Merge pull request #197190 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

articles/active-directory-b2c/TOC.yml

@@ -671,7 +671,7 @@
 - name: Resources
   items:
   - name: Azure Roadmap
-    href: https://azure.microsoft.com/roadmap/?category=security-identity
+    href: https://azure.microsoft.com/updates/?status=nowavailable,inpreview,indevelopment&category=identity,security&query=b2c
   - name: Frequently asked questions
     href: ./faq.yml
     displayName: FAQ

articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 02/10/2022
+ms.date: 05/04/2022
 
 ms.author: justinha
 author: justinha
@@ -121,7 +121,7 @@ The EAS profile must contain the following information:
 
 - The EAS endpoint (for example, outlook.office365.com)
 
-An EAS profile can be configured and placed on the device through the utilization of Mobile device management (MDM) such as Intune or by manually placing the certificate in the EAS profile on the device.
+An EAS profile can be configured and placed on the device through the utilization of Mobile device management (MDM) such as Microsoft Endpoint Manager or by manually placing the certificate in the EAS profile on the device.
 
 ### Testing EAS client applications on Android
 

articles/active-directory/authentication/active-directory-certificate-based-authentication-ios.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/16/2022
+ms.date: 05/04/2022
 
 ms.author: justinha
 author: justinha
@@ -29,7 +29,7 @@ Using certificates eliminates the need to enter a username and password combinat
 | Apps | Support |
 | --- | --- |
 | Azure Information Protection app |![Check mark signifying support for this application][1] |
-| Intune Company Portal |![Check mark signifying support for this application][1] |
+| Company Portal |![Check mark signifying support for this application][1] |
 | Microsoft Teams |![Check mark signifying support for this application][1] |
 | Office (mobile) |![Check mark signifying support for this application][1] |
 | OneNote |![Check mark signifying support for this application][1] |

articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md

@@ -1,12 +1,12 @@
 ---
-title: Combined password policy and weak password check in Azure Active Directory
-description: Learn about the combined password policy and weak password check in Azure Active Directory
+title: Combined password policy and check for weak passwords in Azure Active Directory
+description: Learn about the combined password policy and check for weak passwords in Azure Active Directory
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 10/14/2021
+ms.date: 05/04/2022
 
 ms.author: justinha
 author: sajiang
@@ -15,7 +15,7 @@ ms.reviewer: sajiang
 
 ms.collection: M365-identity-device-management
 ---
-# Combined password policy and weak password check in Azure Active Directory
+# Combined password policy and check for weak passwords in Azure Active Directory
 
 Beginning in October 2021, Azure Active Directory (Azure AD) validation for compliance with password policies also includes a check for [known weak passwords](concept-password-ban-bad.md) and their variants. 
 As the combined check for password policy and banned passwords gets rolled out to tenants, Azure AD and Office 365 admin center users may see differences when they create, change, or reset their passwords. This topic explains details about the password policy criteria checked by Azure AD. 
@@ -24,29 +24,29 @@ As the combined check for password policy and banned passwords gets rolled out t
 
 A password policy is applied to all user and admin accounts that are created and managed directly in Azure AD. You can [ban weak passwords](concept-password-ban-bad.md) and define parameters to [lock out an account](howto-password-smart-lockout.md) after repeated bad password attempts. Other password policy settings can't be modified.
 
-The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.
+The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.
 
-The following Azure AD password policy requirements apply for all passwords that are created, changed, or reset in Azure AD. Requirements are applied during  user provisioning, password change, and password reset flows. Unless noted, you can't change these settings.
+The following Azure AD password policy requirements apply for all passwords that are created, changed, or reset in Azure AD. Requirements are applied during user provisioning, password change, and password reset flows. You can't change these settings except as noted.
 
 | Property | Requirements |
 | --- | --- |
 | Characters allowed |Uppercase characters (A - Z)<br>Lowercase characters (a - z)<br>Numbers (0 - 9)<br>Symbols:<br>- @ # $ % ^ & * - _ ! + = [ ] { } &#124; \ : ' , . ? / \` ~ " ( ) ; < ><br>- blank space |
 | Characters not allowed | Unicode characters |
-| Password length |Passwords require<br>- A minimum of 8 characters<br>- A maximum of 256 characters</li> |
-| Password complexity |Passwords require three out of four of the following:<br>- Uppercase characters<br>- Lowercase characters<br>- Numbers <br>- Symbols<br> Note: Password complexity check is not required for Education tenants. |
-| Password not recently used | When a user changes or resets their password, the new password cannot be the same as the current or recently used passwords. |
-| Password is not banned by [Azure AD Password Protection](concept-password-ban-bad.md) | The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization. |
+| Password length |Passwords require<br>- A minimum of eight characters<br>- A maximum of 256 characters</li> |
+| Password complexity |Passwords require three out of four of the following categories:<br>- Uppercase characters<br>- Lowercase characters<br>- Numbers <br>- Symbols<br> Note: Password complexity check isn't required for Education tenants. |
+| Password not recently used | When a user changes or resets their password, the new password can't be the same as the current or recently used passwords. |
+| Password isn't banned by [Azure AD Password Protection](concept-password-ban-bad.md) | The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization. |
 
 ## Password expiration policies
 
-Password expiration policies are unchanged but they are included in this topic for completeness. A *global administrator* or *user administrator* can use the [Microsoft Azure AD Module for Windows PowerShell](/powershell/module/Azuread/) to set user passwords not to expire.
+Password expiration policies are unchanged but they're included in this topic for completeness. A *global administrator* or *user administrator* can use the [Microsoft Azure AD Module for Windows PowerShell](/powershell/module/Azuread/) to set user passwords not to expire.
 
 > [!NOTE]
 > By default, only passwords for user accounts that aren't synchronized through Azure AD Connect can be configured to not expire. For more information about directory synchronization, see [Connect AD with Azure AD](../hybrid/how-to-connect-password-hash-synchronization.md#password-expiration-policy).
 
 You can also use PowerShell to remove the never-expires configuration, or to see user passwords that are set to never expire.
 
-The following expiration requirements apply to other providers that use Azure AD for identity and directory services, such as Intune and Microsoft 365. 
+The following expiration requirements apply to other providers that use Azure AD for identity and directory services, such as Microsoft Endpoint Manager and Microsoft 365. 
 
 | Property | Requirements |
 | --- | --- |

articles/active-directory/authentication/concept-resilient-controls.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 07/13/2021
+ms.date: 05/04/2022
 ms.author: martinco
 ms.collection: M365-identity-device-management
 ---
@@ -22,10 +22,10 @@ Organizations that rely on a single access control, such as multi-factor authent
 
 This document provides guidance on strategies an organization should adopt to provide resilience to reduce the risk of lockout during unforeseen disruptions with the following scenarios:
 
- 1. Organizations can increase their resiliency to reduce the risk of lockout **before a disruption** by implementing mitigation strategies or contingency plans.
- 2. Organizations can continue to access apps and resources they choose **during a disruption** by having mitigation strategies and contingency plans in place.
- 3. Organizations should make sure they preserve information, such as logs,  **after a disruption** and before they roll back any contingencies they implemented.
- 4. Organizations that haven’t implemented prevention strategies or alternative plans may be able to implement **emergency options** to deal with the disruption.
+ - Organizations can increase their resiliency to reduce the risk of lockout **before a disruption** by implementing mitigation strategies or contingency plans.
+ - Organizations can continue to access apps and resources they choose **during a disruption** by having mitigation strategies and contingency plans in place.
+ - Organizations should make sure they preserve information, such as logs,  **after a disruption** and before they roll back any contingencies they implemented.
+ - Organizations that haven’t implemented prevention strategies or alternative plans may be able to implement **emergency options** to deal with the disruption.
 
 ## Key guidance
 
@@ -59,11 +59,11 @@ To unlock admin access to your tenant, you should create emergency access accoun
 
 Incorporate the following access controls in your existing Conditional Access policies for organization:
 
-1. Provision multiple authentication methods for each user that rely on different communication channels, for example the Microsoft Authenticator app (internet-based), OATH token (generated on-device), and SMS (telephonic). The following PowerShell script will help you identify in advance, which additional methods your users should register: [Script for Azure AD MFA authentication method analysis](/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/).
-2. Deploy Windows Hello for Business on Windows 10 devices to satisfy MFA requirements directly from device sign-in.
-3. Use trusted devices via [Azure AD Hybrid Join](../devices/overview.md) or [Microsoft Intune Managed devices](/intune/planning-guide). Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices.
-4. Use Azure AD identity protection risk-based policies that prevent access when the user or sign-in is at risk in place of fixed MFA policies.
-5. If you are protecting VPN access using Azure AD MFA NPS extension, consider federating your VPN solution as a [SAML app](../manage-apps/view-applications-portal.md) and determine the app category as recommended below. 
+- Provision multiple authentication methods for each user that rely on different communication channels, for example the Microsoft Authenticator app (internet-based), OATH token (generated on-device), and SMS (telephonic). The following PowerShell script will help you identify in advance, which additional methods your users should register: [Script for Azure AD MFA authentication method analysis](/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/).
+- Deploy Windows Hello for Business on Windows 10 devices to satisfy MFA requirements directly from device sign-in.
+- Use trusted devices via [Azure AD Hybrid Join](../devices/overview.md) or [Microsoft Endpoint Manager](/intune/planning-guide). Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices.
+- Use Azure AD identity protection risk-based policies that prevent access when the user or sign-in is at risk in place of fixed MFA policies.
+- If you are protecting VPN access using Azure AD MFA NPS extension, consider federating your VPN solution as a [SAML app](../manage-apps/view-applications-portal.md) and determine the app category as recommended below. 
 
 >[!NOTE]
 > Risk-based policies require [Azure AD Premium P2](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing) licenses.

articles/active-directory/authentication/concept-sspr-policy.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 06/25/2021
+ms.date: 05/04/2022
 
 ms.author: justinha
 author: justinha

articles/active-directory/authentication/how-to-authentication-sms-supported-apps.md

@@ -24,7 +24,7 @@ SMS-based authentication is available to Microsoft apps integrated with the Micr
 | Office 365- Microsoft Online Services* | ● |   |
 | Microsoft One Note | ● |   |
 | Microsoft Teams | ● | ● |
-| Microsoft Intune Company portal | ● | ● |
+| Company portal | ● | ● |
 | My Apps Portal | ● |Not available|
 | Microsoft Forms | ● |Not available|
 | Microsoft Edge | ● |   |
@@ -41,12 +41,12 @@ The above mentioned Microsoft apps support SMS sign-in is because they use the M
 ## Unsupported Microsoft apps
 
 Microsoft 365 desktop (Windows or Mac) apps and Microsoft 365 web apps (except MS One Note) that are accessed directly on the web don't support SMS sign-in. These apps use the Microsoft Office login (`https://office.live.com/start/*`) that requires a password to sign in.
-For the same reason, Microsoft Office mobile apps (except Microsoft Teams, Intune Company Portal, and Microsoft Azure) don't support SMS sign-in.
+For the same reason, Microsoft Office mobile apps (except Microsoft Teams, Company Portal, and Microsoft Azure) don't support SMS sign-in.
 
 | Unsupported Microsoft apps| Examples |
 | --- | --- |
 | Native desktop Microsoft apps | Microsoft Teams, O365 apps, Word, Excel, etc.|
-| Native mobile Microsoft apps (except Microsoft Teams, Intune Company Portal, and Microsoft Azure) | Outlook, Edge, Power BI, Stream, SharePoint, Power Apps, Word, etc.|
+| Native mobile Microsoft apps (except Microsoft Teams, Company Portal, and Microsoft Azure) | Outlook, Edge, Power BI, Stream, SharePoint, Power Apps, Word, etc.|
 | Microsoft 365 web apps (accessed directly on web) | [Outlook](https://outlook.live.com/owa/), [Word](https://office.live.com/start/Word.aspx), [Excel](https://office.live.com/start/Excel.aspx), [PowerPoint](https://office.live.com/start/PowerPoint.aspx), [OneDrive](https://onedrive.live.com/about/signin)|  
 
 ## Support for Non-Microsoft apps 

articles/active-directory/authentication/howto-authentication-passwordless-deployment.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 05/28/2021
+ms.date: 05/04/2022
 
 ms.author: baselden
 author: BarbaraSelden
@@ -216,13 +216,13 @@ There are three types of passwordless sign-in deployments available with securit
 
 Enabling Windows 10 sign-in using FIDO2 security keys requires you to enable the credential provider functionality in Windows 10. Choose one of the following:
 
-* [Enable credential provider with Intune](howto-authentication-passwordless-security-key-windows.md)
+* [Enable credential provider with Microsoft Endpoint Manager](howto-authentication-passwordless-security-key-windows.md)
 
-  * We recommend Intune deployment.
+  * We recommend Microsoft Endpoint Manager deployment.
 
 * [Enable credential provider with a provisioning package](howto-authentication-passwordless-security-key-windows.md)
 
-  * If Intune deployment isn't possible, administrators must deploy a package on each machine to enable the credential provider functionality. The package installation can be carried out by one of the following options:
+  * If Microsoft Endpoint Manager deployment isn't possible, administrators must deploy a package on each machine to enable the credential provider functionality. The package installation can be carried out by one of the following options:
     * Group Policy or Configuration Manager
     * Local installation on a Windows 10 machine
 

articles/active-directory/authentication/howto-authentication-passwordless-security-key-windows.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 04/20/2022
+ms.date: 05/04/2022
 
 ms.author: justinha
 author: justinha
@@ -99,7 +99,7 @@ To target specific device groups to enable the credential provider, use the foll
 
 ### Enable with a provisioning package
 
-For devices not managed by Intune, a provisioning package can be installed to enable the functionality. The Windows Configuration Designer app can be installed from the [Microsoft Store](https://www.microsoft.com/p/windows-configuration-designer/9nblggh4tx22). Complete the following steps to create a provisioning package:
+For devices not managed by Microsoft Endpoint Manager, a provisioning package can be installed to enable the functionality. The Windows Configuration Designer app can be installed from the [Microsoft Store](https://www.microsoft.com/p/windows-configuration-designer/9nblggh4tx22). Complete the following steps to create a provisioning package:
 
 1. Launch the Windows Configuration Designer.
 1. Select **File** > **New project**.

articles/active-directory/develop/authentication-flows-app-scenarios.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 03/03/2020
+ms.date: 05/05/2022
 ms.author: jmprieur
 ms.custom: aaddev, identityplatformtop40, scenarios:getting-started, has-adal-ref
 #Customer intent: As an app developer, I want to learn about authentication flows and application scenarios so I can create applications protected by the Microsoft identity platform.
@@ -106,7 +106,7 @@ To help protect a web app that signs in a user:
 
 - If you develop in .NET, you use ASP.NET or ASP.NET Core with the ASP.NET OpenID Connect middleware. Protecting a resource involves validating the security token, which is done by the [IdentityModel extensions for .NET](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki) and not MSAL libraries.
 
-- If you develop in Node.js, you use [MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) or [Passport.js](https://github.com/AzureAD/passport-azure-ad).
+- If you develop in Node.js, you use [MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node).
 
 For more information, see [Web app that signs in users](scenario-web-app-sign-user-overview.md).
 
@@ -291,9 +291,6 @@ Microsoft Authentication Libraries support multiple platforms:
 
 You can also use various languages to build your applications.
 
-> [!NOTE]
-> Some application types aren't available on every platform.
-
 In the Windows column of the following table, each time .NET Core is mentioned, .NET Framework is also possible. The latter is omitted to avoid cluttering the table.
 
 |Scenario  | Windows | Linux | Mac | iOS | Android
@@ -311,5 +308,8 @@ For more information, see [Microsoft identity platform authentication libraries]
 
 ## Next steps
 
-* Learn more about [authentication basics](./authentication-vs-authorization.md) and [access tokens in the Microsoft identity platform](access-tokens.md).
-* Learn more about [securing access to IoT apps](/azure/architecture/example-scenario/iot-aad/iot-aad).
+For more information about authentication, see:
+
+- [Authentication vs. authorization.](./authentication-vs-authorization.md)
+- [Microsoft identity platform access tokens.](access-tokens.md)
+- [Securing access to IoT apps.](/azure/architecture/example-scenario/iot-aad/iot-aad#security)