Commit 38e3056

Merge branch 'main' into cloud-support/20250106T1105230550Z
2 parents a1b4da8 + 139789e commit 38e3056

10 files changed

+23
-23
lines changed

api-reference/beta/api/domain-list.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@ GET /domains
3838
This method supports the [OData Query Parameters](/graph/query-parameters) to help customize the response.
3939

4040
> [!NOTE]
41-
> This API has a [known issue](https://developer.microsoft.com/graph/known-issues/?search=20454) related to the `$search` parameter.
41+
> This API has a [known issue](https://developer.microsoft.com/graph/known-issues/?search=20454) related to the `$search`, `$top`, and `$filter` query parameters.
4242
4343
## Request headers
4444
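
Review bot: The reworded note on line 41 now names `$search`, `$top`, and `$filter` but still doesn't say what goes wrong with them, while the context line above it continues to state that the method supports the OData query parameters without qualification. Add a short clause describing the observed behavior so a caller who depends on `$filter` or `$top` to bound the result set knows whether to filter client-side, instead of relying on the known-issue link alone.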

api-reference/beta/api/user-get.md

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -30,8 +30,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
3030
[!INCLUDE [permissions-table](../includes/permissions/user-get-permissions.md)]
3131

3232
>[!NOTE]
33-
> - Calling the `/me` endpoint requires a signed-in user and therefore a delegated permission. Application permissions are not supported when using the `/me` endpoint.
34-
> - The `User.Read` permission allows the app to read the profile, and discover relationships such as the group membership, reports and manager of the signed-in user only.
33+
> - Calling the `/me` endpoint requires a signed-in user and therefore a delegated permission. Application permissions aren't supported when using the `/me` endpoint.
34+
> - The `User.Read` permission allows the app to read the profile, and discover relationships such as the group membership, reports, and manager of the signed-in user only.
3535
3636
### Permissions for specific scenarios
3737
- To read the **employeeLeaveDateTime** property:
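
Review bot: In the second added bullet (line 34), the trailing "of the signed-in user only" can be read as scoping just "manager" rather than the whole permission. Since this sentence defines what `User.Read` exposes, lead with the scope, for example "For the signed-in user only, the `User.Read` permission allows the app to read the profile and discover relationships such as group membership, reports, and manager."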
@@ -41,7 +41,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
4141
- In delegated scenarios, the signed-in user must be assigned the *Attribute Assignment Administrator* role and the app granted the *CustomSecAttributeAssignment.Read.All* permission.
4242
- In app-only scenarios with Microsoft Graph permissions, the app must be granted the *CustomSecAttributeAssignment.Read.All* permission.
4343
- *User-Mail.ReadWrite.All* is the least privileged permission to read and write the **otherMails** property; also allows to read some identifier-related properties on the user object.
44-
- *User-PasswordProfile.ReadWrite.All* is the least privileged permission to read and write the **passwordProfile** property; also allows to read some identifier-related properties on the user object.
44+
- *User-PasswordProfile.ReadWrite.All* is the least privileged permission to read and write password reset-related properties; also allows to read some identifier-related properties on the user object.
4545
- *User-Phone.ReadWrite.All* is the least privileged permission to read and write the **businessPhones** and **mobilePhone** properties; also allows to read some identifier-related properties on the user object.
4646
- *User.EnableDisableAccount.All* + *User.Read.All* is the least privileged combination of permissions to read and write the **accountEnabled** property.
4747
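
Review bot: The added line 44 replaces the concrete **passwordProfile** with "password reset-related properties" without naming them, while the neighbouring bullets still list exact properties (**otherMails**, **businessPhones**, **mobilePhone**, **accountEnabled**). Someone granting least privilege can no longer tell from this page what *User-PasswordProfile.ReadWrite.All* can write; list the properties or link to where they are defined. The carried-over "also allows to read" could be fixed in the same pass ("also allows reading").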

@@ -56,7 +56,7 @@ GET /users/{id | userPrincipalName}
5656

5757
> [!TIP]
5858
>
59-
> + When the **userPrincipalName** begins with a `$` character, the GET request URL syntax `/users/$x@y.com` fails with a `400 Bad Request` error code. This is because this request URL violates the OData URL convention, which expects only system query options to be prefixed with a `$` character. Remove the slash (/) after `/users` and enclose the **userPrincipalName** in parentheses and single quotes, as follows: `/users('$x@y.com')`. For example, `/users('$AdeleVance@contoso.com')`.
59+
> + When the **userPrincipalName** begins with a `$` character, the GET request URL syntax `/users/$x@y.com` fails with a `400 Bad Request` error code. The request fails because the URL violates the OData URL convention, which expects only system query options to be prefixed with a `$` character. Remove the slash (/) after `/users` and enclose the **userPrincipalName** in parentheses and single quotes, as follows: `/users('$x@y.com')`. For example, `/users('$AdeleVance@contoso.com')`.
6060
> + To query a B2B user using the **userPrincipalName**, encode the hash (#) character. That is, replace the `#` symbol with `%23`. For example, `/users/AdeleVance_adatum.com%23EXT%23@contoso.com`.
6161
6262
For the signed-in user:
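
Review bot: The tip's two bullets (line 59 and the unchanged line 60) give separate rules, quoting for a leading `$` and `%23` for `#`, but don't say whether they combine. Since line 59 is being reworded anyway, state whether `#` must still be encoded inside the `/users('...')` form, so callers who build the URL from a stored **userPrincipalName** apply both rules consistently.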
@@ -67,7 +67,7 @@ GET /me
6767

6868
## Optional query parameters
6969

70-
This method supports the `$select` [OData query parameter](/graph/query-parameters) to retrieve specific user properties, including those that are not returned by default. Extension properties also support query parameters as follows:
70+
This method supports the `$select` [OData query parameter](/graph/query-parameters) to retrieve specific user properties, including those not returned by default. Extension properties also support query parameters as follows:
7171

7272
| Extension type | Comments |
7373
|------------------------------------|-------------------------------------------------------------------------------------|
@@ -247,7 +247,7 @@ Content-type: application/json
247247

248248
### Example 3: Use $select to retrieve specific properties of a user
249249

250-
To retrieve specific properties, use the OData `$select` query parameter. For example, to return _displayName_, _givenName_, _postalCode_, and _identities_, you would use the add the following to your query `$select=displayName,givenName,postalCode,identities`
250+
To retrieve specific properties, use the OData `$select` query parameter. For example, to return _displayName_, _givenName_, _postalCode_, and _identities_, add the following query expression to your query `$select=displayName,givenName,postalCode,identities`
251251

252252
#### Request
253253
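
Review bot: The new sentence on line 250 reads "add the following query expression to your query `$select=...`", which repeats "query" and runs straight into the literal with no colon or closing period. Suggest "add the following expression to your query: `$select=displayName,givenName,postalCode,identities`." to match the wording used for `$select` in the v1.0 user-get file in this same commit.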

@@ -436,7 +436,7 @@ Content-type: application/json
436436
}
437437
```
438438

439-
If there are no custom security attributes assigned to the user or if the calling principal does not have access, the following will be the response:
439+
If there are no custom security attributes assigned to the user or if the calling principal does not have access, the following block shows the response:
440440

441441
```http
442442
HTTP/1.1 200 OK
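
Review bot: The reworded sentence on line 439 still maps two different conditions (no custom security attributes assigned, or the calling principal lacks access) to one response, and the context below shows that response is `HTTP/1.1 200 OK`. State explicitly that the two cases can't be told apart from the status code, so a caller doesn't treat an empty result as proof that nothing is assigned. The line also keeps "does not" while this commit changes "are not" to "aren't" elsewhere.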

api-reference/beta/api/user-list.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ Guest users cannot call this API. For more information about the permissions for
3535

3636
### Permissions for specific scenarios
3737
- *User-Mail.ReadWrite.All* is the least privileged permission to read and write the **otherMails** property; also allows to read some identifier-related properties on the user object.
38-
- *User-PasswordProfile.ReadWrite.All* is the least privileged permission to read and write the **passwordProfile** property; also allows to read some identifier-related properties on the user object.
38+
- *User-PasswordProfile.ReadWrite.All* is the least privileged permission to read and write password reset-related properties; also allows to read some identifier-related properties on the user object.
3939
- *User-Phone.ReadWrite.All* is the least privileged permission to read and write the **businessPhones** and **mobilePhone** properties; also allows to read some identifier-related properties on the user object.
4040
- *User.EnableDisableAccount.All* + *User.Read.All* is the least privileged combination of permissions to read and write the **accountEnabled** property.
4141
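
Review bot: The changed bullet on line 38 is the same sentence edited by hand in user-get.md and user-list.md for both beta and v1.0. These files already pull the permissions table through `[!INCLUDE ...]`; moving the "Permissions for specific scenarios" bullets into a shared include would stop the four copies from drifting the next time the permission's scope is reworded.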

api-reference/beta/resources/devicetemplate.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -46,7 +46,7 @@ Inherits from [directoryObject](../resources/directoryobject.md).
4646
|Relationship|Type|Description|
4747
|:---|:---|:---|
4848
|deviceInstances|[device](../resources/device.md) collection|Collection of **device** objects created based on this template.|
49-
|owners|[directoryObject](../resources/directoryobject.md) collection|Collection of directory objects that can manage the device template and the related **deviceInstances**. Owners can be represented as [service principals](..\resources\serviceprincipal.md), [users](..\resources\users.md), or [applications](..\resources\application.md). An owner has full privileges over the device template and doesn't require other administrator roles to create, update, or delete devices from this template, as well as to add or remove template owners. |
49+
|owners|[directoryObject](../resources/directoryobject.md) collection|Collection of directory objects that can manage the device template and the related **deviceInstances**. Owners can be represented as [service principals](..\resources\serviceprincipal.md), [users](..\resources\users.md), or [applications](..\resources\application.md). An owner has full privileges over the device template and doesn't require other administrator roles to create, update, or delete devices from this template, as well as to add or remove template owners. <br/><br/> Supports `$expand`. |
5050

5151
## JSON representation
5252
The following JSON representation shows the resource type.
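
Review bot: The touched **owners** row on line 49 still links with backslashes (`..\resources\serviceprincipal.md`, `..\resources\users.md`, `..\resources\application.md`) while the first link in the same cell uses `../resources/directoryobject.md`. Normalize them to forward slashes while the line is being edited, and check the `users.md` target, since other files in this commit link the user resource as `../resources/user.md`.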

api-reference/beta/resources/identity-network-access-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -50,7 +50,7 @@ A core functionality of identity and access management is managing your tenant c
5050
| Retrieve BitLocker recovery keys | [bitlockerRecoveryKey resource type](bitlockerrecoverykey.md) and its associated APIs |
5151
| Manage custom security attributes | See [Overview of custom security attributes using the Microsoft Graph API](custom-security-attributes-overview.md) |
5252
| Manage deleted directory objects. The functionality to store deleted objects in a "recycle bin" is supported for the following objects: <li> Administrative units <li> Applications <li> Public key infrastructure<li> External user profiles <li> Groups <li> Pending external user profiles <li> Service principals <li> Users | <li> [Get](../api/directory-deleteditems-get.md) or [List](../api/directory-deleteditems-list.md) deleted objects <li> [Permanently delete](../api/directory-deleteditems-delete.md) a deleted object <li> [Restore a deleted item](../api/directory-deleteditems-restore.md) <li> [List deleted items owned by user](../api/directory-deleteditems-getuserownedobjects.md) |
53-
| Manage devices in the cloud | [device resource type](device.md) and its associated APIs |
53+
| Manage devices in the cloud |<li> [device resource type](device.md) and its associated APIs <li> [deviceTemplate resource type](devicetemplate.md) and its associated APIs|
5454
| View local administrator credential information for all device objects in Microsoft Entra ID that are enabled with Local Admin Password Solution (LAPS). This feature is the cloud-based LAPS solution | [deviceLocalCredentialInfo resource type](devicelocalcredentialinfo.md) and its associated APIs |
5555
| Directory objects are the core objects in Microsoft Entra ID, such as users, groups, and applications. You can use the directoryObject resource type and its associated APIs to check memberships of directory objects, track changes for multiple directory objects, or validate that a Microsoft 365 group's display name or mail nickname complies with naming policies | [directoryObject resource type](directoryobject.md) and its associated APIs |
5656
| Administrator roles, including Microsoft Entra administrator roles, are one of the most sensitive resources in a tenant. You can manage the lifecycle of their assignment in the tenant, including creating custom roles, assigning roles, tracking changes to role assignments, and removing assignees from roles | [directoryRole resource type](directoryrole.md) and [directoryRoleTemplate resource type](directoryroletemplate.md) and their associated APIs <br/><br/> [roleManagement resource type](rolemanagement.md) and its associated APIs (**recommended**)<br/><br/> These APIs allow you to make direct role assignments. Alternatively, you can use Privileged Identity Management APIs for [Microsoft Entra roles](privilegedidentitymanagementv3-overview.md) and [groups](privilegedidentitymanagement-for-groups-api-overview.md) to make just-in-time and time-bound role assignments, instead of direct forever active assignments. |
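
Review bot: The new cell on line 53 starts `|<li>` and ends `APIs|` with no padding, unlike the neighbouring rows, which keep a space inside each pipe. Add the spaces so the row matches the rest of the table source: `| <li> [device resource type](device.md) ... APIs |`.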

api-reference/v1.0/api/domain-list.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ GET /domains
3535

3636
This method supports the [OData Query Parameters](/graph/query-parameters) to help customize the response.
3737
> [!NOTE]
38-
> This API has a [known issue](https://developer.microsoft.com/graph/known-issues/?search=20454) related to the `$search` parameter.
38+
> This API has a [known issue](https://developer.microsoft.com/graph/known-issues/?search=20454) related to the `$search`, `$top`, and `$filter` query parameters.
3939
4040
## Request headers
4141

api-reference/v1.0/api/user-get.md

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -28,8 +28,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
2828
[!INCLUDE [permissions-table](../includes/permissions/user-get-permissions.md)]
2929

3030
>[!NOTE]
31-
> - Calling the `/me` endpoint requires a signed-in user and therefore a delegated permission. Application permissions are not supported when using the `/me` endpoint.
32-
> - The `User.Read` permission allows the app to read the profile, and discover relationships such as the group membership, reports and manager of the signed-in user only.
31+
> - Calling the `/me` endpoint requires a signed-in user and therefore a delegated permission. Application permissions aren't supported when using the `/me` endpoint.
32+
> - The `User.Read` permission allows the app to read the profile, and discover relationships such as the group membership, reports, and manager of the signed-in user only.
3333
3434
### Permissions for specific scenarios
3535
- To read the **employeeLeaveDateTime** property:
@@ -39,7 +39,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
3939
- In delegated scenarios, the signed-in user must be assigned the *Attribute Assignment Administrator* role and the app granted the *CustomSecAttributeAssignment.Read.All* permission.
4040
- In app-only scenarios with Microsoft Graph permissions, the app must be granted the *CustomSecAttributeAssignment.Read.All* permission.
4141
- *User-Mail.ReadWrite.All* is the least privileged permission to read and write the **otherMails** property; also allows to read some identifier-related properties on the user object.
42-
- *User-PasswordProfile.ReadWrite.All* is the least privileged permission to read and write the **passwordProfile** property; also allows to read some identifier-related properties on the user object.
42+
- *User-PasswordProfile.ReadWrite.All* is the least privileged permission to read and write password reset-related properties; also allows to read some identifier-related properties on the user object.
4343
- *User-Phone.ReadWrite.All* is the least privileged permission to read and write the **businessPhones** and **mobilePhone** properties; also allows to read some identifier-related properties on the user object.
4444
- *User.EnableDisableAccount.All* + *User.Read.All* is the least privileged combination of permissions to read and write the **accountEnabled** property.
4545

@@ -53,7 +53,7 @@ GET /users/{id | userPrincipalName}
5353

5454
> [!TIP]
5555
>
56-
> + When the **userPrincipalName** begins with a `$` character, the GET request URL syntax `/users/$x@y.com` fails with a `400 Bad Request` error code. This is because this request URL violates the OData URL convention, which expects only system query options to be prefixed with a `$` character. Remove the slash (/) after `/users` and enclose the **userPrincipalName** in parentheses and single quotes, as follows: `/users('$x@y.com')`. For example, `/users('$AdeleVance@contoso.com')`.
56+
> + When the **userPrincipalName** begins with a `$` character, the GET request URL syntax `/users/$x@y.com` fails with a `400 Bad Request` error code. The request fails because the URL violates the OData URL convention, which expects only system query options to be prefixed with a `$` character. Remove the slash (/) after `/users` and enclose the **userPrincipalName** in parentheses and single quotes, as follows: `/users('$x@y.com')`. For example, `/users('$AdeleVance@contoso.com')`.
5757
> + To query a B2B user using the **userPrincipalName**, encode the hash (#) character. That is, replace the `#` symbol with `%23`. For example, `/users/AdeleVance_adatum.com%23EXT%23@contoso.com`.
5858
5959
For the signed-in user:
@@ -63,9 +63,9 @@ GET /me
6363
```
6464

6565
## Optional query parameters
66-
This method supports the `$select` [OData query parameter](/graph/query-parameters) to retrieve specific user properties, including those that aren't returned by default.
66+
This method supports the `$select` [OData query parameter](/graph/query-parameters) to retrieve specific user properties, including those not returned by default.
6767

68-
By default, only a limited set of properties are returned ( _businessPhones, displayName, givenName, id, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, userPrincipalName_ ).
68+
By default, only a limited set of properties are returned (_businessPhones, displayName, givenName, id, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, userPrincipalName_).
6969

7070
To return an alternative property set, you must specify the desired set of [user](../resources/user.md) properties using the OData `$select` query parameter. For example, to return _displayName_, _givenName_, and _postalCode_, add the following expression to your query `$select=displayName,givenName,postalCode`.
7171
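
Review bot: Line 68 is touched only to tighten the parentheses, but it still reads "only a limited set of properties are returned". Since the line is already changing, fix the agreement to "only a limited set of properties is returned".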

@@ -253,7 +253,7 @@ Content-type: application/json
253253

254254
### Example 3: Use $select to retrieve specific properties of a user
255255

256-
To retrieve specific properties, use the OData `$select` query parameter. For example, to return _displayName_, _givenName_, _postalCode_, and _identities_, you would use the add the following to your query `$select=displayName,givenName,postalCode,identities`
256+
To retrieve specific properties, use the OData `$select` query parameter. For example, to return _displayName_, _givenName_, _postalCode_, and _identities_, add the following query expression to your query `$select=displayName,givenName,postalCode,identities`
257257

258258
#### Request
259259

@@ -513,7 +513,7 @@ Content-type: application/json
513513
}
514514
```
515515

516-
If there are no custom security attributes assigned to the user or if the calling principal doesn't have access, the following will be the response:
516+
If there are no custom security attributes assigned to the user or if the calling principal doesn't have access, the following block shows the response:
517517

518518
```http
519519
HTTP/1.1 200 OK

api-reference/v1.0/api/user-list.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ Guests can't call this API. For more information about the permissions for membe
3333

3434
### Permissions for specific scenarios
3535
- *User-Mail.ReadWrite.All* is the least privileged permission to read and write the **otherMails** property; also allows to read some identifier-related properties on the user object.
36-
- *User-PasswordProfile.ReadWrite.All* is the least privileged permission to read and write the **passwordProfile** property; also allows to read some identifier-related properties on the user object.
36+
- *User-PasswordProfile.ReadWrite.All* is the least privileged permission to read and write password reset-related properties; also allows to read some identifier-related properties on the user object.
3737
- *User-Phone.ReadWrite.All* is the least privileged permission to read and write the **businessPhones** and **mobilePhone** properties; also allows to read some identifier-related properties on the user object.
3838
- *User.EnableDisableAccount.All* + *User.Read.All* is the least privileged combination of permissions to read and write the **accountEnabled** property.
3939

changelog/Microsoft.DirectoryServices.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -113,7 +113,7 @@
113113
"ApiChange": "Permission",
114114
"ChangedApiName": "User-PasswordProfile.ReadWrite.All",
115115
"ChangeType": "Addition",
116-
"Description": "Added support for the `User-PasswordProfile.ReadWrite.All` delegated and application permissions to the read and write operations of the [user](https://learn.microsoft.com/graph/api/resources/user?view=graph-rest-1.0) resource. This permission is the least privileged permission required to reset a user's password and read and update the **passwordProfile** property for a user. It also allows you to read some identifier-related properties on the user object.",
116+
"Description": "Added support for the `User-PasswordProfile.ReadWrite.All` delegated and application permissions to the read and write operations of the [user](https://learn.microsoft.com/graph/api/resources/user?view=graph-rest-1.0) resource. This permission is the least privileged permission required to reset a user's password and read and write password reset-related properties on the user object. It also allows you to read some identifier-related properties on the user object.",
117117
"Target": "user"
118118
},
119119
{
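
Review bot: Line 116 rewrites the description of an existing changelog entry and removes its only mention of **passwordProfile**, so anyone searching the changelog for that property no longer finds which permission covers it. Keep the property name alongside the broader wording, for example "read and write password reset-related properties, including **passwordProfile**", or record the scope clarification as its own entry.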
