Merge pull request #201815 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

.openpublishing.redirection.active-directory.json

@@ -355,6 +355,11 @@
       "redirect_url": "/azure/active-directory/saas-apps/mimecast-personal-portal-tutorial",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/saas-apps/carlsonwagonlit-tutorial.md",
+      "redirect_url": "/azure/active-directory/saas-apps/cwt-tutorial",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/active-directory-saas-fax.plus-tutorial.md",
       "redirect_url": "/articles/active-directory/saas-apps/fax-plus-tutorial",

.openpublishing.redirection.json

@@ -754,6 +754,11 @@
       "redirect_url": "/azure/frontdoor/create-front-door-cli",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/cdn/index.yml",
+      "redirect_url": "/azure/frontdoor",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/app-service-web/web-sites-dotnet-deploy-aspnet-mvc-app-membership-oauth-sql-database.md",
       "redirect_url": "/aspnet/core/security/authorization/secure-data",

articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md

@@ -194,6 +194,10 @@
         href: concept-certificate-based-authentication-limitations.md
       - name: Configure Azure AD CBA
         href: how-to-certificate-based-authentication.md
+      - name: Windows SmartCard logon
+        href: concept-certificate-based-authentication-smartcard.md
+      - name: Mobile devices
+        href: concept-certificate-based-authentication-mobile.md
       - name: FAQ
         href: certificate-based-authentication-faq.yml
       - name: Troubleshoot

articles/active-directory/authentication/TOC.yml

@@ -96,4 +96,6 @@ additionalContent: |
     * [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)
     * [Limitations with Azure AD CBA](concept-certificate-based-authentication-limitations.md)
     * [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
+    * [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+    * [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)
     * [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)

articles/active-directory/authentication/certificate-based-authentication-faq.yml

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 02/18/2022
+ms.date: 06/07/2022
 
 ms.author: justinha
 author: vimrang
@@ -38,7 +38,6 @@ The following scenarios aren't supported:
 
 - Public Key Infrastructure for creating client certificates. Customers need to configure their own Public Key Infrastructure (PKI) and provision certificates to their users and devices. 
 - Certificate Authority hints aren't supported, so the list of certificates that appears for users in the UI isn't scoped.
-- Windows login using smart cards on Windows devices.
 - Only one CRL Distribution Point (CDP) for a trusted CA is supported.
 - The CDP can be only HTTP URLs. We don't support Online Certificate Status Protocol (OCSP), or Lightweight Directory Access Protocol (LDAP) URLs.
 - Configuring other certificate-to-user account bindings, such as using the **subject field**, or **keyid** and **issuer**, aren’t available in this release.

articles/active-directory/authentication/concept-certificate-based-authentication-limitations.md

@@ -0,0 +1,73 @@
+---
+title: Azure Active Directory certificate-based authentication on mobile devices (Android and iOS) - Azure Active Directory
+description: Learn about Azure Active Directory certificate-based authentication on mobile devices (Android and iOS)
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: how-to
+ms.date: 06/07/2022
+
+ms.author: justinha
+author: vimrang
+manager: daveba
+ms.reviewer: vimrang
+
+ms.collection: M365-identity-device-management
+ms.custom: has-adal-ref
+---
+# Azure Active Directory certificate-based authentication on mobile devices (Android and iOS) (Preview)
+
+Android and iOS devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory using a client certificate on their device when connecting to:
+
+- Office mobile applications such as Microsoft Outlook and Microsoft Word
+- Exchange ActiveSync (EAS) clients
+
+Azure AD certificate-based authentication (CBA) is supported for certificates on-device on native browsers as well as on Microsoft first-party applications on both iOS and Android devices. 
+
+Azure AD CBA eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.
+
+## Prerequisites
+
+- For Android device, OS version must be Android 5.0 (Lollipop) and above.
+- For iOS device, OS version must be iOS 9 or above.
+- Microsoft Authenticator is required for Office applications on iOS.
+
+## Microsoft mobile applications support
+
+| Applications | Support | 
+|:---------|:------------:|
+|Azure Information Protection app|  ✅ |
+|Company Portal	 |  ✅ |
+|Microsoft Teams |  ✅ |
+|Office (mobile) |  ✅ |
+|OneNote |  ✅ |
+|OneDrive |  ✅ |
+|Outlook |  ✅ |
+|Power BI |  ✅ |
+|Skype for Business	 |  ✅ |
+|Word / Excel / PowerPoint	 |  ✅ |
+|Yammer	 |  ✅ |
+
+## Support for Exchange ActiveSync clients
+
+On iOS 9 or later, the native iOS mail client is supported. 
+
+Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are supported. 
+
+To determine if your email application supports this feature, contact your application developer.
+
+## Known issue
+
+On iOS, users will see a double prompt, where they must click the option to use certificate-based authentication twice. We are working on making the user experience better.
+
+## Next steps
+
+- [Overview of Azure AD CBA](concept-certificate-based-authentication.md)
+- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)   
+- [Limitations with Azure AD CBA](concept-certificate-based-authentication-limitations.md)
+- [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [FAQ](certificate-based-authentication-faq.yml)
+- [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)
+
+

articles/active-directory/authentication/concept-certificate-based-authentication-mobile.md

@@ -0,0 +1,50 @@
+---
+title: Windows SmartCard logon using Azure Active Directory certificate-based authentication - Azure Active Directory
+description: Learn how to enable Windows SmartCard logon using Azure Active Directory certificate-based authentication
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: how-to
+ms.date: 06/15/2022
+
+ms.author: justinha
+author: vimrang
+manager: daveba
+ms.reviewer: vimrang
+
+ms.collection: M365-identity-device-management
+ms.custom: has-adal-ref
+---
+# Windows SmartCard logon using Azure Active Directory certificate-based authentication (Preview)
+
+Azure AD users can authenticate using X.509 certificates on their SmartCards directly against Azure AD at Windows logon. There is no special configuration needed on the Windows client to accept the SmartCard authentication. 
+ 
+## User experience 
+
+Follow these steps to set up Windows SmartCard logon:
+
+1. Join the machine to either Azure AD or a hybrid environment (hybrid join). 
+1. Configure Azure AD CBA in your tenant as described in [Configure Azure AD CBA](how-to-certificate-based-authentication.md).
+1. Make sure the user is either on managed authentication or using staged rollout. 
+1. Present the physical or virtual SmartCard to the test machine.
+1. Select SmartCard icon, enter the PIN and authenticate the user.  
+
+   :::image type="content" border="false" source="./media/concept-certificate-based-authentication/smartcard.png" alt-text="Screenshot of SmartCard sign in.":::
+
+Users will get a primary refresh token (PRT) from Azure Active Directory after the successful login and depending on the Certificate-based authentication configuration, the PRT will contain the multifactor claim. 
+
+## Restrictions and caveats  
+
+- The Windows login only works with the latest preview build of Windows 11. We are working to backport the functionality to Windows 10 and Windows Server.
+- Only Windows machines that are joined to either or a hybrid environment can test SmartCard logon.  
+- Like in the other Azure AD CBA scenarios, the user must be on a managed domain or using staged rollout and cannot use a federated authentication model.
+
+## Next steps
+
+- [Overview of Azure AD CBA](concept-certificate-based-authentication.md)
+- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)   
+- [Limitations with Azure AD CBA](concept-certificate-based-authentication-limitations.md)
+- [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)
+- [FAQ](certificate-based-authentication-faq.yml)
+- [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)

articles/active-directory/authentication/concept-certificate-based-authentication-smartcard.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 03/11/2022
+ms.date: 06/15/2022
 
 ms.author: justinha
 author: vimrang
@@ -34,7 +34,7 @@ Let's cover each step:
 
 1. The user tries to access an application, such as [MyApps portal](https://myapps.microsoft.com/).
 1. If the user is not already signed in, the user is redirected to the Azure AD **User Sign-in** page at [https://login.microsoftonline.com/](https://login.microsoftonline.com/).
-1. The user enters their username into the Azure AD sign in page, and then clicks **Next**.
+1. The user enters their username into the Azure AD sign-in page, and then clicks **Next**.
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in.png" alt-text="Screenshot of the Sign-in for MyApps portal.":::
 
@@ -82,7 +82,7 @@ Since multiple authentication binding policy rules can be created with different
 
 1. Exact match is used for strong authentication via policy OID. If you have a certificate A with policy OID **1.2.3.4.5** and a derived credential B based on that certificate has a policy OID **1.2.3.4.5.6** and the custom rule is defined as **Policy OID** with value **1.2.3.4.5** with MFA, only certificate A will satisfy MFA and credential B will satisfy only single-factor authentication. If the user used derived credential during sign-in and was configured to have MFA, the user will be asked for a second factor for successful authentication.
 1. Policy OID rules will take precedence over certificate issuer rules. If a certificate has both policy OID and Issuer, the policy OID is always checked first and if no policy rule is found then the issuer subject bindings are checked. Policy OID has a higher strong authentication binding priority than the issuer.
-1. If one CA binds to MFA, all user certificates that this CA issues qualify as MFA. The same logic applies for single-factor authentication.
+1. If one CA binds to MFA, all user certificates that the CA issues qualify as MFA. The same logic applies for single-factor authentication.
 1. If one policy OID binds to MFA, all user certificates that include this policy OID as one of the OIDs (A user certificate could have multiple policy OIDs) qualify as MFA.
 1. If there is a conflict between multiple policy OIDs (such as when a certificate has two policy OIDs, where one binds to single-factor authentication and the other binds to MFA) then treat the certificate as a single-factor authentication.
 1. One certificate can only have one valid strong authentication binding (that is, a certificate cannot bind to both single-factor and MFA).
@@ -101,7 +101,7 @@ Use the highest priority (lowest number) binding.
    1. If a unique user is found, authenticate the user.
    1. If a unique user is not found, authentication fails.
 1. If the X.509 certificate field is not on the presented certificate, move to the next priority binding.
-1. If the specified X.509 certificate field is found on the certificate, but Azure AD does not find a user object in the directory matching that value, the authentication fails. Azure AD does not attempt to use the next binding in the list in this case. Only if the X.509 certificate field is not on the certificate does it tries the next binding, as mentioned in Step 2.
+1. If the specified X.509 certificate field is found on the certificate, but Azure AD does not find a user object in the directory matching that value, the authentication fails. Azure AD does not attempt to use the next binding in the list in this case. Only if the X.509 certificate field is not on the certificate does it try the next binding, as mentioned in Step 2.
 
 ## Understanding the certificate revocation process
 
@@ -117,7 +117,7 @@ An admin can configure the CRL distribution point during the setup process of th
 >[!IMPORTANT]
 >If the admin skips the configuration of the CRL, Azure AD will not perform any CRL checks during the certificate-based authentication of the user. This can be helpful for initial troubleshooting but should not be considered for production use.
 
-As of now, we don't support Online Certificate Status Protocol (OCSP) because of performance and reliability reasons. Instead of downloading the CRL at every connection by the client browser for OCSP, Azure AD downloads once at the first sign in and caches it, thereby improving the performance and reliability of CRL verification. We also index the cache so the search is must faster every time. Customers must publish CRLs for certificate revocation.
+As of now, we don't support Online Certificate Status Protocol (OCSP) because of performance and reliability reasons. Instead of downloading the CRL at every connection by the client browser for OCSP, Azure AD downloads once at the first sign-in and caches it, thereby improving the performance and reliability of CRL verification. We also index the cache so the search is much faster every time. Customers must publish CRLs for certificate revocation.
 
 **Typical flow of the CRL check:**
 
@@ -207,7 +207,7 @@ For the next test scenario, configure the authentication policy where the **poli
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/several-entries.png" alt-text="Screenshot of several entries in the sign-in logs." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/several-entries.png":::  
 
-   The entry with **Interrupted** status provides has more diagnostic info in the **Additional Details** tab. 
+   The entry with **Interrupted** status has more diagnostic info on the **Additional Details** tab. 
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/interrupted-user-details.png" alt-text="Screenshot of interrupted attempt details in the sign-in logs." :::  
 
@@ -240,5 +240,7 @@ For the next test scenario, configure the authentication policy where the **poli
 - [Overview of Azure AD CBA](concept-certificate-based-authentication.md)
 - [Limitations with Azure AD CBA](concept-certificate-based-authentication-limitations.md)
 - [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
+- [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)
 - [FAQ](certificate-based-authentication-faq.yml)
 - [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 02/09/2022
+ms.date: 06/07/2022
 
 ms.author: justinha
 author: vimrang
@@ -62,6 +62,8 @@ The following images show how Azure AD CBA simplifies the customer environment b
 - [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)
 - [Limitations with CBA](concept-certificate-based-authentication-limitations.md)
 - [How to configure CBA](how-to-certificate-based-authentication.md)
+- [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)
 - [FAQ](certificate-based-authentication-faq.yml)
 - [Troubleshoot CBA](troubleshoot-certificate-based-authentication.md)