MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/TOC.yml
Lines changed: 76 additions & 66 deletions b/‎articles/active-directory/authentication/TOC.yml
Lines changed: 76 additions & 66 deletions
diff --git a/‎articles/active-directory/authentication/concept-authentication-methods-manage.md
Lines changed: 110 additions & 0 deletions b/‎articles/active-directory/authentication/concept-authentication-methods-manage.md
Lines changed: 110 additions & 0 deletions
@@ -26,6 +26,8 @@
     items:
     - name: Overview
       href: concept-authentication-methods.md
+    - name: Manage 
+      href: concept-authentication-methods-manage.md
     - name: Microsoft Authenticator app
       href: concept-authentication-authenticator-app.md
     - name: OATH tokens
@@ -84,6 +86,80 @@
     href: concept-resilient-controls.md
 - name: How-to guides
   items:
+  - name: Manage authentication methods
+    href: how-to-authentication-methods-manage.md      
+  - name: Passwordless
+    items: 
+      - name: Deploying passwordless
+        href: howto-authentication-passwordless-deployment.md
+      - name: Passwordless FIDO2 security keys
+        items:
+          - name: Enable FIDO2 security keys 
+            href: howto-authentication-passwordless-security-key.md
+          - name: Sign in to Windows 10 devices
+            href: howto-authentication-passwordless-security-key-windows.md
+          - name: SSO to on-premises resources
+            href: howto-authentication-passwordless-security-key-on-premises.md
+          - name: Hybrid FAQs
+            href: howto-authentication-passwordless-faqs.md
+          - name: Troubleshoot hybrid
+            href: howto-authentication-passwordless-troubleshoot.md
+      - name: Passwordless phone sign-in
+        items:
+        - name: Manage
+          href: howto-authentication-passwordless-phone.md
+        - name: Run a registration campaign
+          href: how-to-mfa-registration-campaign.md
+        - name: Use number matching 
+          href: how-to-mfa-number-match.md
+        - name: Use additional context 
+          href: how-to-mfa-additional-context.md
+        - name: Use Microsoft managed settings 
+          href: how-to-mfa-microsoft-managed.md
+      - name: Windows Hello for Business
+        href: /windows/security/identity-protection/hello-for-business/hello-identity-verification
+      - name: Use a Temporary Access Pass
+        href: howto-authentication-temporary-access-pass.md
+      - name: Use SMS-based authentication
+        items:  
+        - name: Manage
+          href: howto-authentication-sms-signin.md
+        - name: Supported apps for SMS-based authentication
+          href: how-to-authentication-sms-supported-apps.md
+        - name: Two-way SMS unsupported
+          href: how-to-authentication-two-way-sms-unsupported.md
+      - name: Use email address sign-in
+        href: howto-authentication-use-email-signin.md
+      - name: Certificate-based authentication
+        items:
+        - name: Azure AD CBA
+          items:
+          - name: Overview
+            href: concept-certificate-based-authentication.md
+          - name: How Azure AD CBA works
+            href: concept-certificate-based-authentication-technical-deep-dive.md
+          - name: Configure Azure AD CBA
+            href: how-to-certificate-based-authentication.md
+          - name: Windows smart card logon
+            href: concept-certificate-based-authentication-smartcard.md
+          - name: iOS devices
+            href: concept-certificate-based-authentication-mobile-ios.md
+          - name: Android devices
+            href: concept-certificate-based-authentication-mobile-android.md
+          - name: Certificate user IDs
+            href: concept-certificate-based-authentication-certificateuserids.md
+          - name: Migrate federated users
+            href: concept-certificate-based-authentication-migration.md
+          - name: FAQ
+            href: certificate-based-authentication-faq.yml
+        - name: Federated CBA with Azure AD
+          items:
+          - name: Configure CBA with federation
+            href: active-directory-certificate-based-authentication-get-started.md
+          - name: Use on Android Devices
+            href: active-directory-certificate-based-authentication-android.md
+          - name: Use on iOS Devices
+            href: active-directory-certificate-based-authentication-ios.md
   - name: Self-service password reset
     items:
     - name: Deployment guide
@@ -130,26 +206,6 @@
         href: howto-mfa-nps-extension-rdg.md
       - name: VPN
         href: howto-mfa-nps-extension-vpn.md
-  - name: Passwordless
-    items: 
-      - name: Deploying passwordless
-        href: howto-authentication-passwordless-deployment.md
-      - name: Passwordless FIDO2 security keys
-        items:
-          - name: Enable FIDO2 security keys for your tenant
-            href: howto-authentication-passwordless-security-key.md
-          - name: Sign in to Windows 10 devices
-            href: howto-authentication-passwordless-security-key-windows.md
-          - name: SSO to on-premises resources
-            href: howto-authentication-passwordless-security-key-on-premises.md
-          - name: Hybrid FAQs
-            href: howto-authentication-passwordless-faqs.md
-          - name: Troubleshoot hybrid
-            href: howto-authentication-passwordless-troubleshoot.md
-      - name: Passwordless phone sign-in
-        href: howto-authentication-passwordless-phone.md
-      - name: Windows Hello for Business
-        href: /windows/security/identity-protection/hello-for-business/hello-identity-verification
   - name: Security info registration
     items:
     - name: Enable combined registration
@@ -170,54 +226,8 @@
       href: howto-password-ban-bad-on-premises-faq.yml
     - name: Agent version history
       href: howto-password-ban-bad-on-premises-agent-versions.md
-  - name: Run a registration campaign
-    href: how-to-mfa-registration-campaign.md
-  - name: Use number matching 
-    href: how-to-mfa-number-match.md
-  - name: Use additional context 
-    href: how-to-mfa-additional-context.md
-  - name: Use a Temporary Access Pass
-    href: howto-authentication-temporary-access-pass.md
-  - name: Use SMS-based authentication
-    href: howto-authentication-sms-signin.md
-  - name: Supported apps for SMS-based authentication
-    href: how-to-authentication-sms-supported-apps.md
-  - name: Two-way SMS unsupported
-    href: how-to-authentication-two-way-sms-unsupported.md
-  - name: Use email address sign-in
-    href: howto-authentication-use-email-signin.md
   - name: Azure AD smart lockout
     href: howto-password-smart-lockout.md
-  - name: Certificate-based authentication
-    items:
-    - name: Azure AD CBA
-      items:
-      - name: Overview
-        href: concept-certificate-based-authentication.md
-      - name: How Azure AD CBA works
-        href: concept-certificate-based-authentication-technical-deep-dive.md
-      - name: Configure Azure AD CBA
-        href: how-to-certificate-based-authentication.md
-      - name: Windows SmartCard logon
-        href: concept-certificate-based-authentication-smartcard.md
-      - name: iOS devices
-        href: concept-certificate-based-authentication-mobile-ios.md
-      - name: Android devices
-        href: concept-certificate-based-authentication-mobile-android.md
-      - name: Certificate user IDs
-        href: concept-certificate-based-authentication-certificateuserids.md
-      - name: Migrate federated users
-        href: concept-certificate-based-authentication-migration.md
-      - name: FAQ
-        href: certificate-based-authentication-faq.yml
-    - name: Federated CBA with Azure AD
-      items:
-      - name: Configure CBA with federation
-        href: active-directory-certificate-based-authentication-get-started.md
-      - name: Use on Android Devices
-        href: active-directory-certificate-based-authentication-android.md
-      - name: Use on iOS Devices
-        href: active-directory-certificate-based-authentication-ios.md
   - name: Reporting
     items:
     - name: Authentication methods activity
 
@@ -0,0 +1,110 @@
+---
+title: Manage authentication methods - Azure Active Directory
+description: Learn about the authentication methods policy and different ways to manage authentication methods.
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 11/17/2022
+
+ms.author: justinha
+author: justinha
+manager: amycolannino
+
+ms.collection: M365-identity-device-management
+ms.custom: contperf-fy20q4
+
+# Customer intent: As an identity administrator, I want to understand what authentication options are available in Azure AD and how I can manage them.
+---
+# Manage authentication methods for Azure AD
+
+Azure Active Directory (Azure AD) allows the use of a range of authentication methods to support a wide variety of sign-in scenarios. Administrators can specifically configure each method to meet their goals for user experience and security. This topic explains how to manage authentication methods for Azure AD, and how configuration options affect user sign-in and password reset scenarios. 
+
+## Authentication methods policy
+
+The Authentication methods policy is the recommended way to manage authentication methods, including modern methods like passwordless authentication. [Authentication Policy Administrators](../roles/permissions-reference.md#authentication-policy-administrator) can edit this policy to enable authentication methods for specific users and groups. 
+
+Methods enabled in the Authentication methods policy can typically be used anywhere in Azure AD - for both authentication and password reset scenarios. The exception is that some methods are inherently limited to use in authentication, such as FIDO2 and Windows Hello for Business, and others are limited to use in password reset, such as security questions. For more control over which methods are usable in a given authentication scenario, consider using the **Authentication Strengths** feature.
+
+Most methods also have configuration parameters to more precisely control how that method can be used. For example, if you enable **Phone call**, you can also specify whether an office phone can be used in addition to a mobile phone.
+ 
+Or let's say you want to enable passwordless authentication with Microsoft Authenticator. You can set extra parameters like showing the user sign-in location or the name of the app being signed into. These options provide more context for users when they sign-in and help prevent accidental MFA approvals.
+
+To manage the Authentication methods policy, click **Security** > **Authentication methods** > **Policies**.
+
+:::image type="content" border="true" source="./media/concept-authentication-methods-manage/authentication-methods-policy.png" alt-text="Screenshot of Authentication methods policy.":::
+
+Only the [converged registration experience](concept-registration-mfa-sspr-combined.md) is aware of the Authentication methods policy. Users in scope of the Authentication methods policy but not the converged registration experience won't see the correct methods to register.
+
+>[!NOTE]
+>Some pieces of the Authentication methods policy experience are in preview. This includes management of Email OTP, third party software OATH tokens, SMS, and voice call as noted in the portal. Also, use of the authentication methods policy alone with the legacy MFA and SSPR polices disabled is a preview experience.
+
+## Legacy MFA and SSPR policies
+
+Two other policies, located in **Multifactor authentication** settings and **Password reset** settings, provide a legacy way to manage some authentication methods for all users in the tenant. You can't control who uses an enabled authentication method, or how the method can be used. A [Global Administrator](../roles/permissions-reference.md#global-administrator) is needed to manage these policies. 
+
+>[!NOTE]
+>Hardware OATH tokens and security questions can only be enabled today by using these legacy policies. In the future, these methods will be available in the Authentication methods policy.
+
+To manage the legacy MFA policy, click **Security** > **Multifactor Authentication** > **Additional cloud-based multifactor authentication settings**.
+
+:::image type="content" border="true" source="./media/concept-authentication-methods-manage/service-settings.png" alt-text="Screenshot of MFA service settings.":::
+
+To manage authentication methods for self-service password reset (SSPR), click **Password reset** > **Authentication methods**. The **Mobile phone** option in this policy allows either voice call or SMS to be sent to a mobile phone. The **Office phone** option allows only voice call. 
+
+:::image type="content" border="true" source="./media/concept-authentication-methods-manage/password-reset.png" alt-text="Screenshot of password reset settings.":::
+
+## How policies work together
+
+Settings aren't synchronized between the policies, which allows administrators to manage each policy independently. Azure AD respects the settings in all of the policies so a user who is enabled for an authentication method in _any_ policy can register and use that method. To prevent users from using a method, it must be disabled in all policies.
+
+Let's walk through an example where a user who belongs to the Accounting group wants to register Microsoft Authenticator. The registration process first checks the Authentication methods policy. If the Accounting group is enabled for Microsoft Authenticator, the user can register it. 
+
+If not, the registration process checks the legacy MFA policy. In that policy, any user can register Microsoft Authenticator if one of these settings is enabled for MFA:
+
+- **Notification through mobile app** 
+- **Verification code from mobile app or hardware token**
+
+If the user can't register Microsoft Authenticator based on either of those policies, the registration process checks the legacy SSPR policy. In that policy too, a user can register Microsoft Authenticator if the user is enabled for SSPR and any of these settings are enabled:
+
+- **Mobile app notification**
+- **Mobile app code**
+
+For users who are enabled for **Mobile phone** for SSPR, the independent control between policies can impact sign-in behavior. Where the other policies have separate options for SMS and voice call, the **Mobile phone** for SSPR enables both options. As a result, anyone who uses **Mobile phone** for SSPR can also use voice call for password reset, even if the other policies don't allow phone calls. 
+
+Similarly, let's suppose you enable **Phone call** for a group. After you enable it, you find that even users who aren't group members can sign-in with a voice call. In this case, it's likely those users are enabled for **Mobile phone** in the legacy SSPR policy or **Call to phone** in the legacy MFA policy.  
+
+## Migration between policies
+
+The Authentication methods policy provides a migration path toward unified administration of all authentication methods. All desired methods can be enabled in the Authentication methods policy. Methods in the legacy MFA and SSPR policies can be disabled. Migration has three settings to let you move at your own pace, and avoid problems with sign-in or SSPR during the transition. After migration is complete, you'll centralize control over authentication methods for both sign-in and SSPR in a single place, and the legacy MFA and SSPR policies will be disabled.
+
+>[!Note]
+>Controls in the Authentication methods policy for Hardware OATH tokens and security questions are coming soon, but not yet available. If you are using hardware OATH tokens, which are currently in public preview, you should hold off on migrating OATH tokens and do not complete the migration process. If you are using security questions, and don't want to disable them, make sure to keep them enabled in the legacy SSPR policy until the new control is available in the future.
+
+To view the migration options, open the Authentication methods policy and click **Manage migration**.
+
+:::image type="content" border="true" source="./media/concept-authentication-methods-manage/manage-migration.png" alt-text="Screenshot of migration options.":::
+
+The following table describes each option.
+
+| Option | Description |
+|:-------|:------------|
+| Pre-migration | The Authentication methods policy is used only for authentication.<br>Legacy policy settings are respected.      |
+| Migration in Progress | The Authentication methods policy is used for authentication and SSPR.<br>Legacy policy settings are respected.     |
+| Migration Complete | Only the Authentication methods policy is used for authentication and SSPR.<br>Legacy policy settings are ignored.  |
+
+Tenants are set to either Pre-migration or Migration in Progress by default, depending on their tenant's current state. At any time, you can change to another option. If you move to Migration Complete, and then choose to roll back to an earlier state, we'll ask why so we can evaluate performance of the product.
+
+:::image type="content" border="true" source="./media/concept-authentication-methods-manage/reason.png" alt-text="Screenshot of reasons for rollback.":::
+
+## Known issues
+
+* Currently, all users must be enabled for at least one MFA method that isn't passwordless and the user can register in interrupt mode. Possible methods include Microsoft Authenticator, SMS, voice call, and software OATH/mobile app code. The method(s) can be enabled in any policy. If a user is not eligible for at least one of those methods, the user will see an error during registration and when visiting My Security Info. We're working to improve this experience to enable fully passwordless configurations. 
+
+## Next steps
+
+- [How to migrate MFA and SSPR policy settings to the Authentication methods policy](how-to-authentication-methods-manage.md)
+- [What authentication and verification methods are available in Azure Active Directory?](concept-authentication-methods.md)
+- [How Azure AD Multi-Factor Authentication works](concept-mfa-howitworks.md)
+- [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview)