articles/active-directory-b2c/conditional-access-user-flow.md
10 additions & 10 deletions
@@ -44,7 +44,7 @@ The following example shows a Conditional Access technical profile that is used
44
44
</TechnicalProfile>
45
45
```
46
46
47
-
To ensure that Identity Protection is functioning properly, call `ConditionalAccessEvaluation` technical profile for all type of users, [local and social accounts](technical-overview.md#consumer-accounts). Failure to do so, may result in Identity Protection not working correct or have an incorrect degree of risk associated with users.
47
+
To ensure that Identity Protection signals are evaluated properly, you'll want to call the `ConditionalAccessEvaluation` technical profile for all users, including both [local and social accounts](technical-overview.md#consumer-accounts). Otherwise, Identity Protection will indicate an incorrect degree of risk associated with users.
48
48
49
49
::: zone-end
50
50
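Review bot: the rewritten sentence at line 47 drops one of the two failure modes the original named and hardens the other into a certainty. The old text said skipping the call "may result in Identity Protection not working correct or have an incorrect degree of risk"; the new text says it "will indicate an incorrect degree of risk". Unless the behaviour is actually deterministic, keep the hedge and both outcomes, and keep the instruction imperative rather than "you'll want to": "call the `ConditionalAccessEvaluation` technical profile for all users, including both local and social accounts. Otherwise, Identity Protection may not evaluate risk correctly or may assign an incorrect degree of risk to users."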
@@ -53,9 +53,9 @@ In the *Remediation* phase that follows, the user is challenged with MFA. Once c
53
53
The remediation may also happen through other channels. For example, when the account's password is reset, either by the administrator or by the user. You can check the the user *Risk state* in the [risky users report](identity-protection-investigate-risk.md#navigating-the-risky-users-report).
54
54
55
55
> [!IMPORTANT]
56
-
> To remediate the risk successfully within the journey, make sure the *Remediation* technical profile is called after *Evaluation* is executed. If only the *Evaluation*technical profile invoked without the Remediation, the risk state will be *At risk*.
56
+
> To remediate the risk successfully within the journey, make sure the *Remediation* technical profile is called after the *Evaluation*technical profile is executed. If *Evaluation*is invoked without *Remediation*, the risk state will be *At risk*.
57
57
58
-
When the *Evaluation* technical profile recommendation returns `Block`, the call to *Evaluation* technical profile is not required. The risk state is set will be*At risk*.
58
+
When the *Evaluation* technical profile recommendation returns `Block`, the call to the *Evaluation* technical profile is not required. The risk state is set to*At risk*.
59
59
60
60
::: zone pivot="b2c-custom-policy"
61
61
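Review bot: line 58 still names the wrong profile in its second clause. "When the *Evaluation* technical profile recommendation returns `Block`, the call to the *Evaluation* technical profile is not required" is circular, and the IMPORTANT box just above says *Remediation* is what runs after *Evaluation*, so this should read "the call to the *Remediation* technical profile is not required". While touching these lines, the missing spaces in "*Evaluation*technical profile", "*Evaluation*is invoked" (line 56) and "set to*At risk*" (line 58) need adding if they are in the source and not a rendering artifact, and the unchanged context at line 53 has a doubled "the the".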
@@ -168,7 +168,7 @@ A sign-in risk represents the probability that a given authentication request is
168
168
169
169
If risk is detected, users can perform multi-factor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators.
170
170
171
-
Configure Conditional Access through Azure Portal or Microsoft Graph APIs to enable a sign-in risk-based Conditional Access policy requiring multi-factor authentication (MFA) when sign-in risk is medium OR high.
171
+
Configure Conditional Access through the Azure portal or Microsoft Graph APIs to enable a sign-in risk-based Conditional Access policy requiring MFA when the sign-in risk is *medium* or *high*.
172
172
173
173
### Enable with Conditional Access policy
174
174
@@ -188,9 +188,9 @@ Configure Conditional Access through Azure Portal or Microsoft Graph APIs to ena
188
188
9. Confirm your settings and set **Enable policy** to **On**.
189
189
10. Select **Create** to create to enable your policy.
190
190
191
-
### Enable with Conditional Access APIs (Optional)
191
+
### Enable with Conditional Access APIs (optional)
192
192
193
-
To create a Sign-in risk-based Conditional Access policy with MS Graph APIs. For more information, see [Conditional Access APIs](../active-directory/conditional-access/howto-conditional-access-apis.md#graph-api).
193
+
Create a sign-in risk-based Conditional Access policy with MS Graph APIs. For more information, see [Conditional Access APIs](../active-directory/conditional-access/howto-conditional-access-apis.md#graph-api).
194
194
195
195
The following template can be used to create a Conditional Access policy with display name "Template 1: Require MFA for medium+ sign-in risk" in report-only mode.
196
196
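Review bot: line 193 now says "MS Graph APIs" while the same change rewrote line 171 to "Microsoft Graph APIs"; use the full product name in both places. The unchanged context at line 190, "Select **Create** to create to enable your policy", has a duplicated phrase and is worth fixing in the same pass since the hunk already covers it.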
@@ -227,9 +227,9 @@ The following template can be used to create a Conditional Access policy with di
227
227
228
228
## Add Conditional Access to a user flow
229
229
230
-
After you've added the Azure AD Conditional Access policy, enable conditional access in your user flow or custom policy. When you enable conditional access, you don't need to specify a policy name.
230
+
After you've added the Azure AD Conditional Access policy, enable Conditional Access in your user flow or custom policy. When you enable Conditional Access, you don't need to specify a policy name.
231
231
232
-
Multiple Conditional Access policies may apply to an individual user at any time. In this case, the most strict access control policy takes precedence. For example, if one policy requires multi-factor authentication (MFA), while the other blocks access, the user will be blocked.
232
+
Multiple Conditional Access policies may apply to an individual user at any time. In this case, the most strict access control policy takes precedence. For example, if one policy requires MFA while the other blocks access, the user will be blocked.
233
233
234
234
## Enable multi-factor authentication (optional)
235
235
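Review bot: "the most strict access control policy takes precedence" (line 232) reads as if only one policy is applied to the sign-in, which is not what the example on the same line describes: a user subject to one MFA policy and one block policy is blocked because every applicable policy is enforced and the block is the stronger control. Suggest "all applicable policies are enforced, so the most restrictive control wins", and "strictest" rather than "most strict" if the original wording is kept.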
@@ -274,9 +274,9 @@ To enable Conditional Access for a user flow, make sure the version supports Con
274
274
275
275
### Configure claim other than phone number to be used for MFA
276
276
277
-
In the conditional access policy above, the `DoesClaimExist` claim transformation method checks if a claim contains any value. For example, if `strongAuthenticationPhoneNumber` claim contains a phone number.
277
+
In the Conditional Access policy above, the `DoesClaimExist` claim transformation method checks if a claim contains a value, for example if the`strongAuthenticationPhoneNumber` claim contains a phone number.
278
278
279
-
The claims transformation isn't limited to `strongAuthenticationPhoneNumber` claim. Depending on the scenario, you can use any other claim. In the following XML snippet, the `strongAuthenticationEmailAddress` is checked instead. The claim you choose must have a valid value, otherwise the `IsMfaRegistered` claim will be set to `False`. When set to `False`, the Conditional Access policy evaluation returns `Block` grant type. Preventing the user to complete the user flow.
279
+
The claims transformation isn't limited to the `strongAuthenticationPhoneNumber` claim. Depending on the scenario, you can use any other claim. In the following XML snippet, the `strongAuthenticationEmailAddress`claim is checked instead. The claim you choose must have a valid value, otherwise the `IsMfaRegistered` claim will be set to `False`. When set to `False`, the Conditional Access policy evaluation returns a `Block` grant type, preventing the user from completing user flow.
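Review bot: capitalising "Conditional Access policy" on line 277 now points the reader at the Azure AD Conditional Access policy, but `DoesClaimExist` is a claims transformation that lives in the B2C custom policy XML, as line 279's "In the following XML snippet" and the `IsMfaRegistered` claim make clear; "In the custom policy above" is the accurate reference. Line 279 also needs "completing the user flow" rather than "completing user flow", and the space is missing in "the`strongAuthenticationPhoneNumber`" (line 277) and "`strongAuthenticationEmailAddress`claim" (line 279) unless that is a rendering artifact.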