Merge branch 'main' into tnote

Author: KumarVivek

.openpublishing.publish.config.json

@@ -64,12 +64,6 @@
       "branch": "master",
       "branch_mapping": {}
     },
-    {
-      "path_to_root": "msft-shared-content",
-      "url": "https://github.com/MicrosoftDocs/reusable-content",
-      "branch": "main",
-      "branch_mapping": {}
-    },
     {
       "path_to_root": "shared-content",
       "url": "https://github.com/MicrosoftDocs/powerapps-docs-pr",

power-platform/admin/TOC.yml

@@ -599,7 +599,7 @@
                   href: analytics-ui-flow.md
             - name: Reports
               items:
-                - name: Tenant-level analytics (default)
+                - name: Tenant-level analytics (preview)
                   href: tenant-level-analytics.md
                 - name: Power Apps analytics
                   href: powerapps-analytics-reports.md

power-platform/admin/about-lockbox.md

@@ -138,13 +138,15 @@ In addition, access to Customer Lockbox for Microsoft Power Platform and Dynamic
 
 ## Exclusions
 
-Lockbox requests aren't triggered in the following engineering support scenarios:
+- Lockbox requests aren't triggered in the following engineering support scenarios:
 
-- Emergency scenarios that fall outside of standard operating procedures, such as a major service outage that requires immediate attention to recover or restore services in unexpected or unpredictable cases. These “break glass” events are rare and, in most instances, don't require any access to customer data to resolve.
+    - Emergency scenarios that fall outside of standard operating procedures, such as a major service outage that requires immediate attention to recover or restore services in unexpected or unpredictable cases. These “break glass” events are rare and, in most instances, don't require any access to customer data to resolve.
 
-- A Microsoft engineer accesses the underlying platform as part of troubleshooting and is inadvertently exposed to customer data. It's rare that such scenarios would result in access to meaningful quantities of customer data.  
+    - A Microsoft engineer accesses the underlying platform as part of troubleshooting and is inadvertently exposed to customer data. It's rare that such scenarios would result in access to meaningful quantities of customer data.  
 
-Customer Lockbox requests are also not triggered by external legal demands for data. For details, refer to the discussion of government requests for data in the [Microsoft Trust Center](https://www.microsoft.com/trust-center/).
+- Customer Lockbox requests are also not triggered by external legal demands for data. For details, refer to the discussion of government requests for data in the [Microsoft Trust Center](https://www.microsoft.com/trust-center/).
+
+- Customer Lockbox won't apply to the access and manual review of customer data shared for Copilot AI features. Customer Lockbox will remain enabled for all in-scope data. 
 
 ## Known issues
 

power-platform/admin/block-cookie-replay-attack.md

@@ -1,10 +1,10 @@
 ---
 title: Block cookie replay attacks in Dataverse
 description: Learn how to use IP-based cookie binding to block session hijacking attacks in Dataverse.
-ms.date: 01/24/2023
+ms.date: 05/17/2023
 ms.topic: conceptual
 author: ritesp
-ms.reviewer: kvivek
+ms.reviewer: sericks
 ms.author: ritesp
 ms.subservice: admin
 search.audienceType: 
@@ -14,7 +14,7 @@ search.audienceType:
 
 Prevent session hijacking exploits in Dataverse with IP address-based cookie binding. Let's say that a malicious user copies a valid session cookie from an authorized computer that has cookie IP binding enabled. The user then tries to use the cookie on a different computer to gain unauthorized access to Dataverse. In real time, Dataverse compares the IP address of the cookie's origin against the IP address of the computer making the request. If the two are different, the attempt is blocked, and an error message is shown.
 
-IP-based cookie binding is available in all environments across all tenants, including government clouds. You can enable this feature in the [Power Platform admin center](https://admin.powerplatform.microsoft.com/).
+IP-based cookie binding is available only for [Managed Environments](managed-environment-licensing.md) across all tenants, including government clouds. You can enable this feature in the [Power Platform admin center](https://admin.powerplatform.microsoft.com/).
 
 
 ## Enable IP address-based cookie binding

power-platform/admin/content-security-policy.md

@@ -1,12 +1,12 @@
 ---
 title: "Content security policy"
 description: "Use content security policy to prevent clickjacking in Power Apps."  
-ms.date: 01/31/2023
+ms.date: 05/16/2023
 ms.topic: conceptual
 author: JesseParsons
 ms.subservice: admin
 ms.author: jeparson
-ms.reviewer: kvivek
+ms.reviewer: sericks
 ms.custom: "admin-security"
 search.audienceType: 
   - admin
@@ -40,15 +40,15 @@ To configure CSP, navigate to the [Power Platform admin center](https://admin.po
 
 ### Reporting
 
-The "Enable reporting" toggle controls whether model-driven and canvas apps send violation reports. Enabling it requires an endpoint to be specified. Violation reports will be sent to this endpoint regardless of whether CSP is enforced or not (using report-only mode if CSP isn't enforced). For more information, see [reporting documentation](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only).
+The "Enable reporting" toggle controls whether model-driven and canvas apps send violation reports. Enabling it requires an endpoint to be specified. Violation reports are sent to this endpoint regardless of whether CSP is enforced or not (using report-only mode if CSP isn't enforced). For more information, see [reporting documentation](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only).
 
 ![Enabling reporting endpoint](media/csp-reporting.png "Enabling reporting endpoint")
 
 ### Enforcement
 
 Enforcement of CSP is controlled independently for model-driven and canvas apps to provide granular control over policies. Use the model-driven/canvas pivot to modify the intended app type.
 
-The "Enforce content security policy" toggle turns on the default policy for enforcement, as specified above, for the given app type. Turning on this toggle will change the behavior of apps in this environment to adhere to the policy. Therefore, the suggested enablement flow would be:
+The "Enforce content security policy" toggle turns on the default policy for enforcement, as specified above, for the given app type. Turning on this toggle changes the behavior of apps in this environment to adhere to the policy. Therefore, the suggested enablement flow would be:
 1. Enforce on a dev/test environment.
 2. Enable report-only mode in production.
 3. Enforce in production once no violations are reported.
@@ -68,6 +68,8 @@ For Microsoft Teams integration using the [Dynamics 365 app](/dynamics365/teams-
 - `https://teams.microsoft.com/`
 - `https://msteamstabintegration.dynamics.com/`
 
+For Dynamics 365 App for Outlook, you must add your Outlook Web App homepage origin to `frame-ancestors`.
+
 ### Important considerations
 Turning off the default directive and saving with an empty list *turns off the directive completely* and doesn't send it as part of the CSP response header.
 
@@ -118,7 +120,7 @@ CSP can be configured without using the UI by modifying the following organizati
 
 - [ContentSecurityPolicyConfigurationForCanvas](/powerapps/developer/data-platform/reference/entities/organization#BKMK_ContentSecurityPolicyConfigurationForCanvas) controls the policy for canvas using the same process described in `ContentSecurityPolicyConfiguration` above.
 
-- [ContentSecurityPolicyReportUri](/powerapps/developer/data-platform/reference/entities/organization#BKMK_ContentSecurityPolicyReportUri) controls whether reporting should be used. This setting is used by both model-driven and canvas apps. A valid string will send violation reports to the specified endpoint, using report-only mode if `IsContentSecurityPolicyEnabled`/`IsContentSecurityPolicyEnabledForCanvas` is turned off. An empty string disables reporting. For more information, see [reporting documentation](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only).
+- [ContentSecurityPolicyReportUri](/powerapps/developer/data-platform/reference/entities/organization#BKMK_ContentSecurityPolicyReportUri) controls whether reporting should be used. This setting is used by both model-driven and canvas apps. A valid string sends violation reports to the specified endpoint, using report-only mode if `IsContentSecurityPolicyEnabled`/`IsContentSecurityPolicyEnabledForCanvas` is turned off. An empty string disables reporting. For more information, see [reporting documentation](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only).
 
 ## Configuring CSP without UI
 Especially for environments not in the Power Platform admin center such as on-premises configurations, admins may want to configure CSP using scripts to directly modify settings.

power-platform/admin/database-security.md

@@ -10,7 +10,7 @@ contributors:
 ms.custom: "admin-security"
 ms.component: pa-admin
 ms.topic: conceptual
-ms.date: 05/07/2023
+ms.date: 05/16/2023
 search.audienceType: 
   - admin
 ---
@@ -57,9 +57,10 @@ For users who make apps that connect to the database and need to create or updat
 | Environment Maker     |  Customizations       | Can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role doesn't have any privileges to access data within an environment. More information: [Environments overview](./environments-overview.md) <br /> <br />Environment makers can also distribute the apps they build in an environment to other users in your organization. They can share the app with individual users, security groups, or all users in the organization. More information: [Share an app in Power Apps](/powerapps/maker/canvas-apps/share-app)       |
 | Global Reader  |   | The [Global Reader](/azure/active-directory/roles/permissions-reference) role is not yet supported in the Power Platform admin center.  |
 | Office Collaborator | Read (self) | Has Read permission to tables where a record from these tables was shared with the organization. Does not have access to any other core and custom table records. This role is assigned to the Office Collaborators owner team and not to an individual user.   |
-| Service Reader | Read | Has full Read permission to all entities including custom entities. This is primarily used by backend service that requires reading all entities.    |
-| Service Writer | Create, Read, Write | Has full Create, Read, and Write permission to all entities including custom entities. This is primarily used by backend service that requires creating and updating records.    |
-| Support User | Read Customizations, Read Business Management settings      | Has full Read permission to customization and business management settings to allow Support staff to troubleshoot environment configuration issues. Does not have access to core records.      |
+| Service Deleted | Delete | Has full Delete permission to all entities, including custom entities. This is primarily used by the service and requires deleting records in all entities. **This role cannot be assigned to a user or team.**   |
+| Service Reader | Read | Has full Read permission to all entities, including custom entities. This is primarily used by the service and requires reading all entities. **This role cannot be assigned to a user or team.**   |
+| Service Writer | Create, Read, Write | Has full Create, Read, and Write permission to all entities, including custom entities. This is primarily used by the service and requires creating and updating records. **This role cannot be assigned to a user or team.**   |
+| Support User | Read Customizations, Read Business Management settings      | Has full Read permission to customization and business management settings, which allow support staff to troubleshoot environment configuration issues. This role does not have access to core records. **This role cannot be assigned to a user or team.**        |
 | System Administrator     |  Create, Read, Write, Delete, Customizations, Security Roles       | Has full permission to customize or administer the environment, including creating, modifying, and assigning security roles. Can view all data in the environment. More information: [Privileges required for customization](/power-apps/maker/model-driven-apps/privileges-required-customization)        |
 | System Customizer     | Create, Read, Write, Delete, Customizations         | Has full permission to customize the environment. Can view all custom table data in the environment. However, users with this role can only view rows (records) that they create in Account, Contact, Activity tables. More information: [Privileges required for customization](/power-apps/maker/model-driven-apps/privileges-required-customization)        |
 
@@ -99,18 +100,20 @@ The following table describes which resources can be authored by each security r
 |Resource  |Environment Maker  |Environment Admin  |System Customizer  |System Admin  |
 |---------|---------|---------|---------|---------|
 |Canvas app     |X         |X         |X        |X         |
-|Cloud flow     |X (non-solution aware)         |X         |X (solution aware)         |X         |
+|Cloud flow     |X (non-solution aware)         |X         |X         |X         |
 |Connector     |X (non-solution aware)         |X         |X         |X         |
-|Connection     |X         |X         |X         |X         |
+|Connection<sup>*</sup>     |X         |X         |X         |X         |
 |Data gateway     |X         |X         |-         |X         |
 |Dataflow     |X         |X         |-         |X         |
 |Dataverse tables     |-         |-         |X         |X         |
 |Model-driven app     |X        |-         |X         |X         |
 |Solution framework     |X         |-         |X         |X         |
-|<sup>*</sup>Desktop flow     |-         |-         |X         |X         |
+|Desktop flow<sup>**</sup>     |-         |-         |X         |X         |
 |AI Builder     |-         |-         |X         |X         |
 
-<sup>*</sup>Dataverse for Teams users don’t get access to desktop flows by default. You need to upgrade your environment to full Dataverse capabilities and acquire [Desktop flow license plans](https://powerautomate.microsoft.com/pricing/) in order to use desktop flows.
+\*Connections are used in [canvas apps](/power-apps/maker/canvas-apps/add-manage-connections) and [Power Automate](/power-automate/add-manage-connections).
+
+\**Dataverse for Teams users don’t get access to desktop flows by default. You need to upgrade your environment to full Dataverse capabilities and acquire [Desktop flow license plans](https://powerautomate.microsoft.com/pricing/) in order to use desktop flows.
 
 ## Assign security roles to users in an environment that has no Dataverse database 
 

power-platform/admin/delete-business-unit.md

@@ -1,19 +1,20 @@
 ---
-title: "Delete a business unit from an environment"
-description: "Learn how to deactivate and delete a business unit from an environment. Learn about the considerations before taking this irreversible action."
-author: jimholtz
-
+title: "Disable and delete a business unit from an environment"
+description: "Learn how to disable and delete a business unit from an environment. Learn about the considerations before taking this irreversible action."
+author: paulliew
 ms.component: pa-admin
 ms.topic: conceptual
-ms.date: 03/10/2020
+ms.date: 05/18/2023
 ms.subservice: admin
-ms.author: jimholtz
+ms.author: paulliew
+ms.reviewer: sericks
 search.audienceType: 
   - admin
 ---
-# Delete a business unit
 
-You can delete a business unit to completely remove it.  
+# Disable and delete a business unit
+
+You can delete a business unit to completely remove it. To delete a business unit, you must first disable it.
 
 > [!IMPORTANT]
 >  Before deleting a business unit, be sure to consider the following:  
@@ -22,25 +23,34 @@ You can delete a business unit to completely remove it.
 > -   The records owned by the business unit (for example: Teams, Facilities/Equipment, and Resource Groups) are deleted at the same time you delete the business unit.  
 > -   You can't delete a business unit until you reassign all the business unit records to another business unit.  
 
+## Disable a business unit
+
 1. In the Microsoft Power Platform admin center, select an environment. 
 
 2. Select **Settings** > **Users + permissions** > **Business units**.  
 
-3. Click to select the business unit that you want to delete.  
+3. Click to select the business unit that you want to disable.  
 
 4. On the Actions toolbar, choose **More Actions** > **Disable**.  
 
 > [!IMPORTANT]
-> When you disable a business unit, all users and teams associated with the business unit will not be able to sign in. You will need to reparent users and teams to another business unit and reassign security roles.
+> When you disable a business unit which has child business units, all child business units (all depths) are disabled.
+> 
+> All users and teams associated with the business unit or child business units won't be able to sign in. You must reparent users and teams to another business unit and reassign security roles.
 
 5. In the **Confirm Deactivation** dialog box, choose **Deactivate**.  
-  
+
+## Delete a business unit
+
 6. Change the view to **Inactive Business Units**.
 
 7. Select the business unit to delete, and then choose the **Delete** icon ![Delete button.](../admin/media/delete.png "Delete button").  
 
 8. In the **Confirm Deletion** dialog box, choose **Delete**.  
 
+> [!IMPORTANT]
+> When you need to delete a business unit which has child business units, all child business units (all depths) must be deleted first.
+
 > [!TIP]
 > If you get an error, be sure to reparent users and teams to another business unit.