Merge branch 'main' into US55911

Author: v-regandowner

.openpublishing.publish.config.json

@@ -410,12 +410,6 @@
       "branch": "main",
       "branch_mapping": {}
     },
-    {
-      "path_to_root": "azureml-examples-vj",
-      "url": "https://github.com/azure/azureml-examples",
-      "branch": "vijetajo-patch-2",
-      "branch_mapping": {}
-    },
     {
       "path_to_root": "azureml-examples-batch-pup",
       "url": "https://github.com/azure/azureml-examples",

.openpublishing.redirection.json

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 04/24/2023
+ms.date: 06/24/2023
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: fasttrack-edit
@@ -175,15 +175,19 @@ Now that your policy can create SAML responses, you must configure the policy to
 
 1. Open the *SignUpOrSigninSAML.xml* file in your preferred editor.
 
-1. Change the `PolicyId` and `PublicPolicyUri` values of the policy to `B2C_1A_signup_signin_saml` and `http://<tenant-name>.onmicrosoft.com/B2C_1A_signup_signin_saml`.
+1. Change the value of:
+    
+    1. `PolicyId` to `B2C_1A_signup_signin_saml` 
+    
+    1. `PublicPolicyUri` to `http://<tenant-name>.onmicrosoft.com/B2C_1A_signup_signin_saml`. Replace `<tenant-name>` placeholder with the subdomain of your Azure AD B2C tenant's domain name. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn [how to read your tenant details](tenant-management-read-tenant-name.md#get-your-tenant-name).  
 
     ```xml
     <TrustFrameworkPolicy
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
     PolicySchemaVersion="0.3.0.0"
-    TenantId="tenant-name.onmicrosoft.com"
+    TenantId="<tenant-name>.onmicrosoft.com"
     PolicyId="B2C_1A_signup_signin_saml"
     PublicPolicyUri="http://<tenant-name>.onmicrosoft.com/B2C_1A_signup_signin_saml">
     ```
@@ -206,7 +210,7 @@ If you started from a different folder in the starter pack or you customized the
 
 The relying party element determines which protocol your application uses. The default is `OpenId`. The `Protocol` element must be changed to `SAML`. The output claims will create the claims mapping to the SAML assertion.
 
-Replace the entire `<TechnicalProfile>` element in the `<RelyingParty>` element with the following technical profile XML. Update `tenant-name` with the name of your Azure AD B2C tenant.
+Replace the entire `<TechnicalProfile>` element in the `<RelyingParty>` element with the following technical profile XML.
 
 ```xml
     <TechnicalProfile Id="PolicyProfile">

articles/active-directory-b2c/saml-service-provider.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 11/30/2021
+ms.date: 06/22/2023
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -117,7 +117,7 @@ The **Protocol** element specifies the protocol to be used for the communication
 | Attribute | Required | Description |
 | --------- | -------- | ----------- |
 | Name | Yes | The name of a valid protocol supported by Azure AD B2C that's used as part of the technical profile. Possible values are `OAuth1`, `OAuth2`, `SAML2`, `OpenIdConnect`, `Proprietary`, or `None`. |
-| Handler | No | When the protocol name is set to `Proprietary`, specifies the name of the assembly that's used by Azure AD B2C to determine the protocol handler. |
+| Handler | No | When the protocol name is set to `Proprietary`, specifies the name of the assembly that's used by Azure AD B2C to determine the protocol handler. If you set the protocol *Name* attribute to `None`, do not include the *Handler* attribute.|
 
 ## Metadata
 

articles/active-directory-b2c/technicalprofiles.md

@@ -311,21 +311,21 @@ To verify that the VM has been successfully joined to the managed domain, start
 1. Create a new SSH connection from your console. Use a domain account that belongs to the managed domain using the `ssh -l` command, such as `contosoadmin@aaddscontoso.com` and then enter the address of your VM, such as *rhel.aaddscontoso.com*. If you use the Azure Cloud Shell, use the public IP address of the VM rather than the internal DNS name.
 
     ```bash
-    sudo ssh -l contosoadmin@AADDSCONTOSO.com rhel.aaddscontoso.com
+    ssh -l contosoadmin@AADDSCONTOSO.com rhel.aaddscontoso.com
     ```
 
 1. When you've successfully connected to the VM, verify that the home directory was initialized correctly:
 
     ```bash
-    sudo pwd
+    pwd
     ```
 
     You should be in the */home* directory with your own directory that matches the user account.
 
 1. Now check that the group memberships are being resolved correctly:
 
     ```bash
-    sudo id
+    id
     ```
 
     You should see your group memberships from the managed domain.

articles/active-directory-domain-services/join-rhel-linux-vm.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 01/29/2023
+ms.date: 06/22/2023
 ms.author: justinha
 
 #Customer intent: As an server administrator, I want to learn how to join a Windows Server VM to an Azure Active Directory Domain Services managed domain to provide centralized identity and policy.
@@ -67,7 +67,7 @@ If you already have a VM that you want to domain-join, skip to the section to [j
     | Virtual machine name | Enter a name for the VM, such as *myVM* |
     | Region               | Choose the region to create your VM in, such as *East US* |
     | Username             | Enter a username for the local administrator account to create on the VM, such as *azureuser* |
-    | Password             | Enter, and then confirm, a secure password for the local administrator to create on the VM. Don't specify a domain user account's credentials. |
+    | Password             | Enter, and then confirm, a secure password for the local administrator to create on the VM. Don't specify a domain user account's credentials. [Windows LAPS](/windows-server/identity/laps/laps-overview) isn't supported. |
 
 1. By default, VMs created in Azure are accessible from the Internet using RDP. When RDP is enabled, automated sign-in attacks are likely to occur, which may disable accounts with common names such as *admin* or *administrator* due to multiple failed successive sign-in attempts.
 

articles/active-directory-domain-services/join-windows-vm.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 03/12/2023
+ms.date: 06/22/2023
 
 ms.author: justinha
 author: mjsantani
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
 # Protecting authentication methods in Azure Active Directory
 
 >[!NOTE]
->The Microsoft managed value for Authenticator Lite will move from disabled to enabled on June 9th, 2023. All tenants left in the default state 'Microsoft managed' will be enabled for the feature on June 9th.
+>The Microsoft managed value for Authenticator Lite will move from disabled to enabled on June 26th, 2023. All tenants left in the default state **Microsoft managed** will be enabled for the feature on June 26th.
 
 Azure Active Directory (Azure AD) adds and improves security features to better protect customers against increasing attacks. As new attack vectors become known, Azure AD may respond by enabling protection by default to help customers stay ahead of emerging security threats. 
 
@@ -39,9 +39,6 @@ Number matching is a good example of protection for an authentication method tha
 
 As MFA fatigue attacks rise, number matching becomes more critical to sign-in security. As a result, Microsoft will change the default behavior for push notifications in Microsoft Authenticator. 
 
->[!NOTE]
->Number matching will begin to be enabled for all users of Microsoft Authenticator starting May 08, 2023.
-
 ## Microsoft managed settings
 
 In addition to configuring Authentication methods policy settings to be either **Enabled** or **Disabled**, IT admins can configure some settings in the Authentication methods policy to be **Microsoft managed**. A setting that is configured as **Microsoft managed** allows Azure AD to enable or disable the setting. 
@@ -56,13 +53,13 @@ The following table lists each setting that can be set to Microsoft managed and
 
 | Setting                                                                                         | Configuration |
 |-------------------------------------------------------------------------------------------------|---------------|
-| [Registration campaign](how-to-mfa-registration-campaign.md)                                    | Disabled      |
+| [Registration campaign](how-to-mfa-registration-campaign.md)                                    | Beginning in July, 2023, enabled for SMS and voice call users with free and trial subscriptions.      |
 | [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)           | Disabled      |
 | [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)   | Disabled      |
 | [System-preferred MFA](concept-system-preferred-multifactor-authentication.md)                  | Disabled      |
 | [Authenticator Lite](how-to-mfa-authenticator-lite.md)                                          | Disabled      |  
 
-As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). 
+As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). For example, see our blog post [It's Time to Hang Up on Phone Transports for Authentication](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752) for more information about the need to move away from using SMS and voice calls, which led to default enablement for the registration campaign to help users to set up Authenticator for modern authentication.
 
 ## Next steps
 

articles/active-directory/authentication/concept-authentication-default-enablement.md

@@ -7,7 +7,7 @@ ms.service: active-directory
 ms.subservice: authentication
 ms.custom: ignite-2022
 ms.topic: conceptual
-ms.date: 06/10/2023
+ms.date: 06/22/2023
 
 ms.author: justinha
 author: mjsantani
@@ -21,7 +21,7 @@ ms.collection: M365-identity-device-management
 
 You can nudge users to set up Microsoft Authenticator during sign-in. Users will go through their regular sign-in, perform multifactor authentication as usual, and then be prompted to set up Microsoft Authenticator. You can include or exclude users or groups to control who gets nudged to set up the app. This allows targeted campaigns to move users from less secure authentication methods to the Authenticator app.  
 
-In addition to choosing who can be nudged, you can define how many days a user can postpone, or "snooze", the nudge. If a user taps **Not now** to snooze the app setup, they'll be nudged again on the next MFA attempt after the snooze duration has elapsed. 
+In addition to choosing who can be nudged, you can define how many days a user can postpone, or "snooze", the nudge. If a user taps **Not now** to postpone the app setup, they'll be nudged again on the next MFA attempt after the snooze duration has elapsed. Users with free and trial subscriptions can postpone the app setup up to three times.
 
 >[!NOTE]
 >As users go through their regular sign-in, Conditional Access policies that govern security info registration apply before the user is prompted to set up Authenticator. For example, if a Conditional Access policy requires security info updates can only occur on an internal network, then users won't be prompted to set up Authenticator unless they are on the internal network. 
@@ -66,7 +66,7 @@ In addition to choosing who can be nudged, you can define how many days a user c
 
       ![Installation complete](./media/how-to-nudge-authenticator-app/finish.png)
 
-1. If a user wishes to not install the Authenticator app, they can tap **Not now** to snooze the prompt for up to 14 days, which can be set by an admin. 
+1. If a user wishes to not install the Authenticator app, they can tap **Not now** to snooze the prompt for up to 14 days, which can be set by an admin. Users with free and trial subscriptions can snooze the prompt up to three times.
 
    ![Snooze installation](./media/how-to-nudge-authenticator-app/snooze.png)
 
@@ -75,10 +75,12 @@ In addition to choosing who can be nudged, you can define how many days a user c
 To enable a registration campaign in the Azure portal, complete the following steps:
 
 1. In the Azure portal, click **Security** > **Authentication methods** > **Registration campaign**.
-1. For **State**, click **Enabled**, select any users or groups to exclude from the registration campaign, and then click **Save**.
+1. For **State**, click **Microsoft managed** or **Enabled**. In the following screenshot, the registration campaign is **Microsoft managed**. That setting allows Microsoft to set the default value to be either enabled or disabled. For the registration campaign, the Microsoft managed value is Enabled for voice call and SMS users with free and trial subscriptions. For more information, see [Protecting authentication methods in Azure Active Directory](concept-authentication-default-enablement.md).
 
    ![Screenshot of enabling a registration campaign.](./media/how-to-nudge-authenticator-app/registration-campaign.png)
 
+1. Select any users or groups to exclude from the registration campaign, and then click **Save**. 
+
 ## Enable the registration campaign policy using Graph Explorer
 
 In addition to using the Azure portal, you can also enable the registration campaign policy using Graph Explorer. To enable the registration campaign policy, you must use the Authentication Methods Policy using Graph APIs. **Global administrators** and **Authentication Method Policy administrators** can update the policy. 

articles/active-directory/authentication/how-to-mfa-registration-campaign.md

@@ -106,7 +106,7 @@ For a full list of endpoints needed to use Microsoft online products, see [Offic
 To check if the Windows 10 client device has the right domain join type, use the following command:
 
 ```console
-Dsregcmd/status
+Dsregcmd /status
 ```
 
 The following sample output shows that the device is Azure AD joined as *AzureADJoined* is set to *YES*:

articles/active-directory/authentication/howto-authentication-passwordless-faqs.md

@@ -87,14 +87,17 @@ Users can register for passwordless phone sign-in directly within the Microsoft
 6. Once signed-in, continue following the additional steps to set up phone sign-in. 
 
 ### Guided registration with My Sign-ins 
+> [!NOTE]
+> Users will only be able to register Microsoft Authenticator via combined registration if the Microsoft Authenticator authentication mode is to  Any or Push. 
+
 To register the Microsoft Authenticator app, follow these steps:
 
 1. Browse to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo).
 1. Sign in, then select **Add method** > **Authenticator app** > **Add** to add Microsoft Authenticator.
 1. Follow the instructions to install and configure the Microsoft Authenticator app on your device.
 1. Select **Done** to complete Microsoft Authenticator configuration.
 
-### Enable phone sign-in
+#### Enable phone sign-in
 
 After users registered themselves for the Microsoft Authenticator app, they need to enable phone sign-in: