Commit 848fbad

Merge pull request #12187 from MicrosoftDocs/main
Auto Publish – main to live - 2026-03-24 22:10 UTC
2 parents e6a11f6 + a74cbe4 commit 848fbad

13 files changed

+42
-31
lines changed

docs/external-id/tenant-restrictions-v2.md

Lines changed: 1 addition & 1 deletion
@@ -682,7 +682,7 @@ Use Microsoft Graph to get policy information.
682682

683683
- TRv2 does not enforce restrictions on cross-cloud requests at the authentication plane, so access is permitted during authentication. However, TRv2 does block cross-cloud requests at the data plane. As a result, when using Windows Group Policy (GPO), users will be unable to access TRv2-enlightened resources across cloud boundaries.
684684

685-
- Tenant restrictions v2 doesn't work with the [macOS Platform SSO](~/identity/devices/troubleshoot-macos-platform-single-sign-on-extension.md) feature with client signaling via corporate proxy. Customers who use tenant restrictions v2 and Platform SSO should use universal tenant restrictions v2 with Global Secure Access client signaling. This is an Apple limitation in which Platform SSO is not compatible with tenant restrictions when an intermediary network solution injects headers. An example of such a solution is a proxy that uses a certificate trust chain outside Apple system root certificates.
685+
- Tenant restrictions v2 doesn't work with the [macOS Platform SSO](~/identity/devices/troubleshoot-macos-platform-single-sign-on-extension.md) feature with client signaling via corporate proxy if the corporate proxy uses a certificate trust chain outside Apple system root certificates. This is an Apple limitation in which Platform SSO is not compatible with tenant restrictions when an intermediary network solution injects headers using untrusted certificates. Apple does not support customers adding their own PKI certificates to the Apple system trusted root certificates store. Customers who use tenant restrictions v2 and Platform SSO should use universal tenant restrictions v2 with Global Secure Access client signaling which uses a certificate trusted by Apple systems.
686686

687687
- When TRv2 is enabled, accessing the Microsoft Entra admin center may result in an "Access denied" error. To resolve this issue, append the following feature flags to the Microsoft Entra admin center URL: `?feature.msaljs=true&exp.msaljsexp=true`. If you're accessing the admin center for a partner tenant (e.g., Fabrikam) and encounter the error at `https://entra.microsoft.com/`, update the URL as follows: `https://entra.microsoft.com/?feature.msaljs=true&exp.msaljsexp=true#home`. This will enable the necessary flags and restore access.
688688
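
Review bot: In the rewritten macOS Platform SSO bullet, the last sentence needs a comma before the nonrestrictive clause ("client signaling, which uses a certificate trusted by Apple systems"), and the added sentences use "is not" and "does not" while the bullet opens with "doesn't". The store is also named two ways within the same bullet ("Apple system root certificates" and "Apple system trusted root certificates store"); use one name so readers don't take them for two different stores.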

docs/global-secure-access/concept-transport-layer-security.md

Lines changed: 3 additions & 2 deletions
@@ -4,7 +4,8 @@ description: "This article provides an overview of the Transport Layer Security
44
author: HULKsmashGithub
55
ms.author: jayrusso
66
ms.topic: concept-article
7-
ms.date: 05/28/2025
7+
ms.date: 03/23/2026
8+
ms.reviewer: teresayao
89

910
#customer intent: As a Global Secure Access administrator, I want to learn about the Transport Layer Security (TLS) protocol to support the creation of TLS inspection policies.
1011

@@ -37,7 +38,7 @@ Traffic logs include four TLS-related metadata fields that help you understand h
3738
To get started with TLS inspection, see [Configure Transport Layer Security Policies](how-to-transport-layer-security.md).
3839

3940
## Supported ciphers
40-
| List of supported ciphers |
41+
|List of supported ciphers |
4142
|-------------------|
4243
|ECDHE-ECDSA-AES128-GCM-SHA256|
4344
|ECDHE-ECDSA-CHACHA20-POLY1305|
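
Review bot: The header cell change to `|List of supported ciphers |` drops the leading space but keeps the trailing one, so the cell is now padded on one side only. Either strip both so it matches the cipher rows below it, or leave the header as it was; as written the change is only diff noise.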

docs/global-secure-access/how-to-ai-prompt-injection-protection.md

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@
22
title: Protect enterprise generative AI apps with prompt injection protection (preview)
33
description: "Protect your enterprise generative AI apps from prompt injection attacks with Microsoft's AI Gateway prompt injection protection."
44
ms.topic: how-to
5-
ms.date: 03/18/2026
5+
ms.date: 03/24/2026
66
ms.author: jayrusso
77
author: HULKsmashGithub
88
ms.reviewer: KaTabish
@@ -113,7 +113,7 @@ You can protect any custom JSON-based LLM or GenAI app by configuring a custom t
113113
## Known limitations
114114

115115
- Prompt Injection Protection currently supports only text prompts. It doesn't support files.
116-
- Prompt Injection Protection supports only JSON-based generative AI apps. It doesn't support apps that use URL-based encoding, like Gemini.
116+
- Prompt Injection Protection supports only JSON-based generative AI apps.
117117
- Prompt Injection Protection supports prompts up to 10,000 characters. Anything longer is truncated.
118118

119119
## Related content
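
Review bot: In the JSON-only limitation bullet, removing "It doesn't support apps that use URL-based encoding, like Gemini." leaves no indication of what falls outside "JSON-based". If URL-encoded apps are still unsupported, keep a generic form of the exclusion without naming a product; if they are now supported, "supports only JSON-based generative AI apps" needs rewording so it doesn't say the opposite.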

docs/global-secure-access/how-to-create-remote-network-custom-ike-policy.md

Lines changed: 7 additions & 4 deletions
@@ -4,7 +4,7 @@ description: Learn how to set up the bidirectional communication tunnel between
44
ms.author: jayrusso
55
author: HULKsmashGithub
66
ms.topic: how-to
7-
ms.date: 02/25/2025
7+
ms.date: 03/23/2026
88
ms.reviewer: absinh
99
ms.custom: sfi-image-nochange
1010
# Customer intent: As an IT admin, I need to be able to create a custom Internet Key Exchange (IKE) policy to set up the communication tunnel with Global Secure Access.
@@ -29,7 +29,7 @@ If you prefer to add custom IKE policy details to your remote network, you can d
2929

3030
To create a remote network with a custom IKE policy in the Microsoft Entra admin center:
3131

32-
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
32+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator).
3333

3434
1. Browse to **Global Secure Access** > **Connect** > **Remote networks**.
3535

@@ -63,7 +63,7 @@ There are several details to enter on the General tab. Pay close attention to th
6363
- This address is entered as the *peer* BGP​​ IP address on your CPE.
6464
- Refer to the [valid BGP addresses](reference-remote-network-configurations.md#valid-bgp-addresses) list for reserved values that can't be used.
6565

66-
1. Select the **Next**.
66+
1. Select **Next**.
6767

6868
### Add a link - Details tab
6969

@@ -97,13 +97,16 @@ There are several details to enter on the General tab. Pay close attention to th
9797

9898
Remote networks with a custom IKE policy can be created using Microsoft Graph on the `/beta` endpoint.
9999

100+
> [!IMPORTANT]
101+
> APIs under the `/beta` version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. For details, see [Microsoft Graph versioning and support](/graph/versioning-and-support).
102+
100103
1. Sign in to [Graph Explorer](https://aka.ms/ge).
101104
1. Select **POST** as the HTTP method from the dropdown.
102105
1. Set the API version to **beta**.
103106
1. Add the following query, then select **Run query**.
104107

105108
```http
106-
POST https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/dc6a7efd-6b2b-4c6a-84e7-5dcf97e62e04/deviceLinks
109+
POST https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/{remoteNetworkId}/deviceLinks
107110
Content-Type: application/json
108111
109112
{
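
Review bot: The request line now uses `{remoteNetworkId}`, but the numbered steps above it still go straight from setting the API version to "Add the following query, then select **Run query**", so nothing tells the reader where that ID comes from or that it must be substituted before running the query. Add a step or a sentence for that. The placeholder style also differs from `<your-preshared-key>`, introduced in how-to-manage-remote-network-device-links.md in this same commit; use one convention in both articles.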

docs/global-secure-access/how-to-create-remote-network-vwan.md

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@
22
title: Simulate remote network connectivity using Azure vWAN
33
description: Use Global Secure Access to configure Azure and Microsoft Entra resources to create a virtual wide area network to connect to your resources in Azure.
44
ms.topic: how-to
5-
ms.date: 02/25/2025
5+
ms.date: 03/23/2026
66
ms.author: jayrusso
77
author: HULKsmashGithub
88
ms.reviewer: absinh
@@ -19,7 +19,7 @@ To complete the steps in this process, you must have the following prerequisites
1919
- An Azure subscription and permission to create resources in the [Azure portal](https://portal.azure.com).
2020
- A basic understanding of virtual wide area networks (vWAN).
2121
- A basic understanding of [site-to-site VPN connections](/azure/vpn-gateway/tutorial-site-to-site-portal).
22-
- A Microsoft Entra tenant with the [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator) role assigned.
22+
- A Microsoft Entra tenant with the [Global Secure Access Administrator](/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator) role assigned.
2323
- A basic understanding of Azure virtual desktops or Azure virtual machines.
2424

2525
This document uses the following example values, along with the values in the images and steps. Feel free to configure these settings according to your own requirements.

docs/global-secure-access/how-to-manage-remote-network-device-links.md

Lines changed: 6 additions & 3 deletions
@@ -4,7 +4,7 @@ description: Learn how to add and delete customer premises equipment device link
44
ms.author: jayrusso
55
author: HULKsmashGithub
66
ms.topic: how-to
7-
ms.date: 02/25/2025
7+
ms.date: 03/23/2026
88
ms.reviewer: absinh
99
ms.custom: sfi-image-nochange
1010
# Customer intent: As an IT admin, I need to manage the router devices that connect to the Global Secure Access service so my customers can connect to the service.
@@ -83,6 +83,9 @@ The **Details** tab is where you establish the bidirectional communication chann
8383

8484
Remote networks with a custom IKE policy can be created using Microsoft Graph on the `/beta` endpoint.
8585

86+
> [!IMPORTANT]
87+
> APIs under the `/beta` version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. For details, see [Microsoft Graph versioning and support](/graph/versioning-and-support).
88+
8689
1. Sign in to [Graph Explorer](https://aka.ms/ge).
8790
1. Select `POST` as the HTTP method from the dropdown.
8891
1. Set the API version to beta.
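
Review bot: The `[!IMPORTANT]` callout added above the steps is word-for-word the one added to how-to-create-remote-network-custom-ike-policy.md, so the two copies can drift apart; consider a shared include. The context lines here also format the same steps differently from that article (`POST` in code style and an unbolded beta here, **POST** and **beta** there); align them while this list is being touched.
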
@@ -117,7 +120,7 @@ Sample response:
117120
},
118121
"tunnelConfiguration": {
119122
"@odata.type": "#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default",
120-
"preSharedKey": "test123"
123+
"preSharedKey": "<your-preshared-key>"
121124
}
122125
}
123126
```
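
Review bot: Replacing `"preSharedKey": "test123"` with a placeholder is right, but this block sits under "Sample response:", so the article shows the pre-shared key coming back in the response body. Check that the request sample earlier in the article uses the same `<your-preshared-key>` placeholder, and consider a sentence telling readers to treat Graph Explorer output and any saved responses as containing a secret.
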
@@ -130,7 +133,7 @@ You can delete device links through the Microsoft Entra admin center and using t
130133

131134
### [Microsoft Entra admin center](#tab/microsoft-entra-admin-center)
132135

133-
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
136+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator).
134137

135138
1. Browse to **Global Secure Access** > **Connect** > **Remote networks**. Device links appear in the **Links** column on the list of remote networks.
136139

docs/global-secure-access/reference-china-user-support.md

Lines changed: 3 additions & 2 deletions
@@ -1,10 +1,11 @@
11
---
2-
title: Global Secure Access Support in China (Preview)
2+
title: Global Secure Access support in China
33
description: Learn about how Microsoft is dedicated to supporting Global Secure Access capabilities in China.
44
ms.author: jayrusso
55
author: HULKsmashGithub
66
ms.topic: reference
7-
ms.date: 05/20/2025
7+
ms.service: global-secure-access
8+
ms.date: 03/09/2026
89
ms.reviewer: sumeetmittal
910

1011
# Customer intent: As an IT admin, I want to evaluate the regulatory constraints of using Global Secure Access in China so that I can ensure compliance and plan connectivity strategies effectively.
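
Review bot: The title drops "(Preview)", but this hunk touches front matter only. Confirm that the article body and any preview callout were updated to match, otherwise the title and the content will disagree about release status.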

docs/global-secure-access/reference-ciphers.md

Lines changed: 2 additions & 1 deletion
@@ -4,7 +4,8 @@ description: Learn about the supported cryptographic algorithms, or ciphers, use
44
ms.author: jayrusso
55
author: HULKsmashGithub
66
ms.topic: reference
7-
ms.date: 02/18/2025
7+
ms.service: global-secure-access
8+
ms.date: 03/09/2026
89
ms.reviewer: sumeetmittal
910

1011

docs/global-secure-access/reference-global-secure-access-certifications.md

Lines changed: 5 additions & 4 deletions
@@ -4,7 +4,8 @@ description: Global Secure Access maintains a compliance portfolio. This article
44
ms.author: jayrusso
55
author: HULKsmashGithub
66
ms.topic: reference
7-
ms.date: 05/29/2025
7+
ms.service: global-secure-access
8+
ms.date: 03/24/2026
89
ms.reviewer: abhijeetsinha
910

1011
#customer intent: As an IT admin, I want to know which certifications Global Secure Access supports so that I can ensure compliance with industry standards.
@@ -28,8 +29,8 @@ Global Secure Access is included in several Azure compliance audits. The support
2829
| GxP (FDA 21 CFR Part 11) | Azure can help customers meet their requirements under Good Clinical, Laboratory, and Manufacturing Practices (GxP), as well as regulations enforced by the US Food and Drug Administration (FDA) under 21 CFR Part 11. For more information, see [GxP (FDA 21 CFR Part 11)](/azure/compliance/offerings/offering-gxp). | ISO 27001:2013 |
2930
| HDS (France) | Microsoft Azure has the Health Data Hosting (Hébergeurs de Données de Santé, HDS) certification, which is required for all entities that host personal health data governed by French law. Microsoft is the first major cloud service provider to meet the strict French standards for storing and processing health data. For more information, see [Health Data Hosting (HDS) France](/compliance/regulatory/offering-hds-france). | ISO 27001:2013 |
3031
| HIPAA BAA (US) | The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes requirements for the use, disclosure, and safeguarding of protected health information (PHI). It applies to covered entities—doctors' offices, hospitals, health insurers, and other healthcare companies—with access to PHI, and to business associates, such as cloud service providers, that process PHI on their behalf. For more information, see [HIPAA (US)](/azure/compliance/offerings/offering-hipaa-us). | NA |
31-
| ISO 20000-1:2011 | ISO 20000-1:2011 is an international standard for IT service management that defines requirements for the development, implementation, monitoring, maintenance, and improvement of an IT service management system. For more information, see [ISO/IEC 20000-1:2018](/azure/compliance/offerings/offering-iso-20000-1). | ISO 27001:2013 |
32-
| ISO 22301:2012 | ISO 22301:2012 is the premium international standard for business continuity management that provides for a formal certification. For more information, see [ISO 22301:2019](/azure/compliance/offerings/offering-iso-22301). | ISO 27001:2013 |
32+
| ISO 20000-1:2018 | ISO 20000-1:2018 is an international standard for IT service management that defines requirements for the development, implementation, monitoring, maintenance, and improvement of an IT service management system. For more information, see [ISO/IEC 20000-1:2018](/azure/compliance/offerings/offering-iso-20000-1). | ISO 27001:2013 |
33+
| ISO 22301:2019 | ISO 22301:2019 is the premium international standard for business continuity management that provides for a formal certification. For more information, see [ISO 22301:2019](/azure/compliance/offerings/offering-iso-22301). | ISO 27001:2013 |
3334
| ISO 27001:2013 | The ISO 27000 family of standards gives a framework for policies and procedures that include all legal, physical, and technical controls in Microsoft Azure Compliance Offerings for an organization's information risk management. ISO 27001 lists the requirements for implementing, maintaining, monitoring, and improving an information security management system (ISMS). For more information, see [ISO 27001:2013](/azure/compliance/offerings/offering-iso-27001). | NA |
3435
| ISO 27017:2015 | The ISO 27017 code of practice is designed for organizations to use as a reference for selecting cloud services information security controls when implementing a cloud computing information security management system based on ISO 27002. Cloud service providers can also use ISO 27017 as a guidance document for implementing commonly accepted protection controls. For more information, see [ISO/IEC 27017:2015](/azure/compliance/offerings/offering-iso-27017). | ISO 27001:2013 |
3536
| ISO 27018:2019 | ISO 27018 is the first international code of practice for cloud privacy that provides guidelines based on ISO 27002 guidelines and best practices for information security management. Based on EU data-protection laws, it gives specific guidance to cloud service providers acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII. ISO 27018 establishes cloud-specific control objectives and guidelines for PII in accordance with the privacy principles in ISO 29100. For more information, see [ISO/IEC 27018:2019](/azure/compliance/offerings/offering-iso-27018). | ISO 27001:2013 |
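
Review bot: In the updated ISO 22301:2019 row, "is the premium international standard" reads like a typo for "premier"; fix it while the line is being changed. The version numbers in the first column now match the link text in both updated rows ("ISO/IEC 20000-1:2018", "ISO 22301:2019"), which is the right direction.
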
@@ -45,7 +46,7 @@ Global Secure Access is included in several Azure compliance audits. The support
4546
| SOC 3 | A SOC 3 report is a short, public version of the SOC 2 Type 2 attestation report. The SOC 3 report is for users who want assurance about the cloud service provider's controls but don't need a full SOC 2 report. For more information, see [System and Organization Controls (SOC) 3](/azure/compliance/offerings/offering-soc-3). | NA |
4647
| UK Cyber Essentials Plus | Cyber Essentials is a UK government-backed scheme that helps organizations check and reduce risks from common cybersecurity threats to their IT systems. Cyber Essentials is required for all UK government suppliers that handle personal data. For more information, see [UK Cyber Essentials Plus](/azure/compliance/offerings/offering-uk-cyber-essentials-plus). | ISO 27001:2013 |
4748
| UK G-Cloud | Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing. G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store—the Digital Marketplace. This approach enables public-sector organizations to compare and procure cloud services without having to do their own full review process. For more information, see [UK G-Cloud](/azure/compliance/offerings/offering-uk-g-cloud). | ISO 27001:2013 |
48-
| WCAG 2.0 | The Web Content Accessibility Guidelines 2.0 (WCAG 2.0) provide a framework for developing web content that improves accessibility for people with disabilities, and users of devices with limited graphical abilities. For more information, see [Web Content Accessibility Guidelines](/compliance/regulatory/offering-wcag-2-1). | ISO 27001:2013 |
49+
| WCAG | The Web Content Accessibility Guidelines (WCAG) provide a framework for developing web content that improves accessibility for people with disabilities, and users of devices with limited graphical abilities. For more information, see [Web Content Accessibility Guidelines](/compliance/regulatory/offering-wcag-2-1). | ISO 27001:2013 |
4950

5051
## Related content
5152
[Service Trust Portal](https://servicetrust.microsoft.com/)
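
Review bot: The WCAG row now names no version at all, while its link still targets `/compliance/regulatory/offering-wcag-2-1`. A certification table should state which version is covered; if it is the one the link slug indicates, say so in the first column and the description instead of dropping the number.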
