks** page, from the **Available Tasks** list, select the plus sign **(+)** to move the task to the **Selected Tasks** list. 1. When you have finished selecting tasks, select **Submit**. -1. When the following message displays: **Are you sure you want to change permission?**, select: +1. When the following message displays: **Are you sure you want to change permission?**, select: - **Generate Script** to generate a script where you can manually add/remove the permissions you selected. - **Execute** to change the permission. - **Close** to cancel the action. 
@@ -107,12 +107,12 @@ This article describes how you can add and remove roles and tasks for Microsoft ## Next steps -- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md). -- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md). -- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md). -- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md). -- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md). -- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md). -- For information on how to attach and detach permissions for Amazon Web Services (AWS) identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md). -- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md) -For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md). +- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md). +- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md). +- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md). 
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md). +- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md). +- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md). +- For information on how to attach and detach permissions for Amazon Web Services (AWS) identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md). +- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md) +For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-attach-detach-permissions.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-attach-detach-permissions.md similarity index 74% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-attach-detach-permissions.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-attach-detach-permissions.md index 6054e4c1c99c..fc27f2074090 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-attach-detach-permissions.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-attach-detach-permissions.md 
@@ -1,6 +1,6 @@ --- -title: Attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities in the Remediation dashboard in CloudKnox Permissions Management -description: How to attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities in the Remediation dashboard in CloudKnox Permissions Management. +title: Attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities in the Remediation dashboard in Permissions Management +description: How to attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities in the Remediation dashboard in Permissions Management. services: active-directory author: kenwith manager: rkarlin 
@@ -12,27 +12,27 @@ ms.date: 02/23/2022 ms.author: kenwith --- -# Attach and detach policies for Amazon Web Services (AWS) identities +# Attach and detach policies for Amazon Web Services (AWS) identities > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This article describes how you can attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities using the **Remediation** dashboard. > [!NOTE] -> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don’t have these permissions, contact your system administrator. +> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator. ## View permissions -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **AWS**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search For** dropdown, select **Group**, **User**, or **Role**. 1. To search for more parameters, you can make a selection from the **User States**, **Permission Creep Index**, and **Task Usage** dropdowns. 1. Select **Apply**. 
- CloudKnox displays a list of users, roles, or groups that match your criteria. + Permissions Management displays a list of users, roles, or groups that match your criteria. 1. In **Enter a username**, enter or select a user. 1. In **Enter a group name**, enter or select a group, then select **Apply**. 1. Make a selection from the results list. 
@@ -42,30 +42,30 @@ This article describes how you can attach and detach permissions for users, role ## Attach policies -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **AWS**. 1. In **Enter a username**, enter or select a user. 1. In **Enter a Group Name**, enter or select a group, then select **Apply**. 1. Make a selection from the results list. 1. To attach a policy, select **Attach Policies**. -1. In the **Attach Policies** page, from the **Available policies** list, select the plus sign **(+)** to move the policy to the **Selected policies** list. +1. In the **Attach Policies** page, from the **Available policies** list, select the plus sign **(+)** to move the policy to the **Selected policies** list. 1. When you have finished adding policies, select **Submit**. -1. When the following message displays: **Are you sure you want to change permission?**, select: +1. When the following message displays: **Are you sure you want to change permission?**, select: - **Generate Script** to generate a script where you can manually add/remove the permissions you selected. - **Execute** to change the permission. - **Close** to cancel the action. ## Detach policies -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Permissions Management Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **AWS**. 1. In **Enter a username**, enter or select a user. 1. In **Enter a Group Name**, enter or select a group, then select **Apply**. 1. Make a selection from the results list. 1. To remove a policy, select **Detach Policies**. -1. 
In the **Detach Policies** page, from the **Available policies** list, select the plus sign **(+)** to move the policy to the **Selected policies** list. +1. In the **Detach Policies** page, from the **Available policies** list, select the plus sign **(+)** to move the policy to the **Selected policies** list. 1. When you have finished selecting policies, select **Submit**. -1. When the following message displays: **Are you sure you want to change permission?**, select: +1. When the following message displays: **Are you sure you want to change permission?**, select: - **Generate Script** to generate a script where you can manually add/remove the permissions you selected. - **Execute** to change the permission. - **Close** to cancel the action. 
@@ -73,12 +73,11 @@ This article describes how you can attach and detach permissions for users, role ## Next steps -- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md). -- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md). -- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md). -- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md). -- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md). -- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md). -- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md) -For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md). - +- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md). +- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md). +- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md). +- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md). 
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md). +- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md). +- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md) +For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-audit-trail-results.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-audit-trail-results.md similarity index 66% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-audit-trail-results.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-audit-trail-results.md index 8b383ad66a58..2f94f20e9795 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-audit-trail-results.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-audit-trail-results.md @@ -1,6 +1,6 @@ --- -title: Generate an on-demand report from a query in the Audit dashboard in CloudKnox Permissions Management -description: How to generate an on-demand report from a query in the **Audit** dashboard in CloudKnox Permissions Management. +title: Generate an on-demand report from a query in the Audit dashboard in Permissions Management +description: How to generate an on-demand report from a query in the **Audit** dashboard in Permissions Management. services: active-directory author: kenwith manager: rkarlin 
@@ -15,10 +15,10 @@ ms.author: kenwith # Generate an on-demand report from a query > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes how you can generate an on-demand report from a query in the **Audit** dashboard in CloudKnox Permissions Management (CloudKnox). You can: +This article describes how you can generate an on-demand report from a query in the **Audit** dashboard in Permissions Management. You can: - Run a report on-demand. - Schedule and run a report as often as you want. 
@@ -26,13 +26,13 @@ This article describes how you can generate an on-demand report from a query in ## Generate a custom report on-demand -1. In the CloudKnox home page, select the **Audit** tab. +1. In the Permissions Management home page, select the **Audit** tab. - CloudKnox displays the query options available to you. + Permissions Management displays the query options available to you. 1. In the **Audit** dashboard, select **Search** to run the query. 1. Select **Export**. - CloudKnox generates the report and exports it in comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format. + Permissions Management generates the report and exports it in comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format. ## Next steps -- For information on how to view how users access information, see [Use queries to see how users access information](cloudknox-ui-audit-trail.md). -- For information on how to filter and view user activity, see [Filter and query user activity](cloudknox-product-audit-trail.md). -- For information on how to create a query,see [Create a custom query](cloudknox-howto-create-custom-queries.md). +- For information on how to view how users access information, see [Use queries to see how users access information](ui-audit-trail.md). +- For information on how to filter and view user activity, see [Filter and query user activity](product-audit-trail.md). +- For information on how to create a query,see [Create a custom query](how-to-create-custom-queries.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-clone-role-policy.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-clone-role-policy.md similarity index 63% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-clone-role-policy.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-clone-role-policy.md index b922cd5fc904..9ae6da95198f 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-clone-role-policy.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-clone-role-policy.md @@ -1,5 +1,5 @@ --- -title: Clone a role/policy in the Remediation dashboard in CloudKnox Permissions Management +title: Clone a role/policy in the Remediation dashboard in Permissions Management description: How to clone a role/policy in the Just Enough Permissions (JEP) Controller. services: active-directory author: kenwith 
@@ -15,28 +15,28 @@ ms.author: kenwith # Clone a role/policy in the Remediation dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes how you can use the **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) to clone roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems. +This article describes how you can use the **Remediation** dashboard in Permissions Management to clone roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems. > [!NOTE] -> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don’t have these permissions, contact your system administrator. +> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator. > [!NOTE] -> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both. +> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. 
In the user documentation, we use *role/policy* to refer to both. ## Clone a role/policy -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** tab. +1. On the Permissions Management Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** tab. 1. Select the role/policy you want to clone, and from the **Actions** column, select **Clone**. -1. **(AWS Only)** In the **Clone** box, the **Clone Resources** and **Clone Conditions** checkboxes are automatically selected. +1. **(AWS Only)** In the **Clone** box, the **Clone Resources** and **Clone Conditions** checkboxes are automatically selected. Deselect the boxes if the resources and conditions are different from what is displayed. 1. Enter a name for each authorization system that was selected in the **Policy Name** boxes, and then select **Next**. 1. If the data collector hasn't been given controller privileges, the following message displays: **Only online/controller-enabled authorization systems can be submitted for cloning.** - To clone this role manually, download the script and JSON file. + To clone this role manually, download the script and JSON file. 1. Select **Submit**. 1. Refresh the **Role/Policies** tab to see the role/policy you cloned. 
@@ -44,12 +44,12 @@ This article describes how you can use the **Remediation** dashboard in CloudKno
## Next steps
-- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
-- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
-- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
-- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
-- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
-- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
-- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
-- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
-- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md). 
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-alert-trigger.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-alert-trigger.md
similarity index 82%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-alert-trigger.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-alert-trigger.md
index fb9489154277..aa7340f908e9 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-alert-trigger.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-alert-trigger.md 
@@ -1,6 +1,6 @@ ---
-title: Create and view activity alerts and alert triggers in CloudKnox Permissions Management
-description: How to create and view activity alerts and alert triggers in CloudKnox Permissions Management.
+title: Create and view activity alerts and alert triggers in Permissions Management
+description: How to create and view activity alerts and alert triggers in Permissions Management.
services: active-directory
author: kenwith
manager: rkarlin
@@ -15,14 +15,14 @@ ms.author: kenwith
# Create and view activity alerts and alert triggers
> [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Microsoft Entra Permissions Management is currently in PREVIEW.
> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-This article describes how you can create and view activity alerts and alert triggers in CloudKnox Permissions Management (CloudKnox).
+This article describes how you can create and view activity alerts and alert triggers in Permissions Management.
## Create an activity alert trigger
-1. In the CloudKnox home page, select **Activity Triggers** (the bell icon).
+1. In the Permissions Management home page, select **Activity Triggers** (the bell icon).
1. In the **Activity** tab, select **Create Activity Trigger**.
1. In the **Alert Name** box, enter a name for your alert.
1. In **Authorization System Type**, select your authorization system: Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). 
@@ -31,7 +31,7 @@ This article describes how you can create and view activity alerts and alert tri 1. From the **Operator** dropdown, select an option: - **Is**/**Is Not**: Select in the value field to view a list of all available values. You can either select or enter the required value. - - **Contains**/**Not Contains**: Enter any text that the query parameter should or shouldn't contain, for example *CloudKnox*. + - **Contains**/**Not Contains**: Enter any text that the query parameter should or shouldn't contain, for example *Permissions Management*. - **In**/**Not In**: Select in the value field to view list of all available values. Select the required multiple values. 1. To add another parameter, select the plus sign **(+)**, then select an operator, and then enter a value.
@@ -46,7 +46,7 @@ This article describes how you can create and view activity alerts and alert tri
## View an activity alert
-1. In the CloudKnox home page, select **Activity Triggers** (the bell icon).
+1. In the Permissions Management home page, select **Activity Triggers** (the bell icon).
1. In the **Activity** tab, select the **Alerts** subtab.
1. From the **Alert Name** dropdown, select an alert.
1. From the **Date** dropdown, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**. 
@@ -60,14 +60,14 @@ This article describes how you can create and view activity alerts and alert tri ## View activity alert triggers -1. In the CloudKnox home page, select **Activity triggers** (the bell icon). +1. In the Permissions Management home page, select **Activity triggers** (the bell icon). 1. In the **Activity** tab, select the **Alert Triggers** subtab. 1. From the **Status** dropdown, select **All**, **Activated** or **Deactivated**, then select **Apply**. The **Triggers** table displays the following information: - **Alerts**: The name of the alert trigger. - - **# of users subscribed**: The number of users who have subscribed to a specific alert trigger. + - **# of users subscribed**: The number of users who have subscribed to a specific alert trigger. - Select a number in this column to view information about the user. 
@@ -79,13 +79,13 @@ This article describes how you can create and view activity alerts and alert tri - If the column displays **Off**, the current user isn't subscribed to that alert. Switch the toggle to **On** to subscribe to the alert. - The user who creates an alert trigger is automatically subscribed to the alert, and will receive emails about the alert. -1. To see only activated or only deactivated triggers, from the **Status** dropdown, select **Activated** or **Deactivated**, and then select **Apply**. +1. To see only activated or only deactivated triggers, from the **Status** dropdown, select **Activated** or **Deactivated**, and then select **Apply**. 1. To view other options available to you, select the ellipses (**...**), and then select from the available options. If the **Subscription** is **On**, the following options are available: - - **Edit**: Enables you to modify alert parameters + - **Edit**: Enables you to modify alert parameters > [!NOTE] > Only the user who created the alert can perform the following actions: edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved. 
@@ -94,12 +94,12 @@ This article describes how you can create and view activity alerts and alert tri - **Rename**: Enter the new name of the query, and then select **Save.** - **Deactivate**: The alert will still be listed, but will no longer send emails to subscribed users. - **Activate**: Activate the alert trigger and start sending emails to subscribed users. - - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger and their **User Status**. + - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger and their **User Status**. - **Delete**: Delete the alert. If the **Subscription** is **Off**, the following options are available: - **View**: View details of the alert trigger. - - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger and their **User Status**. + - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger and their **User Status**. - **Duplicate**: Create a duplicate copy of the selected alert trigger. 
@@ -107,7 +107,7 @@ This article describes how you can create and view activity alerts and alert tri
## Next steps
-- For an overview on activity triggers, see [View information about activity triggers](cloudknox-ui-triggers.md).
-- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](cloudknox-product-rule-based-anomalies.md).
-- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](cloudknox-product-statistical-anomalies.md).
-- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md).
+- For an overview on activity triggers, see [View information about activity triggers](ui-triggers.md).
+- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](product-rule-based-anomalies.md).
+- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](product-statistical-anomalies.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](product-permission-analytics.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-approve-privilege-request.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-approve-privilege-request.md
similarity index 73%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-approve-privilege-request.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-approve-privilege-request.md
index 9cbe190dbef3..9b71b530ad17 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-approve-privilege-request.md 
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-approve-privilege-request.md
@@ -1,5 +1,5 @@ ---
-title: Create or approve a request for permissions in the Remediation dashboard in CloudKnox Permissions Management
+title: Create or approve a request for permissions in the Remediation dashboard in Permissions Management
description: How to create or approve a request for permissions in the Remediation dashboard.
services: active-directory
author: kenwith 
@@ -15,49 +15,49 @@ ms.author: kenwith
# Create or approve a request for permissions
> [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Microsoft Entra Permissions Management is currently in PREVIEW.
> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-This article describes how to create or approve a request for permissions in the **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox). You can create and approve requests for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+This article describes how to create or approve a request for permissions in the **Remediation** dashboard in Permissions Management. You can create and approve requests for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
The **Remediation** dashboard has two privilege-on-demand (POD) workflows you can use: - **New Request**: The workflow used by a user to create a request for permissions for a specified duration.
-- **Approver**: The workflow used by an approver to review and approve or reject a user’s request for permissions.
+- **Approver**: The workflow used by an approver to review and approve or reject a user's request for permissions.
> [!NOTE]
-> To view the **Remediation** dashboard, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don’t have these permissions, contact your system administrator.
+> To view the **Remediation** dashboard, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. 
If you don't have these permissions, contact your system administrator. ## Create a request for permissions -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **My Requests** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **My Requests** subtab. The **My Requests** subtab displays the following options: - - **Pending**: A list of requests you’ve made but haven't yet been reviewed. + - **Pending**: A list of requests you've made but haven't yet been reviewed. - **Approved**: A list of requests that have been reviewed and approved by the approver. These requests have either already been activated or are in the process of being activated. - - **Processed**: A summary of the requests you’ve created that have been approved (**Done**), **Rejected**, and requests that have been **Canceled**. + - **Processed**: A summary of the requests you've created that have been approved (**Done**), **Rejected**, and requests that have been **Canceled**. 1. To create a request for permissions, select **New Request**. 1. In the **Roles/Tasks** page: 1. From the **Authorization System Type** dropdown, select the authorization system type you want to access: **AWS**, **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. - 1. From the **Identity** dropdown, select the identity on whose behalf you’re requesting access. + 1. From the **Identity** dropdown, select the identity on whose behalf you're requesting access. - - If the identity you select is a Security Assertions Markup Language (SAML) user, and since a SAML user accesses the system through assumption of a role, select the user’s role in **Role**. + - If the identity you select is a Security Assertions Markup Language (SAML) user, and since a SAML user accesses the system through assumption of a role, select the user's role in **Role**. 
- If the identity you select is a local user, to select the policies you want: 1. Select **Request Policy(s)**. 1. In **Available Policies**, select the policies you want. 1. To select a specific policy, select the plus sign, and then find and select the policy you want. - The policies you’ve selected appear in the **Selected policies** box. + The policies you've selected appear in the **Selected policies** box. - If the identity you select is a local user, to select the tasks you want: 1. Select **Request Task(s)**. 1. In **Available Tasks**, select the tasks you want. 1. To select a specific task, select the plus sign, and then select the task you want. - The tasks you’ve selected appear in the **Selected Tasks** box. + The tasks you've selected appear in the **Selected Tasks** box. If the user already has existing policies, they're displayed in **Existing Policies**. 1. Select **Next**.
@@ -70,7 +70,7 @@ The **Remediation** dashboard has two privilege-on-demand (POD) workflows you ca - **No Resources** 1. In **Request Conditions**: 1. Select **JSON** to add a JSON block of code. - 1. Select **Done** to accept the code you’ve entered, or **Clear** to delete what you’ve entered and start again. + 1. Select **Done** to accept the code you've entered, or **Clear** to delete what you've entered and start again. 1. In **Effect**, select **Allow** or **Deny.** 1. Select **Next**.
@@ -79,7 +79,7 @@ The **Remediation** dashboard has two privilege-on-demand (POD) workflows you ca 1. Optional: In **Note**, enter a note for the approver. 1. In **Schedule**, select when (how quickly) you want your request to be processed: - **ASAP** - - **Once** + - **Once** - In **Create Schedule**, select the **Frequency**, **Date**, **Time**, and **For** the required duration, then select **Schedule**. - **Daily** - **Weekly** 
@@ -92,7 +92,7 @@ The **Remediation** dashboard has two privilege-on-demand (POD) workflows you ca
## Approve or reject a request for permissions
-1. On the CloudKnox home page, select the **Remediation** tab, and then select the **My requests** subtab.
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **My requests** subtab.
1. To view a list of requests that haven't yet been reviewed, select **Pending Requests**.
1. In the **Request Summary** list, select the ellipses **(…)** menu on the right of a request, and then select: 
@@ -109,12 +109,12 @@ The **Remediation** dashboard has two privilege-on-demand (POD) workflows you ca
## Next steps
-- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
-- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
-- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
-- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
-- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
-- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
-- For information on how to attach and detach permissions for Amazon Web Services (AWS) identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
-- For information on how to add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Add and remove roles and tasks for Azure and GCP identities](cloudknox-howto-attach-detach-permissions.md).
-- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md). 
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for Amazon Web Services (AWS) identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Add and remove roles and tasks for Azure and GCP identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-custom-queries.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-custom-queries.md
similarity index 74%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-custom-queries.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-custom-queries.md
index 181f0988bfc9..c7b44d4bd6fe 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-custom-queries.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-custom-queries.md 
@@ -1,6 +1,6 @@ ---
-title: Create a custom query in CloudKnox Permissions Management
-description: How to create a custom query in the Audit dashboard in CloudKnox Permissions Management.
+title: Create a custom query in Permissions Management
+description: How to create a custom query in the Audit dashboard in Permissions Management.
services: active-directory
author: kenwith
manager: rkarlin
@@ -12,19 +12,19 @@ ms.date: 02/23/2022 ms.author: kenwith ---
-# Create a custom query
+# Create a custom query
> [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Microsoft Entra Permissions Management is currently in PREVIEW.
> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-This article describes how you can use the **Audit** dashboard in CloudKnox Permissions Management (CloudKnox) to create custom queries that you can modify, save, and run as often as you want.
+This article describes how you can use the **Audit** dashboard in Permissions Management to create custom queries that you can modify, save, and run as often as you want.
## Open the Audit dashboard
- In the CloudKnox home page, select the **Audit** tab. - CloudKnox displays the query options available to you. + Permissions Management displays the query options available to you.
## Create a custom query 
@@ -35,23 +35,23 @@ This article describes how you can use the **Audit** dashboard in CloudKnox Perm
For example, to query by a date, select **Date** in the first box. In the second and third boxes, select the down arrow, and then select one of the date-related options.
1. To add parameters, select **Add**, select the down arrow in the first box to display a dropdown of available selections. Then select the parameter you want.
-1. To add more parameters to the same query, select **Add** (the plus sign), and from the first box, select **And** or **Or**.
+1. To add more parameters to the same query, select **Add** (the plus sign), and from the first box, select **And** or **Or**. Repeat this step for the second and third box to complete entering the parameters.
1. To change your query as you're creating it, select **Edit** (the pencil icon), and then change the query parameters.
1. To change the parameter options, select the down arrow in each box to display a dropdown of available selections. Then select the option you want.
1. To discard your selections, select **Reset Query** for the parameter you want to change, and then make your selections again.
-1. When you’re ready to run your query, select **Search**.
+1. When you're ready to run your query, select **Search**.
1. To save the query, select **Save**.
- CloudKnox saves the query and adds it to the **Saved Queries** list.
+ Permissions Management saves the query and adds it to the **Saved Queries** list.
## Save the query under a new name
1. In the **Audit** dashboard, select the ellipses menu **(…)** on the far right and select **Save As**.
2. Enter a new name for the query, and then select **Save**.
- CloudKnox saves the query under the new name. Both the new query and the original query display in the **Saved Queries** list.
+ Permissions Management saves the query under the new name. Both the new query and the original query display in the **Saved Queries** list.
## View a saved query 
@@ -63,7 +63,7 @@ This article describes how you can use the **Audit** dashboard in CloudKnox Perm 4. To open the query with the authorization systems you have currently selected (which may be different from the ones you originally saved), select **Load with the currently selected authorization systems**. 5. Select **Load Queries**. - CloudKnox displays details of the query in the **Activity** table. Select a query to see its details: + Permissions Management displays details of the query in the **Activity** table. Select a query to see its details: - The **Identity Details**. - The **Domain** name.
@@ -86,22 +86,22 @@ This article describes how you can use the **Audit** dashboard in CloudKnox Perm
1. In the **Audit** dashboard, select the query you want to run.
- CloudKnox displays the results of the query in the **Activity** table.
+ Permissions Management displays the results of the query in the **Activity** table.
## Delete a query
1. In the **Audit** dashboard, load the query you want to delete.
2. Select **Delete**.
- CloudKnox deletes the query. Deleted queries don't display in the **Saved Queries** list.
+ Permissions Management deletes the query. Deleted queries don't display in the **Saved Queries** list.
## Rename a query
1. In the **Audit** dashboard, load the query you want to rename.
-2. Select the ellipses menu **(…)** on the far right, and select **Rename**.
+2. Select the ellipses menu **(…)** on the far right, and select **Rename**.
3. Enter a new name for the query, and then select **Save**.
- CloudKnox saves the query under the new name. Both the new query and the original query display in the **Saved Queries** list.
+ Permissions Management saves the query under the new name. Both the new query and the original query display in the **Saved Queries** list.
## Duplicate a query 
@@ -116,6 +116,6 @@ This article describes how you can use the **Audit** dashboard in CloudKnox Perm
## Next steps
-- For information on how to view how users access information, see [Use queries to see how users access information](cloudknox-ui-audit-trail.md).
-- For information on how to filter and view user activity, see [Filter and query user activity](cloudknox-product-audit-trail.md).
-- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](cloudknox-howto-audit-trail-results.md).
+- For information on how to view how users access information, see [Use queries to see how users access information](ui-audit-trail.md).
+- For information on how to filter and view user activity, see [Filter and query user activity](product-audit-trail.md).
+- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](how-to-audit-trail-results.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-group-based-permissions.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-group-based-permissions.md
similarity index 77%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-group-based-permissions.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-group-based-permissions.md
index 731a60ed97e4..51cc754dc890 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-group-based-permissions.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-group-based-permissions.md 
@@ -1,6 +1,6 @@ ---
-title: Select group-based permissions settings in CloudKnox Permissions Management with the User management dashboard
-description: How to select group-based permissions settings in CloudKnox Permissions Management with the User management dashboard.
+title: Select group-based permissions settings in Permissions Management with the User management dashboard
+description: How to select group-based permissions settings in Permissions Management with the User management dashboard.
services: active-directory
author: kenwith
manager: rkarlin
@@ -15,12 +15,12 @@ ms.author: kenwith
# Select group-based permissions settings
> [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Microsoft Entra Permissions Management is currently in PREVIEW.
> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-This article describes how you can create and manage group-based permissions in CloudKnox Permissions Management (CloudKnox) with the User management dashboard.
+This article describes how you can create and manage group-based permissions in Permissions Management with the User management dashboard.
-[!NOTE] The CloudKnox Administrator for all authorization systems will be able to create the new group based permissions.
+[!NOTE] The Permissions Management Administrator for all authorization systems will be able to create the new group based permissions.
## Select administrative permissions settings for a group 
@@ -29,7 +29,7 @@ This article describes how you can create and manage group-based permissions in 1. In the **Set Group Permission** box, begin typing the name of an **Azure Active Directory Security Group** in your tenant. 1. Select the permission setting you want: -2. +2. - **Admin for all Authorization System Types** provides **View**, **Control**, and **Approve** permissions for all authorization system types. - **Admin for selected Authorization System Types** provides **View**, **Control**, and **Approve** permissions for selected authorization system types. - **Custom** allows you to set **View**, **Control**, and **Approve** permissions for the authorization system types that you select. @@ -51,7 +51,6 @@ This article describes how you can create and manage group-based permissions in ## Next steps -- For information about how to manage user information, see [Manage users and groups with the User management dashboard](cloudknox-ui-user-management.md). -- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](cloudknox-ui-tasks.md). -- For information about how to view personal and organization information, see [View personal and organization information](cloudknox-product-account-settings.md). - +- For information about how to manage user information, see [Manage users and groups with the User management dashboard](ui-user-management.md). +- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](ui-tasks.md). +- For information about how to view personal and organization information, see [View personal and organization information](product-account-settings.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-role-policy.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-role-policy.md
similarity index 78%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-role-policy.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-role-policy.md
index 91218399c57d..cd2a8f0ab8be 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-role-policy.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-role-policy.md
@@ -1,6 +1,6 @@
 ---
-title: Create a role/policy in the Remediation dashboard in CloudKnox Permissions Management
-description: How to create a role/policy in the Remediation dashboard in CloudKnox Permissions Management.
+title: Create a role/policy in the Remediation dashboard in Permissions Management
+description: How to create a role/policy in the Remediation dashboard in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,24 +15,24 @@ ms.author: kenwith # Create a role/policy in the Remediation dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes how you can use the **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) to create roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems. +This article describes how you can use the **Remediation** dashboard in Permissions Management to create roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems. > [!NOTE] -> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don’t have these permissions, contact your system administrator. +> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator. > [!NOTE] -> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both. +> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. 
In the user documentation, we use *role/policy* to refer to both. ## Create a policy for AWS -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** tab. +1. On the Entra home page, select the **Remediation** tab, and then select the **Role/Policies** tab. 1. Use the dropdown lists to select the **Authorization System Type** and **Authorization System**. 1. Select **Create Policy**. 1. On the **Details** page, the **Authorization System Type** and **Authorization System** are pre-populated from your previous settings. - - To change the settings, make a selection from the dropdown. + - To change the settings, make a selection from the dropdown. 1. Under **How Would You Like To Create The Policy**, select the required option: - **Activity of User(s)**: Allows you to create a policy based on user activity. @@ -41,7 +41,7 @@ This article describes how you can use the **Remediation** dashboard in CloudKno - **Activity of Role**: Allows you to create a policy based on the aggregated activity of all the users that assumed the role. - **Activity of Tag(s)**: Allows you to create a policy based on the aggregated activity of all the tags. - **Activity of Lambda Function**: Allows you to create a new policy based on the Lambda function. - - **From Existing Policy**: Allows you to create a new policy based on an existing policy. + - **From Existing Policy**: Allows you to create a new policy based on an existing policy. - **New Policy**: Allows you to create a new policy from scratch. 1. In **Tasks performed in last**, select the duration: **90 days**, **60 days**, **30 days**, **7 days**, or **1 day**. 1. Depending on your preference, select or deselect **Include Access Advisor data.** 
@@ -68,30 +68,30 @@ This article describes how you can use the **Remediation** dashboard in CloudKno A message confirms that your policy has been submitted for creation -1. The [**CloudKnox Tasks**](cloudknox-ui-tasks.md) pane appears on the right. - - The **Active** tab displays a list of the policies CloudKnox is currently processing. - - The **Completed** tab displays a list of the policies CloudKnox has completed. +1. The [**Permissions Management Tasks**](ui-tasks.md) pane appears on the right. + - The **Active** tab displays a list of the policies Permissions Management is currently processing. + - The **Completed** tab displays a list of the policies Permissions Management has completed. 1. Refresh the **Role/Policies** tab to see the policy you created. ## Create a role for Azure -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** tab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** tab. 1. Use the dropdown lists to select the **Authorization System Type** and **Authorization System**. 1. Select **Create Role**. 1. On the **Details** page, the **Authorization System Type** and **Authorization System** are pre-populated from your previous settings. - - To change the settings, select the box and make a selection from the dropdown. + - To change the settings, select the box and make a selection from the dropdown. 1. Under **How Would You Like To Create The Role?**, select the required option: - **Activity of User(s)**: Allows you to create a role based on user activity. - **Activity of Group(s)**: Allows you to create a role based on the aggregated activity of all the users belonging to the group(s). - **Activity of App(s)**: Allows you to create a role based on the aggregated activity of all apps. - - **From Existing Role**: Allows you to create a new role based on an existing role. 
+ - **From Existing Role**: Allows you to create a new role based on an existing role. - **New Role**: Allows you to create a new role from scratch. 1. In **Tasks performed in last**, select the duration: **90 days**, **60 days**, **30 days**, **7 days**, or **1 day**. -1. Depending on your preference: +1. Depending on your preference: - Select or deselect **Ignore Non-Microsoft Read Actions**. - Select or deselect **Include Read-Only Tasks**. 1. In **Settings**, from the **Available** column, select the plus sign **(+)** to move the identity into the **Selected** column, and then select **Next**. 
@@ -113,24 +113,24 @@ This article describes how you can use the **Remediation** dashboard in CloudKno A message confirms that your role has been submitted for creation -1. The [**CloudKnox Tasks**](cloudknox-ui-tasks.md) pane appears on the right. - - The **Active** tab displays a list of the policies CloudKnox is currently processing. - - The **Completed** tab displays a list of the policies CloudKnox has completed. +1. The [**Permissions Management Tasks**](ui-tasks.md) pane appears on the right. + - The **Active** tab displays a list of the policies Permissions Management is currently processing. + - The **Completed** tab displays a list of the policies Permissions Management has completed. 1. Refresh the **Role/Policies** tab to see the role you created. ## Create a role for GCP -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** tab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** tab. 1. Use the dropdown lists to select the **Authorization System Type** and **Authorization System**. 1. Select **Create Role**. 1. On the **Details** page, the **Authorization System Type** and **Authorization System** are pre-populated from your previous settings. - - To change the settings, select the box and make a selection from the dropdown. + - To change the settings, select the box and make a selection from the dropdown. 1. Under **How Would You Like To Create The Role?**, select the required option: - **Activity of User(s)**: Allows you to create a role based on user activity. - **Activity of Group(s)**: Allows you to create a role based on the aggregated activity of all the users belonging to the group(s). - **Activity of Service Account(s)**: Allows you to create a role based on the aggregated activity of all service accounts. - - **From Existing Role**: Allows you to create a new role based on an existing role. 
+ - **From Existing Role**: Allows you to create a new role based on an existing role. - **New Role**: Allows you to create a new role from scratch. 1. In **Tasks performed in last**, select the duration: **90 days**, **60 days**, **30 days**, **7 days**, or **1 day**. 
@@ -151,21 +151,21 @@ This article describes how you can use the **Remediation** dashboard in CloudKno 1. Select **Submit**. A message confirms that your role has been submitted for creation -1. The [**CloudKnox Tasks**](cloudknox-ui-tasks.md) pane appears on the right. +1. The [**Permissions Management Tasks**](ui-tasks.md) pane appears on the right. - - The **Active** tab displays a list of the policies CloudKnox is currently processing. - - The **Completed** tab displays a list of the policies CloudKnox has completed. + - The **Active** tab displays a list of the policies Permissions Management is currently processing. + - The **Completed** tab displays a list of the policies Permissions Management has completed. 1. Refresh the **Role/Policies** tab to see the role you created. ## Next steps -- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md). -- For information on how to modify a role/policy, see [Modify a role/policy](cloudknox-howto-modify-role-policy.md). -- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md). -- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md). -- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md). -- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md). 
-- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
-- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
-- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to modify a role/policy, see [Modify a role/policy](how-to-modify-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-rule.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-rule.md
similarity index 78%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-rule.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-rule.md
index 38c00f0e645a..d2da0287aecb 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-rule.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-rule.md
@@ -1,6 +1,6 @@
 ---
-title: Create a rule in the Autopilot dashboard in CloudKnox Permissions Management
-description: How to create a rule in the Autopilot dashboard in CloudKnox Permissions Management.
+title: Create a rule in the Autopilot dashboard in Permissions Management
+description: How to create a rule in the Autopilot dashboard in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,19 +15,19 @@ ms.author: kenwith # Create a rule in the Autopilot dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This article describes how to create a rule in the CloudKnox Permissions Management (CloudKnox) **Autopilot** dashboard. + +This article describes how to create a rule in the Permissions Management **Autopilot** dashboard. > [!NOTE] -> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you don’t have these permissions, contact your system administrator. +> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you don't have these permissions, contact your system administrator. -## Create a rule +## Create a rule -1. In the CloudKnox home page, select the **Autopilot** tab. +1. In the Permissions Management home page, select the **Autopilot** tab. 1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). -1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. +1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. 1. In the **Autopilot** dashboard, select **New Rule**. 1. In the **Rule Name** box, enter a name for your rule. 1. Select **AWS**, **Azure**, **GCP**, and then select **Next**. 
@@ -54,7 +54,7 @@ This article describes how to create a rule in the CloudKnox Permissions Managem - **Rule Name**: The name of the rule. - **State**: The status of the rule: idle (not being use) or active (being used). - - **Rule Type**: The type of rule being applied. + - **Rule Type**: The type of rule being applied. - **Mode**: The status of the mode: on-demand or not. - **Last Generated**: The date and time the rule was last generated. - **Created By**: The email address of the user who created the rule. @@ -66,6 +66,6 @@ This article describes how to create a rule in the CloudKnox Permissions Managem ## Next steps -- For more information about viewing rules, see [View roles in the Autopilot dashboard](cloudknox-ui-autopilot.md). -- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](cloudknox-howto-recommendations-rule.md). -- For information about notification settings for rules, see [View notification settings for a rule](cloudknox-howto-notifications-rule.md). +- For more information about viewing rules, see [View roles in the Autopilot dashboard](ui-autopilot.md). +- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](how-to-recommendations-rule.md). +- For information about notification settings for rules, see [View notification settings for a rule](how-to-notifications-rule.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-delete-role-policy.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-delete-role-policy.md
similarity index 60%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-delete-role-policy.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-delete-role-policy.md
index 5339d078bcdd..6cb3b89f7592 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-delete-role-policy.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-delete-role-policy.md
@@ -1,5 +1,5 @@
 ---
-title: Delete a role/policy in the Remediation dashboard in CloudKnox Permissions Management
+title: Delete a role/policy in the Remediation dashboard in Permissions Management
 description: How to delete a role/policy in the Just Enough Permissions (JEP) Controller.
 services: active-directory
 author: kenwith
@@ -15,23 +15,23 @@ ms.author: kenwith # Delete a role/policy in the Remediation dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes how you can use the **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) to delete roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems. +This article describes how you can use the **Remediation** dashboard in Permissions Management to delete roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems. > [!NOTE] -> To view the **Remediation** dashboard, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don’t have these permissions, contact your system administrator. +> To view the **Remediation** dashboard, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator. > [!NOTE] -> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both. +> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. 
In the user documentation, we use *role/policy* to refer to both. ## Delete a role/policy -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** subtab. 1. Select the role/policy you want to delete, and from the **Actions** column, select **Delete**. - You can only delete a role/policy if it isn't assigned to an identity. + You can only delete a role/policy if it isn't assigned to an identity. You can't delete system roles/policies. 
@@ -40,12 +40,12 @@ This article describes how you can use the **Remediation** dashboard in CloudKno
 ## Next steps
-- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
-- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
-- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
-- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
-- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
-- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
-- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
-- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
-- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-modify-role-policy.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-modify-role-policy.md
similarity index 61%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-modify-role-policy.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-modify-role-policy.md
index b04e1e695c7f..8c51e75c7c2f 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-modify-role-policy.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-modify-role-policy.md
@@ -1,6 +1,6 @@
 ---
-title: Modify a role/policy in the Remediation dashboard in CloudKnox Permissions Management
-description: How to modify a role/policy in the Remediation dashboard in CloudKnox Permissions Management.
+title: Modify a role/policy in the Remediation dashboard in Permissions Management
+description: How to modify a role/policy in the Remediation dashboard in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,20 +15,20 @@ ms.author: kenwith # Modify a role/policy in the Remediation dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes how you can use the **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) to modify roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems. +This article describes how you can use the **Remediation** dashboard in Permissions Management to modify roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems. > [!NOTE] -> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don’t have these permissions, contact your system administrator. +> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator. > [!NOTE] -> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both. +> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. 
In the user documentation, we use *role/policy* to refer to both. ## Modify a role/policy -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** tab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** tab. 1. Select the role/policy you want to modify, and from the **Actions** column, select **Modify**. You can't modify **System** policies and roles. 
@@ -39,12 +39,12 @@ This article describes how you can use the **Remediation** dashboard in CloudKno
 ## Next steps
-- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
-- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
-- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
-- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
-- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
-- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
-- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
-- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
-- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-notifications-rule.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-notifications-rule.md
similarity index 63%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-notifications-rule.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-notifications-rule.md
index 54d9c277b0b4..08e466861d3f 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-notifications-rule.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-notifications-rule.md
@@ -1,6 +1,6 @@
 ---
-title: View notification settings for a rule in the Autopilot dashboard in CloudKnox Permissions Management
-description: How to view notification settings for a rule in the Autopilot dashboard in CloudKnox Permissions Management.
+title: View notification settings for a rule in the Autopilot dashboard in Permissions Management
+description: How to view notification settings for a rule in the Autopilot dashboard in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,30 +15,30 @@ ms.author: kenwith # View notification settings for a rule in the Autopilot dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This article describes how to view notification settings for a rule in the CloudKnox Permissions Management (CloudKnox) **Autopilot** dashboard. + +This article describes how to view notification settings for a rule in the Permissions Management **Autopilot** dashboard. > [!NOTE] -> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you don’t have these permissions, contact your system administrator. +> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you don't have these permissions, contact your system administrator. -## View notification settings for a rule +## View notification settings for a rule -1. In the CloudKnox home page, select the **Autopilot** tab. +1. In the Permissions Management home page, select the **Autopilot** tab. 1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). -1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. +1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. 1. In the **Autopilot** dashboard, select a rule. 1. In the far right of the row, select the ellipses **(...)** -1. 
To view notification settings for a rule, select **Notification Settings**. +1. To view notification settings for a rule, select **Notification Settings**. - CloudKnox displays a list of subscribed users. These users are signed up to receive notifications for the selected rule. + Permissions Management displays a list of subscribed users. These users are signed up to receive notifications for the selected rule. 1. To close the **Notification Settings** box, select **Close**. ## Next steps -- For more information about viewing rules, see [View roles in the Autopilot dashboard](cloudknox-ui-autopilot.md). -- For information about creating rules, see [Create a rule](cloudknox-howto-create-rule.md). -- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](cloudknox-howto-recommendations-rule.md). +- For more information about viewing rules, see [View roles in the Autopilot dashboard](ui-autopilot.md). +- For information about creating rules, see [Create a rule](how-to-create-rule.md). +- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](how-to-recommendations-rule.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-recommendations-rule.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-recommendations-rule.md similarity index 67% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-recommendations-rule.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-recommendations-rule.md index f73e725c3909..2d83f8b4a469 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-recommendations-rule.md 
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-recommendations-rule.md
@@ -1,6 +1,6 @@
 ---
-title: Generate, view, and apply rule recommendations in the Autopilot dashboard in CloudKnox Permissions Management
-description: How to generate, view, and apply rule recommendations in the Autopilot dashboard in CloudKnox Permissions Management.
+title: Generate, view, and apply rule recommendations in the Autopilot dashboard in Permissions Management
+description: How to generate, view, and apply rule recommendations in the Autopilot dashboard in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,67 +15,67 @@ ms.author: kenwith # Generate, view, and apply rule recommendations in the Autopilot dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This article describes how to generate and view rule recommendations in the CloudKnox Permissions Management (CloudKnox) **Autopilot** dashboard. + +This article describes how to generate and view rule recommendations in the Permissions Management **Autopilot** dashboard. > [!NOTE] -> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you don’t have these permissions, contact your system administrator. +> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you don't have these permissions, contact your system administrator. -## Generate rule recommendations +## Generate rule recommendations -1. In the CloudKnox home page, select the **Autopilot** tab. +1. In the Permissions Management home page, select the **Autopilot** tab. 1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). -1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. +1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. 1. In the **Autopilot** dashboard, select a rule. 1. In the far right of the row, select the ellipses **(...)**. -1. 
To generate recommendations for each user and the authorization system, select **Generate Recommendations**. +1. To generate recommendations for each user and the authorization system, select **Generate Recommendations**. Only the user who created the selected rule can generate a recommendation. 1. View your recommendations in the **Recommendations** subtab. 1. Select **Close** to close the **Recommendations** subtab. -## View rule recommendations +## View rule recommendations -1. In the CloudKnox home page, select the **Autopilot** tab. +1. In the Permissions Management home page, select the **Autopilot** tab. 1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). -1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. +1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. 1. In the **Autopilot** dashboard, select a rule. 1. In the far right of the row, select the ellipses **(...)** -1. To view recommendations for each user and the authorization system, select **View Recommendations**. +1. To view recommendations for each user and the authorization system, select **View Recommendations**. - CloudKnox displays the recommendations for each user and authorization system in the **Recommendations** subtab. + Permissions Management displays the recommendations for each user and authorization system in the **Recommendations** subtab. 1. Select **Close** to close the **Recommendations** subtab. -## Apply rule recommendations +## Apply rule recommendations -1. In the CloudKnox home page, select the **Autopilot** tab. +1. In the Permissions Management home page, select the **Autopilot** tab. 1. 
In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). -1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. +1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. 1. In the **Autopilot** dashboard, select a rule. 1. In the far right of the row, select the ellipses **(...)** -1. To view recommendations for each user and the authorization system, select **View Recommendations**. +1. To view recommendations for each user and the authorization system, select **View Recommendations**. - CloudKnox displays the recommendations for each user and authorization system in the **Recommendations** subtab. + Permissions Management displays the recommendations for each user and authorization system in the **Recommendations** subtab. 1. To apply a recommendation, select the **Apply Recommendations** subtab, and then select a recommendation. 1. Select **Close** to close the **Recommendations** subtab. -## Unapply rule recommendations +## Unapply rule recommendations -1. In the CloudKnox home page, select the **Autopilot** tab. +1. In the Permissions Management home page, select the **Autopilot** tab. 1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). -1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. +1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**. 1. In the **Autopilot** dashboard, select a rule. 1. 
In the far right of the row, select the ellipses **(...)** -1. To view recommendations for each user and the authorization system, select **View Recommendations**. +1. To view recommendations for each user and the authorization system, select **View Recommendations**. - CloudKnox displays the recommendations for each user and authorization system in the **Recommendations** subtab. + Permissions Management displays the recommendations for each user and authorization system in the **Recommendations** subtab. 1. To remove a recommendation, select the **Unapply Recommendations** subtab, and then select a recommendation. 1. Select **Close** to close the **Recommendations** subtab. @@ -83,6 +83,6 @@ This article describes how to generate and view rule recommendations in the Clou ## Next steps -- For more information about viewing rules, see [View roles in the Autopilot dashboard](cloudknox-ui-autopilot.md). -- For information about creating rules, see [Create a rule](cloudknox-howto-create-rule.md). -- For information about notification settings for rules, see [View notification settings for a rule](cloudknox-howto-notifications-rule.md). +- For more information about viewing rules, see [View roles in the Autopilot dashboard](ui-autopilot.md). +- For information about creating rules, see [Create a rule](how-to-create-rule.md). +- For information about notification settings for rules, see [View notification settings for a rule](how-to-notifications-rule.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-revoke-task-readonly-status.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-revoke-task-readonly-status.md
similarity index 77%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-revoke-task-readonly-status.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-revoke-task-readonly-status.md
index d2c5e51db065..85a0a4465fe8 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-revoke-task-readonly-status.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-revoke-task-readonly-status.md
@@ -1,6 +1,6 @@
 ---
-title: Revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management
-description: How to revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management.
+title: Revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in Permissions Management
+description: How to revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -16,24 +16,24 @@ ms.author: kenwith > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This article describes how you can revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities using the **Remediation** dashboard. > [!NOTE] -> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don’t have these permissions, contact your system administrator. +> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator. ## View an identity's permissions -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search for** dropdown, select **Group**, **User**, or **APP/Service Account**. 1. To search for more parameters, you can make a selection from the **User States**, **Permission Creep Index**, and **Task Usage** dropdowns. 1. Select **Apply**. - CloudKnox displays a list of groups, users, and service accounts that match your criteria. 
+ Permissions Management displays a list of groups, users, and service accounts that match your criteria. 1. In **Enter a username**, enter or select a user. 1. In **Enter a Group Name**, enter or select a group, then select **Apply**. 1. Make a selection from the results list. 
@@ -43,69 +43,69 @@ This article describes how you can revoke high-risk and unused tasks or assign r ## Revoke an identity's access to unused tasks -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search for** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**. 1. Make a selection from the results list. 1. To revoke an identity's access to tasks they aren't using, select **Revoke Unused Tasks**. -1. When the following message displays: **Are you sure you want to change permission?**, select: +1. When the following message displays: **Are you sure you want to change permission?**, select: - **Generate Script** to generate a script where you can manually add/remove the permissions you selected. - **Execute** to change the permission. - **Close** to cancel the action. ## Revoke an identity's access to high-risk tasks -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**. 1. Make a selection from the results list. 1. To revoke an identity's access to high-risk tasks, select **Revoke High-Risk Tasks**. -1. When the following message displays: **Are you sure you want to change permission?**, select: +1. 
When the following message displays: **Are you sure you want to change permission?**, select: - **Generate Script** to generate a script where you can manually add/remove the permissions you selected. - **Execute** to change the permission. - **Close** to cancel the action. ## Revoke an identity's ability to delete tasks -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**. 1. Make a selection from the results list. 1. To revoke an identity's ability to delete tasks, select **Revoke Delete Tasks**. -1. When the following message displays: **Are you sure you want to change permission?**, select: +1. When the following message displays: **Are you sure you want to change permission?**, select: - **Generate Script** to generate a script where you can manually add/remove the permissions you selected. - **Execute** to change the permission. - **Close** to cancel the action. ## Assign read-only status to an identity -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab. 1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**. 1. From the **Authorization System** dropdown, select the accounts you want to access. 1. From the **Search for** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**. 1. Make a selection from the results list. 1. 
To assign read-only status to an identity, select **Assign Read-Only Status**. -1. When the following message displays: **Are you sure you want to change permission?**, select: +1. When the following message displays: **Are you sure you want to change permission?**, select: - **Generate Script** to generate a script where you can manually add/remove the permissions you selected. - **Execute** to change the permission. - **Close** to cancel the action. - + ## Next steps -- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md). -- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md). -- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md). -- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md). -- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md). -- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md). -- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md). -- For information on how to add and remove roles and tasks for Azure and GCP identities, see [Add and remove roles and tasks for Azure and GCP identities](cloudknox-howto-attach-detach-permissions.md). -- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md). 
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to add and remove roles and tasks for Azure and GCP identities, see [Add and remove roles and tasks for Azure and GCP identities](how-to-attach-detach-permissions.md).
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-view-role-policy.md b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-view-role-policy.md
similarity index 63%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-view-role-policy.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/how-to-view-role-policy.md
index a6574d3ae8d2..9c1e939b897f 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-view-role-policy.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-view-role-policy.md
@@ -1,6 +1,6 @@
 ---
-title: View information about roles/ policies in the Remediation dashboard in CloudKnox Permissions Management
-description: How to view and filter information about roles/ policies in the Remediation dashboard in CloudKnox Permissions Management.
+title: View information about roles/ policies in the Remediation dashboard in Permissions Management
+description: How to view and filter information about roles/ policies in the Remediation dashboard in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,41 +15,41 @@ ms.author: kenwith # View information about roles/ policies in the Remediation dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) enables system administrators to view, adjust, and remediate excessive permissions based on a user's activity data. You can use the **Roles/Policies** subtab in the dashboard to view information about roles and policies in the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems. +The **Remediation** dashboard in Permissions Management enables system administrators to view, adjust, and remediate excessive permissions based on a user's activity data. You can use the **Roles/Policies** subtab in the dashboard to view information about roles and policies in the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems. > [!NOTE] -> To view the **Remediation dashboard** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don’t have these permissions, contact your system administrator. +> To view the **Remediation dashboard** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator. > [!NOTE] -> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. 
CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both. +> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both. ## View information about roles/policies -1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** subtab. +1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** subtab. The **Role/Policies list** displays a list of existing roles/policies and the following information about each role/policy - **Role/Policy Name**: The name of the roles/policies available to you. - - **Role/Policy Type**: **Custom**, **System**, or **CloudKnox Only** + - **Role/Policy Type**: **Custom**, **System**, or **Permissions Management Only** - **Actions**: The type of action you can perform on the role/policy, **Clone**, **Modify**, or **Delete** -1. To display details about the role/policy and view its assigned tasks and identities, select the arrow to the left of the role/policy name. +1. To display details about the role/policy and view its assigned tasks and identities, select the arrow to the left of the role/policy name. The **Tasks** list appears, displaying: - A list of **Tasks**. - - **For AWS:** + - **For AWS:** - The **Users**, **Groups**, and **Roles** the task is **Directly Assigned To**. - - The **Group Members** and **Role Identities** the task is **Indirectly Accessible By**. + - The **Group Members** and **Role Identities** the task is **Indirectly Accessible By**. - - **For Azure:** + - **For Azure:** - The **Users**, **Groups**, **Enterprise Applications** and **Managed Identities** the task is **Directly Assigned To**. 
- The **Group Members** the task is **Indirectly Accessible By**. - - **For GCP:** + - **For GCP:** - The **Users**, **Groups**, and **Service Accounts** the task is **Directly Assigned To**. - The **Group Members** the task is **Indirectly Accessible By**. @@ -57,11 +57,11 @@ The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) en ## Export information about roles/policies -- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file. +- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file. When the file is successfully exported, a message appears: **Exported Successfully.** - - Check your email for a message from the CloudKnox Customer Success Team. This email contains a link to: + - Check your email for a message from the Permissions Management Customer Success Team. This email contains a link to: - The **Role Policy Details** report in CSV format. - The **Reports** dashboard where you can configure how and when you can automatically receive reports. @@ -70,7 +70,7 @@ The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) en ## Filter information about roles/policies -1. On the CloudKnox home page, select the **Remediation** dashboard, and then select the **Role/Policies** tab. +1. On the Permissions Management home page, select the **Remediation** dashboard, and then select the **Role/Policies** tab. 1. To filter the roles/policies, select from the following options: - **Authorization System Type**: Select **AWS**, **Azure**, or **GCP**. 
@@ -78,9 +78,9 @@ The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) en - **Role/Policy Type**: Select from the following options: - **All**: All managed roles/policies. - - **Custom**: A customer-managed role/policy. - - **System**: A cloud service provider-managed role/policy. - - **CloudKnox Only**: A role/policy created by CloudKnox. + - **Custom**: A customer-managed role/policy. + - **System**: A cloud service provider-managed role/policy. + - **Permissions Management Only**: A role/policy created by Permissions Management. - **Role/Policy Status**: Select **All**, **Assigned**, or **Unassigned**. - **Role/Policy Usage**: Select **All** or **Unused**. 
@@ -91,12 +91,12 @@ The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) en ## Next steps -- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md). -- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md). -- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md). -- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md). -- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md). -- For information on how to attach and detach permissions AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md). -- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md) -- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md). -- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md) +- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md). +- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md). +- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md). 
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md). +- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md). +- For information on how to attach and detach permissions AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md). +- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md) +- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md). +- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md) diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/index.yml b/articles/active-directory/cloud-infrastructure-entitlement-management/index.yml index ad09baeee4cf..89f86084a634 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/index.yml +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/index.yml 
@@ -1,11 +1,11 @@ ### YamlMime:Landing -title: CloudKnox Permissions Management -summary: CloudKnox Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities (users and workloads), actions, and resources across cloud infrastructures. It detects, right-sizes, and monitors unused and excessive permissions and enables Zero Trust security through least privilege access in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). +title: Permissions Management +summary: Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities (users and workloads), actions, and resources across cloud infrastructures. It detects, right-sizes, and monitors unused and excessive permissions and enables Zero Trust security through least privilege access in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). metadata: - title: CloudKnox Permissions Management - description: Learn how to use CloudKnox Permissions Management and Cloud Infrastructure Entitlement Management (CIEM) + title: Permissions Management + description: Learn how to use Permissions Management and Cloud Infrastructure Entitlement Management (CIEM) services: active-directory author: kenwith manager: rkarlin @@ -15,8 +15,8 @@ metadata: ms.topic: landing-page ms.date: 03/09/2022 ms.author: kenwith - - + + # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new 
@@ -24,104 +24,102 @@ landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card - - title: What's CloudKnox Permissions Management? + - title: What's Permissions Management? linkLists: - linkListType: overview links: - text: Overview - url: cloudknox-overview.md + url: overview.md # Card - - title: Onboard CloudKnox Permissions Management + - title: Onboard Permissions Management linkLists: - linkListType: overview links: - - text: Enable CloudKnox - url: cloudknox-onboard-enable-tenant.md + - text: Enable Permissions Management + url: onboard-enable-tenant.md # Card - title: View risk metrics in your authorization system linkLists: - linkListType: overview links: - text: View key statistics and data about your authorization system - url: cloudknox-ui-dashboard.md + url: ui-dashboard.md # Card - title: Configure settings for data collection linkLists: - linkListType: overview links: - text: View and configure settings for data collection - url: cloudknox-product-data-sources.md + url: product-data-sources.md # Card # - title: Manage organizational and personal information # linkLists: # - linkListType: overview # links: # - text: Set personal information and preferences - # url: cloudknox-product-account-settings.md + # url: product-account-settings.md # Card - title: View information about identities linkLists: - linkListType: overview links: - text: View information about identities - url: cloudknox-usage-analytics-home.md + url: usage-analytics-home.md - text: View how users access information - url: cloudknox-ui-audit-trail.md + url: ui-audit-trail.md # Card - title: Manage roles/policies and permission requests linkLists: - linkListType: overview links: - text: View existing roles/policies and requests for permission - url: cloudknox-ui-remediation.md + url: ui-remediation.md # Card # - title: View how users access information # linkLists: # - linkListType: overview # links: # - text: View how 
users access information - # url: cloudknox-ui-audit-trail.md + # url: ui-audit-trail.md # Card - title: Set activity alerts and triggers linkLists: - linkListType: overview links: - text: View information about activity triggers - url: cloudknox-ui-triggers.md + url: ui-triggers.md # Card - title: Manage rules for authorization systems linkLists: - linkListType: overview links: - text: Create and view rules in the Autopilot dashboard - url: cloudknox-ui-autopilot.md + url: ui-autopilot.md # Card - title: Generate reports linkLists: - linkListType: overview links: - text: Generate and view a system report - url: cloudknox-report-view-system-report.md + url: report-view-system-report.md # Card - # - title: Learn with CloudKnox videos + # - title: Learn with Permissions Management videos # linkLists: # - linkListType: overview # links: - # - text: CloudKnox Permissions Management training videos - # url: cloudknox-training-videos.md + # - text: Permissions Management training videos + # url: training-videos.md # Card - title: FAQs linkLists: - linkListType: overview links: - text: FAQs - url: cloudknox-faqs.md + url: faqs.md # Card - title: Troubleshoot linkLists: - linkListType: overview links: - text: Troubleshoot - url: cloudknox-troubleshoot.md - - + url: troubleshoot.md diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-integration-api.md b/articles/active-directory/cloud-infrastructure-entitlement-management/integration-api.md similarity index 84% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-integration-api.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/integration-api.md index 2bcae5561976..75795ba23921 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-integration-api.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/integration-api.md 
@@ -1,6 +1,6 @@ --- -title: Set and view configuration settings in CloudKnox Permissions Management -description: How to view the CloudKnox Permissions Management API integration settings and create service accounts and roles. +title: Set and view configuration settings in Permissions Management +description: How to view the Permissions Management API integration settings and create service accounts and roles. services: active-directory author: kenwith manager: rkarlin @@ -15,10 +15,10 @@ ms.author: kenwith # Set and view configuration settings > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to view configuration settings, create and delete a service account, and create a role in CloudKnox Permissions Management (CloudKnox). +This topic describes how to view configuration settings, create and delete a service account, and create a role in Permissions Management. ## View configuration settings @@ -30,7 +30,7 @@ The **Integrations** dashboard displays the authorization systems available to y 1. Select an authorization system tile to view the following integration information: - 1. To find out more about the CloudKnox API, select **CloudKnox API**, and then select documentation. + 1. To find out more about the Permissions Management API, select **Permissions Management API**, and then select documentation. 1. To view information about service accounts, select **Integration**: 
@@ -43,7 +43,7 @@ The **Integrations** dashboard displays the authorization systems available to y 1. To view settings information, select **Settings**: - **Roles can create service account**: Lists the type of roles you can create. - - **Access Key Rotation Policy**: Lists notifications and actions you can set. + - **Access Key Rotation Policy**: Lists notifications and actions you can set. - **Access Key Usage Policy**: Lists notifications and actions you can set. ## Create a service account @@ -67,7 +67,7 @@ The **Integrations** dashboard displays the authorization systems available to y 1. On the **Integrations** dashboard, select **User**, and then select **Integrations.** 1. On the right of the email address, select **Delete Service Account**. - + On the **Validate OTP To Delete [Service Name] Integration** box, a message displays asking you to check your email for a code sent to the email address on file. If you don't receive the code, select **Resend OTP**. @@ -79,9 +79,9 @@ The **Integrations** dashboard displays the authorization systems available to y ## Create a role 1. On the **Integrations** dashboard, select **User**, and then select **Settings**. -2. Under **Roles can create service account**, select the role you want: +2. Under **Roles can create service account**, select the role you want: - **Super Admin** - - **Viewer** + - **Viewer** - **Controller** 3. In the **Access Key Rotation Policy** column, select options for the following: @@ -100,6 +100,6 @@ The **Integrations** dashboard displays the authorization systems available to y - - - \ No newline at end of file + + + \ No newline at end of file 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-multi-cloud-glossary.md b/articles/active-directory/cloud-infrastructure-entitlement-management/multi-cloud-glossary.md similarity index 67% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-multi-cloud-glossary.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/multi-cloud-glossary.md index c18ec28669bb..a23f7007f570 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-multi-cloud-glossary.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/multi-cloud-glossary.md @@ -1,6 +1,6 @@ --- -title: CloudKnox Permissions Management - The CloudKnox glossary -description: CloudKnox Permissions Management glossary +title: Permissions Management glossary +description: Permissions Management glossary services: active-directory author: kenwith manager: rkarlin @@ -12,13 +12,13 @@ ms.date: 02/23/2022 ms.author: kenwith --- -# The CloudKnox glossary +# The Permissions Management glossary > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This glossary provides a list of some of the commonly used cloud terms in CloudKnox Permissions Management (CloudKnox). These terms will help CloudKnox users navigate through cloud-specific terms and cloud-generic terms. +This glossary provides a list of some of the commonly used cloud terms in Permissions Management. These terms will help Permissions Management users navigate through cloud-specific terms and cloud-generic terms. ## Commonly-used acronyms and terms 
@@ -34,7 +34,7 @@ This glossary provides a list of some of the commonly used cloud terms in CloudK | CIEM | Cloud Infrastructure Entitlement Management. The next generation of solutions for enforcing least privilege in the cloud. It addresses cloud-native security challenges of managing identity access management in cloud environments. | | CIS | Cloud infrastructure security | | CWP | Cloud Workload Protection. A workload-centric security solution that targets the unique protection requirements of workloads in modern enterprise environments. | -| CNAPP | Cloud-Native Application Protection. The convergence of cloud security posture management (CSPM), cloud workload protection (CWP), cloud infrastructure entitlement management (CIEM), and cloud applications security broker (CASB). An integrated security approach that covers the entire lifecycle of cloud-native applications. | +| CNAPP | Cloud-Native Application Protection. The convergence of cloud security posture management (CSPM), cloud workload protection (CWP), cloud infrastructure entitlement management (CIEM), and cloud applications security broker (CASB). An integrated security approach that covers the entire lifecycle of cloud-native applications. | | CSPM | Cloud Security Posture Management. Addresses risks of compliance violations and misconfigurations in enterprise cloud environments. Also focuses on the resource level to identify deviations from best practice security settings for cloud governance and compliance. | | CWPP | Cloud Workload Protection Platform | | Data Collector | Virtual entity which stores the data collection configuration | 
@@ -43,40 +43,40 @@ This glossary provides a list of some of the commonly used cloud terms in CloudK | Entitlement | An abstract attribute that represents different forms of user permissions in a range of infrastructure systems and business applications.| | Entitlement management | Technology that grants, resolves, enforces, revokes, and administers fine-grained access entitlements (that is, authorizations, privileges, access rights, permissions and rules). Its purpose is to execute IT access policies to structured/unstructured data, devices, and services. It can be delivered by different technologies, and is often different across platforms, applications, network components, and devices. | | High-risk task | A task in which a user can cause data leakage, service disruption, or service degradation. | -| Hybrid cloud | Sometimes called a cloud hybrid. A computing environment that combines an on-premises data center (a private cloud) with a public cloud. It allows data and applications to be shared between them. | +| Hybrid cloud | Sometimes called a cloud hybrid. A computing environment that combines an on-premises data center (a private cloud) with a public cloud. It allows data and applications to be shared between them. | | hybrid cloud storage | A private or public cloud used to store an organization's data. | -| ICM | Incident Case Management | -| IDS | Intrusion Detection Service | +| ICM | Incident Case Management | +| IDS | Intrusion Detection Service | | Identity analytics | Includes basic monitoring and remediation, dormant and orphan account detection and removal, and privileged account discovery. | | Identity lifecycle management | Maintain digital identities, their relationships with the organization, and their attributes during the entire process from creation to eventual archiving, using one or more identity life cycle patterns. | | IGA | Identity governance and administration. 
Technology solutions that conduct identity management and access governance operations. IGA includes the tools, technologies, reports, and compliance activities required for identity lifecycle management. It includes every operation from account creation and termination to user provisioning, access certification, and enterprise password management. It looks at automated workflow and data from authoritative sources capabilities, self-service user provisioning, IT governance, and password management. | -| ITSM | Information Technology Security Management. Tools that enable IT operations organizations (infrastructure and operations managers), to better support the production environment. Facilitate the tasks and workflows associated with the management and delivery of quality IT services. | +| ITSM | Information Technology Security Management. Tools that enable IT operations organizations (infrastructure and operations managers), to better support the production environment. Facilitate the tasks and workflows associated with the management and delivery of quality IT services. | | JEP | Just Enough Permissions | -| JIT | Just in Time access can be seen as a way to enforce the principle of least privilege to ensure users and non-human identities are given the minimum level of privileges. It also ensures that privileged activities are conducted in accordance with an organization’s Identity Access Management (IAM), IT Service Management (ITSM), and Privileged Access Management (PAM) policies, with its entitlements and workflows. JIT access strategy enables organizations to maintain a full audit trail of privileged activities so they can easily identify who or what gained access to which systems, what they did at what time, and for how long. | +| JIT | Just in Time access can be seen as a way to enforce the principle of least privilege to ensure users and non-human identities are given the minimum level of privileges. 
It also ensures that privileged activities are conducted in accordance with an organization's Identity Access Management (IAM), IT Service Management (ITSM), and Privileged Access Management (PAM) policies, with its entitlements and workflows. JIT access strategy enables organizations to maintain a full audit trail of privileged activities so they can easily identify who or what gained access to which systems, what they did at what time, and for how long. | | Least privilege | Ensures that users only gain access to the specific tools they need to complete a task. | -| Multi-tenant | A single instance of the software and its supporting infrastructure serves multiple customers. Each customer shares the software application and also shares a single database. | -| OIDC | OpenID Connect. An authentication protocol that verifies user identity when a user is trying to access a protected HTTPs end point. OIDC is an evolutionary development of ideas implemented earlier in OAuth. | +| Multi-tenant | A single instance of the software and its supporting infrastructure serves multiple customers. Each customer shares the software application and also shares a single database. | +| OIDC | OpenID Connect. An authentication protocol that verifies user identity when a user is trying to access a protected HTTPs end point. OIDC is an evolutionary development of ideas implemented earlier in OAuth. | | PAM | Privileged access management. Tools that offer one or more of these features: discover, manage, and govern privileged accounts on multiple systems and applications; control access to privileged accounts, including shared and emergency access; randomize, manage, and vault credentials (password, keys, etc.) 
for administrative, service, and application accounts; single sign-on (SSO) for privileged access to prevent credentials from being revealed; control, filter, and orchestrate privileged commands, actions, and tasks; manage and broker credentials to applications, services, and devices to avoid exposure; and monitor, record, audit, and analyze privileged access, sessions, and actions. | | PASM | Privileged accounts are protected by vaulting their credentials. Access to those accounts is then brokered for human users, services, and applications. Privileged session management (PSM) functions establish sessions with possible credential injection and full session recording. Passwords and other credentials for privileged accounts are actively managed and changed at definable intervals or upon the occurrence of specific events. PASM solutions may also provide application-to-application password management (AAPM) and zero-install remote privileged access features for IT staff and third parties that don't require a VPN. | | PEDM | Specific privileges are granted on the managed system by host-based agents to logged-in users. PEDM tools provide host-based command control (filtering); application allow, deny, and isolate controls; and/or privilege elevation. The latter is in the form of allowing particular commands to be run with a higher level of privileges. PEDM tools execute on the actual operating system at the kernel or process level. Command control through protocol filtering is explicitly excluded from this definition because the point of control is less reliable. PEDM tools may also provide file integrity monitoring features. | -| Permission | Rights and privileges. Details given by users or network administrators that define access rights to files on a network. Access controls attached to a resource dictating which identities can access it and how. Privileges are attached to identities and are the ability to perform certain actions. 
An identity having the ability to perform an action on a resource. | -| POD | Permission on Demand. A type of JIT access that allows the temporary elevation of permissions, enabling identities to access resources on a by-request, timed basis. | -| Permissions creep index (PCI) | A number from 0 to 100 that represents the incurred risk of users with access to high-risk privileges. PCI is a function of users who have access to high-risk privileges but aren't actively using them. | +| Permission | Rights and privileges. Details given by users or network administrators that define access rights to files on a network. Access controls attached to a resource dictating which identities can access it and how. Privileges are attached to identities and are the ability to perform certain actions. An identity having the ability to perform an action on a resource. | +| POD | Permission on Demand. A type of JIT access that allows the temporary elevation of permissions, enabling identities to access resources on a by-request, timed basis. | +| Permissions creep index (PCI) | A number from 0 to 100 that represents the incurred risk of users with access to high-risk privileges. PCI is a function of users who have access to high-risk privileges but aren't actively using them. | | Policy and role management | Maintain rules that govern automatic assignment and removal of access rights. Provides visibility of access rights for selection in access requests, approval processes, dependencies, and incompatibilities between access rights, and more. Roles are a common vehicle for policy management. | -| Privilege | The authority to make changes to a network or computer. Both people and accounts can have privileges, and both can have different levels of privilege. | +| Privilege | The authority to make changes to a network or computer. Both people and accounts can have privileges, and both can have different levels of privilege. 
| | Privileged account | A login credential to a server, firewall, or other administrative account. Often referred to as admin accounts. Comprised of the actual username and password; these two things together make up the account. A privileged account is allowed to do more things than a normal account. | -| Public Cloud | Computing services offered by third-party providers over the public Internet, making them available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. | +| Public Cloud | Computing services offered by third-party providers over the public Internet, making them available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. | | Resource | Any entity that uses compute capabilities can be accessed by users and services to perform actions. | -| Role | An IAM identity that has specific permissions. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A role doesn't have standard long-term credentials such as a password or access keys associated with. | -| SCIM | System for Cross–domain Identity Management | -| SIEM | Security Information and Event Management. Technology that supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards, and reporting). | +| Role | An IAM identity that has specific permissions. 
Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A role doesn't have standard long-term credentials such as a password or access keys associated with. | +| SCIM | System for Cross–domain Identity Management | +| SIEM | Security Information and Event Management. Technology that supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards, and reporting). | | SOAR | Security orchestration, automation and response (SOAR). Technologies that enable organizations to take inputs from various sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures. These workflows can be orchestrated via integrations with other technologies and automated to achieve the desired outcome and greater visibility. Other capabilities include case and incident management features; the ability to manage threat intelligence, dashboards and reporting; and analytics that can be applied across various functions. SOAR tools significantly enhance security operations activities like threat detection and response by providing machine-powered assistance to human analysts to improve the efficiency and consistency of people and processes. | | Super user / Super identity | A powerful account used by IT system administrators that can be used to make configurations to a system or application, add or remove users, or delete data. | -| Tenant | A dedicated instance of the services and organization data stored within a specific default location. 
| -| UUID | Universally unique identifier. A 128-bit label used for information in computer systems. The term globally unique identifier (GUID) is also used.| +| Tenant | A dedicated instance of the services and organization data stored within a specific default location. | +| UUID | Universally unique identifier. A 128-bit label used for information in computer systems. The term globally unique identifier (GUID) is also used.| | Zero trust security | The three foundational principles: explicit verification, breach assumption, and least privileged access.| | ZTNA | Zero trust network access. A product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. It removes application assets from public visibility and significantly reduces the surface area for attack.| ## Next steps -- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md). +- For an overview of Permissions Management, see [What's Permissions Management?](overview.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-add-account-after-onboarding.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-add-account-after-onboarding.md similarity index 69% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-add-account-after-onboarding.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/onboard-add-account-after-onboarding.md index bceb2295d459..c02c442060d6 100644 
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-add-account-after-onboarding.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-add-account-after-onboarding.md @@ -1,6 +1,6 @@ --- -title: Add an account/ subscription/ project to Microsoft CloudKnox Permissions Management after onboarding is complete -description: How to add an account/ subscription/ project to Microsoft CloudKnox Permissions Management after onboarding is complete. +title: Add an account /subscription/ project to Permissions Management after onboarding is complete +description: How to add an account/ subscription/ project to Permissions Management after onboarding is complete. services: active-directory author: kenwith manager: rkarlin 
@@ -15,22 +15,22 @@ ms.author: kenwith
 # Add an account/ subscription/ project after onboarding is complete
 > [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Microsoft Entra Permissions Management is currently in PREVIEW.
 > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-This article describes how to add an Amazon Web Services (AWS) account, Microsoft Azure subscription, or Google Cloud Platform (GCP) project in Microsoft CloudKnox Permissions Management (CloudKnox) after you've completed the onboarding process.
+This article describes how to add an Amazon Web Services (AWS) account, Microsoft Azure subscription, or Google Cloud Platform (GCP) project in Microsoft Permissions Management after you've completed the onboarding process.
 ## Add an AWS account after onboarding is complete
-1. In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
+1. In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
 1. On the **Data collectors** dashboard, select **AWS**.
 1. Select the ellipses **(...)** at the end of the row, and then select **Edit Configuration**.
- The **CloudKnox Onboarding - Summary** page displays.
+ The **Permissions Management Onboarding - Summary** page displays.
 1. Go to **AWS Account IDs**, and then select **Edit** (the pencil icon).
- The **CloudKnox Onboarding - AWS Member Account Details** page displays.
+ The **Permissions Management Onboarding - AWS Member Account Details** page displays.
 1. Go to **Enter Your AWS Account IDs**, and then select **Add** (the plus **+** sign).
 1. Copy your account ID from AWS and paste it into the **Enter Account ID** box.
@@ -44,7 +44,7 @@ This article describes how to add an Amazon Web Services (AWS) account, Microsof
 1. Create a new script for the new account and press the **Enter** key.
 1. Paste the script you copied.
 1. Locate the account line, delete the original account ID (the one that was previously added), and then run the script.
-1. Return to CloudKnox, and the new account ID you added will be added to the list of account IDs displayed in the **CloudKnox Onboarding - Summary** page.
+1. Return to Permissions Management, and the new account ID you added will be added to the list of account IDs displayed in the **Permissions Management Onboarding - Summary** page.
 1. Select **Verify now & save**. When your changes are saved, the following message displays: **Successfully updated configuration.**
@@ -52,11 +52,11 @@ This article describes how to add an Amazon Web Services (AWS) account, Microsof
 ## Add an Azure subscription after onboarding is complete
-1. In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
+1. In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
 1. On the **Data collectors** dashboard, select **Azure**.
 1. Select the ellipses **(...)** at the end of the row, and then select **Edit Configuration**.
- The **CloudKnox Onboarding - Summary** page displays.
+ The **Permissions Management Onboarding - Summary** page displays.
 1. Go to **Azure subscription IDs**, and then select **Edit** (the pencil icon).
 1. Go to **Enter your Azure Subscription IDs**, and then select **Add subscription** (the plus **+** sign).
@@ -71,18 +71,18 @@ This article describes how to add an Amazon Web Services (AWS) account, Microsof
 1. Create a new script for the new subscription and press enter.
 1. Paste the script you copied.
 1. Locate the subscription line and delete the original subscription ID (the one that was previously added), and then run the script.
-1. Return to CloudKnox, and the new subscription ID you added will be added to the list of subscription IDs displayed in the **CloudKnox Onboarding - Summary** page.
+1. Return to Permissions Management, and the new subscription ID you added will be added to the list of subscription IDs displayed in the **Permissions Management Onboarding - Summary** page.
 1. Select **Verify now & save**. When your changes are saved, the following message displays: **Successfully updated configuration.**
 ## Add a GCP project after onboarding is complete
-1. In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
+1. In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
 1. On the **Data collectors** dashboard, select **GCP**.
 1. Select the ellipses **(...)** at the end of the row, and then select **Edit Configuration**.
- The **CloudKnox Onboarding - Summary** page displays.
+ The **Permissions Management Onboarding - Summary** page displays.
 1. Go to **GCP Project IDs**, and then select **Edit** (the pencil icon).
 1. Go to **Enter your GCP Project IDs**, and then select **Add Project ID** (the plus **+** sign).
@@ -97,7 +97,7 @@ This article describes how to add an Amazon Web Services (AWS) account, Microsof
 1. Create a new script for the new project ID and press enter.
 1. Paste the script you copied.
 1. Locate the project ID line and delete the original project ID (the one that was previously added), and then run the script.
-1. Return to CloudKnox, and the new project ID you added will be added to the list of project IDs displayed in the **CloudKnox Onboarding - Summary** page.
+1. Return to Permissions Management, and the new project ID you added will be added to the list of project IDs displayed in the **Permissions Management Onboarding - Summary** page.
 1. Select **Verify now & save**. When your changes are saved, the following message displays: **Successfully updated configuration.**
@@ -106,7 +106,7 @@ This article describes how to add an Amazon Web Services (AWS) account, Microsof
 ## Next steps
-- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an AWS account](cloudknox-onboard-aws.md).
- - For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](cloudknox-onboard-azure.md).
-- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a GCP project](cloudknox-onboard-gcp.md).
-- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](cloudknox-onboard-enable-controller-after-onboarding.md).
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an AWS account](onboard-aws.md).
+ - For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](onboard-azure.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a GCP project](onboard-gcp.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](onboard-enable-controller-after-onboarding.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-aws.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md
similarity index 55%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-aws.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md
index 968f5dfb047e..fc4d7b83549e 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-aws.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md
@@ -1,6 +1,6 @@
 ---
-title: Onboard an Amazon Web Services (AWS) account on CloudKnox Permissions Management
-description: How to onboard an Amazon Web Services (AWS) account on CloudKnox Permissions Management.
+title: Onboard an Amazon Web Services (AWS) account on Permissions Management
+description: How to onboard an Amazon Web Services (AWS) account on Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,150 +15,150 @@ ms.author: kenwith
 # Onboard an Amazon Web Services (AWS) account
 > [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Microsoft Entra Permissions Management is currently in PREVIEW.
 > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-> [!NOTE]
-> The CloudKnox Permissions Management (CloudKnox) PREVIEW is currently not available for tenants hosted in the European Union (EU).
+> [!NOTE]
+> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).
-This article describes how to onboard an Amazon Web Services (AWS) account on CloudKnox Permissions Management (CloudKnox).
+This article describes how to onboard an Amazon Web Services (AWS) account on Permissions Management.
-> [!NOTE]
-> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable CloudKnox on your Azure Active Directory tenant](cloudknox-onboard-enable-tenant.md).
+> [!NOTE]
+> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
 ## View a training video on configuring and onboarding an AWS account
-To view a video on how to configure and onboard AWS accounts in CloudKnox, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).
+To view a video on how to configure and onboard AWS accounts in Permissions Management, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).
## Onboard an AWS account -1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches: +1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches: - - In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. + - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. 1. On the **Data Collectors** dashboard, select **AWS**, and then select **Create Configuration**. -### 1. Create an Azure AD OIDC App. +### 1. Create an Azure AD OIDC App -1. On the **CloudKnox Onboarding - Azure AD OIDC App Creation** page, enter the **OIDC Azure app name**. +1. On the **Permissions Management Onboarding - Azure AD OIDC App Creation** page, enter the **OIDC Azure app name**. This app is used to set up an OpenID Connect (OIDC) connection to your AWS account. OIDC is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. The scripts generated on this page create the app of this specified name in your Azure AD tenant with the right configuration. - + 1. To create the app registration, copy the script and run it in your Azure command-line app. - > [!NOTE] + > [!NOTE] > 1. To confirm that the app was created, open **App registrations** in Azure and, on the **All applications** tab, locate your app. > 1. Select the app name to open the **Expose an API** page. The **Application ID URI** displayed in the **Overview** page is the *audience value* used while making an OIDC connection with your AWS account. -1. Return to CloudKnox, and in the **CloudKnox Onboarding - Azure AD OIDC App Creation**, select **Next**. +1. Return to Permissions Management, and in the **Permissions Management Onboarding - Azure AD OIDC App Creation**, select **Next**. -### 2. Set up an AWS OIDC account. +### 2. Set up an AWS OIDC account -1. 
In the **CloudKnox Onboarding - AWS OIDC Account Setup** page, enter the **AWS OIDC account ID** where the OIDC provider is created. You can change the role name to your requirements. +1. In the **Permissions Management Onboarding - AWS OIDC Account Setup** page, enter the **AWS OIDC account ID** where the OIDC provider is created. You can change the role name to your requirements. 1. Open another browser window and sign in to the AWS account where you want to create the OIDC provider. -1. Select **Launch Template**. This link takes you to the **AWS CloudFormation create stack** page. +1. Select **Launch Template**. This link takes you to the **AWS CloudFormation create stack** page. 1. Scroll to the bottom of the page, and in the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create Stack.** This AWS CloudFormation stack creates an OIDC Identity Provider (IdP) representing Azure AD STS and an AWS IAM role with a trust policy that allows external identities from Azure AD to assume it via the OIDC IdP. These entities are listed on the **Resources** page. -1. Return to CloudKnox, and in the **CloudKnox Onboarding - AWS OIDC Account Setup** page, select **Next**. +1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS OIDC Account Setup** page, select **Next**. + +### 3. Set up an AWS master account (Optional) -### 3. Set up an AWS master account. (Optional) +1. If your organization has Service Control Policies (SCPs) that govern some or all of the member accounts, set up the master account connection in the **Permissions Management Onboarding - AWS Master Account Details** page. -1. If your organization has Service Control Policies (SCPs) that govern some or all of the member accounts, set up the master account connection in the **CloudKnox Onboarding - AWS Master Account Details** page. 
+ Setting up the master account connection allows Permissions Management to auto-detect and onboard any AWS member accounts that have the correct Permissions Management role. - Setting up the master account connection allows CloudKnox to auto-detect and onboard any AWS member accounts that have the correct CloudKnox role. + - In the **Permissions Management Onboarding - AWS Master Account Details** page, enter the **Master Account ID** and **Master Account Role**. - - In the **CloudKnox Onboarding - AWS Master Account Details** page, enter the **Master Account ID** and **Master Account Role**. - 1. Open another browser window and sign in to the AWS console for your master account. -1. Return to CloudKnox, and in the **CloudKnox Onboarding - AWS Master Account Details** page, select **Launch Template**. +1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Master Account Details** page, select **Launch Template**. The **AWS CloudFormation create stack** page opens, displaying the template. 1. Review the information in the template, make changes, if necessary, then scroll to the bottom of the page. 1. In the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create stack**. - - This AWS CloudFormation stack creates a role in the master account with the necessary permissions (policies) to collect SCPs and list all the accounts in your organization. + + This AWS CloudFormation stack creates a role in the master account with the necessary permissions (policies) to collect SCPs and list all the accounts in your organization. A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack. - -1. Return to CloudKnox, and in **CloudKnox Onboarding - AWS Master Account Details**, select **Next**. -### 4. 
Set up an AWS Central logging account. (Optional but recommended) +1. Return to Permissions Management, and in **Permissions Management Onboarding - AWS Master Account Details**, select **Next**. + +### 4. Set up an AWS Central logging account (Optional but recommended) + +1. If your organization has a central logging account where logs from some or all of your AWS account are stored, in the **Permissions Management Onboarding - AWS Central Logging Account Details** page, set up the logging account connection. -1. If your organization has a central logging account where logs from some or all of your AWS account are stored, in the **CloudKnox Onboarding - AWS Central Logging Account Details** page, set up the logging account connection. + In the **Permissions Management Onboarding - AWS Central Logging Account Details** page, enter the **Logging Account ID** and **Logging Account Role**. - In the **CloudKnox Onboarding - AWS Central Logging Account Details** page, enter the **Logging Account ID** and **Logging Account Role**. - 1. In another browser window, sign in to the AWS console for the AWS account you use for central logging. -1. Return to CloudKnox, and in the **CloudKnox Onboarding - AWS Central Logging Account Details** page, select **Launch Template**. +1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Central Logging Account Details** page, select **Launch Template**. The **AWS CloudFormation create stack** page opens, displaying the template. 1. Review the information in the template, make changes, if necessary, then scroll to the bottom of the page. 1. In the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**, and then select **Create stack**. - + This AWS CloudFormation stack creates a role in the logging account with the necessary permissions (policies) to read S3 buckets used for central logging. 
A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack. - -1. Return to CloudKnox, and in the **CloudKnox Onboarding - AWS Central Logging Account Details** page, select **Next**. -### 5. Set up an AWS member account. +1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Central Logging Account Details** page, select **Next**. + +### 5. Set up an AWS member account -1. In the **CloudKnox Onboarding - AWS Member Account Details** page, enter the **Member Account Role** and the **Member Account IDs**. +1. In the **Permissions Management Onboarding - AWS Member Account Details** page, enter the **Member Account Role** and the **Member Account IDs**. You can enter up to 10 account IDs. Click the plus icon next to the text box to add more account IDs. > [!NOTE] > Perform the next 6 steps for each account ID you add. -1. Open another browser window and sign in to the AWS console for the member account. +1. Open another browser window and sign in to the AWS console for the member account. -1. Return to the **CloudKnox Onboarding - AWS Member Account Details** page, select **Launch Template**. +1. Return to the **Permissions Management Onboarding - AWS Member Account Details** page, select **Launch Template**. The **AWS CloudFormation create stack** page opens, displaying the template. -1. In the **CloudTrailBucketName** page, enter a name. +1. In the **CloudTrailBucketName** page, enter a name. You can copy and paste the **CloudTrailBucketName** name from the **Trails** page in AWS. - > [!NOTE] - > A *cloud bucket* collects all the activity in a single account that CloudKnox monitors. Enter the name of a cloud bucket here to provide CloudKnox with the access required to collect activity data. + > [!NOTE] + > A *cloud bucket* collects all the activity in a single account that Permissions Management monitors. 
Enter the name of a cloud bucket here to provide Permissions Management with the access required to collect activity data. -1. From the **Enable Controller** dropdown, select: +1. From the **Enable Controller** dropdown, select: - - **True**, if you want the controller to provide CloudKnox with read and write access so that any remediation you want to do from the CloudKnox platform can be done automatically. - - **False**, if you want the controller to provide CloudKnox with read-only access. + - **True**, if you want the controller to provide Permissions Management with read and write access so that any remediation you want to do from the Permissions Management platform can be done automatically. + - **False**, if you want the controller to provide Permissions Management with read-only access. 1. Scroll to the bottom of the page, and in the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create stack**. - This AWS CloudFormation stack creates a collection role in the member account with necessary permissions (policies) for data collection. + This AWS CloudFormation stack creates a collection role in the member account with necessary permissions (policies) for data collection. + + A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack. - A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack. +1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Member Account Details** page, select **Next**. -1. Return to CloudKnox, and in the **CloudKnox Onboarding - AWS Member Account Details** page, select **Next**. 
- This step completes the sequence of required connections from Azure AD STS to the OIDC connection account and the AWS member account. -### 6. Review and save. +### 6. Review and save -1. In **CloudKnox Onboarding – Summary**, review the information you’ve added, and then select **Verify Now & Save**. +1. In **Permissions Management Onboarding – Summary**, review the information you've added, and then select **Verify Now & Save**. The following message appears: **Successfully created configuration.** - On the **Data Collectors** dashboard, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.** + On the **Data Collectors** dashboard, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.** - You have now completed onboarding AWS, and CloudKnox has started collecting and processing your data. + You have now completed onboarding AWS, and Permissions Management has started collecting and processing your data. -### 7. View the data. +### 7. View the data -1. To view the data, select the **Authorization Systems** tab. +1. To view the data, select the **Authorization Systems** tab. The **Status** column in the table displays **Collecting Data.** 
@@ -167,7 +167,7 @@ To view a video on how to configure and onboard AWS accounts in CloudKnox, selec
 ## Next steps
-- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](cloudknox-onboard-azure.md).
-- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a Google Cloud Platform (GCP) project](cloudknox-onboard-gcp.md).
-- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](cloudknox-onboard-enable-controller-after-onboarding.md).
-- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](cloudknox-onboard-add-account-after-onboarding.md).
+- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](onboard-azure.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a Google Cloud Platform (GCP) project](onboard-gcp.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](onboard-enable-controller-after-onboarding.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-azure.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md
similarity index 54%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-azure.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md
index 939c093c9b3a..9b21f89b3dbc 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-azure.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md
@@ -1,6 +1,6 @@
 ---
-title: Onboard a Microsoft Azure subscription in CloudKnox Permissions Management
-description: How to a Microsoft Azure subscription on CloudKnox Permissions Management.
+title: Onboard a Microsoft Azure subscription in Permissions Management
+description: How to a Microsoft Azure subscription on Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,74 +15,74 @@ ms.author: kenwith
 # Onboard a Microsoft Azure subscription
 > [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Microsoft Entra Permissions Management (Permissions Management) is currently in PREVIEW.
 > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-> [!NOTE]
-> The CloudKnox Permissions Management (CloudKnox) PREVIEW is currently not available for tenants hosted in the European Union (EU).
+> [!NOTE]
+> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).
-This article describes how to onboard a Microsoft Azure subscription or subscriptions on CloudKnox Permissions Management (CloudKnox). Onboarding a subscription creates a new authorization system to represent the Azure subscription in CloudKnox.
+This article describes how to onboard a Microsoft Azure subscription or subscriptions on Permissions Management (Permissions Management). Onboarding a subscription creates a new authorization system to represent the Azure subscription in Permissions Management.
-> [!NOTE]
-> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable CloudKnox on your Azure Active Directory tenant](cloudknox-onboard-enable-tenant.md).
+> [!NOTE]
+> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
 ## Prerequisites
-To add CloudKnox to your Azure AD tenant:
+To add Permissions Management to your Azure AD tenant:
 - You must have an Azure AD user account and an Azure command-line interface (Azure CLI) on your system, or an Azure subscription. If you don't already have one, [create a free account](https://azure.microsoft.com/free/).
 - You must have **Microsoft.Authorization/roleAssignments/write** permission at the subscription or management group scope to perform these tasks. If you don't have this permission, you can ask someone who has this permission to perform these tasks for you.
-## View a training video on enabling CloudKnox in your Azure AD tenant
+## View a training video on enabling Permissions Management in your Azure AD tenant
-To view a video on how to enable CloudKnox in your Azure AD tenant, select [Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).
+To view a video on how to enable Permissions Management in your Azure AD tenant, select [Enable Permissions Management in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).
 ## How to onboard an Azure subscription
-1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches:
+1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches:
- - In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+ - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
 1. On the **Data Collectors** dashboard, select **Azure**, and then select **Create Configuration**.
 ### 1. Add Azure subscription details
-1. On the **CloudKnox Onboarding - Azure Subscription Details** page, enter the **Subscription IDs** that you want to onboard.
-
- > [!NOTE]
+1. On the **Permissions Management Onboarding - Azure Subscription Details** page, enter the **Subscription IDs** that you want to onboard.
+ + > [!NOTE] > To locate the Azure subscription IDs, open the **Subscriptions** page in Azure. > You can enter up to 10 subscriptions IDs. Select the plus sign **(+)** icon next to the text box to enter more subscriptions. -1. From the **Scope** dropdown, select **Subscription** or **Management Group**. The script box displays the role assignment script. - - > [!NOTE] - > Select **Subscription** if you want to assign permissions separately for each individual subscription. The generated script has to be executed once per subscription. +1. From the **Scope** dropdown, select **Subscription** or **Management Group**. The script box displays the role assignment script. + + > [!NOTE] + > Select **Subscription** if you want to assign permissions separately for each individual subscription. The generated script has to be executed once per subscription. > Select **Management Group** if all of your subscriptions are under one management group. The generated script must be executed once for the management group. -1. To give this role assignment to the service principal, copy the script to a file on your system where Azure CLI is installed and execute it. +1. To give this role assignment to the service principal, copy the script to a file on your system where Azure CLI is installed and execute it. You can execute the script once for each subscription, or once for all the subscriptions in the management group. 1. From the **Enable Controller** dropdown, select: - - **True**, if you want the controller to provide CloudKnox with read and write access so that any remediation you want to do from the CloudKnox platform can be done automatically. - - **False**, if you want the controller to provide CloudKnox with read-only access. + - **True**, if you want the controller to provide Permissions Management with read and write access so that any remediation you want to do from the Permissions Management platform can be done automatically. 
+ - **False**, if you want the controller to provide Permissions Management with read-only access. -1. Return to **CloudKnox Onboarding - Azure Subscription Details** page and select **Next**. +1. Return to **Permissions Management Onboarding - Azure Subscription Details** page and select **Next**. ### 2. Review and save. -- In **CloudKnox Onboarding – Summary** page, review the information you’ve added, and then select **Verify Now & Save**. +- In **Permissions Management Onboarding – Summary** page, review the information you've added, and then select **Verify Now & Save**. The following message appears: **Successfully Created Configuration.** - On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.** + On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.** - You have now completed onboarding Azure, and CloudKnox has started collecting and processing your data. + You have now completed onboarding Azure, and Permissions Management has started collecting and processing your data. ### 3. View the data. -- To view the data, select the **Authorization Systems** tab. +- To view the data, select the **Authorization Systems** tab. The **Status** column in the table displays **Collecting Data.** 
@@ -91,9 +91,9 @@ To view a video on how to enable CloudKnox in your Azure AD tenant, select [Enab ## Next steps -- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an Amazon Web Services (AWS) account](cloudknox-onboard-aws.md). -- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a Google Cloud Platform (GCP) project](cloudknox-onboard-gcp.md). -- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](cloudknox-onboard-enable-controller-after-onboarding.md). -- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](cloudknox-onboard-add-account-after-onboarding.md). -- For an overview on CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md). -- For information on how to start viewing information about your authorization system in CloudKnox, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md). \ No newline at end of file +- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an Amazon Web Services (AWS) account](onboard-aws.md). +- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a Google Cloud Platform (GCP) project](onboard-gcp.md). +- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](onboard-enable-controller-after-onboarding.md). +- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md). +- For an overview on Permissions Management, see [What's Permissions Management?](overview.md). 
+- For information on how to start viewing information about your authorization system in Permissions Management, see [View key statistics and data about your authorization system](ui-dashboard.md).
\ No newline at end of file
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-controller-after-onboarding.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-controller-after-onboarding.md
similarity index 57%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-controller-after-onboarding.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-controller-after-onboarding.md
index 2e380779c657..f8fa037bb911 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-controller-after-onboarding.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-controller-after-onboarding.md
@@ -1,6 +1,6 @@
 ---
-title: Enable or disable the controller in Microsoft CloudKnox Permissions Management after onboarding is complete
-description: How to enable or disable the controller in Microsoft CloudKnox Permissions Management after onboarding is complete.
+title: Enable or disable the controller in Permissions Management after onboarding is complete
+description: How to enable or disable the controller in Permissions Management after onboarding is complete.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,7 +15,7 @@ ms.author: kenwith # Enable or disable the controller after onboarding is complete > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This article describes how to enable or disable the controller in Microsoft Azure and Google Cloud Platform (GCP) after onboarding is complete. 
@@ -24,30 +24,30 @@ This article also describes how to enable the controller in Amazon Web Services ## Enable the controller in AWS -> [!NOTE] +> [!NOTE] > You can only enable the controller in AWS; you can't disable it at this time. -1. Sign in to the AWS console of the member account in a separate browser window. -1. Go to the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. +1. Sign in to the AWS console of the member account in a separate browser window. +1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. 1. On the **Data Collectors** dashboard, select **AWS**, and then select **Create Configuration**. -1. On the **CloudKnox Onboarding - AWS Member Account Details** page, select **Launch Template**. +1. On the **Permissions Management Onboarding - AWS Member Account Details** page, select **Launch Template**. The **AWS CloudFormation create stack** page opens, displaying the template. -1. In the **CloudTrailBucketName** box, enter a name. +1. In the **CloudTrailBucketName** box, enter a name. You can copy and paste the **CloudTrailBucketName** name from the **Trails** page in AWS. - > [!NOTE] - > A *cloud bucket* collects all the activity in a single account that CloudKnox monitors. Enter the name of a cloud bucket here to provide CloudKnox with the access required to collect activity data. + > [!NOTE] + > A *cloud bucket* collects all the activity in a single account that Permissions Management monitors. Enter the name of a cloud bucket here to provide Permissions Management with the access required to collect activity data. -1. In the **EnableController** box, from the drop-down list, select **True** to provide CloudKnox with read and write access so that any remediation you want to do from the CloudKnox platform can be done automatically. +1. 
In the **EnableController** box, from the drop-down list, select **True** to provide Permissions Management with read and write access so that any remediation you want to do from the Permissions Management platform can be done automatically. 1. Scroll to the bottom of the page, and in the **Capabilities** box and select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create stack**. - This AWS CloudFormation stack creates a collection role in the member account with necessary permissions (policies) for data collection. A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack. + This AWS CloudFormation stack creates a collection role in the member account with necessary permissions (policies) for data collection. A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack. -1. Return to CloudKnox, and on the CloudKnox **Onboarding - AWS Member Account Details** page, select **Next**. -1. On **CloudKnox Onboarding – Summary** page, review the information you’ve added, and then select **Verify Now & Save**. +1. Return to Permissions Management, and on the Permissions Management **Onboarding - AWS Member Account Details** page, select **Next**. +1. On **Permissions Management Onboarding – Summary** page, review the information you've added, and then select **Verify Now & Save**. The following message appears: **Successfully created configuration.** 
@@ -65,39 +65,38 @@ This article also describes how to enable the controller in Amazon Web Services 1. To add the administrative role assignment, return to the **Access control (IAM)** page, and then select **Add role assignment**. 1. Add or remove the role assignment for Cloud Infrastructure Entitlement Management. -1. Go to the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. +1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. 1. On the **Data Collectors** dashboard, select **Azure**, and then select **Create Configuration**. -1. On the **CloudKnox Onboarding - Azure Subscription Details** page, enter the **Subscription ID**, and then select **Next**. -1. On **CloudKnox Onboarding – Summary** page, review the controller permissions, and then select **Verify Now & Save**. +1. On the **Permissions Management Onboarding - Azure Subscription Details** page, enter the **Subscription ID**, and then select **Next**. +1. On **Permissions Management Onboarding – Summary** page, review the controller permissions, and then select **Verify Now & Save**. The following message appears: **Successfully Created Configuration.** ## Enable or disable the controller in GCP -1. Execute the **gcloud auth login**. +1. Execute the **gcloud auth login**. 1. Follow the instructions displayed on the screen to authorize access to your Google account. 1. Execute the **sh mciem-workload-identity-pool.sh** to create the workload identity pool, provider, and service account. -1. Execute the **sh mciem-member-projects.sh** to give CloudKnox permissions to access each of the member projects. +1. Execute the **sh mciem-member-projects.sh** to give Permissions Management permissions to access each of the member projects. - - If you want to manage permissions through CloudKnox, select **Y** to **Enable controller**. 
+ - If you want to manage permissions through Permissions Management, select **Y** to **Enable controller**. - If you want to onboard your projects in read-only mode, select **N** to **Disable controller**. 1. Optionally, execute **mciem-enable-gcp-api.sh** to enable all recommended GCP APIs. -1. Go to the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. +1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. 1. On the **Data Collectors** dashboard, select **GCP**, and then select **Create Configuration**. -1. On the **CloudKnox Onboarding - Azure AD OIDC App Creation** page, select **Next**. -1. On the **CloudKnox Onboarding - GCP OIDC Account Details & IDP Access** page, enter the **OIDC Project Number** and **OIDC Project ID**, and then select **Next**. -1. On the **CloudKnox Onboarding - GCP Project IDs** page, enter the **Project IDs**, and then select **Next**. -1. On the **CloudKnox Onboarding – Summary** page, review the information you’ve added, and then select **Verify Now & Save**. +1. On the **Permissions Management Onboarding - Azure AD OIDC App Creation** page, select **Next**. +1. On the **Permissions Management Onboarding - GCP OIDC Account Details & IDP Access** page, enter the **OIDC Project Number** and **OIDC Project ID**, and then select **Next**. +1. On the **Permissions Management Onboarding - GCP Project IDs** page, enter the **Project IDs**, and then select **Next**. +1. On the **Permissions Management Onboarding – Summary** page, review the information you've added, and then select **Verify Now & Save**. The following message appears: **Successfully Created Configuration.** ## Next steps -- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an AWS account](cloudknox-onboard-aws.md). 
-- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](cloudknox-onboard-azure.md).
-- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a GCP project](cloudknox-onboard-gcp.md).
-- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](cloudknox-onboard-add-account-after-onboarding.md).
-
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an AWS account](onboard-aws.md).
+- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](onboard-azure.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a GCP project](onboard-gcp.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-tenant.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-tenant.md
new file mode 100644
index 000000000000..3bae1ac5a586
--- /dev/null
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-tenant.md
@@ -0,0 +1,112 @@ +--- +title: Enable Permissions Management in your organization +description: How to enable Permissions Management in your organization. +services: active-directory +author: kenwith +manager: rkarlin +ms.service: active-directory +ms.subservice: ciem +ms.workload: identity +ms.topic: how-to +ms.date: 04/20/2022 +ms.author: kenwith +--- + +# Enable Permissions Management in your organization + +> [!IMPORTANT] +> Microsoft Entra Permissions Management is currently in PREVIEW. +> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +> [!NOTE] +> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU). + + + +This article describes how to enable Permissions Management in your organization. Once you've enabled Permissions Management, you can connect it to your Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) platforms. + +> [!NOTE] +> To complete this task, you must have *global administrator* permissions as a user in that tenant. You can't enable Permissions Management as a user from other tenant who has signed in via B2B or via Azure Lighthouse. + +## Prerequisites + +To enable Permissions Management in your organization: + +- You must have an Azure AD tenant. If you don't already have one, [create a free account](https://azure.microsoft.com/free/). +- You must be eligible for or have an active assignment to the global administrator role as a user in that tenant. + +> [!NOTE] +> During public preview, Permissions Management doesn't perform a license check. + +## View a training video on enabling Permissions Management + +- To view a video on how to enable Permissions Management in your Azure AD tenant, select [Enable Permissions Management in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo). 
+- To view a video on how to configure and onboard AWS accounts in Permissions Management, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE). +- To view a video on how to configure and onboard GCP accounts in Permissions Management, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28). + + +## How to enable Permissions Management on your Azure AD tenant + +1. In your browser: + 1. Go to [Azure services](https://portal.azure.com) and use your credentials to sign in to [Azure Active Directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview). + 1. If you aren't already authenticated, sign in as a global administrator user. + 1. If needed, activate the global administrator role in your Azure AD tenant. + 1. In the Azure AD portal, select **Features highlights**, and then select **Permissions Management**. + + 1. If you're prompted to select a sign in account, sign in as a global administrator for a specified tenant. + + The **Welcome to Permissions Management** screen appears, displaying information on how to enable Permissions Management on your tenant. + +1. To provide access to the Permissions Management application, create a service principal. + + An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources. + + > [!NOTE] + > To complete this step, you must have Azure CLI or Azure PowerShell on your system, or an Azure subscription where you can run Cloud Shell. + + - To create a service principal that points to the Permissions Management application via Cloud Shell: + + 1. Copy the script on the **Welcome** screen: + + `az ad sp create --id b46c3ac5-9da6-418f-a849-0a07a10b3c6c` + + 1. If you have an Azure subscription, return to the Azure AD portal and select **Cloud Shell** on the navigation bar. 
+ If you don't have an Azure subscription, open a command prompt on a Windows Server. + 1. If you have an Azure subscription, paste the script into Cloud Shell and press **Enter**. + + - For information on how to create a service principal through the Azure portal, see [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli). + + - For information on the **az** command and how to sign in with the no subscriptions flag, see [az login](/cli/azure/reference-index?view=azure-cli-latest#az-login&preserve-view=true). + + - For information on how to create a service principal via Azure PowerShell, see [Create an Azure service principal with Azure PowerShell](/powershell/azure/create-azure-service-principal-azureps?view=azps-7.1.0&preserve-view=true). + + 1. After the script runs successfully, the service principal attributes for Permissions Management display. Confirm the attributes. + + The **Cloud Infrastructure Entitlement Management** application displays in the Azure AD portal under **Enterprise applications**. + +1. Return to the **Welcome to Permissions Management** screen and select **Enable Permissions Management**. + + You have now completed enabling Permissions Management on your tenant. Permissions Management launches with the **Data Collectors** dashboard. + +## Configure data collection settings + +Use the **Data Collectors** dashboard in Permissions Management to configure data collection settings for your authorization system. + +1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches: + + - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. + +1. Select the authorization system you want: **AWS**, **Azure**, or **GCP**. + +1. 
For information on how to onboard an AWS account, Azure subscription, or GCP project into Permissions Management, select one of the following articles and follow the instructions:
+
+ - [Onboard an AWS account](onboard-aws.md)
+ - [Onboard an Azure subscription](onboard-azure.md)
+ - [Onboard a GCP project](onboard-gcp.md)
+
+## Next steps
+
+- For an overview of Permissions Management, see [What's Permissions Management?](overview.md)
+- For a list of frequently asked questions (FAQs) about Permissions Management, see [FAQs](faqs.md).
+- For information on how to start viewing information about your authorization system in Permissions Management, see [View key statistics and data about your authorization system](ui-dashboard.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-gcp.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md
similarity index 61%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-gcp.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md
index 8b894aea37e7..f811ac098cdd 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-gcp.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md
@@ -1,6 +1,6 @@
 ---
-title: Onboard a Google Cloud Platform (GCP) project in CloudKnox Permissions Management
-description: How to onboard a Google Cloud Platform (GCP) project on CloudKnox Permissions Management.
+title: Onboard a Google Cloud Platform (GCP) project in Permissions Management
+description: How to onboard a Google Cloud Platform (GCP) project on Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,106 +15,106 @@ ms.author: kenwith # Onboard a Google Cloud Platform (GCP) project > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -> [!NOTE] -> The CloudKnox Permissions Management (CloudKnox) PREVIEW is currently not available for tenants hosted in the European Union (EU). +> [!NOTE] +> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU). -This article describes how to onboard a Google Cloud Platform (GCP) project on CloudKnox Permissions Management (CloudKnox). +This article describes how to onboard a Google Cloud Platform (GCP) project on Permissions Management. > [!NOTE] -> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable CloudKnox on your Azure Active Directory tenant](cloudknox-onboard-enable-tenant.md). +> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md). ## View a training video on configuring and onboarding a GCP account -To view a video on how to configure and onboard GCP accounts in CloudKnox, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28). +To view a video on how to configure and onboard GCP accounts in Permissions Management, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28). 
## Onboard a GCP project -1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches: +1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches: - - In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. + - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. 1. On the **Data Collectors** tab, select **GCP**, and then select **Create Configuration**. ### 1. Create an Azure AD OIDC app. -1. On the **CloudKnox Onboarding - Azure AD OIDC App Creation** page, enter the **OIDC Azure App Name**. +1. On the **Permissions Management Onboarding - Azure AD OIDC App Creation** page, enter the **OIDC Azure App Name**. This app is used to set up an OpenID Connect (OIDC) connection to your GCP project. OIDC is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. The scripts generated will create the app of this specified name in your Azure AD tenant with the right configuration. - + 1. To create the app registration, copy the script and run it in your command-line app. - > [!NOTE] + > [!NOTE] > 1. To confirm that the app was created, open **App registrations** in Azure and, on the **All applications** tab, locate your app. > 1. Select the app name to open the **Expose an API** page. The **Application ID URI** displayed in the **Overview** page is the *audience value* used while making an OIDC connection with your AWS account. - 1. Return to CloudKnox, and in the **CloudKnox Onboarding - Azure AD OIDC App Creation**, select **Next**. - + 1. Return to Permissions Management, and in the **Permissions Management Onboarding - Azure AD OIDC App Creation**, select **Next**. + ### 2. Set up a GCP OIDC project. -1. 
In the **CloudKnox Onboarding - GCP OIDC Account Details & IDP Access** page, enter the **OIDC Project ID** and **OIDC Project Number** of the GCP project in which the OIDC provider and pool will be created. You can change the role name to your requirements. +1. In the **Permissions Management Onboarding - GCP OIDC Account Details & IDP Access** page, enter the **OIDC Project ID** and **OIDC Project Number** of the GCP project in which the OIDC provider and pool will be created. You can change the role name to your requirements. - > [!NOTE] + > [!NOTE] > You can find the **Project number** and **Project ID** of your GCP project on the GCP **Dashboard** page of your project in the **Project info** panel. 1. You can change the **OIDC Workload Identity Pool Id**, **OIDC Workload Identity Pool Provider Id** and **OIDC Service Account Name** to meet your requirements. Optionally, specify **G-Suite IDP Secret Name** and **G-Suite IDP User Email** to enable G-Suite integration. - You can either download and run the script at this point or you can do it in the Google Cloud Shell, as described [later in this article](cloudknox-onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed). + You can either download and run the script at this point or you can do it in the Google Cloud Shell, as described [later in this article](onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed). 1. Select **Next**. ### 3. Set up GCP member projects. -1. In the **CloudKnox Onboarding - GCP Project Ids** page, enter the **Project IDs**. +1. In the **Permissions Management Onboarding - GCP Project Ids** page, enter the **Project IDs**. You can enter up to 10 GCP project IDs. Select the plus icon next to the text box to insert more project IDs. - -1. 
You can choose to download and run the script at this point, or you can do it via Google Cloud Shell, as described in the [next step](cloudknox-onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed). - + +1. You can choose to download and run the script at this point, or you can do it via Google Cloud Shell, as described in the [next step](onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed). + ### 4. Run scripts in Cloud Shell. (Optional if not already executed) -1. In the **CloudKnox Onboarding - GCP Project Ids** page, select **Launch SSH**. +1. In the **Permissions Management Onboarding - GCP Project Ids** page, select **Launch SSH**. 1. To copy all your scripts into your current directory, in **Open in Cloud Shell**, select **Trust repo**, and then select **Confirm**. The Cloud Shell provisions the Cloud Shell machine and makes a connection to your Cloud Shell instance. - > [!NOTE] + > [!NOTE] > Follow the instructions in the browser as they may be different from the ones given here. - The **Welcome to CloudKnox GCP onboarding** screen appears, displaying steps you must complete to onboard your GCP project. + The **Welcome to Permissions Management GCP onboarding** screen appears, displaying steps you must complete to onboard your GCP project. -### 5. Paste the environment vars from the CloudKnox portal. +### 5. Paste the environment vars from the Permissions Management portal. -1. Return to CloudKnox and select **Copy export variables**. +1. Return to Permissions Management and select **Copy export variables**. 1. In the GCP Onboarding shell editor, paste the variables you copied, and then press **Enter**. -1. Execute the **gcloud auth login**. +1. Execute the **gcloud auth login**. 1. Follow instructions displayed on the screen to authorize access to your Google account. 1. Execute the **sh mciem-workload-identity-pool.sh** to create the workload identity pool, provider, and service account. -1. 
Execute the **sh mciem-member-projects.sh** to give CloudKnox permissions to access each of the member projects. +1. Execute the **sh mciem-member-projects.sh** to give Permissions Management permissions to access each of the member projects. - - If you want to manage permissions through CloudKnox, select **Y** to **Enable controller**. + - If you want to manage permissions through Permissions Management, select **Y** to **Enable controller**. - If you want to onboard your projects in read-only mode, select **N** to **Disable controller**. 1. Optionally, execute **mciem-enable-gcp-api.sh** to enable all recommended GCP APIs. -1. Return to **CloudKnox Onboarding - GCP Project Ids**, and then select **Next**. +1. Return to **Permissions Management Onboarding - GCP Project Ids**, and then select **Next**. ### 6. Review and save. -1. In the **CloudKnox Onboarding – Summary** page, review the information you’ve added, and then select **Verify Now & Save**. +1. In the **Permissions Management Onboarding – Summary** page, review the information you've added, and then select **Verify Now & Save**. The following message appears: **Successfully Created Configuration.** - On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.** + On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.** - You have now completed onboarding GCP, and CloudKnox has started collecting and processing your data. + You have now completed onboarding GCP, and Permissions Management has started collecting and processing your data. ### 7. View the data. 
@@ -128,7 +128,7 @@ To view a video on how to configure and onboard GCP accounts in CloudKnox, selec
 ## Next steps
-- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an Amazon Web Services (AWS) account](cloudknox-onboard-aws.md).
-- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](cloudknox-onboard-azure.md).
-- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](cloudknox-onboard-enable-controller-after-onboarding.md).
-- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](cloudknox-onboard-add-account-after-onboarding.md).
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an Amazon Web Services (AWS) account](onboard-aws.md).
+- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](onboard-azure.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](onboard-enable-controller-after-onboarding.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-overview.md b/articles/active-directory/cloud-infrastructure-entitlement-management/overview.md
similarity index 60%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-overview.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/overview.md
index cac6d12faa32..67286f887251 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-overview.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/overview.md
@@ -1,6 +1,6 @@
 ---
-title: What's CloudKnox Permissions Management?
-description: An introduction to CloudKnox Permissions Management.
+title: What's Permissions Management?
+description: An introduction to Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -12,41 +12,41 @@ ms.date: 04/20/2022
 ms.author: kenwith
 ---
-# What's CloudKnox Permissions Management?
+# What's Permissions Management?
 > [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Microsoft Entra Permissions Management is currently in PREVIEW.
 > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-> [!NOTE]
-> The CloudKnox Permissions Management (CloudKnox) PREVIEW is currently not available for tenants hosted in the European Union (EU).
+> [!NOTE]
+> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).
 ## Overview
-CloudKnox Permissions Management (CloudKnox) is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
+Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
-CloudKnox detects, automatically right-sizes, and continuously monitors unused and excessive permissions.
+Permissions Management detects, automatically right-sizes, and continuously monitors unused and excessive permissions.
-Organizations have to consider permissions management as a central piece of their Zero Trust security to implement least privilege access across their entire infrastructure: +Organizations have to consider permissions management as a central piece of their Zero Trust security to implement least privilege access across their entire infrastructure: - Organizations are increasingly adopting multi-cloud strategy and are struggling with the lack of visibility and the increasing complexity of managing access permissions. - With the proliferation of identities and cloud services, the number of high-risk cloud permissions is exploding, expanding the attack surface for organizations. - IT security teams are under increased pressure to ensure access to their expanding cloud estate is secure and compliant. -- The inconsistency of cloud providers’ native access management models makes it even more complex for Security and Identity to manage permissions and enforce least privilege access policies across their entire environment. +- The inconsistency of cloud providers' native access management models makes it even more complex for Security and Identity to manage permissions and enforce least privilege access policies across their entire environment. :::image type="content" source="media/cloudknox-overview/cloudknox-key-cases.png" alt-text="CloudKnox Permissions Management."::: ## Key use cases - -CloudKnox allows customers to address three key use cases: *discover*, *remediate*, and *monitor*. + +Permissions Management allows customers to address three key use cases: *discover*, *remediate*, and *monitor*. ### Discover Customers can assess permission risks by evaluating the gap between permissions granted and permissions used. - Cross-cloud permissions discovery: Granular and normalized metrics for key cloud platforms: AWS, Azure, and GCP. 
-- Permission Creep Index (PCI): An aggregated metric that periodically evaluates the level of risk associated with the number of unused or excessive permissions across your identities and resources. It measures how much damage identities can cause based on the permissions they have.
+- Permission Creep Index (PCI): An aggregated metric that periodically evaluates the level of risk associated with the number of unused or excessive permissions across your identities and resources. It measures how much damage identities can cause based on the permissions they have.
 - Permission usage analytics: Multi-dimensional view of permissions risk for all identities, actions, and resources.
 ### Remediate
@@ -64,15 +64,15 @@ Customers can detect anomalous activities with machine language-powered (ML-powe
 - ML-powered anomaly detections.
 - Context-rich forensic reports around identities, actions, and resources to support rapid investigation and remediation.
-CloudKnox deepens Zero Trust security strategies by augmenting the least privilege access principle, allowing customers to:
+Permissions Management deepens Zero Trust security strategies by augmenting the least privilege access principle, allowing customers to:
-- Get comprehensive visibility: Discover which identity is doing what, where, and when.
-- Automate least privilege access: Use access analytics to ensure identities have the right permissions, at the right time.
-- Unify access policies across infrastructure as a service (IaaS) platforms: Implement consistent security policies across your cloud infrastructure.
+- Get comprehensive visibility: Discover which identity is doing what, where, and when.
+- Automate least privilege access: Use access analytics to ensure identities have the right permissions, at the right time.
+- Unify access policies across infrastructure as a service (IaaS) platforms: Implement consistent security policies across your cloud infrastructure.
 ## Next steps
-- For information on how to onboard CloudKnox in your organization, see [Enable CloudKnox in your organization](cloudknox-onboard-enable-tenant.md).
-- For a list of frequently asked questions (FAQs) about CloudKnox, see [FAQs](cloudknox-faqs.md).
\ No newline at end of file
+- For information on how to onboard Permissions Management for your organization, see [Enable Permissions Management in your organization](onboard-enable-tenant.md).
+- For a list of frequently asked questions (FAQs) about Permissions Management, see [FAQs](faqs.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-explorer.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-account-explorer.md
similarity index 80%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-explorer.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-account-explorer.md
index 3ee999fbceb9..d36ed904a965 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-explorer.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-account-explorer.md
@@ -1,6 +1,6 @@
 ---
-title: The CloudKnox Permissions Management - View roles and identities that can access account information from an external account
-description: How to view information about identities that can access accounts from an external account in CloudKnox Permissions Management.
+title: View roles and identities that can access account information from an external account
+description: How to view information about identities that can access accounts from an external account in Permissions Management.
 services: active-directory
 manager: rkarlin
 ms.service: active-directory
@@ -13,14 +13,14 @@ ms.author: kenwith
 # View roles and identities that can access account information from an external account
 > [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Microsoft Entra Permissions Management is currently in PREVIEW.
 > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-You can view information about users, groups, and resources that can access account information from an external account in CloudKnox Permissions Management (CloudKnox).
+You can view information about users, groups, and resources that can access account information from an external account in Permissions Management.
 ## Display information about users, groups, or tasks
-1. In CloudKnox, select the **Usage analytics** tab, and then, from the dropdown, select one of the following:
+1. In Permissions Management, select the **Usage analytics** tab, and then, from the dropdown, select one of the following:
 - **Users**
 - **Group**
@@ -31,8 +31,8 @@ You can view information about users, groups, and resources that can access acco
 1. To choose an account from your authorization system, select the lock icon in the left panel.
 1. In the **Authorization systems** pane, select an account, then select **Apply**.
-1. To choose a user, role, or group, select the person icon.
-1. Select a user or group, then select **Apply**.
+1. To choose a user, role, or group, select the person icon.
+1. Select a user or group, then select **Apply**.
 1. To choose an account from your authorization system, select it from the Authorization Systems menu.
 1. In the user type filter, user, role, or group.
 1. In the **Task** filter, select **All** or **High-risk tasks**, then select **Apply**.
@@ -53,7 +53,7 @@ To export the data in comma-separated values (CSV) file format, select **Export*
 1. To view all the identities from various accounts that can assume this role, select the down arrow to the left of the role name.
 1. To view a graph of all the identities that can access the specified account and through which role(s), select the role name.
- If CloudKnox is monitoring the external account, it lists specific identities from the accounts that can assume this role. Otherwise, it lists the identities declared in the **Trusted entity** section.
+ If Permissions Management is monitoring the external account, it lists specific identities from the accounts that can assume this role. Otherwise, it lists the identities declared in the **Trusted entity** section.
 **Connecting roles**: Lists the following roles for each account:
 - *Direct roles* that are trusted by the account role.
@@ -62,7 +62,7 @@ To export the data in comma-separated values (CSV) file format, select **Export*
 1. To view all the roles from that account that are used to access the specified account, select the down arrow to the left of the account name.
 1. To view the trusted identities declared by the role, select the down arrow to the left of the role name.
- The trusted identities for the role are listed only if the account is being monitored by CloudKnox.
+ The trusted identities for the role are listed only if the account is being monitored by Permissions Management.
 1. To view the role definition, select the "eye" icon to the right of the role name.
@@ -75,4 +75,4 @@ To export the data in comma-separated values (CSV) file format, select **Export*
 1. The **Info** tab displays the **Privilege creep index** and **Service control policy (SCP)** information about the account.
-For more information about the **Privilege creep index** and SCP information, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).
+For more information about the **Privilege creep index** and SCP information, see [View key statistics and data about your authorization system](ui-dashboard.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-settings.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-account-settings.md
similarity index 61%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-settings.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-account-settings.md
index 5ab6917745ce..7219ed8d1fb9 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-settings.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-account-settings.md
@@ -1,6 +1,6 @@
 ---
-title: View personal and organization information in CloudKnox Permissions Management
-description: How to view personal and organization information in the Account settings dashboard in CloudKnox Permissions Management.
+title: View personal and organization information in Permissions Management
+description: How to view personal and organization information in the Account settings dashboard in Permissions Management.
 services: active-directory
 manager: rkarlin
 ms.service: active-directory
@@ -13,21 +13,21 @@ ms.author: kenwith
 # View personal and organization information
 > [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Permissions Management is currently in PREVIEW.
 > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-The **Account settings** dashboard in CloudKnox Permissions Management (CloudKnox) allows you to view personal information, passwords, and account preferences.
+The **Account settings** dashboard in Permissions Management allows you to view personal information, passwords, and account preferences.
 This information can't be modified because the user information is pulled from Azure AD. Only **User Session Time(min)**
 ## View personal information
-1. In the CloudKnox home page, select the down arrow to the right of the **User** (your initials) menu, and then select **Account Settings**.
+1. In the Permissions Management home page, select the down arrow to the right of the **User** (your initials) menu, and then select **Account Settings**.
- The **Personal Information** box displays your **First Name**, **Last Name**, and the **Email Address** that was used to register your account on CloudKnox.
+ The **Personal Information** box displays your **First Name**, **Last Name**, and the **Email Address** that was used to register your account on Permissions Management.
 ## View current organization information
-1. In the CloudKnox home page, select the down arrow to the right of the **User** (your initials) menu, and then select **Account Settings**.
+1. In the Permissions Management home page, select the down arrow to the right of the **User** (your initials) menu, and then select **Account Settings**.
 The **Current Organization Information** displays the **Name** of your organization, the **Tenant ID** box, and the **User Session Timeout (min)**.
@@ -37,6 +37,6 @@ This information can't be modified because the user information is pulled from A
 ## Next steps
-- For information about how to manage user information, see [Manage users and groups with the User management dashboard](cloudknox-ui-user-management.md).
-- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](cloudknox-ui-tasks.md).
-- For information about how to select group-based permissions settings, see [Select group-based permissions settings](cloudknox-howto-create-group-based-permissions.md).
+- For information about how to manage user information, see [Manage users and groups with the User management dashboard](ui-user-management.md).
+- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](ui-tasks.md).
+- For information about how to select group-based permissions settings, see [Select group-based permissions settings](how-to-create-group-based-permissions.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-audit-trail.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-audit-trail.md
similarity index 83%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-audit-trail.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-audit-trail.md
index ef3ea798af79..fc0679b50dab 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-audit-trail.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-audit-trail.md
@@ -1,6 +1,6 @@
 ---
-title: Filter and query user activity in CloudKnox Permissions Management
-description: How to filter and query user activity in CloudKnox Permissions Management.
+title: Filter and query user activity in Permissions Management
+description: How to filter and query user activity in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,27 +15,27 @@ ms.author: kenwith # Filter and query user activity > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Audit** dashboard in CloudKnox Permissions Management (CloudKnox) details all user activity performed in your authorization system. It captures all high risk activity in a centralized location, and allows system administrators to query the logs. The **Audit** dashboard enables you to: +The **Audit** dashboard in Permissions Management details all user activity performed in your authorization system. It captures all high risk activity in a centralized location, and allows system administrators to query the logs. The **Audit** dashboard enables you to: - Create and save new queries so you can access key data points easily. - Query across multiple authorization systems in one query. ## Filter information by authorization system -If you haven't used filters before, the default filter is the first authorization system in the filter list. +If you haven't used filters before, the default filter is the first authorization system in the filter list. If you have used filters before, the default filter is last filter you selected. -1. To display the **Audit** dashboard, on the CloudKnox home page, select **Audit**. +1. To display the **Audit** dashboard, on the Permissions Management home page, select **Audit**. -1. To select your authorization system type, in the **Authorization System Type** box, select Amazon Web Services (**AWS**), Microsoft Azure (**Azure**), Google Cloud Platform (**GCP**), or Platform (**Platform**). +1. 
To select your authorization system type, in the **Authorization System Type** box, select Amazon Web Services (**AWS**), Microsoft Azure (**Azure**), Google Cloud Platform (**GCP**), or Platform (**Platform**). 1. To select your authorization system, in the **Authorization System** box: - - From the **List** subtab, select the accounts you want to use. + - From the **List** subtab, select the accounts you want to use. - From the **Folders** subtab, select the folders you want to use. 1. To view your query results, select **Apply**. @@ -48,7 +48,7 @@ There are several different query parameters you can configure individually or i - To view an existing query, select **View** (the eye icon). - To edit an existing query, select **Edit** (the pencil icon). - To delete a function line in a query, select **Delete** (the minus sign **-** icon). -- To create multiple queries at one time, select **Add New Tab** to the right of the **Query** tabs that are displayed. +- To create multiple queries at one time, select **Add New Tab** to the right of the **Query** tabs that are displayed. You can open a maximum number of six query tab pages at the same time. A message will appear when you've reached the maximum. @@ -69,7 +69,7 @@ There are several different query parameters you can configure individually or i - **Is**: Select this option to choose a specific date from the calendar. - **Custom**: Select this option to set a date range from the **From** and **To** calendars. -1. To run the query on the current selection, select **Search**. +1. To run the query on the current selection, select **Search**. 1. To save your query, select **Save**. 
@@ -80,7 +80,7 @@ There are several different query parameters you can configure individually or i The **Operator** menu displays the following options depending on the identity you select in the first dropdown: - **Is** / **Is Not**: View a list of all available usernames. You can either select or enter a username in the box. -- **Contains** / **Not Contains**: Enter text that the **Username** should or shouldn't contain, for example, *CloudKnox*. +- **Contains** / **Not Contains**: Enter text that the **Username** should or shouldn't contain, for example, *Permissions Management*. - **In** / **Not In**: View a list all available usernames and select multiple usernames. ### Create a query with a username @@ -95,11 +95,11 @@ The **Operator** menu displays the following options depending on the identity y You can change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with the username **Test**. -1. Select the plus (**+**) sign, select **Or** with **Contains**, and then enter a username, for example, *CloudKnox*. +1. Select the plus (**+**) sign, select **Or** with **Contains**, and then enter a username, for example, *Permissions Management*. 1. To remove a row of criteria, select **Remove** (the minus sign **-** icon). -1. To run the query on the current selection, select **Search**. +1. To run the query on the current selection, select **Search**. 1. To clear the recent selections, select **Reset**. 
@@ -113,13 +113,13 @@ The **Operator** menu displays the following options depending on the identity y 1. To add criteria to this section, select **Add**. - You can change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with resource name **Test**. + You can change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with resource name **Test**. -1. Select the plus (**+**) sign, select **Or** with **Contains**, and then enter a username, for example, *CloudKnox*. +1. Select the plus (**+**) sign, select **Or** with **Contains**, and then enter a username, for example, *Permissions Management*. 1. To remove a row of criteria, select **Remove** (the minus sign **-** icon). -1. To run the query on the current selection, select **Search**. +1. To run the query on the current selection, select **Search**. 1. To clear the recent selections, select **Reset**. @@ -133,9 +133,9 @@ The **Operator** menu displays the following options depending on the identity y 1. To add criteria to this section, select **Add**. -1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with resource type **s3::bucket**. +1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with resource type **s3::bucket**. -1. Select the plus (**+**) sign, select **Or** with **Is**, and then enter or select `ec2::instance`. +1. Select the plus (**+**) sign, select **Or** with **Is**, and then enter or select `ec2::instance`. 1. To remove a row of criteria, select **Remove** (the minus sign **-** icon). 
@@ -152,15 +152,15 @@ The **Operator** menu displays the following options depending on the identity y 1. From the **Operator** menu, select the required option. -1. To add criteria to this section, select **Add**. +1. To add criteria to this section, select **Add**. -1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with task name **s3:CreateBucket**. +1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with task name **s3:CreateBucket**. -1. Select **Add**, select **Or** with **Is**, and then enter or select `ec2:TerminateInstance`. +1. Select **Add**, select **Or** with **Is**, and then enter or select `ec2:TerminateInstance`. 1. To remove a row of criteria, select **Remove** (the minus sign **-** icon). -1. To run the query on the current selection, select **Search**. +1. To run the query on the current selection, select **Search**. 1. To clear the recent selections, select **Reset**. 
@@ -174,15 +174,15 @@ The **Operator** menu displays the following options depending on the identity y - **Is** / **Is not**: Allows a user to select in the value field and select **Authorization Failure**, **Error**, or **Success**. -1. To add criteria to this section, select **Add**. +1. To add criteria to this section, select **Add**. -1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with State **Authorization Failure**. +1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with State **Authorization Failure**. -1. Select the **Add** icon, select **Or** with **Is**, and then select **Success**. +1. Select the **Add** icon, select **Or** with **Is**, and then select **Success**. 1. To remove a row of criteria, select **Remove** (the minus sign **-** icon). -1. To run the query on the current selection, select **Search**. +1. To run the query on the current selection, select **Search**. 1. To clear the recent selections, select **Reset**. 
@@ -194,15 +194,15 @@ The **Operator** menu displays the following options depending on the identity y 3. From the **Operator** menu, select the required option. -4. To add criteria to this section, select **Add**. +4. To add criteria to this section, select **Add**. -5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free text **Test**. +5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free text **Test**. -6. Select the **Add** icon, select **Or** with **Contains**, and then enter your criteria, for example *CloudKnox*. +6. Select the **Add** icon, select **Or** with **Contains**, and then enter your criteria, for example *Permissions Management*. 7. To remove a row of criteria, select **Remove** (the minus sign **-** icon). -8. To run the query on the current selection, select **Search**. +8. To run the query on the current selection, select **Search**. 9. To clear the recent selections, select **Reset**. 
@@ -214,15 +214,15 @@ The **Operator** menu displays the following options depending on the identity y 3. From the **Operator** menu, select the required option. -4. To add criteria to this section, select **Add**. +4. To add criteria to this section, select **Add**. -5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free text **Test**. +5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free text **Test**. -6. Select the **Add** icon, select **Or** with **Contains**, and then enter your criteria, for example *CloudKnox*. +6. Select the **Add** icon, select **Or** with **Contains**, and then enter your criteria, for example *Permissions Management*. 7. To remove a row of criteria, select **Remove** (the minus sign **-** icon). -8. To run the query on the current selection, select **Search**. +8. To run the query on the current selection, select **Search**. 9. To clear the recent selections, select **Reset**. 
@@ -234,11 +234,11 @@ The **Operator** menu displays the following options depending on the identity y 3. From the **Operator** menu, select the required option. -4. To add criteria to this section, select **Add**. +4. To add criteria to this section, select **Add**. -5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free `AKIAIFXNDW2Z2MPEH5OQ`. +5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free `AKIAIFXNDW2Z2MPEH5OQ`. -6. Select the **Add** icon, select **Or** with **Not** **Contains**, and then enter `AKIAVP2T3XG7JUZRM7WU`. +6. Select the **Add** icon, select **Or** with **Not** **Contains**, and then enter `AKIAVP2T3XG7JUZRM7WU`. 7. To remove a row of criteria, select **Remove** (the minus sign **-** icon). @@ -256,13 +256,13 @@ The **Operator** menu displays the following options depending on the identity y 4. To add criteria to this section, select **Add**. -5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** and type in, or select **Test**. +5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** and type in, or select **Test**. -6. Select the **Add** icon, select **Or** with **Is**, and then enter your criteria, for example *CloudKnox*. +6. Select the **Add** icon, select **Or** with **Is**, and then enter your criteria, for example *Permissions Management*. 7. To remove a row of criteria, select **Remove** (the minus sign **-** icon). -8. To run the query on the current selection, select **Search**. +8. To run the query on the current selection, select **Search**. 9. To clear the recent selections, select **Reset**. 
@@ -276,19 +276,19 @@ The **Operator** menu displays the following options depending on the identity y 4. To add criteria to this section, select **Add**. -5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** and type in, or select **Test**. +5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** and type in, or select **Test**. -6. Select the **Add** icon, select **Or** with **Is**, and then enter your criteria, for example *CloudKnox*. +6. Select the **Add** icon, select **Or** with **Is**, and then enter your criteria, for example *Permissions Management*. 7. To remove a row of criteria, select **Remove** (the minus sign **-** icon). -8. To run the query on the current selection, select **Search**. +8. To run the query on the current selection, select **Search**. 9. To clear the recent selections, select **Reset**. ### View query results -1. In the **Activity** table, your query results display in columns. +1. In the **Activity** table, your query results display in columns. The results display all executed tasks that aren't read-only. @@ -300,7 +300,7 @@ The **Operator** menu displays the following options depending on the identity y - **Resource Name**: The name of the resource on which the task is being performed. - If the column displays **Multiple**, it means multiple resources are listed in the column. + If the column displays **Multiple**, it means multiple resources are listed in the column. 1. To view a list of all resources, hover over **Multiple**. 
@@ -323,22 +323,22 @@ The **Operator** menu displays the following options depending on the identity y 2. In the **Query Name** box, enter a name for your query, and then select **Save**. -3. To save a query with a different name, select the ellipses (**...**) next to **Save**, and then select **Save As**. +3. To save a query with a different name, select the ellipses (**...**) next to **Save**, and then select **Save As**. 4. Make your query selections from the **New Query** section, select the ellipses (**...**), and then select **Save As**. -5. To save a new query, in the **Save Query** box, enter the name for the query, and then select **Save**. +5. To save a new query, in the **Save Query** box, enter the name for the query, and then select **Save**. -6. To save an existing query you've modified, select the ellipses (**...**). +6. To save an existing query you've modified, select the ellipses (**...**). - To save a modified query under the same name, select **Save**. - To save a modified query under a different name, select **Save As**. ### View a saved query -1. Select **Saved Queries**, and then select a query from the **Load Queries** list. +1. Select **Saved Queries**, and then select a query from the **Load Queries** list. - A message box opens with the following options: **Load with the saved authorization system** or **Load with the currently selected authorization system**. + A message box opens with the following options: **Load with the saved authorization system** or **Load with the currently selected authorization system**. 1. Select the appropriate option, and then select **Load Queries**. 
@@ -366,16 +366,16 @@ The **Operator** menu displays the following options depending on the identity y ### Save a query under a different name -- Select the ellipses (**...**). +- Select the ellipses (**...**). System queries have only one option: - **Duplicate**: Creates a duplicate of the query and names the file *Copy of XXX*. - Custom queries have the following options: + Custom queries have the following options: - **Rename**: Enter the new name of the query and select **Save**. - - **Delete**: Delete the saved query. + - **Delete**: Delete the saved query. The **Delete Query** box opens, asking you to confirm that you want to delete the query. Select **Yes** or **No**. 
@@ -391,11 +391,11 @@ The **Operator** menu displays the following options depending on the identity y - To export the results of the query, select **Export**. - CloudKnox exports the results in comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format. + Permissions Management exports the results in comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format. ## Next steps -- For information on how to view how users access information, see [Use queries to see how users access information](cloudknox-ui-audit-trail.md). -- For information on how to create a query, see [Create a custom query](cloudknox-howto-create-custom-queries.md). -- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](cloudknox-howto-audit-trail-results.md). +- For information on how to view how users access information, see [Use queries to see how users access information](ui-audit-trail.md). +- For information on how to create a query, see [Create a custom query](how-to-create-custom-queries.md). +- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](how-to-audit-trail-results.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-dashboard.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-dashboard.md similarity index 79% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-dashboard.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-dashboard.md index 48d0653e35e9..7822f837ca11 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-dashboard.md 
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-dashboard.md
@@ -1,6 +1,6 @@
 ---
-title: View data about the activity in your authorization system in CloudKnox Permissions Management
-description: How to view data about the activity in your authorization system in the CloudKnox Dashboard in CloudKnox Permissions Management.
+title: View data about the activity in your authorization system in Permissions Management
+description: How to view data about the activity in your authorization system in the Permissions Management Dashboard in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -17,35 +17,35 @@ ms.author: kenwith # View data about the activity in your authorization system > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The CloudKnox Permissions Management (CloudKnox) **Dashboard** provides an overview of the authorization system and account activity being monitored. You can use this dashboard to view data collected from your Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) authorization systems. +The Permissions Management **Dashboard** provides an overview of the authorization system and account activity being monitored. You can use this dashboard to view data collected from your Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) authorization systems. ## View data about your authorization system -1. In the CloudKnox home page, select **Dashboard**. +1. In the Permissions Management home page, select **Dashboard**. 1. From the **Authorization systems type** dropdown, select **AWS**, **Azure**, or **GCP**. -1. Select the **Authorization System** box to display a **List** of accounts and **Folders** available to you. -1. Select the accounts and folders you want, and then select **Apply**. +1. Select the **Authorization System** box to display a **List** of accounts and **Folders** available to you. +1. Select the accounts and folders you want, and then select **Apply**. The **Permission Creep Index (PCI)** chart updates to display information about the accounts and folders you selected. The number of days since the information was last updated displays in the upper right corner. 1. In the Permission Creep Index (PCI) graph, select a bubble. 
- The bubble displays the number of identities that are considered high-risk. + The bubble displays the number of identities that are considered high-risk. *High-risk* refers to the number of users who have permissions that exceed their normal or required usage. -1. Select the box to display detailed information about the identities contributing to the **Low PCI**, **Medium PCI**, and **High PCI**. +1. Select the box to display detailed information about the identities contributing to the **Low PCI**, **Medium PCI**, and **High PCI**. 1. The **Highest PCI change** displays the authorization system name with the PCI number and the change number for the last seven days, if applicable. - + - To view all the changes and PCI ratings in your authorization system, select **View all**. -1. To return to the PCI graph, select the **Graph** icon in the upper right of the list box. +1. To return to the PCI graph, select the **Graph** icon in the upper right of the list box. -For more information about the CloudKnox **Dashboard**, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md). +For more information about the Permissions Management **Dashboard**, see [View key statistics and data about your authorization system](ui-dashboard.md). ## View user data on the PCI heat map @@ -53,7 +53,7 @@ The **Permission Creep Index (PCI)** heat map shows the incurred risk of users w - To view detailed data about a user, select the number. - The PCI trend graph shows you the historical trend of the PCI score over the last 90 days. + The PCI trend graph shows you the historical trend of the PCI score over the last 90 days. - To download the **PCI History** report, select **Download** (the down arrow icon). 
@@ -69,7 +69,7 @@ To view specific information about the following, select the number displayed on ## View identity findings -The **Identity** section below the heat map on the left side of the page shows all the relevant findings about identities, including roles that can access secret information, roles that are inactive, over provisioned active roles, and so on. +The **Identity** section below the heat map on the left side of the page shows all the relevant findings about identities, including roles that can access secret information, roles that are inactive, over provisioned active roles, and so on. - To expand the full list of identity findings, select **All findings**. @@ -79,4 +79,4 @@ The **Resource** section below the heat map on the right side of the page shows ## Next steps -- For more information about how to view key statistics and data in the Dashboard, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md). +- For more information about how to view key statistics and data in the Dashboard, see [View key statistics and data about your authorization system](ui-dashboard.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-inventory.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-data-inventory.md similarity index 68% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-inventory.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-data-inventory.md index 594f7f8b54df..50ad92ce4918 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-inventory.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-data-inventory.md 
@@ -1,6 +1,6 @@
 ---
-title: CloudKnox Permissions Management - Display an inventory of created resources and licenses for your authorization system
-description: How to display an inventory of created resources and licenses for your authorization system in CloudKnox Permissions Management.
+title: Display an inventory of created resources and licenses for your authorization system
+description: How to display an inventory of created resources and licenses for your authorization system in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,15 +15,15 @@ ms.author: kenwith # Display an inventory of created resources and licenses for your authorization system > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -You can use the **Inventory** dashboard in CloudKnox Permissions Management (CloudKnox) to display an inventory of created resources and licensing information for your authorization system and its associated accounts. +You can use the **Inventory** dashboard in Permissions Management to display an inventory of created resources and licensing information for your authorization system and its associated accounts. ## View resources created for your authorization system -1. To access your inventory information, in the CloudKnox home page, select **Settings** (the gear icon). -1. Select the **Inventory** tab, select the **Inventory** subtab, and then select your authorization system type: +1. To access your inventory information, in the Permissions Management home page, select **Settings** (the gear icon). +1. Select the **Inventory** tab, select the **Inventory** subtab, and then select your authorization system type: - **AWS** for Amazon Web Services. - **Azure** for Microsoft Azure. 
@@ -37,7 +37,7 @@ You can use the **Inventory** dashboard in CloudKnox Permissions Management (Clo ## View the number of licenses associated with your authorization system -1. To access licensing information about your data sources, in the CloudKnox home page, select **Settings** (the gear icon). +1. To access licensing information about your data sources, in the Permissions Management home page, select **Settings** (the gear icon). 1. Select the **Inventory** tab, select the **Licensing** subtab, and then select your authorization system type. @@ -48,9 +48,9 @@ You can use the **Inventory** dashboard in CloudKnox Permissions Management (Clo - The number of **Serverless** licenses. - The number of **Compute containers**. - The number of **Databases**. - - The **Total number of licenses**. + - The **Total number of licenses**. ## Next steps -- For information about viewing and configuring settings for collecting data from your authorization system and its associated accounts, see [View and configure settings for data collection](cloudknox-product-data-sources.md). +- For information about viewing and configuring settings for collecting data from your authorization system and its associated accounts, see [View and configure settings for data collection](product-data-sources.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-sources.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-data-sources.md similarity index 70% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-sources.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-data-sources.md index 2e28b3153498..35fc4609c126 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-sources.md 
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-data-sources.md
@@ -1,6 +1,6 @@
 ---
-title: View and configure settings for data collection from your authorization system in CloudKnox Permissions Management
-description: How to view and configure settings for collecting data from your authorization system in CloudKnox Permissions Management.
+title: View and configure settings for data collection from your authorization system in Permissions Management
+description: How to view and configure settings for collecting data from your authorization system in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -12,20 +12,20 @@ ms.date: 02/23/2022 ms.author: kenwith --- -# View and configure settings for data collection +# View and configure settings for data collection > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -You can use the **Data Collectors** dashboard in CloudKnox Permissions Management (CloudKnox) to view and configure settings for collecting data from your authorization systems. It also provides information about the status of the data collection. +You can use the **Data Collectors** dashboard in Permissions Management to view and configure settings for collecting data from your authorization systems. It also provides information about the status of the data collection. ## Access and view data sources -1. To access your data sources, in the CloudKnox home page, select **Settings** (the gear icon). Then select the **Data Collectors** tab. +1. To access your data sources, in the Permissions Management home page, select **Settings** (the gear icon). Then select the **Data Collectors** tab. -1. On the **Data Collectors** dashboard, select your authorization system type: +1. On the **Data Collectors** dashboard, select your authorization system type: - **AWS** for Amazon Web Services. - **Azure** for Microsoft Azure. 
@@ -48,54 +48,54 @@ You can use the **Data Collectors** dashboard in CloudKnox Permissions Managemen - **ID**: The unique identification number for the data collector. - **Data types**: Displays the data types that are collected: - **Entitlements**: The permissions of all identities and resources for all the configured authorization systems. - - **Recently uploaded on**: Displays whether the entitlement data is being collected. + - **Recently uploaded on**: Displays whether the entitlement data is being collected. The status displays *ONLINE* if the data collection has no errors and *OFFLINE* if there are errors. - **Recently transformed on**: Displays whether the entitlement data is being processed. - The status displays *ONLINE* if the data processing has no errors and *OFFLINE* if there are errors. + The status displays *ONLINE* if the data processing has no errors and *OFFLINE* if there are errors. - The **Tenant ID**. - The **Tenant name**. -## Modify a data collector +## Modify a data collector 1. Select the ellipses **(...)** at the end of the row in the table. -1. Select **Edit Configuration**. +1. Select **Edit Configuration**. - The **CloudKnox Onboarding - Summary** box displays. + The **Permissions Management Onboarding - Summary** box displays. -1. Select **Edit** (the pencil icon) for each field you want to change. +1. Select **Edit** (the pencil icon) for each field you want to change. 1. Select **Verify now & save**. To verify your changes later, select **Save & verify later**. When your changes are saved, the following message displays: **Successfully updated configuration.** - -## Delete a data collector + +## Delete a data collector 1. Select the ellipses **(...)** at the end of the row in the table. -1. Select **Delete Configuration**. +1. Select **Delete Configuration**. - The **CloudKnox Onboarding - Summary** box displays. + The **Permissions Management Onboarding - Summary** box displays. 1. Select **Delete**. -1. 
Check your email for a one time password (OTP) code, and enter it in **Enter OTP**. +1. Check your email for a one time password (OTP) code, and enter it in **Enter OTP**. If you don't receive an OTP, select **Resend OTP**. The following message displays: **Successfully deleted configuration.** -## Start collecting data from an authorization system +## Start collecting data from an authorization system 1. Select the **Authorization Systems** tab, and then select your authorization system type. 1. Select the ellipses **(...)** at the end of the row in the table. 1. Select **Collect Data**. - A message displays to confirm data collection has started. + A message displays to confirm data collection has started. -## Stop collecting data from an authorization system +## Stop collecting data from an authorization system 1. Select the ellipses **(...)** at the end of the row in the table. -1. To delete your authorization system, select **Delete**. +1. To delete your authorization system, select **Delete**. The **Validate OTP To Delete Authorization System** box displays. @@ -104,4 +104,4 @@ You can use the **Data Collectors** dashboard in CloudKnox Permissions Managemen ## Next steps -- For information about viewing an inventory of created resources and licensing information for your authorization system, see [Display an inventory of created resources and licenses for your authorization system](cloudknox-product-data-inventory.md) +- For information about viewing an inventory of created resources and licensing information for your authorization system, see [Display an inventory of created resources and licenses for your authorization system](product-data-inventory.md) 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-define-permission-levels.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-define-permission-levels.md
similarity index 85%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-define-permission-levels.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-define-permission-levels.md
index d775a826389a..9aeb4875d5cc 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-define-permission-levels.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-define-permission-levels.md
@@ -1,6 +1,6 @@
 ---
-title: Define and manage users, roles, and access levels in CloudKnox Permissions Management
-description: How to define and manage users, roles, and access levels in CloudKnox Permissions Management User management dashboard.
+title: Define and manage users, roles, and access levels in Permissions Management
+description: How to define and manage users, roles, and access levels in Permissions Management User management dashboard.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,14 +15,14 @@ ms.author: kenwith # Define and manage users, roles, and access levels > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -In CloudKnox Permissions Management (CloudKnox), a key component of the interface is the User management dashboard. This topic describes how system administrators can define and manage users, their roles, and their access levels in the system. +In Permissions Management, a key component of the interface is the User management dashboard. This topic describes how system administrators can define and manage users, their roles, and their access levels in the system. ## The User management dashboard -The CloudKnox User management dashboard provides a high-level overview of: +The Permissions Management User management dashboard provides a high-level overview of: - Registered and invited users. - Permissions allowed for each user within a given system. 
@@ -33,58 +33,58 @@ It also provides the functionality to invite or delete a user, edit, view, and c ## Manage users for customers without SAML integration -Follow this process to invite users if the customer hasn't enabled SAML integration with the CloudKnox application. +Follow this process to invite users if the customer hasn't enabled SAML integration with the Permissions Management application. -### Invite a user to CloudKnox +### Invite a user to Permissions Management -Inviting a user to CloudKnox adds the user to the system and allows system administrators to assign permissions to those users. Follow the steps below to invite a user to CloudKnox. +Inviting a user to Permissions Management adds the user to the system and allows system administrators to assign permissions to those users. Follow the steps below to invite a user to Permissions Management. -1. To invite a user to CloudKnox, select the down caret icon next to the **User** icon on the right of the screen, and then select **User Management**. +1. To invite a user to Permissions Management, select the down caret icon next to the **User** icon on the right of the screen, and then select **User Management**. 2. From the **Users** tab, select **Invite User**. 3. From the **Set User Permission** window, in the **User** text box, enter the user's email address. -4. Under **Permission**, select the applicable option. +4. Under **Permission**, select the applicable option. - **Admin for All Authorization System Types**: **View**, **Control**, and **Approve** permissions for all Authorization System Types. 1. Select **Next**. - 2. Select **Requestor for User** for each authorization system, if applicable. + 2. Select **Requestor for User** for each authorization system, if applicable. A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out. - 3. 
Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**. + 3. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**. - For example, a user may have various roles in different authorization systems, so they can select the **Add** icon and the **Users** icon to request access for all their accounts. + For example, a user may have various roles in different authorization systems, so they can select the **Add** icon and the **Users** icon to request access for all their accounts. 4. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**. - + - **Admin for Selected Authorization System Types**: **View**, **Control**, and **Approve** permissions for selected Authorization System Types. - - 1. Select **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s). + + 1. Select **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s). 2. Select **Next**. - 3. Select **Requestor for User** for each authorization system, if applicable. - + 3. Select **Requestor for User** for each authorization system, if applicable. + A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out. - 4. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**. + 4. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**. For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. 
5. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**. - + - **Custom**: **View**, **Control**, and **Approve** permissions for specific accounts in **Auth System Types**. - + 1. Select **Next**. The default view displays the **List** section. - 2. Select the appropriate boxes for **Viewer**, **Controller**, or **Approver**. + 2. Select the appropriate boxes for **Viewer**, **Controller**, or **Approver**. - For access to all authorization system types, select **All (Current and Future)**. + For access to all authorization system types, select **All (Current and Future)**. 1. Select **Next**. - 1. Select **Requestor for User** for each authorization system, if applicable. + 1. Select **Requestor for User** for each authorization system, if applicable. A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out. 5. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**. - For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. + For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. 6. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**. -5. Select **Save**. +5. Select **Save**. The following message displays in green at the top of the screen: **New User Has Been Invited Successfully**. 
@@ -92,18 +92,18 @@ Inviting a user to CloudKnox adds the user to the system and allows system admin ## Manage users for customers with SAML integration -Follow this process to invite users if the customer has enabled SAML integration with the CloudKnox application. +Follow this process to invite users if the customer has enabled SAML integration with the Permissions Management application. -### Create a permission in CloudKnox +### Create a permission in Permissions Management -Creating a permission directly in CloudKnox allows system administrators to assign permissions to specific users. The following steps help you to create a permission. +Creating a permission directly in Permissions Management allows system administrators to assign permissions to specific users. The following steps help you to create a permission. - On the right side of the screen, select the down caret icon next to **User**, and then select **User management**. - For **Users**: 1. To create permissions for a specific user, select the **Users** tab, and then select **Permission.** 2. From the **Set User Permission** window, enter the user's email address in the **User** text box. - 3. Under **Permission**, select the applicable button. Then expand menu to view instructions for each option. + 3. Under **Permission**, select the applicable button. Then expand menu to view instructions for each option. - **Admin for All Authorization System Types**: **View**, **Control**, and **Approve** permissions for all Authorization System Types. 1. Select **Next**. 2. Check **Requestor for User** for each authorization system, if applicable. 
@@ -112,12 +112,12 @@ Creating a permission directly in CloudKnox allows system administrators to assi 3. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**. - For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. + For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. 4. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**. - **Admin for Selected Authorization System Types**: **View**, **Control**, and **Approve** permissions for selected Authorization System Types. - 1. Check **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s). + 1. Check **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s). 2. Select **Next**. 3. Check **Requestor for User** for each authorization system, if applicable. 
@@ -142,15 +142,15 @@ Creating a permission directly in CloudKnox allows system administrators to assi A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out. 5. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**. - For example, a user can have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. + For example, a user can have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. 6. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**. - 4. Select **Save**. - + 4. Select **Save**. + The following message displays in green at the top of the screen: - **New User Has Been Created Successfully**. - 5. The new user receives an email invitation to log in to CloudKnox. + **New User Has Been Created Successfully**. + 5. The new user receives an email invitation to log in to Permissions Management. ### The Pending tab @@ -165,7 +165,7 @@ Creating a permission directly in CloudKnox allows system administrators to assi - **Delete**: System administrators can delete a permission - **Reinvite**: System administrator can reinvite the permission if the user didn't receive the email invite - When a user registers with CloudKnox, they move from the **Pending** tab to the **Registered** tab. + When a user registers with Permissions Management, they move from the **Pending** tab to the **Registered** tab. ### The Registered tab 
@@ -176,7 +176,7 @@ Creating a permission directly in CloudKnox allows system administrators to assi - The **Permissions** column lists each authorization system, and each type of permission. If a user has all permissions for all authorization systems, **Admin for All Authorization Types** display across all columns. If a user only has some permissions, numbers display in each column they have permissions for. For example, if the number "3" is listed in the **Viewer** column, the user has viewer permission for three accounts within that authorization system. - - The **Joined On** column records when the user registered for CloudKnox. + - The **Joined On** column records when the user registered for Permissions Management. - The **Recent Activity** column displays the date when a user last performed an activity. - The **Search** button allows a system administrator to search for a user by name and all users who match the criteria displays. - The **Filters** option allows a system administrator to filter by specific details. When the filter option is selected, the **Authorization System** box displays. @@ -194,7 +194,7 @@ Creating a permission directly in CloudKnox allows system administrators to assi The identity provider creates groups. Some users may be part of multiple groups. In this case, the user's overall permissions is a union of the permissions assigned the various groups the user is a member of. - 3. Under **Permission**, select the applicable button and expand the menu to view instructions for each option. + 3. Under **Permission**, select the applicable button and expand the menu to view instructions for each option. - **Admin for All Authorization System Types**: **View**, **Control**, and **Approve** permissions for all Authorization System Types. 1. Select **Next**. 
@@ -208,48 +208,48 @@ Creating a permission directly in CloudKnox allows system administrators to assi 4. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**. - **Admin for Selected Authorization System Types**: **View**, **Control**, and **Approve** permissions for selected Authorization System Types. - 1. Check **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s). + 1. Check **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s). 2. Select **Next**. 3. Check **Requestor for User** for each authorization system, if applicable. A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out. 4. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**. - For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. + For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. 5. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**. - + - **Custom**: **View**, **Control**, and **Approve** permissions for specific accounts in Auth System Types. - 1. Select **Next**. + 1. Select **Next**. The default view displays the **List** section. - 2. Check the appropriate boxes for **Viewer**, **Controller**, or **Approver. + 2. Check the appropriate boxes for **Viewer**, **Controller**, or **Approver. For access to all authorization system types, select **All (Current and Future)**. 3. Select **Next**. 
- 4. Check **Requestor for User** for each authorization system, if applicable. + 4. Check **Requestor for User** for each authorization system, if applicable. A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out. - 5. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**. + 5. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**. - For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. + For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts. 6. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**. - 4. Select **Save**. - - The following message displays in green at the top of the screen: **New Group Has Been Created Successfully**. + 4. Select **Save**. + + The following message displays in green at the top of the screen: **New Group Has Been Created Successfully**. ### The Groups tab 1. The **Groups** tab provides a high-level overview of user details to system administrators: - + - The **Name** column lists the name of the group. - - The **Permissions** column lists each authorization system, and each type of permission. + - The **Permissions** column lists each authorization system, and each type of permission. If a group has all permissions for all authorization systems, **Admin for All Authorization Types** displays across all columns. 
@@ -262,7 +262,7 @@ Creating a permission directly in CloudKnox allows system administrators to assi - The **Filters** option allows a system administrator to filter by specific details. When the filter option is selected, the **Authorization System** box displays. To display all authorization system accounts, select **All**. Then select the appropriate boxes for the accounts that need to be viewed. - + 2. To make changes to the following, select the ellipses **(...)** in the far right column: - **View Permissions**: Displays a list of the accounts for which the group has permissions. - **Edit Permissions**: System administrators can edit a group's permissions. @@ -272,6 +272,5 @@ Creating a permission directly in CloudKnox allows system administrators to assi ## Next steps -- For information about how to view user management information, see [Manage users with the User management dashboard](cloudknox-ui-user-management.md). -- For information about how to create group-based permissions, see [Create group-based permissions](cloudknox-howto-create-group-based-permissions.md). - +- For information about how to view user management information, see [Manage users with the User management dashboard](ui-user-management.md). +- For information about how to create group-based permissions, see [Create group-based permissions](how-to-create-group-based-permissions.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-integrations.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-integrations.md similarity index 100% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-integrations.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-integrations.md 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-permission-analytics.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-permission-analytics.md
similarity index 83%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-permission-analytics.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-permission-analytics.md
index 479f73496ba0..6c51f7ca8c57 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-permission-analytics.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-permission-analytics.md
@@ -1,6 +1,6 @@
 ---
-title: Create and view permission analytics triggers in CloudKnox Permissions Management
-description: How to create and view permission analytics triggers in the Permission analytics tab in CloudKnox Permissions Management.
+title: Create and view permission analytics triggers in Permissions Management
+description: How to create and view permission analytics triggers in the Permission analytics tab in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -12,24 +12,24 @@ ms.date: 02/23/2022 ms.author: kenwith --- -# Create and view permission analytics triggers +# Create and view permission analytics triggers > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes how you can create and view permission analytics triggers in CloudKnox Permissions Management (CloudKnox). +This article describes how you can create and view permission analytics triggers in Permissions Management. ## View permission analytics triggers -1. In the CloudKnox home page, select **Activity triggers** (the bell icon). +1. In the Permissions Management home page, select **Activity triggers** (the bell icon). 1. Select **Permission Analytics**, and then select the **Alerts** subtab. The **Alerts** subtab displays the following information: - **Alert Name**: Lists the name of the alert. - - To view the name, ID, role, domain, authorization system, statistical condition, anomaly date, and observance period, select **Alert name**. - - To expand the top information found with a graph of when the anomaly occurred, select **Details**. + - To view the name, ID, role, domain, authorization system, statistical condition, anomaly date, and observance period, select **Alert name**. + - To expand the top information found with a graph of when the anomaly occurred, select **Details**. - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert. - **# of Occurrences**: Displays how many times the alert trigger has occurred. - **Task**: Displays how many tasks are affected by the alert 
@@ -39,7 +39,7 @@ This article describes how you can create and view permission analytics triggers - **Date/Time**: Displays the date and time of the alert. - **Date/Time (UTC)**: Lists the date and time of the alert in Coordinated Universal Time (UTC). -1. To filter the alerts, select the appropriate alert name or, from the **Alert Name** menu,select **All**. +1. To filter the alerts, select the appropriate alert name or, from the **Alert Name** menu,select **All**. - From the **Date** dropdown menu, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**, and then select **Apply**. 
@@ -48,30 +48,30 @@ This article describes how you can create and view permission analytics triggers 1. To view the following details, select the ellipses (**...**): - **Details**: Displays **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, and **Identities** that matched the alert criteria. -1. To view specific matches, select **Resources**, **Tasks**, or **Identities**. +1. To view specific matches, select **Resources**, **Tasks**, or **Identities**. The **Activity** section displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date**, and **IP Address**. ## Create a permission analytics trigger -1. In the CloudKnox home page, select **Activity triggers** (the bell icon). +1. In the Permissions Management home page, select **Activity triggers** (the bell icon). 1. Select **Permission Analytics**, select the **Alerts** subtab, and then select **Create Permission Analytics Trigger**. 1. In the **Alert Name** box, enter a name for the alert. 1. Select the **Authorization System**. 1. Select **Identity performed high number of tasks**, and then select **Next**. -1. On the **Authorization Systems** tab, select the appropriate accounts and folders, or select **All**. +1. On the **Authorization Systems** tab, select the appropriate accounts and folders, or select **All**. This screen defaults to the **List** view but can also be changed to the **Folder** view, and the applicable folder can be selected instead of individually by system. - The **Status** column displays if the authorization system is online or offline - - The **Controller** column displays if the controller is enabled or disabled. + - The **Controller** column displays if the controller is enabled or disabled. 1. On the **Configuration** tab, to update the **Time Interval**, select **90 Days**, **60 Days**, or **30 Days** from the **Time range** dropdown. 1. Select **Save**. ## View permission analytics alert triggers -1. 
In the CloudKnox home page, select **Activity triggers** (the bell icon). +1. In the Permissions Management home page, select **Activity triggers** (the bell icon). 1. Select **Permission Analytics**, and then select the **Alert Triggers** subtab. The **Alert triggers** subtab displays the following information: @@ -96,7 +96,7 @@ This article describes how you can create and view permission analytics triggers ## Next steps -- For an overview on activity triggers, see [View information about activity triggers](cloudknox-ui-triggers.md). -- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](cloudknox-howto-create-alert-trigger.md). -- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](cloudknox-product-rule-based-anomalies.md). -- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](cloudknox-product-statistical-anomalies.md). +- For an overview on activity triggers, see [View information about activity triggers](ui-triggers.md). +- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](how-to-create-alert-trigger.md). +- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](product-rule-based-anomalies.md). +- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](product-statistical-anomalies.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-permissions-analytics-reports.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-permissions-analytics-reports.md
similarity index 50%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-permissions-analytics-reports.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-permissions-analytics-reports.md
index 7f2acdd173c0..21a8dbd44a40 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-permissions-analytics-reports.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-permissions-analytics-reports.md
@@ -1,5 +1,5 @@
 ---
-title: Generate and download the Permissions analytics report in CloudKnox Permissions Management
+title: Generate and download the Permissions analytics report in CloudKnox Permissions Management
 description: How to generate and download the Permissions analytics report in CloudKnox Permissions Management.
 services: active-directory
 author: kenwith
@@ -23,7 +23,7 @@ This article describes how to generate and download the **Permissions analytics
 > [!NOTE]
 > This topic applies only to Amazon Web Services (AWS) users.
-## Generate the Permissions analytics report
+## Generate the Permissions analytics report
 1. In the CloudKnox home page, select the **Reports** tab, and then select the **Systems Reports** subtab.
@@ -34,71 +34,71 @@ This article describes how to generate and download the **Permissions analytics 1. For detailed information in the report, select the right arrow next to one of the following categories. Or, select the required category under the **Findings** column. - - **AWS** - - Inactive Identities - - Users - - Roles - - Resources - - Serverless Functions - - Inactive Groups - - Super Identities - - Users - - Roles - - Resources - - Serverless Functions - - Over-Provisioned Active Identities - - Users - - Roles - - Resources - - Serverless Functions - - PCI Distribution - - Privilege Escalation - - Users - - Roles - - Resources - - S3 Bucket Encryption - - Unencrypted Buckets - - SSE-S3 Buckets - - S3 Buckets Accessible Externally - - EC2 S3 Buckets Accessibility - - Open Security Groups - - Identities That Can Administer Security Tools - - Users - - Roles - - Resources - - Serverless Functions - - Identities That Can Access Secret Information - - Users - - Roles - - Resources - - Serverless Functions - - Cross-Account Access - - External Accounts - - Roles That Allow All Identities - - Hygiene: MFA Enforcement - - Hygiene: IAM Access Key Age - - Hygiene: Unused IAM Access Keys - - Exclude From Reports - - Users - - Roles - - Resources - - Serverless Functions - - Groups - - Security Groups - - S3 Buckets + - **AWS** + - Inactive Identities + - Users + - Roles + - Resources + - Serverless Functions + - Inactive Groups + - Super Identities + - Users + - Roles + - Resources + - Serverless Functions + - Over-Provisioned Active Identities + - Users + - Roles + - Resources + - Serverless Functions + - PCI Distribution + - Privilege Escalation + - Users + - Roles + - Resources + - S3 Bucket Encryption + - Unencrypted Buckets + - SSE-S3 Buckets + - S3 Buckets Accessible Externally + - EC2 S3 Buckets Accessibility + - Open Security Groups + - Identities That Can Administer Security Tools + - Users + - Roles + - Resources + - Serverless Functions + - Identities That 
Can Access Secret Information + - Users + - Roles + - Resources + - Serverless Functions + - Cross-Account Access + - External Accounts + - Roles That Allow All Identities + - Hygiene: MFA Enforcement + - Hygiene: IAM Access Key Age + - Hygiene: Unused IAM Access Keys + - Exclude From Reports + - Users + - Roles + - Resources + - Serverless Functions + - Groups + - Security Groups + - S3 Buckets 1. Select a category and view the following columns of information: - - **User**, **Role**, **Resource**, **Serverless Function Name**: Displays the name of the identity. - - **Authorization System**: Displays the authorization system to which the identity belongs. - - **Domain**: Displays the domain name to which the identity belongs. - - **Permissions**: Displays the maximum number of permissions that the identity can be granted. - - **Used**: Displays how many permissions that the identity has used. - - **Granted**: Displays how many permissions that the identity has been granted. - - **PCI**: Displays the permission creep index (PCI) score of the identity. - - **Date Last Active On**: Displays the date that the identity was last active. - - **Date Created On**: Displays the date when the identity was created. + - **User**, **Role**, **Resource**, **Serverless Function Name**: Displays the name of the identity. + - **Authorization System**: Displays the authorization system to which the identity belongs. + - **Domain**: Displays the domain name to which the identity belongs. + - **Permissions**: Displays the maximum number of permissions that the identity can be granted. + - **Used**: Displays how many permissions that the identity has used. + - **Granted**: Displays how many permissions that the identity has been granted. + - **PCI**: Displays the permission creep index (PCI) score of the identity. + - **Date Last Active On**: Displays the date that the identity was last active. + - **Date Created On**: Displays the date when the identity was created. 
@@ -108,7 +108,7 @@ This article describes how to generate and download the **Permissions analytics 1. Select one of the categories from the **Permissions Analytics Report**. 1. Select the identity name to which you want to add a tag. Then, select the checkbox at the top to select all identities. 1. Select **Add Tag**. -1. In the **Tag** column: +1. In the **Tag** column: - To select from the available options from the list, select **Select a Tag**. - To search for a tag, enter the tag name. - To create a new custom tag, select **New Custom Tag**. @@ -117,10 +117,10 @@ This article describes how to generate and download the **Permissions analytics 1. In the **Value (optional)** box, enter a value, if necessary. 1. Select **Save**.---> - + ## Next steps -- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](cloudknox-product-reports.md). -- For a detailed overview of available system reports, see [View a list and description of system reports](cloudknox-all-reports.md). -- For information about how to generate and view a system report, see [Generate and view a system report](cloudknox-report-view-system-report.md). -- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md). +- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](product-reports.md). +- For a detailed overview of available system reports, see [View a list and description of system reports](all-reports.md). +- For information about how to generate and view a system report, see [Generate and view a system report](report-view-system-report.md). +- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](report-view-system-report.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/product-reports.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-reports.md
new file mode 100644
index 000000000000..5539d0460aad
--- /dev/null
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-reports.md
@@ -0,0 +1,141 @@
+---
+title: View system reports in the Reports dashboard in CloudKnox Permissions Management
+description: How to view system reports in the Reports dashboard in CloudKnox Permissions Management.
+services: active-directory
+author: kenwith
+manager: rkarlin
+ms.service: active-directory
+ms.subservice: ciem
+ms.workload: identity
+ms.topic: how-to
+ms.date: 02/23/2022
+ms.author: kenwith
+---
+
+# View system reports in the Reports dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+CloudKnox Permissions Management (CloudKnox) has various types of system report types available that capture specific sets of data. These reports allow management to:
+
+- Make timely decisions.
+- Analyze trends and system/user performance.
+- Identify trends in data and high risk areas so that management can address issues more quickly and improve their efficiency.
+
+## Explore the Reports dashboard
+
+The **Reports** dashboard provides a table of information with both system reports and custom reports. The **Reports** dashboard defaults to the **System Reports** tab, which has the following details:
+
+- **Report Name**: The name of the report.
+- **Category**: The type of report. For example, **Permission**.
+- **Authorization Systems**: Displays which authorizations the custom report applies to.
+- **Format**: Displays the output format the report can be generated in. For example, comma-separated values (CSV) format, portable document format (PDF), or Microsoft Excel Open XML Spreadsheet (XLSX) format.
+
+ - To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+
+ The following message displays across the top of the screen in green if the download is successful: **Successfully Started To Generate On Demand Report**.
+
+## Available system reports
+
+CloudKnox offers the following reports for management associated with the authorization systems noted in parenthesis:
+
+- **Access Key Entitlements And Usage**:
+ - **Summary of report**: Provides information about access key, for example, permissions, usage, and rotation date.
+ - **Applies to**: Amazon Web Services (AWS) and Microsoft Azure
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary** or **Detailed**
+ - **Use cases**:
+ - The access key age, last rotation date, and last usage date is available in the summary report to help with key rotation.
+ - The granted task and Permissions creep index (PCI) score to take action on the keys.
+
+- **User Entitlements And Usage**:
+ - **Summary of report**: Provides information about the identities' permissions, for example, entitlement, usage, and PCI.
+ - **Applies to**: AWS, Azure, and Google Cloud Platform (GCP)
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary** or **Detailed**
+ - **Use cases**:
+ - The data displayed on the **Usage Analytics** screen is downloaded as part of the **Summary** report. The user's detailed permissions usage is listed in the **Detailed** report.
+
+- **Group Entitlements And Usage**:
+ - **Summary of report**: Provides information about the group's permissions, for example, entitlement, usage, and PCI.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - All group level entitlements and permission assignments, PCIs, and the number of members are listed as part of this report.
+
+- **Identity Permissions**:
+ - **Summary of report**: Report on identities that have specific permissions, for example, identities that have permission to delete any S3 buckets.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: No
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - Any task usage or specific task usage via User/Group/Role/App can be tracked with this report.
+
+- **Identity privilege activity report**
+ - **Summary of report**: Provides information about permission changes that have occurred in the selected duration.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: PDF
+ - **Ability to collate report**: No
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - Any identity permission change can be captured using this report.
+ - The **Identity Privilege Activity** report has the following main sections: **User Summary**, **Group Summary**, **Role Summary**, and **Delete Task Summary**.
+ - The **User** summary lists the current granted permissions and high-risk permissions and resources accessed in 1 day, 7 days, or 30 days. There are subsections for newly added or deleted users, users with PCI change, and High-risk active/inactive users.
+ - The **Group** summary lists the administrator level groups with the current granted permissions and high-risk permissions and resources accessed in 1 day, 7 days, or 30 days. There are subsections for newly added or deleted groups, groups with PCI change, and High-risk active/inactive groups.
+ - The **Role summary** lists similar details as **Group Summary**.
+ - The **Delete Task summary** section lists the number of times the **Delete task** has been executed in the given time period.
+
+- **Permissions Analytics Report**
+ - **Summary of report**: Provides information about the violation of key security best practices.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Detailed**
+ - **Use cases**:
+ - This report lists the different key findings in the selected auth systems. The key findings include super identities, inactive identities, over provisioned active identities, storage bucket hygiene, and access key age (for AWS only). The report helps administrators to visualize the findings across the organization.
+
+ For more information about this report, see [Permissions analytics report](product-permissions-analytics-reports.md).
+
+- **Role/Policy Details**
+ - **Summary of report**: Provides information about roles and policies.
+ - **Applies to**: AWS, Azure, GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: No
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - Assigned/Unassigned, custom/system policy, and the used/unused condition is captured in this report for any specific, or all, AWS accounts. Similar data can be captured for Azure/GCP for the assigned/unassigned roles.
+
+- **PCI History**
+ - **Summary of report**: Provides a report of privilege creep index (PCI) history.
+ - **Applies to**: AWS, Azure, GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - This report plots the trend of the PCI by displaying the monthly PCI history for each authorization system.
+
+- **All Permissions for Identity**
+ - **Summary of report**: Provides results of all permissions for identities.
+ - **Applies to**: AWS, Azure, GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Detailed**
+ - **Use cases**:
+ - This report lists all the assigned permissions for the selected identities.
+
+
+
+
+## Next steps
+
+- For a detailed overview of available system reports, see [View a list and description of system reports](all-reports.md).
+- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](report-view-system-report.md).
+- For information about how to create and view a custom report, see [Generate and view a custom report](report-create-custom-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](product-permissions-analytics-reports.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-rule-based-anomalies.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-rule-based-anomalies.md
similarity index 82%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-rule-based-anomalies.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-rule-based-anomalies.md
index f9af667bb858..2d014ae108e0 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-rule-based-anomalies.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-rule-based-anomalies.md
@@ -1,6 +1,6 @@
 ---
-title: Create and view rule-based anomalies and anomaly triggers in CloudKnox Permissions Management
-description: How to create and view rule-based anomalies and anomaly triggers in CloudKnox Permissions Management.
+title: Create and view rule-based anomalies and anomaly triggers in Permissions Management
+description: How to create and view rule-based anomalies and anomaly triggers in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -12,23 +12,23 @@ ms.date: 02/23/2022 ms.author: kenwith --- -# Create and view rule-based anomaly alerts and anomaly triggers +# Create and view rule-based anomaly alerts and anomaly triggers > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Rule-based anomalies identify recent activity in CloudKnox Permissions Management (CloudKnox) that is determined to be unusual based on explicit rules defined in the activity trigger. The goal of rule-based anomaly is high precision detection. +Rule-based anomalies identify recent activity in Permissions Management that is determined to be unusual based on explicit rules defined in the activity trigger. The goal of rule-based anomaly is high precision detection. ## View rule-based anomaly alerts -1. In the CloudKnox home page, select **Activity triggers** (the bell icon). +1. In the Permissions Management home page, select **Activity triggers** (the bell icon). 1. Select **Rule-Based Anomaly**, and then select the **Alerts** subtab. The **Alerts** subtab displays the following information: - **Alert Name**: Lists the name of the alert. - + - To view the specific identity, resource, and task names that occurred during the alert collection period, select the **Alert Name**. - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert. 
@@ -36,18 +36,18 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen - **Task**: How many tasks performed are triggered by the alert. - **Resources**: How many resources accessed are triggered by the alert. - **Identity**: How many identities performing unusual behavior are triggered by the alert. - - **Authorization System**: Displays which authorization systems the alert applies to, Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). + - **Authorization System**: Displays which authorization systems the alert applies to, Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). - **Date/Time**: Lists the date and time of the alert. - **Date/Time (UTC)**: Lists the date and time of the alert in Coordinated Universal Time (UTC). - + 1. To filter alerts: - - From the **Alert Name** dropdown, select **All** or the appropriate alert name. + - From the **Alert Name** dropdown, select **All** or the appropriate alert name. - From the **Date** dropdown menu, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**, and select **Apply**. - If you select **Custom Range**, also enter **From** and **To** duration settings. -1. To view details that match the alert criteria, select the ellipses (**...**). +1. To view details that match the alert criteria, select the ellipses (**...**). - **View Trigger**: Displays the current trigger settings and applicable authorization system details - **Details**: Displays details about **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, **Identities**, and **Activity** 
@@ -55,7 +55,7 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen ## Create a rule-based anomaly trigger -1. In the CloudKnox home page, select **Activity triggers** (the bell icon). +1. In the Permissions Management home page, select **Activity triggers** (the bell icon). 1. Select **Rule-Based Anomaly**, and then select the **Alerts** subtab. 1. Select **Create Anomaly Trigger**. @@ -66,11 +66,11 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen - **Identity Performs a Particular Task for the First Time**: The identity does a specific task for the first time during the specified time interval. - **Identity Performs a Task for the First Time**: The identity performs any task for the first time during the specified time interval 1. Select **Next**. -1. On the **Authorization Systems** tab, select the available authorization systems and folders, or select **All**. +1. On the **Authorization Systems** tab, select the available authorization systems and folders, or select **All**. - This screen defaults to **List** view, but you can change it to **Folders** view. You can select the applicable folder instead of individually selecting by authorization system. + This screen defaults to **List** view, but you can change it to **Folders** view. You can select the applicable folder instead of individually selecting by authorization system. - - The **Status** column displays if the authorization system is online or offline. + - The **Status** column displays if the authorization system is online or offline. - The **Controller** column displays if the controller is enabled or disabled. 1. On the **Configuration** tab, to update the **Time Interval**, select **90 Days**, **60 Days**, or **30 Days** from the **Time range** dropdown. 
@@ -78,9 +78,9 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen ## View a rule-based anomaly trigger -1. In the CloudKnox home page, select **Activity triggers** (the bell icon). +1. In the Permissions Management home page, select **Activity triggers** (the bell icon). 1. Select **Rule-Based Anomaly**, and then select the **Alert Triggers** subtab. - + The **Alert Triggers** subtab displays the following information: - **Alerts**: Displays the name of the alert. @@ -89,13 +89,13 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen - **Created By**: Displays the email address of the user who created the alert. - **Last Modified By**: Displays the email address of the user who last modified the alert. - **Last Modified On**: Displays the date and time the trigger was last modified. - - **Subscription**: Subscribes you to receive alert emails. Switches between **On** and **Off**. + - **Subscription**: Subscribes you to receive alert emails. Switches between **On** and **Off**. 1. To view other options available to you, select the ellipses (**...**), and then select from the available options: If the **Subscription** is **On**, the following options are available: - - **Edit**: Enables you to modify alert parameters. + - **Edit**: Enables you to modify alert parameters. Only the user who created the alert can edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved. 
@@ -103,7 +103,7 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen - **Rename**: Enter the new name of the query, and then select **Save.** - **Deactivate**: The alert will still be listed, but will no longer send emails to subscribed users. - **Activate**: Activate the alert trigger and start sending emails to subscribed users. - - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger. + - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger. - **Delete**: Delete the alert. If the **Subscription** is **Off**, the following options are available: @@ -117,7 +117,7 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen ## Next steps -- For an overview on activity triggers, see [View information about activity triggers](cloudknox-ui-triggers.md). -- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](cloudknox-howto-create-alert-trigger.md). -- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](cloudknox-product-statistical-anomalies.md). -- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md). +- For an overview on activity triggers, see [View information about activity triggers](ui-triggers.md). +- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](how-to-create-alert-trigger.md). +- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](product-statistical-anomalies.md). +- For information on permission analytics triggers, see [Create and view permission analytics triggers](product-permission-analytics.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-statistical-anomalies.md b/articles/active-directory/cloud-infrastructure-entitlement-management/product-statistical-anomalies.md
similarity index 88%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-statistical-anomalies.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/product-statistical-anomalies.md
index ebddfd89f42d..bcef698e31a8 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-statistical-anomalies.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/product-statistical-anomalies.md
@@ -1,6 +1,6 @@
 ---
-title: Create and view statistical anomalies and anomaly triggers in CloudKnox Permissions Management
-description: How to create and view statistical anomalies and anomaly triggers in the Statistical Anomaly tab in CloudKnox Permissions Management.
+title: Create and view statistical anomalies and anomaly triggers in Permissions Management
+description: How to create and view statistical anomalies and anomaly triggers in the Statistical Anomaly tab in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,25 +15,25 @@ ms.author: kenwith # Create and view statistical anomalies and anomaly triggers > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Statistical anomalies can detect outliers in an identity's behavior if recent activity is determined to be unusual based on models defined in an activity trigger. The goal of this anomaly trigger is a high recall rate. ## View statistical anomalies in an identity's behavior -1. In the CloudKnox home page, select **Activity triggers** (the bell icon). +1. In the Permissions Management home page, select **Activity triggers** (the bell icon). 1. Select **Statistical Anomaly**, and then select the **Alerts** subtab. The **Alerts** subtab displays the following information: - **Alert Name**: Lists the name of the alert. - - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert. + - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert. - **# of Occurrences**: Displays how many times the alert trigger has occurred. - **Authorization System**: Displays which authorization systems the alert applies to. - **Date/Time**: Lists the day of the outlier occurring. - **Date/Time (UTC)**: Lists the day of the outlier occurring in Coordinated Universal Time (UTC). - + 1. To filter the alerts based on name, select the appropriate alert name or choose **All** from the **Alert Name** dropdown menu, and select **Apply**. 1. To filter the alerts based on alert time, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range** from the **Date** dropdown menu, and select **Apply**. 
@@ -41,11 +41,11 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac - **Details**, this brings you to an Alert Summary view with **Authorization System**, **Statistical Model** and **Observance Period** displayed along with a table with a row per identity triggering this alert. From here you can click: - **Details**: Displays graph(s) highlighting the anomaly with context, and up to the top 3 actions performed on the day of the anomaly - **View Trigger**: Displays the current trigger settings and applicable authorization system details - - **View Trigger**: Displays the current trigger settings and applicable authorization system details + - **View Trigger**: Displays the current trigger settings and applicable authorization system details ## Create a statistical anomaly trigger -1. In the CloudKnox home page, select **Activity triggers** (the bell icon). +1. In the Permissions Management home page, select **Activity triggers** (the bell icon). 1. Select **Statistical Anomaly**, select the **Alerts** subtab, and then select **Create Alert Trigger**. 1. Enter a name for the alert in the **Alert Name** box. 1. Select the **Authorization System**, Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). 
@@ -65,11 +65,11 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac - **Identity Performed Tasks with Multiple Unusual Patterns**: The identity has several unusual patterns in the tasks performed by the identity as established by their baseline in the observance period. 1. Select **Next**. -1. On the **Authorization Systems** tab, select the appropriate systems, or, to select all systems, select **All**. +1. On the **Authorization Systems** tab, select the appropriate systems, or, to select all systems, select **All**. - The screen defaults to the **List** view but you can switch to **Folder** view using the menu, and then select the applicable folder instead of individually by system. + The screen defaults to the **List** view but you can switch to **Folder** view using the menu, and then select the applicable folder instead of individually by system. - - The **Status** column displays if the authorization system is online or offline. + - The **Status** column displays if the authorization system is online or offline. - The **Controller** column displays if the controller is enabled or disabled. 
@@ -78,13 +78,13 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac ## View statistical anomaly triggers -1. In the CloudKnox home page, select **Activity triggers** (the bell icon). +1. In the Permissions Management home page, select **Activity triggers** (the bell icon). 1. Select **Statistical Anomaly**, and then select the **Alert Triggers** subtab. The **Alert Triggers** subtab displays the following information: - **Alert**: Displays the name of the alert. - - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert. + - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert. - **# of users subscribed**: Displays the number of users subscribed to the alert. - **Created By**: Displays the email address of the user who created the alert. - **Last Modified By**: Displays the email address of the user who last modified the alert. @@ -96,7 +96,7 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac 1. To view other options available to you, select the ellipses (**...**), and then select from the available options: If the **Subscription** is **On**, the following options are available: - - **Edit**: Enables you to modify alert parameters + - **Edit**: Enables you to modify alert parameters > [!NOTE] > Only the user who created the alert can perform the following actions: edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved. 
@@ -106,12 +106,12 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac - **Activate**: Activate the alert trigger and start sending emails to subscribed users. - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger. - **Delete**: Delete the alert. - + If the **Subscription** is **Off**, the following options are available: - **View**: View details of the alert trigger. - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger. - **Duplicate**: Create a duplicate copy of the selected alert trigger. - + 1. Select **Apply**. @@ -119,7 +119,7 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac ## Next steps -- For an overview on activity triggers, see [View information about activity triggers](cloudknox-ui-triggers.md). -- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](cloudknox-howto-create-alert-trigger.md). -- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](cloudknox-product-rule-based-anomalies.md). -- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md). +- For an overview on activity triggers, see [View information about activity triggers](ui-triggers.md). +- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](how-to-create-alert-trigger.md). +- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](product-rule-based-anomalies.md). +- For information on permission analytics triggers, see [Create and view permission analytics triggers](product-permission-analytics.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-report-create-custom-report.md b/articles/active-directory/cloud-infrastructure-entitlement-management/report-create-custom-report.md
similarity index 63%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-report-create-custom-report.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/report-create-custom-report.md
index 2f7d8b0c51ff..203365d8a884 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-report-create-custom-report.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/report-create-custom-report.md
@@ -1,6 +1,6 @@
 ---
-title: Create, view, and share a custom report a custom report in CloudKnox Permissions Management
-description: How to create, view, and share a custom report in the CloudKnox Permissions Management.
+title: Create, view, and share a custom report a custom report in Permissions Management
+description: How to create, view, and share a custom report in the Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,14 +15,14 @@ ms.author: kenwith # Create, view, and share a custom report > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes how to create, view, and share a custom report in CloudKnox Permissions Management (CloudKnox). +This article describes how to create, view, and share a custom report in Permissions Management. -## Create a custom report +## Create a custom report -1. In the CloudKnox home page, select the **Reports** tab, and then select the **Custom Reports** subtab. +1. In the Permissions Management home page, select the **Reports** tab, and then select the **Custom Reports** subtab. 1. Select **New Custom Report**. 1. In the **Report Name** box, enter a name for your report. 1. From the **Report Based on** list: 
@@ -37,7 +37,7 @@ This article describes how to create, view, and share a custom report in CloudKn 1. Select the **Report Format** subtab, and then select the format for your report: comma-separated values (**CSV**) file, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) file. 1. Select the **Schedule** tab, and then select the frequency for your report, from **None** up to **Monthly**. - - For **Hourly** and **Daily** options, set the start date by choosing from the **Calendar** dropdown, and can input a specific time of the day they want to receive the report. + - For **Hourly** and **Daily** options, set the start date by choosing from the **Calendar** dropdown, and can input a specific time of the day they want to receive the report. In addition to date and time, the **Weekly** and **Biweekly** provide options for you to select on which day(s)of the week the report should repeat. @@ -46,9 +46,9 @@ This article describes how to create, view, and share a custom report in CloudKn The following message displays across the top of the screen in green if the download is successful: **Report has been created**. The report name appears in the **Reports** table. -## View a custom report +## View a custom report -1. In the CloudKnox home page, select the **Reports** tab, and then select the **Custom Reports** subtab. +1. In the Permissions Management home page, select the **Reports** tab, and then select the **Custom Reports** subtab. The **Custom Reports** tab displays the following information in the **Reports** table: 
@@ -63,21 +63,21 @@ The report name appears in the **Reports** table. ## Share a custom report -1. In the CloudKnox home page, select the **Reports** tab, and then select the **Custom Reports** subtab. +1. In the Permissions Management home page, select the **Reports** tab, and then select the **Custom Reports** subtab. 1. In the **Reports** table, select a report and then select the ellipses (**...**) icon. 1. In the **Report Settings** box, select **Share with**. -1. In the **Search Email to add** box, enter the name of other CloudKnox user(s). +1. In the **Search Email to add** box, enter the name of other Permissions Management user(s). - You can only share reports with other CloudKnox users. + You can only share reports with other Permissions Management users. 1. Select **Save**. -## Search for a custom report +## Search for a custom report -1. In the CloudKnox home page, select the **Reports** tab, and then select the **Custom Reports** subtab. +1. In the Permissions Management home page, select the **Reports** tab, and then select the **Custom Reports** subtab. 1. On the **Custom Reports** tab, select **Search**. 1. In the **Search** box, enter the name of the report you want. - The **Custom Reports** tab displays a list of reports that match your search criteria. + The **Custom Reports** tab displays a list of reports that match your search criteria. 1. Select the report you want. 1. To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**. 1. To refresh the list of reports, select **Reload**. 
@@ -85,44 +85,44 @@ The report name appears in the **Reports** table. ## Modify a saved or scheduled custom report -1. In the CloudKnox home page, select the **Reports** tab, and then select the **Custom Reports** subtab. +1. In the Permissions Management home page, select the **Reports** tab, and then select the **Custom Reports** subtab. 1. Hover over the report name on the **Custom Reports** tab. - To rename the report, select **Edit** (the pencil icon), and enter a new name. - To change the settings for your report, select **Settings** (the gear icon). Make your changes, and then select **Save**. - - To download a copy of the report, select the **Down arrow** icon. + - To download a copy of the report, select the **Down arrow** icon. 1. To perform other actions to the report, select the ellipses (**...**) icon: - - **Download**: Downloads a copy of the report. + - **Download**: Downloads a copy of the report. - - **Report Settings**: Displays the settings for the report, including scheduling, sharing the report, and so on. + - **Report Settings**: Displays the settings for the report, including scheduling, sharing the report, and so on. - - **Duplicate**: Creates a duplicate of the report called **"Copy of XXX"**. Any reports not created by the current user are listed as **Duplicate**. + - **Duplicate**: Creates a duplicate of the report called **"Copy of XXX"**. Any reports not created by the current user are listed as **Duplicate**. - When you select **Duplicate**, a box appears asking if you're sure you want to create a duplicate. Select **Confirm**. + When you select **Duplicate**, a box appears asking if you're sure you want to create a duplicate. Select **Confirm**. When the report is successfully duplicated, the following message displays: **Report generated successfully**. - - **API Settings**: Download the report using your Application Programming Interface (API) settings. 
+ - **API Settings**: Download the report using your Application Programming Interface (API) settings. - When this option is selected, the **API Settings** window opens and displays the **Report ID** and **Secret Key**. Select **Generate New Key**. + When this option is selected, the **API Settings** window opens and displays the **Report ID** and **Secret Key**. Select **Generate New Key**. - - **Delete**: Select this option to delete the report. + - **Delete**: Select this option to delete the report. - After selecting **Delete**, a pop-up box appears asking if the user is sure they want to delete the report. Select **Confirm**. + After selecting **Delete**, a pop-up box appears asking if the user is sure they want to delete the report. Select **Confirm**. **Report is deleted successfully** appears across the top of the screen in green if successfully deleted. - - **Unsubscribe**: Unsubscribe the user from receiving scheduled reports and notifications. + - **Unsubscribe**: Unsubscribe the user from receiving scheduled reports and notifications. - This option is only available after a report has been scheduled. + This option is only available after a report has been scheduled. ## Next steps -- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](cloudknox-product-reports.md). -- For a detailed overview of available system reports, see [View a list and description of system reports](cloudknox-all-reports.md). -- For information about how to generate and view a system report, see [Generate and view a system report](cloudknox-report-view-system-report.md). -- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md). 
+- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](product-reports.md).
+- For a detailed overview of available system reports, see [View a list and description of system reports](all-reports.md).
+- For information about how to generate and view a system report, see [Generate and view a system report](report-view-system-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](product-permissions-analytics-reports.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-report-view-system-report.md b/articles/active-directory/cloud-infrastructure-entitlement-management/report-view-system-report.md
similarity index 76%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-report-view-system-report.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/report-view-system-report.md
index 35563a9b5634..d93af027fb2f 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-report-view-system-report.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/report-view-system-report.md
@@ -1,6 +1,6 @@
 ---
-title: Generate and view a system report in CloudKnox Permissions Management
-description: How to generate and view a system report in the CloudKnox Permissions Management.
+title: Generate and view a system report in Permissions Management
+description: How to generate and view a system report in the Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,14 +15,14 @@ ms.author: kenwith # Generate and view a system report > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes how to generate and view a system report in CloudKnox Permissions Management (CloudKnox). +This article describes how to generate and view a system report in Permissions Management. -## Generate a system report +## Generate a system report -1. In the CloudKnox home page, select the **Reports** tab, and then select the **Systems Reports** subtab. +1. In the Permissions Management home page, select the **Reports** tab, and then select the **Systems Reports** subtab. The **Systems Reports** subtab displays the following options in the **Reports** table: - **Report Name**: The name of the report. @@ -41,12 +41,12 @@ This article describes how to generate and view a system report in CloudKnox Per 1. To refresh the list of reports, select **Reload**. -## Search for a system report +## Search for a system report 1. On the **Systems Reports** subtab, select **Search**. 1. In the **Search** box, enter the name of the report you want. - The **Systems Reports** subtab displays a list of reports that match your search criteria. + The **Systems Reports** subtab displays a list of reports that match your search criteria. 1. Select a report from the **Report Name** column. 1. To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**. 1. To refresh the list of reports, select **Reload**. 
@@ -54,7 +54,7 @@ This article describes how to generate and view a system report in CloudKnox Per ## Next steps -- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](cloudknox-product-reports.md). -- For a detailed overview of available system reports, see [View a list and description of system reports](cloudknox-all-reports.md). -- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md). -- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md). +- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](product-reports.md). +- For a detailed overview of available system reports, see [View a list and description of system reports](all-reports.md). +- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](report-view-system-report.md). +- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](product-permissions-analytics-reports.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-training-videos.md b/articles/active-directory/cloud-infrastructure-entitlement-management/training-videos.md similarity index 91% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-training-videos.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/training-videos.md index 5e92b74f6f40..7c4b7650af8a 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-training-videos.md 
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/training-videos.md @@ -36,6 +36,6 @@ To view a video on how to configure and onboard Google Cloud Platform (GCP) acco ## Next steps -- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md) -- For a list of frequently asked questions (FAQs) about CloudKnox, see [FAQs](cloudknox-faqs.md). -- For information on how to start viewing information about your authorization system in CloudKnox, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md). \ No newline at end of file +- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](overview.md) +- For a list of frequently asked questions (FAQs) about CloudKnox, see [FAQs](faqs.md). +- For information on how to start viewing information about your authorization system in CloudKnox, see [View key statistics and data about your authorization system](ui-dashboard.md). \ No newline at end of file diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-troubleshoot.md b/articles/active-directory/cloud-infrastructure-entitlement-management/troubleshoot.md similarity index 59% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-troubleshoot.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/troubleshoot.md index 8d685638b9e0..fe392e6558e7 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-troubleshoot.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/troubleshoot.md 
@@ -1,6 +1,6 @@
 ---
-title: Troubleshoot issues with CloudKnox Permissions Management
-description: Troubleshoot issues with CloudKnox Permissions Management
+title: Troubleshoot issues with Permissions Management
+description: Troubleshoot issues with Permissions Management
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -12,31 +12,31 @@ ms.date: 02/23/2022 ms.author: kenwith --- -# Troubleshoot issues with CloudKnox Permissions Management +# Troubleshoot issues with Permissions Management > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This section answers troubleshoot issues with CloudKnox Permissions Management (CloudKnox). +This section answers troubleshoot issues with Permissions Management. ## One time passcode (OTP) email ### The user didn't receive the OTP email. -- Check your junk or Spam mail folder for the email. +- Check your junk or Spam mail folder for the email. ## Reports ### The individual files are generated according to the authorization system (subscription/account/project). -- Select the **Collate** option in the **Custom Report** screen in the CloudKnox **Reports** tab. +- Select the **Collate** option in the **Custom Report** screen in the Permissions Management **Reports** tab. ## Data collection in AWS -### Data collection > AWS Authorization system data collection status is offline. Upload and transform is also offline. +### Data collection > AWS Authorization system data collection status is offline. Upload and transform is also offline. -- Check the CloudKnox-related role that exists in these accounts. -- Validate the trust relationship with the OpenID Connect (OIDC) role. +- Check the Permissions Management-related role that exists in these accounts. +- Validate the trust relationship with the OpenID Connect (OIDC) role. 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-audit-trail.md b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-audit-trail.md
similarity index 75%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-audit-trail.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/ui-audit-trail.md
index 6f854bb414c7..43ee6f14eec9 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-audit-trail.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-audit-trail.md
@@ -1,6 +1,6 @@
 ---
-title: Use queries to see how users access information in an authorization system in CloudKnox Permissions Management
-description: How to use queries to see how users access information in an authorization system in CloudKnox Permissions Management.
+title: Use queries to see how users access information in an authorization system in Permissions Management
+description: How to use queries to see how users access information in an authorization system in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,21 +15,21 @@ ms.author: kenwith # Use queries to see how users access information > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Audit** dashboard in CloudKnox Permissions Management (CloudKnox) provides an overview of queries a CloudKnox user has created to review how users access their authorization systems and accounts. +The **Audit** dashboard in Permissions Management provides an overview of queries a Permissions Management user has created to review how users access their authorization systems and accounts. This article provides an overview of the components of the **Audit** dashboard. ## View information in the Audit dashboard -1. In CloudKnox, select the **Audit** tab. +1. In Permissions Management, select the **Audit** tab. - CloudKnox displays the query options available to you. + Permissions Management displays the query options available to you. -1. The following options display at the top of the **Audit** dashboard: +1. The following options display at the top of the **Audit** dashboard: - A tab for each existing query. Select the tab to see details about the query. - **New Query**: Select the tab to create a new query. 
@@ -39,9 +39,9 @@ This article provides an overview of the components of the **Audit** dashboard. 1. To return to the main page, select **Back to Audit Trail**. -## Use a query to view information +## Use a query to view information -1. In CloudKnox, select the **Audit** tab. +1. In Permissions Management, select the **Audit** tab. 1. The **New query** tab displays the following options: - **Authorization Systems Type**: A list of your authorization systems: Amazon Web Services (**AWS**), Microsoft Azure (**Azure**), Google Cloud Platform (**GCP**), or Platform (**Platform**). @@ -51,7 +51,7 @@ This article provides an overview of the components of the **Audit** dashboard. - To display a **List** of accounts and **Folders** in the authorization system, select the down arrow, and then select **Apply**. 1. To add an **Audit Trail Condition**, select **Conditions** (the eye icon), select the conditions you want to add, and then select **Close**. - + 1. To edit existing parameters, select **Edit** (the pencil icon). 1. To add the parameter that you created to the query, select **Add**. @@ -70,6 +70,6 @@ This article provides an overview of the components of the **Audit** dashboard. ## Next steps -- For information on how to filter and view user activity, see [Filter and query user activity](cloudknox-product-audit-trail.md). -- For information on how to create a query,see [Create a custom query](cloudknox-howto-create-custom-queries.md). -- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](cloudknox-howto-audit-trail-results.md). +- For information on how to filter and view user activity, see [Filter and query user activity](product-audit-trail.md). +- For information on how to create a query,see [Create a custom query](how-to-create-custom-queries.md). +- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](how-to-audit-trail-results.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-autopilot.md b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-autopilot.md
similarity index 75%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-autopilot.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/ui-autopilot.md
index 586576497eb4..0d4f53e45ee7 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-autopilot.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-autopilot.md
@@ -1,6 +1,6 @@
 ---
-title: View rules in the Autopilot dashboard in CloudKnox Permissions Management
-description: How to view rules in the Autopilot dashboard in CloudKnox Permissions Management.
+title: View rules in the Autopilot dashboard in Permissions Management
+description: How to view rules in the Autopilot dashboard in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,27 +15,27 @@ ms.author: kenwith # View rules in the Autopilot dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Micorosft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Autopilot** dashboard in CloudKnox Permissions Management (CloudKnox) provides a table of information about **Autopilot rules** for administrators. +The **Autopilot** dashboard in Permissions Management provides a table of information about **Autopilot rules** for administrators. > [!NOTE] > Only users with the **Administrator** role can view and make changes on this tab. -## View a list of rules +## View a list of rules -1. In the CloudKnox home page, select the **Autopilot** tab. +1. In the Permissions Management home page, select the **Autopilot** tab. 1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select the authorization system types you want: Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). 1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want. -1. Select **Apply**. +1. Select **Apply**. The following information displays in the **Autopilot Rules** table: - **Rule Name**: The name of the rule. - **State**: The status of the rule: idle (not being use) or active (being used). - - **Rule Type**: The type of rule being applied. + - **Rule Type**: The type of rule being applied. - **Mode**: The status of the mode: on-demand or not. - **Last Generated**: The date and time the rule was last generated. - **Created By**: The email address of the user who created the rule. 
@@ -49,7 +49,7 @@ The **Autopilot** dashboard in CloudKnox Permissions Management (CloudKnox) prov The following options are available: - **View Rule**: Select to view details of the rule. - - **Delete Rule**: Select to delete the rule. Only the user who created the selected rule can delete the rule. + - **Delete Rule**: Select to delete the rule. Only the user who created the selected rule can delete the rule. - **Generate Recommendations**: Creates recommendations for each user and the authorization system. Only the user who created the selected rule can create recommendations. - **View Recommendations**: Displays the recommendations for each user and authorization system. - **Notification Settings**: Displays the users subscribed to this rule. Only the user who created the selected rule can add other users to be notified. 
@@ -59,13 +59,13 @@ You can also select: - **Reload**: Select to refresh the displayed list of roles/policies. - **Search**: Select to search for a specific role/policy. - **Columns**: From the dropdown list, select the columns you want to display. - - Select **Reset to default** to return to the system defaults. -- **New Rule**: Select to create a new rule. For more information, see [Create a rule](cloudknox-howto-create-rule.md). + - Select **Reset to default** to return to the system defaults. +- **New Rule**: Select to create a new rule. For more information, see [Create a rule](how-to-create-rule.md). ## Next steps -- For information about creating rules, see [Create a rule](cloudknox-howto-create-rule.md). -- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](cloudknox-howto-recommendations-rule.md). -- For information about notification settings for rules, see [View notification settings for a rule](cloudknox-howto-notifications-rule.md). +- For information about creating rules, see [Create a rule](how-to-create-rule.md). +- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](how-to-recommendations-rule.md). +- For information about notification settings for rules, see [View notification settings for a rule](how-to-notifications-rule.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-dashboard.md b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-dashboard.md
similarity index 77%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-dashboard.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/ui-dashboard.md
index f813214c6f40..23e1ce1b147b 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-dashboard.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-dashboard.md
@@ -1,6 +1,6 @@
 ---
-title: View key statistics and data about your authorization system in CloudKnox Permissions Management
-description: How to view statistics and data about your authorization system in the CloudKnox Permissions Management.
+title: View key statistics and data about your authorization system in Permissions Management
+description: How to view statistics and data about your authorization system in the Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -16,31 +16,31 @@ ms.author: kenwith # View key statistics and data about your authorization system > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -CloudKnox Permissions Management (CloudKnox) provides a summary of key statistics and data about your authorization system regularly. This information is available for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). +Permissions Management provides a summary of key statistics and data about your authorization system regularly. This information is available for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). ## View metrics related to avoidable risk -The data provided by CloudKnox includes metrics related to avoidable risk. These metrics allow the CloudKnox administrator to identify areas where they can reduce risks related to the principle of least permissions. +The data provided by Permissions Management includes metrics related to avoidable risk. These metrics allow the Permissions Management administrator to identify areas where they can reduce risks related to the principle of least permissions. -You can view the following information in CloudKnox: +You can view the following information in Entra: -- The **Permission Creep Index (PCI)** heat map on the CloudKnox **Dashboard** identifies: +- The **Permission Creep Index (PCI)** heat map on the Permissions Management **Dashboard** identifies: - The number of users who have been granted high-risk permissions but aren't using them. - The number of users who contribute to the permission creep index (PCI) and where they are on the scale. 
-- The [**Analytics** dashboard](cloudknox-usage-analytics-home.md) provides a snapshot of permission metrics within the last 90 days. +- The [**Analytics** dashboard](usage-analytics-home.md) provides a snapshot of permission metrics within the last 90 days. -## Components of the CloudKnox Dashboard +## Components of the Permissions Management Dashboard -The CloudKnox **Dashboard** displays the following information: +The Permissions Management **Dashboard** displays the following information: - **Authorization system types**: A dropdown list of authorization system types you can access: AWS, Azure, and GCP. - -- **Authorization System**: Displays a **List** of accounts and **Folders** in the selected authorization system you can access. + +- **Authorization System**: Displays a **List** of accounts and **Folders** in the selected authorization system you can access. - To add or remove accounts and folders, from the **Name** list, select or deselect accounts and folders, and then select **Apply**. 
@@ -48,17 +48,17 @@ The CloudKnox **Dashboard** displays the following information: The PCI graph may display one or more bubbles. Each bubble displays the number of identities that are considered high risk. *High-risk* refers to the number of users who have permissions that exceed their normal or required usage. - To display a list of the number of identities contributing to the **Low PCI**, **Medium PCI**, and **High PCI**, select the **List** icon in the upper right of the graph. - - To display the PCI graph again, select the **Graph** icon in the upper right of the list box. + - To display the PCI graph again, select the **Graph** icon in the upper right of the list box. - **Highest PCI change**: Displays a list of your accounts and information about the **PCI** and **Change** in the index over the past 7 days. - To download the list, select the down arrow in the upper right of the list box. - The following message displays: **We'll email you a link to download the file.** - - Check your email for the message from the CloudKnox Customer Success Team. The email contains a link to the **PCI history** report in Microsoft Excel format. + The following message displays: **We'll email you a link to download the file.** + - Check your email for the message from the Permissions Management Customer Success Team. The email contains a link to the **PCI history** report in Microsoft Excel format. - The email also includes a link to the **Reports** dashboard, where you can configure how and when you want to receive reports automatically. - To view all the PCI changes, select **View all**. -- **Identity**: A summary of the **Findings** that includes: +- **Identity**: A summary of the **Findings** that includes: - The number of **Inactive** identities that haven't been accessed in over 90 days. - The number of **Super** identities that access data regularly. 
- The number of identities that can **Access secret information**: A list of roles that can access sensitive or secret information. @@ -73,7 +73,7 @@ The CloudKnox **Dashboard** displays the following information: - **Instances with access to S3 buckets** - **Unencrypted S3 buckets** - **SSE-S3 Encrypted buckets** - - **S3 Bucket accessible externally** + - **S3 Bucket accessible externally** @@ -85,7 +85,7 @@ The **Permission Creep Index** heat map shows the incurred risk of users with a - The number of resources a user has access to, otherwise known as resource reach. -- The high-risk permissions coupled with the number of resources a user has access to produce the score seen on the chart. +- The high-risk permissions coupled with the number of resources a user has access to produce the score seen on the chart. Permissions are classified as *high*, *medium*, and *low*. 
@@ -93,11 +93,11 @@ The **Permission Creep Index** heat map shows the incurred risk of users with a - **Medium** (displayed in yellow) - The score is between 34 and 67. The user has access to some high-risk permissions that they use, or have medium resource reach. - **Low** (displayed in green) - The score is between 0 and 33. The user has access to few high-risk permissions. They use all their permissions and have low resource reach. -- The number displayed on the graph shows how many users contribute to a particular score. To view detailed data about a user, hover over the number. +- The number displayed on the graph shows how many users contribute to a particular score. To view detailed data about a user, hover over the number. The distribution graph displays all the users who contribute to the permission creep. It displays how many users contribute to a particular score. For example, if the score from the PCI chart is 14, the graph shows how many users have a score of 14. -- The **PCI Trend** graph shows you the historical trend of the PCI score over the last 90 days. +- The **PCI Trend** graph shows you the historical trend of the PCI score over the last 90 days. - To download the **PCI history report**, select **Download**. ### View information on the heat map 
@@ -107,7 +107,7 @@ The **Permission Creep Index** heat map shows the incurred risk of users with a - The total number of **Identities** and how many of them are in the high, medium, and low categories. - The **PCI trend** over the last several weeks. -1. The **Identity** section below the heat map on the left side of the page shows all the relevant findings about identities, including roles that can access secret information, roles that are inactive, over provisioned active roles, and so on. +1. The **Identity** section below the heat map on the left side of the page shows all the relevant findings about identities, including roles that can access secret information, roles that are inactive, over provisioned active roles, and so on. - To expand the full list of identities, select **All findings**. @@ -116,7 +116,7 @@ The **Permission Creep Index** heat map shows the incurred risk of users with a ## The Analytics summary -You can also view a summary of users and activities section on the [Analytics dashboard](cloudknox-usage-analytics-home.md). This dashboard provides a snapshot of the following high-risk tasks or actions users have accessed, and displays the total number of users with the high-risk access, how many users are inactive or have unexecuted tasks, and how many users are active or have executed tasks: +You can also view a summary of users and activities section on the [Analytics dashboard](usage-analytics-home.md). This dashboard provides a snapshot of the following high-risk tasks or actions users have accessed, and displays the total number of users with the high-risk access, how many users are inactive or have unexecuted tasks, and how many users are active or have executed tasks: - **Users with access to high-risk tasks**: Displays the total number of users with access to a high risk task (**Total**), how many users have access but haven't used the task (**Inactive**), and how many users are actively using the task (**Active**). 
@@ -134,7 +134,5 @@ You can also view a summary of users and activities section on the [Analytics da ## Next steps -- For information on how to view authorization system and account activity data on the CloudKnox Dashboard, see [View data about the activity in your authorization system](cloudknox-product-dashboard.md). -- For an overview of the Analytics dashboard, see [An overview of the Analytics dashboard](cloudknox-usage-analytics-home.md). - - +- For information on how to view authorization system and account activity data on the Permissions ManagementDashboard, see [View data about the activity in your authorization system](product-dashboard.md). +- For an overview of the Analytics dashboard, see [An overview of the Analytics dashboard](usage-analytics-home.md).
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-remediation.md b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-remediation.md
similarity index 83%
rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-remediation.md
rename to articles/active-directory/cloud-infrastructure-entitlement-management/ui-remediation.md
index c2a38900d6ff..4d8ae893d635 100644
--- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-remediation.md
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-remediation.md
@@ -1,6 +1,6 @@
 ---
-title: View existing roles/policies and requests for permission in the Remediation dashboard in CloudKnox Permissions Management
-description: How to view existing roles/policies and requests for permission in the Remediation dashboard in CloudKnox Permissions Management.
+title: View existing roles/policies and requests for permission in the Remediation dashboard in Permissions Management
+description: How to view existing roles/policies and requests for permission in the Remediation dashboard in Permissions Management.
 services: active-directory
 author: kenwith
 manager: rkarlin
@@ -15,41 +15,41 @@ ms.author: kenwith # View roles/policies and requests for permission in the Remediation dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) provides an overview of roles/policies, permissions, a list of existing requests for permissions, and requests for permissions you have made. +The **Remediation** dashboard in Permissions Management provides an overview of roles/policies, permissions, a list of existing requests for permissions, and requests for permissions you have made. This article provides an overview of the components of the **Remediation** dashboard. > [!NOTE] -> To view the **Remediation** dashboard, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this dashboard, you must have **Controller** or **Administrator** permissions. If you don’t have these permissions, contact your system administrator. +> To view the **Remediation** dashboard, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this dashboard, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator. > [!NOTE] -> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both. +> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. 
Permissions Management automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both. ## Display the Remediation dashboard -1. On the CloudKnox home page, select the **Remediation** tab. +1. On the Permissions Management home page, select the **Remediation** tab. - The **Remediation** dashboard includes six subtabs: + The **Remediation** dashboard includes six subtabs: - **Roles/Policies**: Use this subtab to perform Create Read Update Delete (CRUD) operations on roles/policies. - **Permissions**: Use this subtab to perform Read Update Delete (RUD) on granted permissions. - **Role/Policy Template**: Use this subtab to create a template for roles/policies template. - **Requests**: Use this subtab to view approved, pending, and processed Permission on Demand (POD) requests. - - **My Requests**: Use this tab to manage lifecycle of the POD request either created by you or needs your approval. + - **My Requests**: Use this tab to manage lifecycle of the POD request either created by you or needs your approval. - **Settings**: Use this subtab to select **Request Role/Policy Filters**, **Request Settings**, and **Auto-Approve** settings. 1. Use the dropdown to select the **Authorization System Type** and **Authorization System**, and then select **Apply**. -## View and create roles/policies +## View and create roles/policies The **Role/Policies** subtab provides the following settings that you can use to view and create a role/policy. - **Authorization System Type**: Displays a dropdown with authorization system types you can access, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). - **Authorization System**: Displays a list of authorization systems accounts you can access. -- **Policy Type**: A dropdown with available role/policy types. You can select **All**, **Custom**, **System**, or **CloudKnox Only**. 
+- **Policy Type**: A dropdown with available role/policy types. You can select **All**, **Custom**, **System**, or **Permissions Management Only**. - **Policy Status**: A dropdown with available role/policy statuses. You can select **All**, **Assigned**, or **Unassigned**. - **Policy Usage**: A dropdown with **All** or **Unused** roles/policies. - **Apply**: Select this option to save the changes you've made. 
@@ -58,23 +58,23 @@ The **Role/Policies** subtab provides the following settings that you can use to The **Policy list** displays a list of existing roles/policies and the following information about each role/policy. - **Policy Name**: The name of the roles/policies available to you. -- **Policy Type**: **Custom**, **System**, or **CloudKnox Only** -- **Actions** +- **Policy Type**: **Custom**, **System**, or **Permissions Management Only** +- **Actions** - Select **Clone** to create a duplicate copy of the role/policy. - Select **Modify** to change the existing role/policy. - - Select **Delete** to delete the role/policy. + - Select **Delete** to delete the role/policy. Other options available to you: - **Search**: Select this option to search for a specific role/policy. - **Reload**: Select this option to refresh the displayed list of roles/policies. -- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file. +- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file. When the file is successfully exported, a message appears: **Exported Successfully.** - - Check your email for a message from the CloudKnox Customer Success Team. This email contains a link to: + - Check your email for a message from the Permissions Management Customer Success Team. This email contains a link to: - The **Role Policy Details** report in CSV format. - The **Reports** dashboard where you can configure how and when you can automatically receive reports. -- **Create Role/Policy**: Select this option to create a new role/policy. For more information, see [Create a role/policy](cloudknox-howto-create-role-policy.md). +- **Create Role/Policy**: Select this option to create a new role/policy. For more information, see [Create a role/policy](how-to-create-role-policy.md). ## Add filters to permissions 
@@ -91,11 +91,11 @@ The **Permissions** subtab provides the following settings that you can use to a - **Enter a Group Name**: A dropdown from which you can select a group name. - **Apply**: Select this option to save the changes you've made and run the filter. - **Reset Filter**: Select this option to discard the changes you've made. -- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file. +- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file. When the file is successfully exported, a message appears: **Exported Successfully.** - - Check your email for a message from the CloudKnox Customer Success Team. This email contains a link to: + - Check your email for a message from the Permissions Management Customer Success Team. This email contains a link to: - The **Role Policy Details** report in CSV format. - The **Reports** dashboard where you can configure how and when you can automatically receive reports. @@ -118,7 +118,7 @@ Other options available to you: - **Search**: Select this option to search for a specific role/policy. - **Reload**: Select this option to refresh the displayed list of roles/policies. -## View requests for permission +## View requests for permission Use the **Requests** tab to view a list of **Pending**, **Approved**, and **Processed** requests for permissions your team members have made. @@ -159,7 +159,7 @@ The **Pending** table displays the following information: **To return to the previous view:** -- Select the up arrow. +- Select the up arrow. ### View approved requests 
@@ -169,7 +169,7 @@ The **Approved** table displays information about the requests that have been ap The **Processed** table displays information about the requests that have been processed. -## View requests for permission for your approval +## View requests for permission for your approval Use the **My Requests** subtab to view a list of **Pending**, **Approved**, and **Processed** requests for permissions your team members have made and you must approve or reject. 
@@ -228,14 +228,13 @@ The **Settings** subtab provides the following settings that you can use to make ## Next steps -- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md). -- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md). -- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md). -- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md). -- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md). -- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md). -- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md). -- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md) -- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md). -- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md) - +- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md). +- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md). 
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md). +- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md). +- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md). +- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md). +- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md). +- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md) +- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md). +- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md) diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-tasks.md b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-tasks.md similarity index 63% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-tasks.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/ui-tasks.md index bd11caa9bb3b..c4d6d89960a9 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-tasks.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-tasks.md 
@@ -1,6 +1,6 @@ --- -title: View information about active and completed tasks in CloudKnox Permissions Management -description: How to view information about active and completed tasks in the Activities pane in CloudKnox Permissions Management. +title: View information about active and completed tasks in Permissions Management +description: How to view information about active and completed tasks in the Activities pane in Permissions Management. services: active-directory author: kenwith manager: rkarlin 
@@ -15,24 +15,24 @@ ms.author: kenwith # View information about active and completed tasks > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes the usage of the **CloudKnox Tasks** pane in CloudKnox Permissions Management (CloudKnox). +This article describes the usage of the **Permissions Management Tasks** pane in Permissions Management. ## Display active and completed tasks -1. In the CloudKnox home page, select **Tasks** (the timer icon). +1. In the Permissions Management home page, select **Tasks** (the timer icon). - The **CloudKnox Tasks** pane appears on the right of the CloudKnox home page. It has two tabs: + The **Permissions Management Tasks** pane appears on the right of the Permissions Management home page. It has two tabs: - **Active**: Displays a list of active tasks, a description of each task, and when the task was started. If there are no active tasks, the following message displays: **There are no active tasks**. - **Completed**: Displays a list of completed tasks, a description of each task, when the task was started and ended, and whether the task **Failed** or **Succeeded**. If there are no completed activities, the following message displays: **There are no recently completed tasks**. -1. To close the **CloudKnox Tasks** pane, click outside the pane. +1. To close the **Permissions Management Tasks** pane, click outside the pane. ## Next steps -- For information on how to create a role/policy in the **Remediation** dashboard, see [Create a role/policy](cloudknox-howto-create-role-policy.md). 
+- For information on how to create a role/policy in the **Remediation** dashboard, see [Create a role/policy](how-to-create-role-policy.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-triggers.md b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-triggers.md similarity index 78% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-triggers.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/ui-triggers.md index c0faaaaba109..01471aee6f3a 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-triggers.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-triggers.md @@ -1,6 +1,6 @@ --- -title: View information about activity triggers in CloudKnox Permissions Management -description: How to view information about activity triggers in the Activity triggers dashboard in CloudKnox Permissions Management. +title: View information about activity triggers in Permissions Management +description: How to view information about activity triggers in the Activity triggers dashboard in Permissions Management. services: active-directory author: kenwith manager: rkarlin 
@@ -15,14 +15,14 @@ ms.author: kenwith # View information about activity triggers > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes how to use the **Activity triggers** dashboard in CloudKnox Permissions Management (CloudKnox) to view information about activity alerts and triggers. +This article describes how to use the **Activity triggers** dashboard in Permissions Management to view information about activity alerts and triggers. ## Display the Activity triggers dashboard -- In the CloudKnox home page, select **Activity triggers** (the bell icon). +- In the Permissions Management home page, select **Activity triggers** (the bell icon). The **Activity triggers** dashboard has four tabs: @@ -46,8 +46,8 @@ The **Alerts** subtab in the **Activity**, **Rule-Based Anomaly**, **Statistical - If you select **Custom Range**, also enter **From** and **To** duration settings. - **Apply**: Select this option to activate your settings. - **Reset Filter**: Select this option to discard your settings. -- **Reload**: Select this option to refresh the displayed information. -- **Create Activity Trigger**: Select this option to [create a new alert trigger](cloudknox-howto-create-alert-trigger.md). +- **Reload**: Select this option to refresh the displayed information. +- **Create Activity Trigger**: Select this option to [create a new alert trigger](how-to-create-alert-trigger.md). - The **Alerts** table displays a list of alerts with the following information: - **Alerts**: The name of the alert. - **# of users subscribed**: The number of users who have subscribed to the alert. 
@@ -64,10 +64,10 @@ The **Rule-Based Anomaly** tab and the **Statistical Anomaly** tab both have one The **Alert Triggers** subtab in the **Activity**, **Rule-Based Anomaly**, **Statistical Anomaly**, and **Permission Analytics** tab displays the following information: - **Status**: Select the alert status you want to display: **All**, **Activated**, or **Deactivated**. -- **Apply**: Select this option to activate your settings. +- **Apply**: Select this option to activate your settings. - **Reset Filter**: Select this option to discard your settings. -- **Reload**: Select **Reload** to refresh the displayed information. -- **Create Activity Trigger**: Select this option to [create a new alert trigger](cloudknox-howto-create-alert-trigger.md). +- **Reload**: Select **Reload** to refresh the displayed information. +- **Create Activity Trigger**: Select this option to [create a new alert trigger](how-to-create-alert-trigger.md). - The **Triggers** table displays a list of triggers with the following information: - **Alerts**: The name of the alert. - **# of users subscribed**: The number of users who have subscribed to the alert. 
@@ -81,7 +81,7 @@ The **Alert Triggers** subtab in the **Activity**, **Rule-Based Anomaly**, **Sta ## Next steps -- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](cloudknox-howto-create-alert-trigger.md). -- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](cloudknox-product-rule-based-anomalies.md). -- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](cloudknox-product-statistical-anomalies.md). -- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md). +- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](how-to-create-alert-trigger.md). +- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](product-rule-based-anomalies.md). +- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](product-statistical-anomalies.md). +- For information on permission analytics triggers, see [Create and view permission analytics triggers](product-permission-analytics.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-user-management.md b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-user-management.md similarity index 82% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-user-management.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/ui-user-management.md index 010ce9de7b7e..0ac386906b41 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-user-management.md 
+++ b/articles/active-directory/cloud-infrastructure-entitlement-management/ui-user-management.md @@ -1,6 +1,6 @@ --- -title: Manage users and groups with the User management dashboard in CloudKnox Permissions Management -description: How to manage users and groups in the User management dashboard in CloudKnox Permissions Management. +title: Manage users and groups with the User management dashboard in Permissions Management +description: How to manage users and groups in the User management dashboard in Permissions Management. services: active-directory author: kenwith manager: rkarlin @@ -15,14 +15,14 @@ ms.author: kenwith # Manage users and groups with the User management dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article describes how to use the CloudKnox Permissions Management (CloudKnox) **User management** dashboard to view and manage users and groups. +This article describes how to use the Permissions Management **User management** dashboard to view and manage users and groups. **To display the User management dashboard**: -- In the upper right of the CloudKnox home page, select **User** (your initials) in the upper right of the screen, and then select **User management.** +- In the upper right of the Permissions Management home page, select **User** (your initials) in the upper right of the screen, and then select **User management.** The **User Management** dashboard has two tabs: 
@@ -30,7 +30,7 @@ This article describes how to use the CloudKnox Permissions Management (CloudKno - **Groups**: Displays information about groups. ## Manage users - + Use the **Users** tab to display the following information about users: - **Name** and **Email Address**: The user's name and email address. @@ -49,11 +49,11 @@ You can also select the following options: - **Search**: Enter a name or email address to search for a specific user. ## Manage groups - + Use the **Groups** tab to display the following information about groups: - **Name**: Displays the registered user's name and email address. -- **Permissions**: +- **Permissions**: - The **Authorization Systems** and the type of permissions the user has been granted: **Admin for all Authorization System Types**, **Admin for selected Authorization System Types**, or **Custom**. - Information about the **Viewer**, **Controller**, **Approver**, and **Requestor**. - **Modified By**: The email address of the user who modified the group. @@ -69,7 +69,7 @@ Use the **Groups** tab to display the following information about groups: - **Edit Permissions**: Select this option to modify the group's permissions. - **Delete**: Select this option to delete the group's permissions. - The **Delete Permission** box asks you to confirm that you want to delete the group. + The **Delete Permission** box asks you to confirm that you want to delete the group. - Select **Delete** if you want to delete the group, **Cancel** to discard your changes. 
@@ -77,13 +77,13 @@ You can also select the following options: - **Reload**: Select this option to refresh the information displayed in the **User** table. - **Search**: Enter a name or email address to search for a specific user. -- **Filters**: Select the authorization systems and accounts you want to display. -- **Create Permission**: Create a group and set up its permissions. For more information, see [Create group-based permissions](cloudknox-howto-create-group-based-permissions.md) +- **Filters**: Select the authorization systems and accounts you want to display. +- **Create Permission**: Create a group and set up its permissions. For more information, see [Create group-based permissions](how-to-create-group-based-permissions.md) ## Next steps -- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](cloudknox-ui-tasks.md). -- For information about how to view personal and organization information, see [View personal and organization information](cloudknox-product-account-settings.md). -- For information about how to select group-based permissions settings, see [Select group-based permissions settings](cloudknox-howto-create-group-based-permissions.md). +- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](ui-tasks.md). +- For information about how to view personal and organization information, see [View personal and organization information](product-account-settings.md). +- For information about how to select group-based permissions settings, see [Select group-based permissions settings](how-to-create-group-based-permissions.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-access-keys.md b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-access-keys.md similarity index 83% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-access-keys.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-access-keys.md index 2d8b54bda220..c2677c84e9cf 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-access-keys.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-access-keys.md @@ -1,6 +1,6 @@ --- -title: View analytic information about access keys in CloudKnox Permissions Management -description: How to view analytic information about access keys in CloudKnox Permissions Management. +title: View analytic information about access keys in Permissions Management +description: How to view analytic information about access keys in Permissions Management. services: active-directory author: kenwith manager: rkarlin 
@@ -15,10 +15,10 @@ ms.author: kenwith # View analytic information about access keys > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) provides details about identities, resources, and tasks that you can use make informed decisions about granting permissions, and reducing risk on unused permissions. +The **Analytics** dashboard in Permissions Management provides details about identities, resources, and tasks that you can use make informed decisions about granting permissions, and reducing risk on unused permissions. - **Users**: Tracks assigned permissions and usage of various identities. - **Groups**: Tracks assigned permissions and usage of the group and the group members. @@ -31,9 +31,9 @@ This article describes how to view usage analytics about access keys. ## Create a query to view access keys -When you select **Access keys**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities. +When you select **Access keys**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities. -1. On the main **Analytics** dashboard, select **Access Keys** from the drop-down list at the top of the screen. +1. On the main **Analytics** dashboard, select **Access Keys** from the drop-down list at the top of the screen. The following components make up the **Access Keys** dashboard: 
@@ -53,8 +53,8 @@ When you select **Access keys**, the **Analytics** dashboard provides a high-lev The **Access Keys** table displays the results of your query. -- **Access Key ID**: Provides the ID for the access key. - - To view details about the access keys, select the down arrow to the left of the ID. +- **Access Key ID**: Provides the ID for the access key. + - To view details about the access keys, select the down arrow to the left of the ID. - The **Owner** name. - The **Account** number. - The **Permission Creep Index (PCI)**: Provides the following information: 
@@ -65,26 +65,26 @@ The **Access Keys** table displays the results of your query. - **Access Key Age**: How old the access key is, in days. - **Last Used**: How long ago the access key was last accessed. -## Apply filters to your query +## Apply filters to your query -There are many filter options within the **Active Tasks** screen, including filters by **Authorization System**, filters by **User** and filters by **Task**. -Filters can be applied in one, two, or all three categories depending on the type of information you're looking for. +There are many filter options within the **Active Tasks** screen, including filters by **Authorization System**, filters by **User** and filters by **Task**. +Filters can be applied in one, two, or all three categories depending on the type of information you're looking for. ### Apply filters by authorization system type 1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. Select **Apply** to run your query and display the information you selected. - Select **Reset Filter** to discard your changes. + Select **Reset Filter** to discard your changes. ### Apply filters by authorization system -1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. +1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**. 1. Select **Apply** to run your query and display the information you selected. - Select **Reset Filter** to discard your changes. + Select **Reset Filter** to discard your changes. ### Apply filters by key status 
@@ -128,12 +128,12 @@ Filters can be applied in one, two, or all three categories depending on the typ ## Export the results of your query -- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV** or **CSV (Detailed)**. +- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV** or **CSV (Detailed)**. ## Next steps -- To view active tasks, see [View usage analytics about active tasks](cloudknox-usage-analytics-active-tasks.md). -- To view assigned permissions and usage by users, see [View usage analytics about users](cloudknox-usage-analytics-users.md). -- To view assigned permissions and usage of the group and the group members, see [View usage analytics about groups](cloudknox-usage-analytics-groups.md). -- To view active resources, see [View usage analytics about active resources](cloudknox-usage-analytics-active-resources.md). -- To view assigned permissions and usage of the serverless functions, see [View usage analytics about serverless functions](cloudknox-usage-analytics-serverless-functions.md). +- To view active tasks, see [View usage analytics about active tasks](usage-analytics-active-tasks.md). +- To view assigned permissions and usage by users, see [View usage analytics about users](usage-analytics-users.md). +- To view assigned permissions and usage of the group and the group members, see [View usage analytics about groups](usage-analytics-groups.md). +- To view active resources, see [View usage analytics about active resources](usage-analytics-active-resources.md). +- To view assigned permissions and usage of the serverless functions, see [View usage analytics about serverless functions](usage-analytics-serverless-functions.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-active-resources.md b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-active-resources.md similarity index 80% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-active-resources.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-active-resources.md index e42aa721e001..d05b4f4b4898 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-active-resources.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-active-resources.md @@ -1,6 +1,6 @@ --- -title: View analytic information about active resources in CloudKnox Permissions Management -description: How to view usage analytics about active resources in CloudKnox Permissions Management. +title: View analytic information about active resources in Permissions Management +description: How to view usage analytics about active resources in Permissions Management. services: active-directory author: kenwith manager: rkarlin 
@@ -15,10 +15,10 @@ ms.author: kenwith # View analytic information about active resources > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for: +The **Analytics** dashboard in Permissions Management collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for: - **Users**: Tracks assigned permissions and usage of various identities. - **Groups**: Tracks assigned permissions and usage of the group and the group members. @@ -31,7 +31,7 @@ This article describes how to view usage analytics about active resources. ## Create a query to view active resources -1. On the main **Analytics** dashboard, select **Active Resources** from the drop-down list at the top of the screen. +1. On the main **Analytics** dashboard, select **Active Resources** from the drop-down list at the top of the screen. The dashboard only lists tasks that are active. The following components make up the **Active Resources** dashboard: 1. From the dropdowns, select: 
@@ -50,8 +50,8 @@ This article describes how to view usage analytics about active resources. The **Active Resources** table displays the results of your query: -- **Resource Name**: Provides the name of the task. - - To view details about the task, select the down arrow. +- **Resource Name**: Provides the name of the task. + - To view details about the task, select the down arrow. - **Account**: The name of the account. - **Resources Type**: The type of resources used, for example, **bucket** or **key**. - **Tasks**: Displays the number of **Granted** and **Executed** tasks. 
@@ -68,26 +68,26 @@ The **Active Resources** table displays the results of your query: 1. To add the tag to the serverless function, select **Add Tag**. -## Apply filters to your query +## Apply filters to your query -There are many filter options within the **Active Resources** screen, including filters by **Authorization System**, filters by **User** and filters by **Task**. -Filters can be applied in one, two, or all three categories depending on the type of information you're looking for. +There are many filter options within the **Active Resources** screen, including filters by **Authorization System**, filters by **User** and filters by **Task**. +Filters can be applied in one, two, or all three categories depending on the type of information you're looking for. ### Apply filters by authorization system 1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. Select **Apply** to run your query and display the information you selected. - Select **Reset Filter** to discard your changes. + Select **Reset Filter** to discard your changes. ### Apply filters by authorization system type -1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. +1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**. 1. Select **Apply** to run your query and display the information you selected. - Select **Reset Filter** to discard your changes. + Select **Reset Filter** to discard your changes. ### Apply filters by task type 
@@ -114,13 +114,13 @@ You can filter user details by type of user, user role, app, or service used, or ## Export the results of your query -- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**. +- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**. ## Next steps -- To track active tasks, see [View usage analytics about active tasks](cloudknox-usage-analytics-active-tasks.md). -- To track assigned permissions and usage of users, see [View usage analytics about users](cloudknox-usage-analytics-users.md). -- To track assigned permissions and usage of the group and the group members, see [View usage analytics about groups](cloudknox-usage-analytics-groups.md). -- To track the permission usage of access keys for a given user, see [View usage analytics about access keys](cloudknox-usage-analytics-access-keys.md). -- To track assigned permissions and usage of the serverless functions, see [View usage analytics about serverless functions](cloudknox-usage-analytics-serverless-functions.md). +- To track active tasks, see [View usage analytics about active tasks](usage-analytics-active-tasks.md). +- To track assigned permissions and usage of users, see [View usage analytics about users](usage-analytics-users.md). +- To track assigned permissions and usage of the group and the group members, see [View usage analytics about groups](usage-analytics-groups.md). +- To track the permission usage of access keys for a given user, see [View usage analytics about access keys](usage-analytics-access-keys.md). +- To track assigned permissions and usage of the serverless functions, see [View usage analytics about serverless functions](usage-analytics-serverless-functions.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-active-tasks.md b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-active-tasks.md similarity index 77% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-active-tasks.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-active-tasks.md index e0e6679f637f..729df078b99d 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-active-tasks.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-active-tasks.md @@ -1,6 +1,6 @@ --- -title: View analytic information about active tasks in CloudKnox Permissions Management -description: How to view analytic information about active tasks in CloudKnox Permissions Management. +title: View analytic information about active tasks in Permissions Management +description: How to view analytic information about active tasks in Permissions Management. services: active-directory author: kenwith manager: rkarlin 
@@ -15,10 +15,10 @@ ms.author: kenwith # View analytic information about active tasks > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for: +The **Analytics** dashboard in Permissions Management collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for: - **Users**: Tracks assigned permissions and usage of various identities. - **Groups**: Tracks assigned permissions and usage of the group and the group members. @@ -31,9 +31,9 @@ This article describes how to view usage analytics about active tasks. ## Create a query to view active tasks -When you select **Active Tasks**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities. +When you select **Active Tasks**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities. -1. On the main **Analytics** dashboard, select **Active Tasks** from the drop-down list at the top of the screen. +1. On the main **Analytics** dashboard, select **Active Tasks** from the drop-down list at the top of the screen. The dashboard only lists tasks that are active. The following components make up the **Active Tasks** dashboard: 
@@ -51,12 +51,12 @@ When you select **Active Tasks**, the **Analytics** dashboard provides a high-le The **Active Tasks** table displays the results of your query. -- **Task Name**: Provides the name of the task. - - To view details about the task, select the down arrow in the table. +- **Task Name**: Provides the name of the task. + - To view details about the task, select the down arrow in the table. - A **Normal Task** icon displays to the left of the task name if the task is normal (that is, not risky). - - A **Deleted Task** icon displays to the left of the task name if the task involved deleting data. - - A **High-Risk Task** icon displays to the left of the task name if the task is high-risk. + - A **Deleted Task** icon displays to the left of the task name if the task involved deleting data. + - A **High-Risk Task** icon displays to the left of the task name if the task is high-risk. - **Performed on (resources)**: The number of resources on which the task was used. 
@@ -65,25 +65,25 @@ The **Active Tasks** table displays the results of your query. - **Accessed**: Displays the number of users that have accessed the task. -## Apply filters to your query +## Apply filters to your query -There are many filter options within the **Active Tasks** screen, including **Authorization System**, **User**, and **Task**. -Filters can be applied in one, two, or all three categories depending on the type of information you're looking for. +There are many filter options within the **Active Tasks** screen, including **Authorization System**, **User**, and **Task**. +Filters can be applied in one, two, or all three categories depending on the type of information you're looking for. ### Apply filters by authorization system type 1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. Select **Apply** to run your query and display the information you selected. - Select **Reset Filter** to discard your changes. + Select **Reset Filter** to discard your changes. ### Apply filters by authorization system -1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. +1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**. 1. Select **Apply** to run your query and display the information you selected. - Select **Reset Filter** to discard your changes. + Select **Reset Filter** to discard your changes. ### Apply filters by task type 
@@ -100,12 +100,12 @@ You can filter user details by type of user, user role, app, or service used, or ## Export the results of your query -- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**. +- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**. ## Next steps -- To view assigned permissions and usage by users, see [View analytic information about users](cloudknox-usage-analytics-users.md). -- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](cloudknox-usage-analytics-groups.md). -- To view active resources, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md). -- To view the permission usage of access keys for a given user, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md). -- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](cloudknox-usage-analytics-serverless-functions.md). +- To view assigned permissions and usage by users, see [View analytic information about users](usage-analytics-users.md). +- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](usage-analytics-groups.md). +- To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md). +- To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md). +- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md). 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-groups.md b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-groups.md similarity index 83% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-groups.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-groups.md index f53777999454..11894bc662e3 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-groups.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-groups.md @@ -1,6 +1,6 @@ --- -title: View analytic information about groups in CloudKnox Permissions Management -description: How to view analytic information about groups in CloudKnox Permissions Management. +title: View analytic information about groups in Permissions Management +description: How to view analytic information about groups in Permissions Management. services: active-directory author: kenwith manager: rkarlin 
@@ -15,10 +15,10 @@ ms.author: kenwith # View analytic information about groups > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for: +The **Analytics** dashboard in Permissions Management collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for: - **Users**: Tracks assigned permissions and usage of various identities. - **Groups**: Tracks assigned permissions and usage of the group and the group members. @@ -31,9 +31,9 @@ This article describes how to view usage analytics about groups. ## Create a query to view groups -When you select **Groups**, the **Usage Analytics** dashboard provides a high-level overview of groups. +When you select **Groups**, the **Usage Analytics** dashboard provides a high-level overview of groups. -1. On the main **Analytics** dashboard, select **Groups** from the drop-down list at the top of the screen. +1. On the main **Analytics** dashboard, select **Groups** from the drop-down list at the top of the screen. The following components make up the **Groups** dashboard: 
@@ -51,8 +51,8 @@ When you select **Groups**, the **Usage Analytics** dashboard provides a high-le The **Groups** table displays the results of your query: -- **Group Name**: Provides the name of the group. - - To view details about the group, select the down arrow. +- **Group Name**: Provides the name of the group. + - To view details about the group, select the down arrow. - A **Group Type** icon displays to the left of the group name to describe the type of group (**ED** or **Local**). - The **Domain/Account** name. - The **Permission Creep Index (PCI)**: Provides the following information: 
@@ -83,25 +83,25 @@ The **Groups** table displays the results of your query: 1. From the **Tasks** dropdown, select **All Tasks**, **High Risk Tasks**, and **Delete Tasks**. 1. The pane on the right displays a list of **Users**, **Policies** for **AWS** and **Roles** for **GCP or AZURE**, and **Tags**. -## Apply filters to your query +## Apply filters to your query -There are many filter options within the **Groups** screen, including filters by **Authorization System Type**, **Authorization System**, **Group Type**, **Group Activity Status**, and **Tasks Type**. -Filters can be applied in one, two, or all three categories depending on the type of information you're looking for. +There are many filter options within the **Groups** screen, including filters by **Authorization System Type**, **Authorization System**, **Group Type**, **Group Activity Status**, and **Tasks Type**. +Filters can be applied in one, two, or all three categories depending on the type of information you're looking for. ### Apply filters by authorization system type 1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. Select **Apply** to run your query and display the information you selected. - Select **Reset Filter** to discard your changes. + Select **Reset Filter** to discard your changes. ### Apply filters by authorization system -1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. +1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**. 1. Select **Apply** to run your query and display the information you selected. - Select **Reset Filter** to discard your changes. + Select **Reset Filter** to discard your changes. 
### Apply filters by group type 
@@ -140,15 +140,15 @@ You can filter user details by type of user, user role, app, or service used, or ## Export the results of your query -- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**. -- To view a list of members of the groups in your query, select **Export**, and then select **Memberships**. +- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**. +- To view a list of members of the groups in your query, select **Export**, and then select **Memberships**. ## Next steps -- To view active tasks, see [View analytic information about active tasks](cloudknox-usage-analytics-active-tasks.md). -- To view assigned permissions and usage by users, see [View analytic information about users](cloudknox-usage-analytics-users.md). -- To view active resources, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md). -- To view the permission usage of access keys for a given user, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md). -- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](cloudknox-usage-analytics-serverless-functions.md). +- To view active tasks, see [View analytic information about active tasks](usage-analytics-active-tasks.md). +- To view assigned permissions and usage by users, see [View analytic information about users](usage-analytics-users.md). +- To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md). +- To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md). 
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-home.md b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-home.md similarity index 61% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-home.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-home.md index 055a106e941f..e0933b95f7a1 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-home.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-home.md @@ -1,6 +1,6 @@ --- -title: View analytic information with the Analytics dashboard in CloudKnox Permissions Management -description: How to use the Analytics dashboard in CloudKnox Permissions Management to view details about users, groups, active resources, active tasks, access keys, and serverless functions. +title: View analytic information with the Analytics dashboard in Permissions Management +description: How to use the Analytics dashboard in Permissions Management to view details about users, groups, active resources, active tasks, access keys, and serverless functions. services: active-directory author: kenwith manager: rkarlin 
@@ -15,28 +15,28 @@ ms.author: kenwith # View analytic information with the Analytics dashboard > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This article provides a brief overview of the Analytics dashboard in CloudKnox Permissions Management (CloudKnox), and the type of analytic information it provides for Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). +This article provides a brief overview of the Analytics dashboard in Permissions Management, and the type of analytic information it provides for Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). ## Display the Analytics dashboard -- From the CloudKnox home page, select the **Analytics** tab. +- From the Permissions Management home page, select the **Analytics** tab. - The **Analytics** dashboard displays detailed information about: + The **Analytics** dashboard displays detailed information about: - - **Users**: Tracks assigned permissions and usage by users. For more information, see [View analytic information about users](cloudknox-usage-analytics-users.md). + - **Users**: Tracks assigned permissions and usage by users. For more information, see [View analytic information about users](usage-analytics-users.md). - - **Groups**: Tracks assigned permissions and usage of the group and the group members. For more information, see [View analytic information about groups](cloudknox-usage-analytics-groups.md). + - **Groups**: Tracks assigned permissions and usage of the group and the group members. For more information, see [View analytic information about groups](usage-analytics-groups.md). 
- - **Active Resources**: Tracks resources that have been used in the last 90 days. For more information, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md). + - **Active Resources**: Tracks resources that have been used in the last 90 days. For more information, see [View analytic information about active resources](usage-analytics-active-resources.md). - - **Active Tasks**: Tracks tasks that have been performed in the last 90 days. For more information, see [View analytic information about active tasks](cloudknox-usage-analytics-active-tasks.md). + - **Active Tasks**: Tracks tasks that have been performed in the last 90 days. For more information, see [View analytic information about active tasks](usage-analytics-active-tasks.md). - - **Access Keys**: Tracks the permission usage of access keys for a given user. For more information, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md). + - **Access Keys**: Tracks the permission usage of access keys for a given user. For more information, see [View analytic information about access keys](usage-analytics-access-keys.md). - - **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions for AWS only. For more information, see [View analytic information about serverless functions](cloudknox-usage-analytics-serverless-functions.md). + - **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions for AWS only. For more information, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md). System administrators can use this information to make decisions about granting permissions and reducing risk on unused permissions. 
@@ -44,9 +44,9 @@ This article provides a brief overview of the Analytics dashboard in CloudKnox P ## Next steps -- To view active tasks, see [View analytic information about active tasks](cloudknox-usage-analytics-active-tasks.md). -- To view assigned permissions and usage by users, see [View analytic information about users](cloudknox-usage-analytics-users.md). -- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](cloudknox-usage-analytics-groups.md). -- To view active resources, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md). -- To view the permission usage of access keys for a given user, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md). -- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](cloudknox-usage-analytics-serverless-functions.md). \ No newline at end of file +- To view active tasks, see [View analytic information about active tasks](usage-analytics-active-tasks.md). +- To view assigned permissions and usage by users, see [View analytic information about users](usage-analytics-users.md). +- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](usage-analytics-groups.md). +- To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md). +- To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md). +- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md). \ No newline at end of file 
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-serverless-functions.md b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-serverless-functions.md similarity index 79% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-serverless-functions.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-serverless-functions.md index 976ff2b442a0..e9d93ed26b0a 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-serverless-functions.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-serverless-functions.md @@ -1,6 +1,6 @@ --- -title: View analytic information about serverless functions in CloudKnox Permissions Management -description: How to view analytic information about serverless functions in CloudKnox Permissions Management. +title: View analytic information about serverless functions in Permissions Management +description: How to view analytic information about serverless functions in Permissions Management. services: active-directory author: kenwith manager: rkarlin 
@@ -15,10 +15,10 @@ ms.author: kenwith # View analytic information about serverless functions > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for: +The **Analytics** dashboard in Permissions Management collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for: - **Users**: Tracks assigned permissions and usage of various identities. - **Groups**: Tracks assigned permissions and usage of the group and the group members. @@ -31,9 +31,9 @@ This article describes how to view usage analytics about serverless functions. ## Create a query to view serverless functions -When you select **Serverless Functions**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities. +When you select **Serverless Functions**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities. -1. On the main **Analytics** dashboard, select **Serverless Functions** from the dropdown list at the top of the screen. +1. On the main **Analytics** dashboard, select **Serverless Functions** from the dropdown list at the top of the screen. The following components make up the **Serverless Functions** dashboard: 
@@ -49,8 +49,8 @@ When you select **Serverless Functions**, the **Analytics** dashboard provides a The **Serverless Functions** table displays the results of your query. -- **Function Name**: Provides the name of the serverless function. - - To view details about a serverless function, select the down arrow to the left of the function name. +- **Function Name**: Provides the name of the serverless function. + - To view details about a serverless function, select the down arrow to the left of the function name. - A **Function Type** icon displays to the left of the function name to describe the type of serverless function, for example **Lambda function**. - The **Permission Creep Index (PCI)**: Provides the following information: - **Index**: A numeric value assigned to the PCI. 
@@ -81,32 +81,32 @@ The **Serverless Functions** table displays the results of your query. 1. From the **Tasks** dropdown, select **All Tasks**, **High Risk Tasks**, and **Delete Tasks**. -## Apply filters to your query +## Apply filters to your query -You can filter the **Serverless Functions** results by **Authorization System Type** and **Authorization System**. +You can filter the **Serverless Functions** results by **Authorization System Type** and **Authorization System**. ### Apply filters by authorization system type 1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. Select **Apply** to run your query and display the information you selected. - Select **Reset Filter** to discard your changes. + Select **Reset Filter** to discard your changes. ### Apply filters by authorization system -1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. +1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**. 1. Select **Apply** to run your query and display the information you selected. - Select **Reset Filter** to discard your changes. + Select **Reset Filter** to discard your changes. ## Next steps -- To view active tasks, see [View usage analytics about active tasks](cloudknox-usage-analytics-active-tasks.md). -- To view assigned permissions and usage by users, see [View analytic information about users](cloudknox-usage-analytics-users.md). -- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](cloudknox-usage-analytics-groups.md). 
-- To view active resources, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md). -- To view the permission usage of access keys for a given user, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md). +- To view active tasks, see [View usage analytics about active tasks](usage-analytics-active-tasks.md). +- To view assigned permissions and usage by users, see [View analytic information about users](usage-analytics-users.md). +- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](usage-analytics-groups.md). +- To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md). +- To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md). diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-users.md b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-users.md similarity index 83% rename from articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-users.md rename to articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-users.md index 43aea761580c..51779608d21c 100644 --- a/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-users.md +++ b/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-users.md 
@@ -1,6 +1,6 @@ --- -title: View analytic information about users in CloudKnox Permissions Management -description: How to view analytic information about users in CloudKnox Permissions Management. +title: View analytic information about users in Permissions Management +description: How to view analytic information about users in Permissions Management. services: active-directory author: kenwith manager: rkarlin @@ -15,10 +15,10 @@ ms.author: kenwith # View analytic information about users > [!IMPORTANT] -> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW. +> Microsoft Entra Permissions Management is currently in PREVIEW. > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for: +The **Analytics** dashboard in Permissions Management collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for: - **Users**: Tracks assigned permissions and usage of various identities. - **Groups**: Tracks assigned permissions and usage of the group and the group members. 
@@ -31,9 +31,9 @@ This article describes how to view usage analytics about users.
 ## Create a query to view users
-When you select **Users**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.
+When you select **Users**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.
-1. On the main **Analytics** dashboard, select **Users** from the drop-down list at the top of the screen.
+1. On the main **Analytics** dashboard, select **Users** from the drop-down list at the top of the screen.
 The following components make up the **Users** dashboard:
@@ -43,15 +43,15 @@ When you select **Users**, the **Analytics** dashboard provides a high-level ove
 - **Search**: Enter criteria to find specific tasks.
 1. Select **Apply** to display the criteria you've selected.
- Select **Reset filter** to discard your changes.
+ Select **Reset filter** to discard your changes.
 ## View the results of your query
 The **Identities** table displays the results of your query.
-- **Name**: Provides the name of the group.
- - To view details about the group, select the down arrow.
+- **Name**: Provides the name of the group.
+ - To view details about the group, select the down arrow.
 - The **Domain/Account** name.
 - The **Permission Creep Index (PCI)**: Provides the following information:
 - **Index**: A numeric value assigned to the PCI.
@@ -79,26 +79,26 @@ The **Identities** table displays the results of your query.
 A message displays to confirm that your remediation settings are automatically updated.
-## Apply filters to your query
+## Apply filters to your query
-There are many filter options within the **Users** screen, including filters by **Authorization System**, **Identity Type**, and **Identity State**.
-Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+There are many filter options within the **Users** screen, including filters by **Authorization System**, **Identity Type**, and **Identity State**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
 ### Apply filters by authorization system type
 1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
 1. Select **Apply** to run your query and display the information you selected.
- Select **Reset Filter** to discard your changes.
+ Select **Reset Filter** to discard your changes.
 ### Apply filters by authorization system
-1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
 1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**.
 1. Select **Apply** to run your query and display the information you selected.
- Select **Reset filter** to discard your changes.
+ Select **Reset filter** to discard your changes.
 ### Apply filters by identity type
@@ -152,15 +152,15 @@ You can filter user details by type of user, user role, app, or service used, or
 ## Export the results of your query
-- To export a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**.
+- To export a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**.
 - To export the data in a detailed comma-separated values (CSV) file format, select **Export** and then select **CSV (Detailed)**.
 - To export a report of user permissions, select **Export** and then select **Permissions**.
 ## Next steps
-- To view active tasks, see [View analytic information about active tasks](cloudknox-usage-analytics-active-tasks.md).
-- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](cloudknox-usage-analytics-groups.md).
-- To view active resources, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md).
-- To view the permission usage of access keys for a given user, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md).
-- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](cloudknox-usage-analytics-serverless-functions.md).
+- To view active tasks, see [View analytic information about active tasks](usage-analytics-active-tasks.md).
+- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](usage-analytics-groups.md).
+- To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md).
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md).
\ No newline at end of file
diff --git a/articles/active-directory/develop/developer-glossary.md b/articles/active-directory/develop/developer-glossary.md
index ac417d44e0c9..8a670becc121 100644
--- a/articles/active-directory/develop/developer-glossary.md
+++ b/articles/active-directory/develop/developer-glossary.md
@@ -1,44 +1,42 @@
 ---
-title: Microsoft identity platform developer glossary | Azure
-description: A list of terms for commonly used Microsoft identity platform developer concepts and features.
+title: Glossary of terms in the Microsoft identity platform
+description: Definitions of terms commonly found in Microsoft identity platform documentation, Azure portal, and authentication SDKs like the Microsoft Authentication Library (MSAL).
 services: active-directory
 author: rwike77
 manager: CelesteDG
 ms.service: active-directory
 ms.subservice: develop
-ms.topic: conceptual
-ms.workload: identity
-ms.date: 12/14/2021
+ms.topic: reference
+ms.date: 05/28/2022
 ms.author: ryanwi
-ms.custom: aaddev
-ms.reviewer: jmprieur, saeeda, jesakowi, nacanuma
+ms.reviewer: mmacy
 ---
-# Microsoft identity platform developer glossary
+# Glossary: Microsoft identity platform
-This article contains definitions for some of the core developer concepts and terminology, which are helpful when learning about application development using Microsoft identity platform.
+You'll see these terms when you use our documentation, the Azure portal, our authentication libraries, and the Microsoft Graph API. Some terms are Microsoft-specific while others are related to protocols like OAuth or other technologies you use with the Microsoft identity platform.
 ## Access token
-A type of [security token](#security-token) issued by an [authorization server](#authorization-server), and used by a [client application](#client-application) in order to access a [protected resource server](#resource-server). Typically in the form of a [JSON Web Token (JWT)][JWT], the token embodies the authorization granted to the client by the [resource owner](#resource-owner), for a requested level of access. The token contains all applicable [claims](#claim) about the subject, enabling the client application to use it as a form of credential when accessing a given resource. This also eliminates the need for the resource owner to expose credentials to the client.
+A type of [security token](#security-token) issued by an [authorization server](#authorization-server) and used by a [client application](#client-application) to access a [protected resource server](#resource-server). Typically in the form of a [JSON Web Token (JWT)][JWT], the token embodies the authorization granted to the client by the [resource owner](#resource-owner), for a requested level of access. The token contains all applicable [claims](#claim) about the subject, enabling the client application to use it as a form of credential when accessing a given resource. This also eliminates the need for the resource owner to expose credentials to the client.
-Access tokens are only valid for a short period of time and cannot be revoked. An authorization server may also issue a [refresh token](#refresh-token) when the access token is issued. Refresh tokens are typically provided only to confidential client applications.
+Access tokens are only valid for a short period of time and can't be revoked. An authorization server may also issue a [refresh token](#refresh-token) when the access token is issued. Refresh tokens are typically provided only to confidential client applications.
 Access tokens are sometimes referred to as "User+App" or "App-Only", depending on the credentials being represented. For example, when a client application uses the:
-* ["Authorization code" authorization grant](#authorization-grant), the end user authenticates first as the resource owner, delegating authorization to the client to access the resource. The client authenticates afterward when obtaining the access token. The token can sometimes be referred to more specifically as a "User+App" token, as it represents both the user that authorized the client application, and the application.
-* ["Client credentials" authorization grant](#authorization-grant), the client provides the sole authentication, functioning without the resource-owner's authentication/authorization, so the token can sometimes be referred to as an "App-Only" token.
+- ["Authorization code" authorization grant](#authorization-grant), the end user authenticates first as the resource owner, delegating authorization to the client to access the resource. The client authenticates afterward when obtaining the access token. The token can sometimes be referred to more specifically as a "User+App" token, as it represents both the user that authorized the client application, and the application.
+- ["Client credentials" authorization grant](#authorization-grant), the client provides the sole authentication, functioning without the resource-owner's authentication/authorization, so the token can sometimes be referred to as an "App-Only" token.
 See the [access tokens reference][AAD-Tokens-Claims] for more details.
 ## Actor
-Another term for the [client application](#client-application) - this is the party acting on behalf of the subject, or [resource owner](#resource-owner).
+Another term for the [client application](#client-application). The actor is the party acting on behalf of a subject ([resource owner](#resource-owner)).
-## Application ID (client ID)
+## Application (client) ID
-The unique identifier Azure AD issues to an application registration that identifies a specific application and the associated configurations. This application ID ([client ID](https://tools.ietf.org/html/rfc6749#page-15)) is used when performing authentication requests and is provided to the authentication libraries in development time. The application ID (client ID) is not a secret.
+The application ID, or _[client ID](https://datatracker.ietf.org/doc/html/rfc6749#section-2.2)_, is a value the Microsoft identity platform assigns to your application when you register it in Azure AD. The application ID is a GUID value that uniquely identifies the application and its configuration within the identity platform. You add the app ID to your application's code, and authentication libraries include the value in their requests to the identity platform at application runtime. The application (client) ID isn't a secret - don't use it as a password or other credential.
 ## Application manifest
@@ -46,62 +44,62 @@ A feature provided by the [Azure portal][AZURE-portal], which produces a JSON re
 ## Application object
-When you register/update an application in the [Azure portal][AZURE-portal], the portal creates/updates both an application object and a corresponding [service principal object](#service-principal-object) for that tenant. The application object *defines* the application's identity configuration globally (across all tenants where it has access), providing a template from which its corresponding service principal object(s) are *derived* for use locally at run-time (in a specific tenant).
+When you register/update an application in the [Azure portal][AZURE-portal], the portal creates/updates both an application object and a corresponding [service principal object](#service-principal-object) for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where it has access), providing a template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant).
 For more information, see [Application and Service Principal Objects][AAD-App-SP-Objects].
 ## Application registration
-In order to allow an application to integrate with and delegate Identity and Access Management functions to Azure AD, it must be registered with an Azure AD [tenant](#tenant). When you register your application with Azure AD, you are providing an identity configuration for your application, allowing it to integrate with Azure AD and use features such as:
+In order to allow an application to integrate with and delegate Identity and Access Management functions to Azure AD, it must be registered with an Azure AD [tenant](#tenant). When you register your application with Azure AD, you're providing an identity configuration for your application, allowing it to integrate with Azure AD and use features like:
-* Robust management of Single Sign-On using Azure AD Identity Management and [OpenID Connect][OpenIDConnect] protocol implementation
-* Brokered access to [protected resources](#resource-server) by [client applications](#client-application), via OAuth 2.0 [authorization server](#authorization-server)
-* [Consent framework](#consent) for managing client access to protected resources, based on resource owner authorization.
+- Robust management of Single Sign-On using Azure AD Identity Management and [OpenID Connect][OpenIDConnect] protocol implementation
+- Brokered access to [protected resources](#resource-server) by [client applications](#client-application), via OAuth 2.0 [authorization server](#authorization-server)
+- [Consent framework](#consent) for managing client access to protected resources, based on resource owner authorization.
 See [Integrating applications with Azure Active Directory][AAD-Integrating-Apps] for more details.
 ## Authentication
-The act of challenging a party for legitimate credentials, providing the basis for creation of a security principal to be used for identity and access control. During an [OAuth2 authorization grant](#authorization-grant) for example, the party authenticating is filling the role of either [resource owner](#resource-owner) or [client application](#client-application), depending on the grant used.
+The act of challenging a party for legitimate credentials, providing the basis for creation of a security principal to be used for identity and access control. During an [OAuth 2.0 authorization grant](#authorization-grant) for example, the party authenticating is filling the role of either [resource owner](#resource-owner) or [client application](#client-application), depending on the grant used.
 ## Authorization
 The act of granting an authenticated security principal permission to do something. There are two primary use cases in the Azure AD programming model:
-* During an [OAuth2 authorization grant](#authorization-grant) flow: when the [resource owner](#resource-owner) grants authorization to the [client application](#client-application), allowing the client to access the resource owner's resources.
-* During resource access by the client: as implemented by the [resource server](#resource-server), using the [claim](#claim) values present in the [access token](#access-token) to make access control decisions based upon them.
+- During an [OAuth 2.0 authorization grant](#authorization-grant) flow: when the [resource owner](#resource-owner) grants authorization to the [client application](#client-application), allowing the client to access the resource owner's resources.
+- During resource access by the client: as implemented by the [resource server](#resource-server), using the [claim](#claim) values present in the [access token](#access-token) to make access control decisions based upon them.
 ## Authorization code
-A short lived "token" provided to a [client application](#client-application) by the [authorization endpoint](#authorization-endpoint), as part of the "authorization code" flow, one of the four OAuth2 [authorization grants](#authorization-grant). The code is returned to the client application in response to authentication of a [resource owner](#resource-owner), indicating the resource owner has delegated authorization to access the requested resources. As part of the flow, the code is later redeemed for an [access token](#access-token).
+A short-lived value provided by the [authorization endpoint](#authorization-endpoint) to a [client application](#client-application) during the OAuth 2.0 _authorization code grant flow_, one of the four OAuth 2.0 [authorization grants](#authorization-grant). Also called an _auth code_, the authorization code is returned to the client application in response to the authentication of a [resource owner](#resource-owner). The auth code indicates the resource owner has delegated authorization to the client application to access their resources. As part of the flow, the auth code is later redeemed for an [access token](#access-token).
 ## Authorization endpoint
-One of the endpoints implemented by the [authorization server](#authorization-server), used to interact with the [resource owner](#resource-owner) in order to provide an [authorization grant](#authorization-grant) during an OAuth2 authorization grant flow. Depending on the authorization grant flow used, the actual grant provided can vary, including an [authorization code](#authorization-code) or [security token](#security-token).
+One of the endpoints implemented by the [authorization server](#authorization-server), used to interact with the [resource owner](#resource-owner) to provide an [authorization grant](#authorization-grant) during an OAuth 2.0 authorization grant flow. Depending on the authorization grant flow used, the actual grant provided can vary, including an [authorization code](#authorization-code) or [security token](#security-token).
-See the OAuth2 specification's [authorization grant types][OAuth2-AuthZ-Grant-Types] and [authorization endpoint][OAuth2-AuthZ-Endpoint] sections, and the [OpenIDConnect specification][OpenIDConnect-AuthZ-Endpoint] for more details.
+See the OAuth 2.0 specification's [authorization grant types][OAuth2-AuthZ-Grant-Types] and [authorization endpoint][OAuth2-AuthZ-Endpoint] sections, and the [OpenIDConnect specification][OpenIDConnect-AuthZ-Endpoint] for more details.
 ## Authorization grant
-A credential representing the [resource owner's](#resource-owner) [authorization](#authorization) to access its protected resources, granted to a [client application](#client-application). A client application can use one of the [four grant types defined by the OAuth2 Authorization Framework][OAuth2-AuthZ-Grant-Types] to obtain a grant, depending on client type/requirements: "authorization code grant", "client credentials grant", "implicit grant", and "resource owner password credentials grant". The credential returned to the client is either an [access token](#access-token), or an [authorization code](#authorization-code) (exchanged later for an access token), depending on the type of authorization grant used.
+A credential representing the [resource owner's](#resource-owner) [authorization](#authorization) to access its protected resources, granted to a [client application](#client-application). A client application can use one of the [four grant types defined by the OAuth 2.0 Authorization Framework][OAuth2-AuthZ-Grant-Types] to obtain a grant, depending on client type/requirements: "authorization code grant", "client credentials grant", "implicit grant", and "resource owner password credentials grant". The credential returned to the client is either an [access token](#access-token), or an [authorization code](#authorization-code) (exchanged later for an access token), depending on the type of authorization grant used.
 ## Authorization server
-As defined by the [OAuth2 Authorization Framework][OAuth2-Role-Def], the server responsible for issuing access tokens to the [client](#client-application) after successfully authenticating the [resource owner](#resource-owner) and obtaining its authorization. A [client application](#client-application) interacts with the authorization server at runtime via its [authorization](#authorization-endpoint) and [token](#token-endpoint) endpoints, in accordance with the OAuth2 defined [authorization grants](#authorization-grant).
+As defined by the [OAuth 2.0 Authorization Framework][OAuth2-Role-Def], the server responsible for issuing access tokens to the [client](#client-application) after successfully authenticating the [resource owner](#resource-owner) and obtaining its authorization. A [client application](#client-application) interacts with the authorization server at runtime via its [authorization](#authorization-endpoint) and [token](#token-endpoint) endpoints, in accordance with the OAuth 2.0 defined [authorization grants](#authorization-grant).
 In the case of the Microsoft identity platform application integration, the Microsoft identity platform implements the authorization server role for Azure AD applications and Microsoft service APIs, for example [Microsoft Graph APIs][Microsoft-Graph].
 ## Claim
-A [security token](#security-token) contains claims, which provide assertions about one entity (such as a [client application](#client-application) or [resource owner](#resource-owner)) to another entity (such as the [resource server](#resource-server)). Claims are name/value pairs that relay facts about the token subject (for example, the security principal that was authenticated by the [authorization server](#authorization-server)). The claims present in a given token are dependent upon several variables, including the type of token, the type of credential used to authenticate the subject, the application configuration, etc.
+Claims are name/values pairs in a [security token](#security-token) that provide assertions made by one entity to another. These entities are typically the [client application](#client-application) or a [resource owner](#resource-owner) providing assertions to a [resource server](#resource-server). Claims relay facts about the token subject like the ID of the security principal that was authenticated by the [authorization server](#authorization-server). The claims present in a token can vary and depend on several factors like the type of token, type of credential used for authenticating the subject, the application configuration, and others.
 See the [Microsoft identity platform token reference][AAD-Tokens-Claims] for more details.
 ## Client application
-Also known as the "[actor](#actor)". As defined by the [OAuth2 Authorization Framework][OAuth2-Role-Def], an application that makes protected resource requests on behalf of the [resource owner](#resource-owner). They receive permissions from the resource owner in the form of scopes. The term "client" does not imply any particular hardware implementation characteristics (for instance, whether the application executes on a server, a desktop, or other devices).
+Also known as the "[actor](#actor)". As defined by the [OAuth 2.0 Authorization Framework][OAuth2-Role-Def], an application that makes protected resource requests on behalf of the [resource owner](#resource-owner). They receive permissions from the resource owner in the form of scopes. The term "client" doesn't imply any particular hardware implementation characteristics (for instance, whether the application executes on a server, a desktop, or other devices).
-A client application requests [authorization](#authorization) from a resource owner to participate in an [OAuth2 authorization grant](#authorization-grant) flow, and may access APIs/data on the resource owner's behalf. The OAuth2 Authorization Framework [defines two types of clients][OAuth2-Client-Types], "confidential" and "public", based on the client's ability to maintain the confidentiality of its credentials. Applications can implement a [web client (confidential)](#web-client) which runs on a web server, a [native client (public)](#native-client) installed on a device, or a [user-agent-based client (public)](#user-agent-based-client) which runs in a device's browser.
+A client application requests [authorization](#authorization) from a resource owner to participate in an [OAuth 2.0 authorization grant](#authorization-grant) flow, and may access APIs/data on the resource owner's behalf. The OAuth 2.0 Authorization Framework [defines two types of clients][OAuth2-Client-Types], "confidential" and "public", based on the client's ability to maintain the confidentiality of its credentials. Applications can implement a [web client (confidential)](#web-client) which runs on a web server, a [native client (public)](#native-client) installed on a device, or a [user-agent-based client (public)](#user-agent-based-client) which runs in a device's browser.
 ## Consent
@@ -111,7 +109,7 @@ See [consent framework](consent-framework.md) for more information.
 ## ID token
-An [OpenID Connect][OpenIDConnect-ID-Token] [security token](#security-token) provided by an [authorization server's](#authorization-server) [authorization endpoint](#authorization-endpoint), which contains [claims](#claim) pertaining to the authentication of an end user [resource owner](#resource-owner). Like an access token, ID tokens are also represented as a digitally signed [JSON Web Token (JWT)][JWT]. Unlike an access token though, an ID token's claims are not used for purposes related to resource access and specifically access control.
+An [OpenID Connect][OpenIDConnect-ID-Token] [security token](#security-token) provided by an [authorization server's](#authorization-server) [authorization endpoint](#authorization-endpoint), which contains [claims](#claim) pertaining to the authentication of an end user [resource owner](#resource-owner). Like an access token, ID tokens are also represented as a digitally signed [JSON Web Token (JWT)][JWT]. Unlike an access token though, an ID token's claims aren't used for purposes related to resource access and specifically access control.
 See the [ID token reference](id-tokens.md) for more details.
@@ -121,7 +119,7 @@ Eliminate the need for developers to manage credentials. Managed identities prov
 ## Microsoft identity platform
-The Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) identity service and developer platform. It allows developers to build applications that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or APIs that developers have built. It’s a full-featured platform that consists of an authentication service, libraries, application registration and configuration, full developer documentation, code samples, and other developer content. The Microsoft identity platform supports industry standard protocols such as OAuth 2.0 and OpenID Connect.
+The Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) identity service and developer platform. It allows developers to build applications that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or APIs that developers have built. It's a full-featured platform that consists of an authentication service, libraries, application registration and configuration, full developer documentation, code samples, and other developer content. The Microsoft identity platform supports industry standard protocols such as OAuth 2.0 and OpenID Connect.
 ## Multi-tenant application
@@ -131,14 +129,14 @@ See [How to sign in any Azure AD user using the multi-tenant application pattern
 ## Native client
-A type of [client application](#client-application) that is installed natively on a device. Since all code is executed on a device, it is considered a "public" client due to its inability to store credentials privately/confidentially. See [OAuth2 client types and profiles][OAuth2-Client-Types] for more details.
+A type of [client application](#client-application) that is installed natively on a device. Since all code is executed on a device, it's considered a "public" client due to its inability to store credentials privately/confidentially. See [OAuth 2.0 client types and profiles][OAuth2-Client-Types] for more details.
 ## Permissions
 A [client application](#client-application) gains access to a [resource server](#resource-server) by declaring permission requests. Two types are available:
-* "Delegated" permissions, which specify [scope-based](#scopes) access using delegated authorization from the signed-in [resource owner](#resource-owner), are presented to the resource at run-time as ["scp" claims](#claim) in the client's [access token](#access-token). These indicate the permission granted to the [actor](#actor) by the [subject](#subject).
-* "Application" permissions, which specify [role-based](#roles) access using the client application's credentials/identity, are presented to the resource at run-time as ["roles" claims](#claim) in the client's access token. These indicate permissions granted to the [subject](#subject) by the tenant.
+- "Delegated" permissions, which specify [scope-based](#scopes) access using delegated authorization from the signed-in [resource owner](#resource-owner), are presented to the resource at run-time as ["scp" claims](#claim) in the client's [access token](#access-token). These indicate the permission granted to the [actor](#actor) by the [subject](#subject).
+- "Application" permissions, which specify [role-based](#roles) access using the client application's credentials/identity, are presented to the resource at run-time as ["roles" claims](#claim) in the client's access token. These indicate permissions granted to the [subject](#subject) by the tenant.
 They also surface during the [consent](#consent) process, giving the administrator or resource owner the opportunity to grant/deny the client access to resources in their tenant.
@@ -146,21 +144,21 @@ Permission requests are configured on the **API permissions** page for an applic ## Refresh token -A type of [security token](#security-token) issued by an [authorization server](#authorization-server), and used by a [client application](#client-application) in order to request a new [access token](#access-token) before the access token expires. Typically in the form of a [JSON Web Token (JWT)][JWT]. +A type of [security token](#security-token) issued by an [authorization server](#authorization-server). Before an access token expires, a [client application](#client-application) includes its associated refresh token when it requests a new [access token](#access-token) from the authorization server. Refresh tokens are typically formatted as a [JSON Web Token (JWT)][JWT]. -Unlike access tokens, refresh tokens can be revoked. If a client application attempts to request a new access token using a refresh token that has been revoked, the authorization server will deny the request, and the client application will no longer have permission to access the [resource server](#resource-server) on behalf of the [resource owner](#resource-owner). +Unlike access tokens, refresh tokens can be revoked. An authorization server denies any request from a client application that includes a refresh token that has been revoked. When the authorization server denies a request that includes a revoked refresh token, the client application loses the permission to access the [resource server](#resource-server) on behalf of the [resource owner](#resource-owner). See the [refresh tokens](refresh-tokens.md) for more details. ## Resource owner -As defined by the [OAuth2 Authorization Framework][OAuth2-Role-Def], an entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end user. 
For example, when a [client application](#client-application) wants to access a user's mailbox through the [Microsoft Graph API][Microsoft-Graph], it requires permission from the resource owner of the mailbox. The "resource owner" is also sometimes called the [subject](#subject). +As defined by the [OAuth 2.0 Authorization Framework][OAuth2-Role-Def], an entity capable of granting access to a protected resource. When the resource owner is a person, it's referred to as an end user. For example, when a [client application](#client-application) wants to access a user's mailbox through the [Microsoft Graph API][Microsoft-Graph], it requires permission from the resource owner of the mailbox. The "resource owner" is also sometimes called the [subject](#subject). -Every [security token](#security-token) represents a resource owner. The resource owner is what the subject [claim](#claim), object ID claim, and personal data in the token represent. Resource owners are the party that grants delegated permissions to a client application, in the form of scopes. Resource owners are also the recipients of [roles](#roles) that indicate expanded permissions within a tenant or on an application. +Every [security token](#security-token) represents a resource owner. The resource owner is what the subject [claim](#claim), object ID claim, and personal data in the token represent. Resource owners are the party that grants delegated permissions to a client application, in the form of scopes. Resource owners are also the recipients of [roles](#roles) that indicate expanded permissions within a tenant or on an application. ## Resource server -As defined by the [OAuth2 Authorization Framework][OAuth2-Role-Def], a server that hosts protected resources, capable of accepting and responding to protected resource requests by [client applications](#client-application) that present an [access token](#access-token). Also known as a protected resource server, or resource application. 
+As defined by the [OAuth 2.0 Authorization Framework][OAuth2-Role-Def], a server that hosts protected resources, capable of accepting and responding to protected resource requests by [client applications](#client-application) that present an [access token](#access-token). Also known as a protected resource server, or resource application. A resource server exposes APIs and enforces access to its protected resources through [scopes](#scopes) and [roles](#roles), using the OAuth 2.0 Authorization Framework. Examples include the [Microsoft Graph API][Microsoft-Graph], which provides access to Azure AD tenant data, and the Microsoft 365 APIs that provide access to data such as mail and calendar. 
@@ -168,9 +166,9 @@ Just like a client application, resource application's identity configuration is ## Roles -Like [scopes](#scopes), app roles provide a way for a [resource server](#resource-server) to govern access to its protected resources. Unlike scopes, roles represent privileges that the [subject](#subject) has been granted beyond the baseline - this is why reading your own email is a scope, while being an email administrator that can read everyone's email is a role. +Like [scopes](#scopes), app roles provide a way for a [resource server](#resource-server) to govern access to its protected resources. Unlike scopes, roles represent privileges that the [subject](#subject) has been granted beyond the baseline - this is why reading your own email is a scope, while being an email administrator that can read everyone's email is a role. -App roles can support two assignment types: "user" assignment implements role-based access control for users/groups that require access to the resource, while "application" assignment implements the same for [client applications](#client-application) that require access. An app role can be defined as user-assignable, app-assignabnle, or both. +App roles can support two assignment types: "user" assignment implements role-based access control for users/groups that require access to the resource, while "application" assignment implements the same for [client applications](#client-application) that require access. An app role can be defined as user-assignable, app-assignabnle, or both. Roles are resource-defined strings (for example "Expense approver", "Read-only", "Directory.ReadWrite.All"), managed in the [Azure portal][AZURE-portal] via the resource's [application manifest](#application-manifest), and stored in the resource's [appRoles property][Graph-Sp-Resource]. 
The Azure portal is also used to assign users to "user" assignable roles, and configure client [application permissions](#permissions) to request "application" assignable roles. 
@@ -186,17 +184,17 @@ A best practice naming convention, is to use a "resource.operation.constraint" f ## Security token -A signed document containing claims, such as an OAuth2 token or SAML 2.0 assertion. For an OAuth2 [authorization grant](#authorization-grant), an [access token](#access-token) (OAuth2), [refresh token](#refresh-token), and an [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) are types of security tokens, all of which are implemented as a [JSON Web Token (JWT)][JWT]. +A signed document containing claims, such as an OAuth 2.0 token or SAML 2.0 assertion. For an OAuth 2.0 [authorization grant](#authorization-grant), an [access token](#access-token) (OAuth2), [refresh token](#refresh-token), and an [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) are types of security tokens, all of which are implemented as a [JSON Web Token (JWT)][JWT]. ## Service principal object -When you register/update an application in the [Azure portal][AZURE-portal], the portal creates/updates both an [application object](#application-object) and a corresponding service principal object for that tenant. The application object *defines* the application's identity configuration globally (across all tenants where the associated application has been granted access), and is the template from which its corresponding service principal object(s) are *derived* for use locally at run-time (in a specific tenant). +When you register/update an application in the [Azure portal][AZURE-portal], the portal creates/updates both an [application object](#application-object) and a corresponding service principal object for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where the associated application has been granted access), and is the template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant). 
For more information, see [Application and Service Principal Objects][AAD-App-SP-Objects]. ## Sign-in -The process of a [client application](#client-application) initiating end-user authentication and capturing related state, for the purpose of acquiring a [security token](#security-token) and scoping the application session to that state. State can include artifacts such as user profile information, and information derived from token claims. +The process of a [client application](#client-application) initiating end-user authentication and capturing related state for requesting a [security token](#security-token) and scoping the application session to that state. State can include artifacts like user profile information, and information derived from token claims. The sign-in function of an application is typically used to implement single-sign-on (SSO). It may also be preceded by a "sign-up" function, as the entry point for an end user to gain access to an application (upon first sign-in). The sign-up function is used to gather and persist additional state specific to the user, and may require [user consent](#consent). 
@@ -206,37 +204,37 @@ The process of unauthenticating an end user, detaching the user state associated ## Subject -Also known as the [resource owner](#resource-owner). +Also known as the [resource owner](#resource-owner). ## Tenant An instance of an Azure AD directory is referred to as an Azure AD tenant. It provides several features, including: -* a registry service for integrated applications -* authentication of user accounts and registered applications -* REST endpoints required to support various protocols including OAuth2 and SAML, including the [authorization endpoint](#authorization-endpoint), [token endpoint](#token-endpoint) and the "common" endpoint used by [multi-tenant applications](#multi-tenant-application). +- a registry service for integrated applications +- authentication of user accounts and registered applications +- REST endpoints required to support various protocols including OAuth 2.0 and SAML, including the [authorization endpoint](#authorization-endpoint), [token endpoint](#token-endpoint) and the "common" endpoint used by [multi-tenant applications](#multi-tenant-application). Azure AD tenants are created/associated with Azure and Microsoft 365 subscriptions during sign-up, providing Identity & Access Management features for the subscription. Azure subscription administrators can also create additional Azure AD tenants via the Azure portal. See [How to get an Azure Active Directory tenant][AAD-How-To-Tenant] for details on the various ways you can get access to a tenant. See [Associate or add an Azure subscription to your Azure Active Directory tenant][AAD-How-Subscriptions-Assoc] for details on the relationship between subscriptions and an Azure AD tenant, and for instructions on how to associate or add a subscription to an Azure AD tenant. ## Token endpoint -One of the endpoints implemented by the [authorization server](#authorization-server) to support OAuth2 [authorization grants](#authorization-grant). 
Depending on the grant, it can be used to acquire an [access token](#access-token) (and related "refresh" token) to a [client](#client-application), or [ID token](#id-token) when used with the [OpenID Connect][OpenIDConnect] protocol. +One of the endpoints implemented by the [authorization server](#authorization-server) to support OAuth 2.0 [authorization grants](#authorization-grant). Depending on the grant, it can be used to acquire an [access token](#access-token) (and related "refresh" token) to a [client](#client-application), or [ID token](#id-token) when used with the [OpenID Connect][OpenIDConnect] protocol. ## User-agent-based client -A type of [client application](#client-application) that downloads code from a web server and executes within a user-agent (for instance, a web browser), such as a single-page application (SPA). Since all code is executed on a device, it is considered a "public" client due to its inability to store credentials privately/confidentially. For more information, see [OAuth2 client types and profiles][OAuth2-Client-Types]. +A type of [client application](#client-application) that downloads code from a web server and executes within a user-agent (for instance, a web browser), such as a single-page application (SPA). Since all code is executed on a device, it is considered a "public" client due to its inability to store credentials privately/confidentially. For more information, see [OAuth 2.0 client types and profiles][OAuth2-Client-Types]. ## User principal -Similar to the way a service principal object is used to represent an application instance, a user principal object is another type of security principal, which represents a user. The Microsoft Graph [User resource type][Graph-User-Resource] defines the schema for a user object, including user-related properties such as first and last name, user principal name, directory role membership, etc. 
This provides the user identity configuration for Azure AD to establish a user principal at run-time. The user principal is used to represent an authenticated user for Single Sign-On, recording [consent](#consent) delegation, making access control decisions, etc. +Similar to the way a service principal object is used to represent an application instance, a user principal object is another type of security principal, which represents a user. The Microsoft Graph [User resource type][Graph-User-Resource] defines the schema for a user object, including user-related properties like first and last name, user principal name, directory role membership, etc. This provides the user identity configuration for Azure AD to establish a user principal at run-time. The user principal is used to represent an authenticated user for Single Sign-On, recording [consent](#consent) delegation, making access control decisions, etc. ## Web client -A type of [client application](#client-application) that executes all code on a web server, and able to function as a "confidential" client by securely storing its credentials on the server. For more information, see [OAuth2 client types and profiles][OAuth2-Client-Types]. +A type of [client application](#client-application) that executes all code on a web server, functioning as a _confidential client_ because it can securely store its credentials on the server. For more information, see [OAuth 2.0 client types and profiles][OAuth2-Client-Types]. ## Workload identity -An identity used by a software workload (such as an application, service, script, or container) to authenticate and access other services and resources. In Azure AD, workload identities are apps, service principals, and managed identities. For more information, see [workload identity overview](workload-identities-overview.md). +An identity used by a software workload like an application, service, script, or container to authenticate and access other services and resources. 
In Azure AD, workload identities are apps, service principals, and managed identities. For more information, see [workload identity overview](workload-identities-overview.md). ## Workload identity federation @@ -244,9 +242,9 @@ Allows you to securely access Azure AD protected resources from external apps an ## Next steps -The [Microsoft identity platform Developer's Guide][AAD-Dev-Guide] is the landing page to use for all the Microsoft identity platform development-related topics, including an overview of [application integration][AAD-How-To-Integrate] and the basics of the [Microsoft identity platform authentication and supported authentication scenarios][AAD-Auth-Scenarios]. You can also find code samples & tutorials on how to get up and running quickly on [GitHub](https://github.com/azure-samples?utf8=%E2%9C%93&q=active%20directory&type=&language=). +Many of the terms in this glossary are related to the OAuth 2.0 and OpenID Connect protocols. Though you don't need to know how the protocols work "on the wire" to use the identity platform, knowing some protocol basics can help you more easily build and debug authentication and authorization in your apps: -Use the following comments section to provide feedback and help to refine and shape this content, including requests for new definitions or updating existing ones! +- [OAuth 2.0 and OpenID Connect (OIDC) in the Microsoft identity platform](active-directory-v2-protocols.md) @@ -278,4 +276,4 @@ Use the following comments section to provide feedback and help to refine and sh [OAuth2-Role-Def]: https://tools.ietf.org/html/rfc6749#page-6 [OpenIDConnect]: https://openid.net/specs/openid-connect-core-1_0.html [OpenIDConnect-AuthZ-Endpoint]: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint -[OpenIDConnect-ID-Token]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken \ No newline at end of file +[OpenIDConnect-ID-Token]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken 
diff --git a/articles/active-directory/develop/includes/web-app/quickstart-nodejs-msal.md b/articles/active-directory/develop/includes/web-app/quickstart-nodejs-msal.md
index 6ccdb4ffd983..ed2c683cefa7 100644
--- a/articles/active-directory/develop/includes/web-app/quickstart-nodejs-msal.md
+++ b/articles/active-directory/develop/includes/web-app/quickstart-nodejs-msal.md
@@ -16,7 +16,7 @@ ms.custom: aaddev, scenarios:getting-started, languages:js, devx-track-js # Customer intent: As an application developer, I want to know how to set up authentication in a web application built using Node.js and MSAL Node.
---
-In this quickstart, you download and run a code sample that demonstrates how a Node.js web app can sign in users by using the authorization code flow. The code sample also demonstrates how to get an access token to call Microsoft Graph API.
+In this quickstart, you download and run a code sample that demonstrates how a Node.js web app can sign in users by using the authorization code flow. The code sample also demonstrates how to get an access token to call the Microsoft Graph API. See [How the sample works](#how-the-sample-works) for an illustration. 
@@ -37,8 +37,8 @@ This quickstart uses the Microsoft Authentication Library for Node.js (MSAL Node 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="../../media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. 1. Under **Manage**, select **App registrations** > **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. -1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. -1. Set the **Redirect URI** value to `http://localhost:3000/redirect`. +1. Under **Supported account types**, select **Accounts in this organizational directory only**. +1. Set the **Redirect URI** value to `http://localhost:3000/auth/redirect`. 1. Select **Register**. 1. On the app **Overview** page, note the **Application (client) ID** value for later use. 1. Under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**. Leave the description blank and default expiration, and then select **Add**. 
@@ -51,45 +51,34 @@ To run the project with a web server by using Node.js, [download the core projec #### Step 3: Configure your Node app -Extract the project, open the *ms-identity-node-main* folder, and then open the *index.js* file. - -Set the `clientID` value with the application (client) ID, and then set the `clientSecret` value with the client secret. - -```javascript -const config = { - auth: { - clientId: "Enter_the_Application_Id_Here", - authority: "https://login.microsoftonline.com/common", - clientSecret: "Enter_the_Client_Secret_Here" - }, - system: { - loggerOptions: { - loggerCallback(loglevel, message, containsPii) { - console.log(message); - }, - piiLoggingEnabled: false, - logLevel: msal.LogLevel.Verbose, - } - } -}; -``` - +Extract the project, open the *ms-identity-node-main* folder, and then open the *.env* file under the *App* folder. Replace the values above as follows: -Modify the values in the `config` section: +| Variable | Description | Example(s) | +|-----------|--------------|------------| +| `Enter_the_Cloud_Instance_Id_Here` | The Azure cloud instance in which your application is registered | `https://login.microsoftonline.com/` (include the trailing forward-slash) | +| `Enter_the_Tenant_Info_here` | Tenant ID or Primary domain | `contoso.microsoft.com` or `cbe899ec-5f5c-4efe-b7a0-599505d3d54f` | +| `Enter_the_Application_Id_Here` | Client ID of the application you registered | `cbe899ec-5f5c-4efe-b7a0-599505d3d54f` | +| `Enter_the_Client_Secret_Here` | Client secret of the application you registered | `WxvhStRfDXoEiZQj1qCy` | +| `Enter_the_Graph_Endpoint_Here` | The Microsoft Graph API cloud instance that your app will call | `https://graph.microsoft.com/` (include the trailing forward-slash) | +| `Enter_the_Express_Session_Secret_Here` | A random string of characters used to sign the Express session cookie | `WxvhStRfDXoEiZQj1qCy` | -- `Enter_the_Application_Id_Here` is the application (client) ID for the application you registered. 
+Your file should look similar to below: - To find the application (client) ID, go to the app registration's **Overview** page in the Azure portal. -- `Enter_the_Client_Secret_Here` is the client secret for the application you registered. +```text +CLOUD_INSTANCE=https://login.microsoftonline.com/ +TENANT_ID=cbe899ec-5f5c-4efe-b7a0-599505d3d54f +CLIENT_ID=fa29b4c9-7675-4b61-8a0a-bf7b2b4fda91 +CLIENT_SECRET=WxvhStRfDXoEiZQj1qCy - To retrieve or generate a new client secret, under **Manage**, select **Certificates & secrets**. +REDIRECT_URI=http://localhost:3000/auth/redirect +POST_LOGOUT_REDIRECT_URI=http://localhost:3000 -The default `authority` value represents the main (global) Azure cloud: +GRAPH_API_ENDPOINT=https://graph.microsoft.com/ -```javascript -authority: "https://login.microsoftonline.com/common", +EXPRESS_SESSION_SECRET=6DP6v09eLiW7f1E65B8k ``` + #### Step 4: Run the project Run the project by using Node.js. 
@@ -97,21 +86,22 @@ Run the project by using Node.js. 1. To start the server, run the following commands from within the project directory: ```console + cd App npm install npm start ``` 1. Go to `http://localhost:3000/`. -1. Select **Sign In** to start the sign-in process. +1. Select **Sign in** to start the sign-in process. - The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, you will see a log message in the command line. + The first time you sign in, you're prompted to provide your consent to allow the application to sign you in and access your profile. After you're signed in successfully, you'll be redirected back to the application home page. ## More information ### How the sample works -The sample hosts a web server on localhost, port 3000. When a web browser accesses this site, the sample immediately redirects the user to a Microsoft authentication page. Because of this, the sample does not contain any HTML or display elements. Authentication success displays the message "OK". +The sample hosts a web server on localhost, port 3000. When a web browser accesses this address, the app renders the home page. Once the user selects **Sign in**, the app redirects the browser to Azure AD sign-in screen, via the URL generated by the MSAL Node library. After user consents, the browser redirects the user back to the application home page, along with an ID and access token. ### MSAL Node @@ -123,5 +113,6 @@ npm install @azure/msal-node ## Next steps +Learn more about the web app scenario that the Microsoft identity platform supports: > [!div class="nextstepaction"] -> [Adding Auth to an existing web app - GitHub code sample >](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/auth-code) +> [Web app that signs in users scenario](../../scenario-web-app-sign-user-overview.md) 
diff --git a/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/graph-call-screen.png b/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/graph-call-screen.png
new file mode 100644
index 000000000000..366d9f849001
Binary files /dev/null and b/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/graph-call-screen.png differ
diff --git a/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/id-token-screen.png b/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/id-token-screen.png
new file mode 100644
index 000000000000..7b101c7d24bf
Binary files /dev/null and b/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/id-token-screen.png differ
diff --git a/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/post-sign-in-screen.png b/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/post-sign-in-screen.png
new file mode 100644
index 000000000000..278d3c2a6b8d
Binary files /dev/null and b/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/post-sign-in-screen.png differ
diff --git a/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/sign-out-screen.png b/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/sign-out-screen.png
new file mode 100644
index 000000000000..fc47e78a9ab3
Binary files /dev/null and b/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/sign-out-screen.png differ
diff --git a/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/welcome-screen.png b/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/welcome-screen.png
new file mode 100644
index 000000000000..f7a25c5d8aa1
Binary files /dev/null and b/articles/active-directory/develop/media/tutorial-v2-nodejs-webapp-msal/welcome-screen.png differ 
diff --git a/articles/active-directory/develop/mobile-app-quickstart-portal-android.md b/articles/active-directory/develop/mobile-app-quickstart-portal-android.md
index edab8ca0d69b..0651ad9f6677 100644
--- a/articles/active-directory/develop/mobile-app-quickstart-portal-android.md
+++ b/articles/active-directory/develop/mobile-app-quickstart-portal-android.md
@@ -24,7 +24,7 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language > > We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
-> [!div renderon="portal" class="sxs-lookup display-on-portal"]
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"] > # Quickstart: Sign in users and call the Microsoft Graph API from an Android app > > In this quickstart, you download and run a code sample that demonstrates how an Android application can sign in users and get an access token to call the Microsoft Graph API.
@@ -42,7 +42,7 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language > ### Step 1: Configure your application in the Azure portal > For the code sample in this quickstart to work, add a **Redirect URI** compatible with the Auth broker. > -> +> > > > [!div id="appconfigured" class="alert alert-info"] > > ![Already configured](media/quickstart-v2-android/green-check.png) Your application is configured with these attributes
@@ -50,7 +50,9 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language > ### Step 2: Download the project > > Run the project using Android Studio. -> +> +> > [!div class="nextstepaction"] +> > > > > ### Step 3: Your app is configured and ready to run 
@@ -484,4 +486,4 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language > Move on to the Android tutorial in which you build an Android app that gets an access token from the Microsoft identity platform and uses it to call the Microsoft Graph API. > > > [!div class="nextstepaction"] -> > [Tutorial: Sign in users and call the Microsoft Graph from an Android application](tutorial-v2-android.md)
\ No newline at end of file
+> > [Tutorial: Sign in users and call the Microsoft Graph from an Android application](tutorial-v2-android.md)
diff --git a/articles/active-directory/develop/mobile-app-quickstart-portal-ios.md b/articles/active-directory/develop/mobile-app-quickstart-portal-ios.md
index 87e9bc2f40c5..5158c3110668 100644
--- a/articles/active-directory/develop/mobile-app-quickstart-portal-ios.md
+++ b/articles/active-directory/develop/mobile-app-quickstart-portal-ios.md
@@ -26,7 +26,7 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language > > We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
-> [!div renderon="portal" class="sxs-lookup display-on-portal"]
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"] > # Quickstart: Sign in users and call the Microsoft Graph API from an iOS or macOS app > > In this quickstart, you download and run a code sample that demonstrates how a native iOS or macOS application can sign in users and get an access token to call the Microsoft Graph API. 
@@ -47,16 +47,18 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language > #### Step 1: Configure your application > For the code sample in this quickstart to work, add a **Redirect URI** compatible with the Auth broker. > -> +> > > > [!div id="appconfigured" class="alert alert-info"] > > ![Already configured](media/quickstart-v2-ios/green-check.png) Your application is configured with these attributes > > #### Step 2: Download the sample project > -> -> -> +> > [!div class="nextstepaction"] +> > +> +> > [!div class="nextstepaction"] +> > > > #### Step 3: Install dependencies >
@@ -238,4 +240,4 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language > Move on to the step-by-step tutorial in which you build an iOS or macOS app that gets an access token from the Microsoft identity platform and uses it to call the Microsoft Graph API. > > > [!div class="nextstepaction"] -> > [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md)
\ No newline at end of file
+> > [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md)
diff --git a/articles/active-directory/develop/msal-js-sso.md b/articles/active-directory/develop/msal-js-sso.md
index 8ba97653b94c..36f68efcf2b9 100644
--- a/articles/active-directory/develop/msal-js-sso.md
+++ b/articles/active-directory/develop/msal-js-sso.md 
@@ -19,20 +19,18 @@ ms.custom: aaddev, has-adal-ref # Single sign-on with MSAL.js -Single sign-on (SSO) provides a more seamless experience by reducing the number of times your users are asked for their credentials. Users enter their credentials once, and the established session can be reused by other applications on the device without further prompting. +Single sign-on (SSO) provides a more seamless experience by reducing the number of times your users are asked for their credentials. Users enter their credentials once, and the established session can be reused by other applications on the device without further prompting. -Azure Active Directory (Azure AD) enables SSO by setting a session cookie when a user first authenticates. MSAL.js allows use of the session cookie for SSO between the browser tabs opened for one or several applications. +Azure Active Directory (Azure AD) enables SSO by setting a session cookie when a user authenticates for the first time. MSAL.js allows the usage of the session cookie for SSO between the browser tabs opened for one or several applications. -## SSO between browser tabs +## SSO between browser tabs for the same app -When a user has your application open in several tabs and signs in on one of them, they're signed into the same app open on the other tabs without being prompted. MSAL.js caches the ID token for the user in the browser `localStorage` and will sign the user in to the application on the other open tabs. - -By default, MSAL.js uses `sessionStorage`, which doesn't allow the session to be shared between tabs. To get SSO between tabs, make sure to set the `cacheLocation` in MSAL.js to `localStorage` as shown below. +When a user has your application open in several tabs and signs in on one of them, they can be signed into the same app open on the other tabs without being prompted. To do so, you'll need to set the *cacheLocation* in MSAL.js configuration object to `localStorage` as shown below. 
```javascript const config = { auth: { - clientId: "abcd-ef12-gh34-ikkl-ashdjhlhsdg", + clientId: "1111-2222-3333-4444-55555555", }, cache: { cacheLocation: "localStorage", 
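Review bot: The rewritten "SSO between browser tabs for the same app" paragraph drops the removed sentence explaining that MSAL.js defaults to `sessionStorage`, which is not shared between tabs, so the reader no longer learns why `localStorage` is required, and it gives no caveat that `localStorage` persists cached tokens across browser sessions. Suggest restoring the removed sentence and appending `Tokens cached in localStorage persist after the browser is closed; use it only when cross-tab SSO is required.` In the same hunk, the new `clientId` placeholder `"1111-2222-3333-4444-55555555"` is not in GUID form yet looks like a real value; the `Enter_the_Application_Id_Here` placeholder used by the Node.js sample elsewhere in this diff is clearer, and the same placeholder reappears in the two later hunks of this file.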
@@ -42,61 +40,65 @@ const config = { const msalInstance = new msal.PublicClientApplication(config); ``` -## SSO between apps - -When a user authenticates, a session cookie is set on the Azure AD domain in the browser. MSAL.js relies on this session cookie to provide SSO for the user between different applications. MSAL.js also caches the ID tokens and access tokens of the user in the browser storage per application domain. As a result, the SSO behavior varies for different cases: - -### Applications on the same domain - -When applications are hosted on the same domain, the user can sign into an app once and then get authenticated to the other apps without a prompt. MSAL.js uses the tokens cached for the user on the domain to provide SSO. - -### Applications on different domain - -When applications are hosted on different domains, the tokens cached on domain A cannot be accessed by MSAL.js in domain B. - -When a user signed in on domain A navigates to an application on domain B, they're typically redirected or prompted to sign in. Because Azure AD still has the user's session cookie, it signs in the user without prompting for credentials. +## SSO between different apps -If the user has multiple user accounts in a session with Azure AD, the user is prompted to pick an account to sign in with. +When a user authenticates, a session cookie is set on the Azure AD domain in the browser. MSAL.js relies on this session cookie to provide SSO for the user between different applications. MSAL.js also caches the ID tokens and access tokens of the user in the browser storage per application domain. -### Automatic account selection +MSAL.js offers the `ssoSilent` method to sign-in the user and obtain tokens without an interaction. However, if the user has multiple user accounts in a session with Azure AD, then the user is prompted to pick an account to sign in with. As such, there are two ways to achieve SSO using `ssoSilent` method. 
-When a user is signed in concurrently to multiple Azure AD accounts on the same device, you might find you have the need to bypass the account selection prompt. +### With user hint -**Using a session ID** +To improve performance and ensure that the authorization server will look for the correct account session. You can pass one of the following options in the request object of the `ssoSilent` method to obtain the token silently. -Use the session ID (SID) in silent authentication requests you make with `acquireTokenSilent` in MSAL.js. +- Session ID `sid` (which can be retrieved from `idTokenClaims` of an `account` object) +- `login_hint` (which can be retrieved from the `account` object username property or the `upn` claim in the ID token) +- `account` (which can be retrieved from using one the [account methods](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/login-user.md#account-apis)) -To use a SID, add `sid` as an [optional claim](active-directory-optional-claims.md) to your app's ID tokens. The `sid` claim allows an application to identify a user's Azure AD session independent of their account name or username. To learn how to add optional claims like `sid`, see [Provide optional claims to your app](active-directory-optional-claims.md). +#### Using a session ID -The SID is bound to the session cookie and won't cross browser contexts. You can use the SID only with `acquireTokenSilent`. +To use a session ID, add `sid` as an [optional claim](active-directory-optional-claims.md) to your app's ID tokens. The `sid` claim allows an application to identify a user's Azure AD session independent of their account name or username. To learn how to add optional claims like `sid`, see [Provide optional claims to your app](active-directory-optional-claims.md). Use the session ID (SID) in silent authentication requests you make with `ssoSilent` in MSAL.js. 
```javascript -var request = { +const request = { scopes: ["user.read"], sid: sid, }; - msalInstance.acquireTokenSilent(request) - .then(function (response) { - const token = response.accessToken; - }) - .catch(function (error) { - //handle error - }); + try { + const loginResponse = await msalInstance.ssoSilent(request); +} catch (err) { + if (err instanceof InteractionRequiredAuthError) { + const loginResponse = await msalInstance.loginPopup(request).catch(error => { + // handle error + }); + } else { + // handle error + } +} ``` -**Using a login hint** +#### Using a login hint To bypass the account selection prompt typically shown during interactive authentication requests (or for silent requests when you haven't configured the `sid` optional claim), provide a `loginHint`. In multi-tenant applications, also include a `domain_hint`. ```javascript -var request = { +const request = { scopes: ["user.read"], loginHint: preferred_username, extraQueryParameters: { domain_hint: "organizations" }, }; - msalInstance.loginRedirect(request); +try { + const loginResponse = await msalInstance.ssoSilent(request); +} catch (err) { + if (err instanceof InteractionRequiredAuthError) { + const loginResponse = await msalInstance.loginPopup(request).catch(error => { + // handle error + }); + } else { + // handle error + } +} ``` Get the values for `loginHint` and `domain_hint` from the user's **ID token**: 
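Review bot: The `instanceof InteractionRequiredAuthError` check in the new `ssoSilent` samples uses an unqualified name, while the same file constructs the client as `new msal.PublicClientApplication(config)`; under that namespaced usage the bare name is undefined, so the `catch` block itself throws a ReferenceError and the interactive fallback never runs. Either write `if (err instanceof msal.InteractionRequiredAuthError) {` or show the import that brings the class into scope. The inner `.catch(error => { // handle error })` on `loginPopup` also swallows the failure and leaves `loginResponse` undefined, so code that follows would continue without an account; rethrowing or returning from that handler is safer. The same pattern is repeated in the three samples of the next hunk. Separately, the bullet list names the hint `login_hint` while the request object uses `loginHint`; the MSAL.js property should be spelled one way.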
@@ -107,34 +109,83 @@ Get the values for `loginHint` and `domain_hint` from the user's **ID token**: For more information about login hint and domain hint, see [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md). -## SSO without MSAL.js login +#### Using an account object -By design, MSAL.js requires that a login method is called to establish a user context before getting tokens for APIs. Since login methods are interactive, the user sees a prompt. +If you know the user account information, you can also retrieve the user account by using the `getAccountByUsername()` or `getAccountByHomeId()` methods: -There are certain cases in which applications have access to the authenticated user's context or ID token through authentication initiated in another application and want to use SSO to acquire tokens without first signing in through MSAL.js. +```javascript +const username = "test@contoso.com"; +const myAccount = msalInstance.getAccountByUsername(username); + +const request = { + scopes: ["User.Read"], + account: myAccount +}; -An example: A user is signed in to Microsoft account in a browser that hosts another JavaScript application running as an add-on or plugin, which requires a Microsoft account sign-in. 
+try { + const loginResponse = await msalInstance.ssoSilent(request); +} catch (err) { + if (err instanceof InteractionRequiredAuthError) { + const loginResponse = await msalInstance.loginPopup(request).catch(error => { + // handle error + }); + } else { + // handle error + } +} +``` -The SSO experience in this scenario can be achieved as follows: +### Without user hint -Pass the `sid` if available (or `login_hint` and optionally `domain_hint`) as request parameters to the MSAL.js `acquireTokenSilent` call as follows: +You can attempt to use the `ssoSilent` method without passing any `account`, `sid` or `login_hint` as shown in the code below: ```javascript -var request = { - scopes: ["user.read"], - loginHint: preferred_username, - extraQueryParameters: { domain_hint: "organizations" }, +const request = { + scopes: ["User.Read"] }; -msalInstance.acquireTokenSilent(request) - .then(function (response) { - const token = response.accessToken; - }) - .catch(function (error) { - //handle error - }); +try { + const loginResponse = await msalInstance.ssoSilent(request); +} catch (err) { + if (err instanceof InteractionRequiredAuthError) { + const loginResponse = await msalInstance.loginPopup(request).catch(error => { + // handle error + }); + } else { + // handle error + } +} ``` +However, there's a likelihood of silent sign-in errors if the application has multiple users in a single browser session or if the user has multiple accounts for that single browser session. You may see the following error in the case of multiple accounts: + +```txt +InteractionRequiredAuthError: interaction_required: AADSTS16000: Either multiple user identities are available for the current request or selected account is not supported for the scenario. +``` + +The error indicates that the server couldn't determine which account to sign into, and will require either one of the parameters above (`account`, `login_hint`, `sid`) or an interactive sign-in to choose the account. 
+ +## Considerations when using `ssoSilent` + +### Redirect URI (reply URL) + +For better performance and to help avoid issues, set the `redirectUri` to a blank page or other page that doesn't use MSAL. + +- If your application users only popup and silent methods, set the `redirectUri` on the `PublicClientApplication` configuration object. +- If your application also uses redirect methods, set the `redirectUri` on a per-request basis. + +### Third-party cookies + +`ssoSilent` attempts to open a hidden iframe and reuse an existing session with Azure AD. This won't work in browsers that block third-party cookies such as safari, and will lead to an interaction error: + +```txt +InteractionRequiredAuthError: login_required: AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD +``` + +To resolve the error, the user must create an interactive authentication request using the `loginPopup()` or `loginRedirect()`. + +Additionally, the request object is required when using the **silent** methods. If you already have the user's sign-in information, you can pass either the `loginHint` or `sid` optional parameters to sign-in a specific account. + ## SSO in ADAL.js to MSAL.js update MSAL.js brings feature parity with ADAL.js for Azure AD authentication scenarios. To make the migration from ADAL.js to MSAL.js easy and to avoid prompting your users to sign in again, the library reads the ID token representing user’s session in ADAL.js cache, and seamlessly signs in the user in MSAL.js. @@ -145,7 +196,7 @@ To take advantage of the SSO behavior when updating from ADAL.js, you'll need to // In ADAL.js window.config = { - clientId: "g075edef-0efa-453b-997b-de1337c29185", + clientId: "1111-2222-3333-4444-55555555", cacheLocation: "localStorage", }; 
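Review bot: The "Redirect URI (reply URL)" consideration tells readers to point `redirectUri` at a blank page but does not say that this page must still be registered as a reply URL on the app registration, which the Node.js configuration section of this same diff states is required for every `redirectUri` the application uses; suggest adding `This page must still be registered as a redirect URI for your app registration.` In the "Third-party cookies" section, `the user must create an interactive authentication request` should read `the application must fall back to an interactive request using loginPopup() or loginRedirect()`, since the user does not issue requests. Minor wording in the same hunk: `If your application users only popup and silent methods` should be `uses only pop-up`, and `safari` should be `Safari`.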
@@ -154,7 +205,7 @@ var authContext = new AuthenticationContext(config); // In latest MSAL.js version const config = { auth: { - clientId: "abcd-ef12-gh34-ikkl-ashdjhlhsdg", + clientId: "1111-2222-3333-4444-55555555", }, cache: { cacheLocation: "localStorage", @@ -170,5 +221,6 @@ Once the `cacheLocation` is configured, MSAL.js can read the cached state of the For more information about SSO, see: -- [Single Sign-On SAML protocol](single-sign-on-saml-protocol.md) +- [Single Sign-on SAML protocol](single-sign-on-saml-protocol.md) +- [Optional token claims](active-directory-optional-claims.md) - [Configurable token lifetimes](active-directory-configurable-token-lifetimes.md) diff --git a/articles/active-directory/develop/refresh-tokens.md b/articles/active-directory/develop/refresh-tokens.md index 22a7ca457ba9..7e967d8309f8 100644 --- a/articles/active-directory/develop/refresh-tokens.md +++ b/articles/active-directory/develop/refresh-tokens.md 
@@ -29,7 +29,10 @@ Before reading through this article, it's recommended that you go through the fo ## Refresh token lifetime -Refresh tokens have a longer lifetime than access tokens. The default lifetime for the tokens is 90 days and they replace themselves with a fresh token upon every use. As such, whenever a refresh token is used to acquire a new access token, a new refresh token is also issued. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials. +Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for [single page apps](reference-third-party-cookies-spas.md) and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials. + +>[!IMPORTANT] +> Refresh tokens sent to a redirect URI registered as `spa` expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users do not have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the log-in page in a top-level frame to show the login session. This is due to [privacy features in browsers that block third party cookies](reference-third-party-cookies-spas.md). ## Refresh token expiration 
diff --git a/articles/active-directory/develop/scenario-spa-sign-in.md b/articles/active-directory/develop/scenario-spa-sign-in.md index 41406d638a48..39dfaec5f86d 100644 --- a/articles/active-directory/develop/scenario-spa-sign-in.md +++ b/articles/active-directory/develop/scenario-spa-sign-in.md @@ -28,7 +28,7 @@ Before you can get tokens to access APIs in your application, you need an authen You can also optionally pass the scopes of the APIs for which you need the user to consent at the time of sign-in. > [!NOTE] -> If your application already has access to an authenticated user context or ID token, you can skip the login step and directly acquire tokens. For details, see [SSO without MSAL.js login](msal-js-sso.md#sso-without-msaljs-login). +> If your application already has access to an authenticated user context or ID token, you can skip the login step and directly acquire tokens. For details, see [SSO with user hint](msal-js-sso.md#with-user-hint). ## Choosing between a pop-up or redirect experience diff --git a/articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md b/articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md index b9a59a676984..1cdfa3235316 100644 --- a/articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md +++ b/articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md 
@@ -180,31 +180,15 @@ In the Azure portal, the reply URIs that you register on the **Authentication** # [Node.js](#tab/nodejs) -Here, the configuration parameters reside in `index.js` +Here, the configuration parameters reside in *.env* as environment variables: -```javascript +:::code language="text" source="~/ms-identity-node/App/.env"::: -const REDIRECT_URI = "http://localhost:3000/redirect"; +These parameters are used to create a configuration object in *authConfig.js* file, which will eventually be used to initialize MSAL Node: -const config = { - auth: { - clientId: "Enter_the_Application_Id_Here", - authority: "https://login.microsoftonline.com/Enter_the_Tenant_Info_Here/", - clientSecret: "Enter_the_Client_Secret_Here" - }, - system: { - loggerOptions: { - loggerCallback(loglevel, message, containsPii) { - console.log(message); - }, - piiLoggingEnabled: false, - logLevel: msal.LogLevel.Verbose, - } - } -}; -``` +:::code language="js" source="~/ms-identity-node/App/authConfig.js"::: -In the Azure portal, the reply URIs that you register on the Authentication page for your application need to match the redirectUri instances that the application defines (`http://localhost:3000/redirect`). +In the Azure portal, the reply URIs that you register on the Authentication page for your application need to match the redirectUri instances that the application defines (`http://localhost:3000/auth/redirect`). > [!NOTE] > This quickstart proposes to store the client secret in the configuration file for simplicity. In your production app, you'd want to use other ways to store your secret, such as a key vault or an environment variable. 
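Review bot: The retained NOTE at the end of this hunk is now inconsistent with the new text above it: the configuration has moved from `index.js` to a *.env* file of environment variables, yet the note still says the secret is stored "in the configuration file" and recommends "an environment variable" as the production alternative, which is what the sample now does. Suggest rewording to `This quickstart stores the client secret in a .env file for simplicity. In your production app, use a secret store such as Azure Key Vault, and never commit the .env file to source control.` The Node.js tab section continues outside the hunk.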
@@ -350,12 +334,9 @@ For details about the authorization code flow that this method triggers, see the # [Node.js](#tab/nodejs) -```javascript -const msal = require('@azure/msal-node'); +Node sample the Express framework. MSAL is initialized in *auth* route handler: -// Create msal application object -const cca = new msal.ConfidentialClientApplication(config); -``` +:::code language="js" source="~/ms-identity-node/App/routes/auth.js" range="6-16"::: # [Python](#tab/python) diff --git a/articles/active-directory/develop/scenario-web-app-sign-user-app-registration.md b/articles/active-directory/develop/scenario-web-app-sign-user-app-registration.md index 2e7f4999fc08..55ed8684248f 100644 --- a/articles/active-directory/develop/scenario-web-app-sign-user-app-registration.md +++ b/articles/active-directory/develop/scenario-web-app-sign-user-app-registration.md @@ -96,8 +96,8 @@ By default, the sample uses: 1. When the **Register an application page** appears, enter your application's registration information: 1. Enter a **Name** for your application, for example `node-webapp`. Users of your app might see this name, and you can change it later. - 1. Change **Supported account types** to **Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)**. - 1. In the **Redirect URI (optional)** section, select **Web** in the combo box and enter the following redirect URI: `http://localhost:3000/redirect`. + 1. Change **Supported account types** to **Accounts in this organizational directory only**. + 1. In the **Redirect URI (optional)** section, select **Web** in the combo box and enter the following redirect URI: `http://localhost:3000/auth/redirect`. 1. Select **Register** to create the application. 1. On the app's **Overview** page, find the **Application (client) ID** value and record it for later. You'll need it to configure the configuration file for this project. 1. Under **Manage**, select **Certificates & secrets**. 
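Review bot: `Node sample the Express framework.` is missing its verb and the product name, and `*auth* route handler` sits awkwardly next to the `routes/auth.js` path in the snippet reference that follows. Suggest `The Node.js sample uses the Express framework. MSAL Node is initialized in the *auth* route handler:`. The tab section continues outside the hunk.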
diff --git a/articles/active-directory/develop/scenario-web-app-sign-user-sign-in.md b/articles/active-directory/develop/scenario-web-app-sign-user-sign-in.md index 9e70e56361a4..00ab03465cd4 100644 --- a/articles/active-directory/develop/scenario-web-app-sign-user-sign-in.md +++ b/articles/active-directory/develop/scenario-web-app-sign-user-sign-in.md @@ -72,7 +72,7 @@ else # [Java](#tab/java) -In our Java quickstart, the sign-in button is located in the [main/resources/templates/index.html](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/master/msal-java-webapp-sample/src/main/resources/templates/index.html) file. +In the Java quickstart, the sign-in button is located in the [main/resources/templates/index.html](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/master/msal-java-webapp-sample/src/main/resources/templates/index.html) file. ```html @@ -94,13 +94,13 @@ In our Java quickstart, the sign-in button is located in the [main/resources/tem # [Node.js](#tab/nodejs) -In the Node.js quickstart, there's no sign-in button. The code-behind automatically prompts the user for sign-in when it's reaching the root of the web app. +In the Node.js quickstart, the code for the sign-in button is located in *index.hbs* template file. -```javascript -app.get('/', (req, res) => { - // authentication logic -}); -``` +:::code language="hbs" source="~/ms-identity-node/App/views/index.hbs" range="10-11"::: + +This template is served via the main (index) route of the app: + +:::code language="js" source="~/ms-identity-node/App/routes/index.js" range="6-15"::: # [Python](#tab/python) 
@@ -169,40 +169,9 @@ public class AuthPageController { # [Node.js](#tab/nodejs) -Unlike other platforms, here the MSAL Node takes care of letting the user sign in from the login page. - -```javascript - -// 1st leg of auth code flow: acquire a code -app.get('/', (req, res) => { - const authCodeUrlParameters = { - scopes: ["user.read"], - redirectUri: REDIRECT_URI, - }; - - // get url to sign user in and consent to scopes needed for application - pca.getAuthCodeUrl(authCodeUrlParameters).then((response) => { - res.redirect(response); - }).catch((error) => console.log(JSON.stringify(error))); -}); - -// 2nd leg of auth code flow: exchange code for token -app.get('/redirect', (req, res) => { - const tokenRequest = { - code: req.query.code, - scopes: ["user.read"], - redirectUri: REDIRECT_URI, - }; - - pca.acquireTokenByCode(tokenRequest).then((response) => { - console.log("\nResponse: \n:", response); - res.sendStatus(200); - }).catch((error) => { - console.log(error); - res.status(500).send(error); - }); -}); -``` +When the user selects the **Sign in** link, which triggers the `/auth/signin` route, the sign-in controller takes over to authenticate the user with Microsoft identity platform. + +:::code language="js" source="~/ms-identity-node/App/routes/auth.js" range="27-107, 135-161"::: # [Python](#tab/python) @@ -355,7 +324,7 @@ In our Java quickstart, the sign-out button is located in the main/resources/tem # [Node.js](#tab/nodejs) -This sample application does not implement sign-out. +:::code language="hbs" source="~/ms-identity-node/App/views/index.hbs" range="2, 8"::: # [Python](#tab/python) 
@@ -431,7 +400,9 @@ In Java, sign-out is handled by calling the Microsoft identity platform `logout` # [Node.js](#tab/nodejs) -This sample application does not implement sign-out. +When the user selects the **Sign out** button, the app triggers the `/signout` route, which destroys the session and redirects the browser to Microsoft identity platform sign-out endpoint. + +:::code language="js" source="~/ms-identity-node/App/routes/auth.js" range="163-174"::: # [Python](#tab/python) @@ -479,7 +450,7 @@ In the Java quickstart, the post-logout redirect URI just displays the index.htm # [Node.js](#tab/nodejs) -This sample application does not implement sign-out. +In the Node quickstart, the post-logout redirect URI is used to redirect the browser back to sample home page after the user completes the logout process with the Microsoft identity platform. # [Python](#tab/python) @@ -494,4 +465,4 @@ If you want to learn more about sign-out, read the protocol documentation that's ## Next steps Move on to the next article in this scenario, -[Move to production](scenario-web-app-sign-user-production.md). \ No newline at end of file +[Move to production](scenario-web-app-sign-user-production.md). diff --git a/articles/active-directory/develop/tutorial-v2-ios.md b/articles/active-directory/develop/tutorial-v2-ios.md index 657e5b2399bd..e8f6b1bf542d 100644 --- a/articles/active-directory/develop/tutorial-v2-ios.md +++ b/articles/active-directory/develop/tutorial-v2-ios.md 
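Review bot: The sign-out description names the `/signout` route, but every other Node.js route introduced in this diff is under `/auth` (`/auth/signin`, `/auth/redirect`) and the referenced snippet comes from `routes/auth.js`, so the path is presumably `/auth/signout`; confirm against the sample and correct it. The same sentence reads better as `redirects the browser to the Microsoft identity platform sign-out endpoint`.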
@@ -1,16 +1,13 @@ --- -title: "Tutorial: Create an iOS or macOS app that uses the Microsoft identity platform for authentication | Azure" -titleSuffix: Microsoft identity platform -description: In this tutorial, you build an iOS or macOS app that uses the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API on their behalf. -services: active-directory +title: "Tutorial: Create an iOS or macOS app that uses the Microsoft identity platform for authentication" +description: Build an iOS or macOS app that uses the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API on their behalf. author: mmacy manager: CelesteDG ms.service: active-directory ms.subservice: develop ms.topic: tutorial -ms.workload: identity -ms.date: 09/18/2020 +ms.date: 05/28/2022 ms.author: marsma ms.reviewer: oldalton ms.custom: aaddev, identityplatformtop40, has-adal-ref @@ -20,7 +17,7 @@ ms.custom: aaddev, identityplatformtop40, has-adal-ref In this tutorial, you build an iOS or macOS app that integrates with the Microsoft identity platform to sign users and get an access token to call the Microsoft Graph API. -When you've completed the guide, your application will accept sign-ins of personal Microsoft accounts (including outlook.com, live.com, and others) and work or school accounts from any company or organization that uses Azure Active Directory. This tutorial is applicable to both iOS and macOS apps. Some steps are different between the two platforms. +When you've completed the tutorial, your application will accept sign-ins of personal Microsoft accounts (including outlook.com, live.com, and others) and work or school accounts from any company or organization that uses Azure Active Directory. This tutorial is applicable to both iOS and macOS apps. Some steps are different between the two platforms. In this tutorial: 
@@ -75,8 +72,8 @@ If you'd like to download a completed version of the app you build in this tutor 1. Select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)** under **Supported account types**. 1. Select **Register**. 1. Under **Manage**, select **Authentication** > **Add a platform** > **iOS/macOS**. -1. Enter your project's Bundle ID. If you downloaded the code, this is `com.microsoft.identitysample.MSALiOS`. If you're creating your own project, select your project in Xcode and open the **General** tab. The bundle identifier appears in the **Identity** section. -1. Select **Configure** and save the **MSAL Configuration** that appears in the **MSAL configuration** page so you can enter it when you configure your app later. +1. Enter your project's Bundle ID. If downloaded the code sample, the Bundle ID is `com.microsoft.identitysample.MSALiOS`. If you're creating your own project, select your project in Xcode and open the **General** tab. The bundle identifier appears in the **Identity** section. +1. Select **Configure** and save the **MSAL Configuration** that appears in the **MSAL configuration** page so you can enter it when you configure your app later. 1. Select **Done**. ## Add MSAL @@ -85,7 +82,7 @@ Choose one of the following ways to install the MSAL library in your app: ### CocoaPods -1. If you're using [CocoaPods](https://cocoapods.org/), install `MSAL` by first creating an empty file called `podfile` in the same folder as your project's `.xcodeproj` file. Add the following to `podfile`: +1. If you're using [CocoaPods](https://cocoapods.org/), install `MSAL` by first creating an empty file called _podfile_ in the same folder as your project's _.xcodeproj_ file. Add the following to _podfile_: ``` use_frameworks! 
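Review bot: `If downloaded the code sample, the Bundle ID is ...` is missing its subject; suggest `If you downloaded the code sample, the Bundle ID is `com.microsoft.identitysample.MSALiOS`.` The paired `-`/`+` lines for `Select **Configure**` appear to differ only in whitespace and could be left unchanged to keep the diff minimal.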
@@ -96,18 +93,18 @@ Choose one of the following ways to install the MSAL library in your app: ``` 2. Replace `Runs future workloads based on the last run time. | Runs the first workload instantly.
Runs future workloads based on the specified schedule. | | Start time in the past | **Recurrence** trigger: Calculates run times based on the specified start time and discards past run times.
Runs the first workload at the next future run time.
Runs future workloads based on the last run time.
**Sliding Window** trigger: Calculates run times based on the specified start time and honors past run times.
Runs future workloads based on the specified start time.
For more explanation, see the example following this table. | Runs the first workload *no sooner* than the start time, based on the schedule calculated from the start time.
Runs future workloads based on the specified schedule.
**Note:** If you specify a recurrence with a schedule, but don't specify hours or minutes for the schedule, Azure Logic Apps calculates future run times by using the hours or minutes, respectively, from the first run time. | -| Start time now or in the future | Runs the first workload at the specified start time.
**Recurrence** trigger: Runs future workloads based on the last run time.
**Sliding Window** trigger: Runs future workloads based on the specified start time. | Runs the first workload *no sooner* than the start time, based on the schedule calculated from the start time.
Runs future workloads based on the specified schedule. If you use the **Day** or **Week** frequency and specify a future date and time, make sure that you set up the recurrence in advance:
- **Day**: Set up the daily recurrence at least 24 hours in advance.
- **Week**: Set up the weekly recurrence at least 7 days in advance.
Otherwise, the workflow might skip the first recurrence.
**Note:** If you specify a recurrence with a schedule, but don't specify hours or minutes for the schedule, Azure Logic Apps calculates future run times by using the hours or minutes, respectively, from the first run time. | +| Start time now or in the future | Runs the first workload at the specified start time.
**Recurrence** trigger: Runs future workloads based on the last run time.
**Sliding Window** trigger: Runs future workloads based on the specified start time. | Runs the first workload *no sooner* than the start time, based on the schedule calculated from the start time.
Runs future workloads based on the specified schedule. If you use the **Day**, **Week**, or **Month** frequency, and you specify a future date and time, make sure that you set up the recurrence in advance:
- **Day**: Set up the daily recurrence at least 24 hours in advance.
- **Week**: Set up the weekly recurrence at least 7 days in advance.
- **Month**: Set up the monthly recurrence at least one month in advance.
Otherwise, the workflow might skip the first recurrence.
**Note:** If you specify a recurrence with a schedule, but don't specify hours or minutes for the schedule, Azure Logic Apps calculates future run times by using the hours or minutes, respectively, from the first run time. |
||||
*Example for past start time and recurrence but no schedule*
diff --git a/articles/logic-apps/create-managed-service-identity.md b/articles/logic-apps/create-managed-service-identity.md
index d0f0592b4d85..747e55960809 100644
--- a/articles/logic-apps/create-managed-service-identity.md
+++ b/articles/logic-apps/create-managed-service-identity.md
@@ -707,7 +707,7 @@ As a specific example, suppose that you want to run the [Snapshot Blob operation
> [!IMPORTANT]
> To access Azure storage accounts behind firewalls by using HTTP requests and managed identities,
-> make sure that you also set up your storage account with the [exception that allows access by trusted Microsoft services](../connectors/connectors-create-api-azureblobstorage.md#access-blob-storage-with-managed-identities).
+> make sure that you also set up your storage account with the [exception that allows access by trusted Microsoft services](../connectors/connectors-create-api-azureblobstorage.md#access-blob-storage-in-same-region-with-managed-identities).
To run the [Snapshot Blob operation](/rest/api/storageservices/snapshot-blob), the HTTP action specifies these properties:
diff --git a/articles/logic-apps/logic-apps-enterprise-integration-certificates.md b/articles/logic-apps/logic-apps-enterprise-integration-certificates.md
index 432eddc240ea..a838e6c90d8e 100644
--- a/articles/logic-apps/logic-apps-enterprise-integration-certificates.md
+++ b/articles/logic-apps/logic-apps-enterprise-integration-certificates.md
@@ -24,7 +24,7 @@ You can use the following certificate types in your workflows:
* [Public certificates](https://en.wikipedia.org/wiki/Public_key_certificate), which you must purchase from a public internet [certificate authority (CA)](https://en.wikipedia.org/wiki/Certificate_authority). These certificates don't require any keys.
-* Private certificates or [*self-signed certificates*](https://en.wikipedia.org/wiki/Self-signed_certificate), which you create and issue yourself. However, these certificates require private keys.
+* Private certificates or [*self-signed certificates*](https://en.wikipedia.org/wiki/Self-signed_certificate), which you create and issue yourself. However, these certificates require [private keys in an Azure key vault](#prerequisites).
If you're new to logic apps, review [What is Azure Logic Apps](logic-apps-overview.md)? For more information about B2B enterprise integration, review [B2B enterprise integration workflows with Azure Logic Apps and Enterprise Integration Pack](logic-apps-enterprise-integration-overview.md).
@@ -58,7 +58,7 @@ If you're new to logic apps, review [What is Azure Logic Apps](logic-apps-overvi
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
- * [Add a corresponding public certificate](#add-public-certificate) to your key vault. This certificate appears in your [agreement's **Send** and **Receive** settings for signing and encrypting messages](logic-apps-enterprise-integration-agreements.md). For example, review [Reference for AS2 messages settings in Azure Logic Apps](logic-apps-enterprise-integration-as2-message-settings.md).
+ * [Add the corresponding public certificate](#add-public-certificate) to your key vault. This certificate appears in your [agreement's **Send** and **Receive** settings for signing and encrypting messages](logic-apps-enterprise-integration-agreements.md). For example, review [Reference for AS2 messages settings in Azure Logic Apps](logic-apps-enterprise-integration-as2-message-settings.md).
* At least two [trading partners](logic-apps-enterprise-integration-partners.md) and an [agreement between those partners](logic-apps-enterprise-integration-agreements.md) in your integration account. An agreement requires a host partner and a guest partner. Also, an agreement requires that both partners use the same or compatible *business identity* qualifier that's appropriate for an AS2, X12, EDIFACT, or RosettaNet agreement.
@@ -66,7 +66,7 @@ If you're new to logic apps, review [What is Azure Logic Apps](logic-apps-overvi
-## Add a public certificate
+## Use a public certificate
To use a *public certificate* in your workflow, you have to first add the certificate to your integration account.
@@ -84,7 +84,7 @@ To use a *public certificate* in your workflow, you have to first add the certif
|----------|----------|-------|-------------|
| **Name** | Yes | <*certificate-name*> | Your certificate's name, which is `publicCert` in this example |
| **Certificate Type** | Yes | **Public** | Your certificate's type |
- | **Certificate** | Yes | <*certificate-file-name*> | To browse for the certificate file that you want to add, select the folder icon next to the **Certificate** box. |
+ | **Certificate** | Yes | <*certificate-file-name*> | To browse for the certificate file that you want to add, select the folder icon next to the **Certificate** box. Select the certificate that you want to use. |
|||||
![Screenshot showing the Azure portal and integration account with "Add" selected and the "Add Certificate" pane with public certificate details.](media/logic-apps-enterprise-integration-certificates/public-certificate-details.png)
@@ -95,11 +95,11 @@ To use a *public certificate* in your workflow, you have to first add the certif
![Screenshot showing the Azure portal and integration account with the public certificate in the "Certificates" list.](media/logic-apps-enterprise-integration-certificates/new-public-certificate.png)
-
+
-## Add a private certificate
+## Use a private certificate
-To use a *private certificate* in your workflow, you have to first add the certificate to your integration account. Make sure that you've also met the [prerequisites private certificates](#prerequisites).
+To use a *private certificate* in your workflow, you have to first meet the [prerequisites for private keys](#prerequisites), and add a public certificate to your integration account.
1. In the [Azure portal](https://portal.azure.com) search box, enter `integration accounts`, and select **Integration accounts**.
@@ -115,7 +115,7 @@ To use a *private certificate* in your workflow, you have to first add the certi
|----------|----------|-------|-------------|
| **Name** | Yes | <*certificate-name*> | Your certificate's name, which is `privateCert` in this example |
| **Certificate Type** | Yes | **Private** | Your certificate's type |
- | **Certificate** | Yes | <*certificate-file-name*> | To browse for the certificate file that you want to add, select the folder icon next to the **Certificate** box. In the key vault that contains your private key, the file you add there is the public certificate. |
+ | **Certificate** | Yes | <*certificate-file-name*> | To browse for the certificate file that you want to add, select the folder icon next to the **Certificate** box. Select the public certificate that corresponds to the private key that's stored in your key vault. |
| **Resource Group** | Yes | <*integration-account-resource-group*> | Your integration account's resource group, which is `Integration-Account-RG` in this example |
| **Key Vault** | Yes | <*key-vault-name*> | Your key vault name |
| **Key name** | Yes | <*key-name*> | Your key name |
diff --git a/articles/logic-apps/media/logic-apps-enterprise-integration-certificates/private-certificate-details.png b/articles/logic-apps/media/logic-apps-enterprise-integration-certificates/private-certificate-details.png
index 7b89d4714d07..9847bd98d5b6 100644
Binary files a/articles/logic-apps/media/logic-apps-enterprise-integration-certificates/private-certificate-details.png and b/articles/logic-apps/media/logic-apps-enterprise-integration-certificates/private-certificate-details.png differ
diff --git a/articles/machine-learning/how-to-configure-auto-train.md b/articles/machine-learning/how-to-configure-auto-train.md
index 921b16d2e17a..3338a416dbfa 100644
--- a/articles/machine-learning/how-to-configure-auto-train.md
+++ b/articles/machine-learning/how-to-configure-auto-train.md
@@ -104,16 +104,15 @@ The following shows two ways of creating an MLTable.
```Python
from azure.ai.ml.constants import AssetTypes
-from azure.ai.ml import automl
-from azure.ai.ml.entities import JobInput
+from azure.ai.ml import automl, Input
# A. Create MLTable for training data from your local directory
-my_training_data_input = JobInput(
+my_training_data_input = Input(
type=AssetTypes.MLTABLE, path="./data/training-mltable-folder"
)
# B. Remote MLTable definition
-my_training_data_input = JobInput(type=AssetTypes.MLTABLE, path="azureml://datastores/workspaceblobstore/paths/Classification/Train")
+my_training_data_input = Input(type=AssetTypes.MLTABLE, path="azureml://datastores/workspaceblobstore/paths/Classification/Train")
```
### Training, validation, and test data
diff --git a/articles/machine-learning/how-to-create-register-data-assets.md b/articles/machine-learning/how-to-create-register-data-assets.md
index 8a08d98323df..01a1b2877798 100644
--- a/articles/machine-learning/how-to-create-register-data-assets.md
+++ b/articles/machine-learning/how-to-create-register-data-assets.md
@@ -117,7 +117,7 @@ For a complete example, see the [working_with_uris.ipynb notebook](https://githu
# [Python-SDK](#tab/Python-SDK)
```python
from azure.ai.ml.entities import Data
-from azure.ai.ml._constants import AssetTypes
+from azure.ai.ml.constants import AssetTypes
# select one from:
my_path = 'abfss:// ADD COLUMN
ADD COLUMN
- If SSL is used on the driver side, but redirection is not supported on the server, the first connection is aborted and the following error is returned: *"Connection aborted because redirection is not enabled on the MySQL server or the network package doesn't meet redirection protocol."*
- If the MySQL server supports redirection, but the redirected connection failed for any reason, also abort the first proxy connection. Return the error of the redirected connection.|
|`preferred` or `2`
(default value)|- mysqlnd_azure will use redirection if possible.
- If the connection does not use SSL on the driver side, the server does not support redirection, or the redirected connection fails to connect for any non-fatal reason while the proxy connection is still a valid one, it will fall back to the first proxy connection.|
-For successful connection to Azure database for MySQL Single server using `mysqlnd_azure.enableRedirect` you need to follow mandatory steps of combining your root certificate as per the compliance requirements. For more details on please visit [link](./concepts-certificate-rotation.md#do-i-need-to-make-any-changes-on-my-client-to-maintain-connectivity).
+For successful connection to Azure database for MySQL Single server using `mysqlnd_azure.enableRedirect` you need to follow mandatory steps of combining your root certificate as per the compliance requirements. For more details please visit [link](./concepts-certificate-rotation.md#do-i-need-to-make-any-changes-on-my-client-to-maintain-connectivity).
The subsequent sections of the document will outline how to install the `mysqlnd_azure` extension using PECL and set the value of this parameter.
diff --git a/articles/network-watcher/enable-network-watcher-flow-log-settings.md b/articles/network-watcher/enable-network-watcher-flow-log-settings.md
new file mode 100644
index 000000000000..c5d0168cdd4e
--- /dev/null
+++ b/articles/network-watcher/enable-network-watcher-flow-log-settings.md
@@ -0,0 +1,78 @@
+---
+title: Enable Azure Network Watcher | Microsoft Docs
+description: Learn how to enable Network Watcher.
+services: network-watcher
+documentationcenter: na
+author: v-ssenthilna
+
+ms.service: network-watcher
+ms.topic: article
+ms.tgt_pltfrm: na
+ms.workload: infrastructure-services
+ms.date: 05/11/2022
+ms.author: v-ssenthilna
+ms.custom: references_regions, devx-track-azurepowershell
+---
+# Enable Azure Network Watcher
+
+To analyze traffic, you need to have an existing network watcher, or [enable a network watcher](network-watcher-create.md) in each region that you have NSGs that you want to analyze traffic for. Traffic analytics can be enabled for NSGs hosted in any of the [supported regions](supported-region-traffic-analytics.md).
+
+## Select a network security group
+
+Before enabling NSG flow logging, you must have a network security group to log flows for. If you don't have a network security group, see [Create a network security group](../virtual-network/manage-network-security-group.md#create-a-network-security-group) to create one.
+
+In Azure portal, go to **Network watcher**, and then select **NSG flow logs**. Select the network security group that you want to enable an NSG flow log for, as shown in the following picture:
+
+![Screenshot of portal to select N S G that require enablement of NSG flow log.](./media/traffic-analytics/selection-of-nsgs-that-require-enablement-of-nsg-flow-logging.png)
+
+If you try to enable traffic analytics for an NSG that is hosted in any region other than the [supported regions](supported-region-traffic-analytics.md), you receive a "Not found" error.
+
+## Enable flow log settings
+
+Before enabling flow log settings, you must complete the following tasks:
+
+Register the Azure Insights provider, if it's not already registered for your subscription:
+
+```azurepowershell-interactive
+Register-AzResourceProvider -ProviderNamespace Microsoft.Insights
+```
+
+If you don't already have an Azure Storage account to store NSG flow logs in, you must create a storage account. You can create a storage account with the command that follows. Before running the command, replace `