MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/howto-mfa-getstarted.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/authentication/howto-mfa-getstarted.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/identity-protection/TOC.yml
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/identity-protection/TOC.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/identity-protection/concept-identity-protection-policies.md
Lines changed: 44 additions & 24 deletions b/‎articles/active-directory/identity-protection/concept-identity-protection-policies.md
Lines changed: 44 additions & 24 deletions
diff --git a/‎articles/active-directory/identity-protection/concept-identity-protection-risks.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/identity-protection/concept-identity-protection-risks.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/identity-protection/concept-identity-protection-user-experience.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/identity-protection/concept-identity-protection-user-experience.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy.md
Lines changed: 7 additions & 7 deletions b/‎articles/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy.md
Lines changed: 7 additions & 7 deletions
@@ -103,8 +103,8 @@ If your organization uses [Azure AD Identity Protection](../identity-protection/
 Risk policies include:
 
 - [Require all users to register for Azure AD Multi-Factor Authentication](../identity-protection/howto-identity-protection-configure-mfa-policy.md)
-- [Require a password change for users that are high-risk](../identity-protection/howto-identity-protection-configure-risk-policies.md#user-risk-with-conditional-access)
-- [Require MFA for users with medium or high sign in risk](../identity-protection/howto-identity-protection-configure-risk-policies.md#sign-in-risk-with-conditional-access)
+- [Require a password change for users that are high-risk](../identity-protection/howto-identity-protection-configure-risk-policies.md#user-risk-policy-in-conditional-access)
+- [Require MFA for users with medium or high sign in risk](../identity-protection/howto-identity-protection-configure-risk-policies.md#sign-in-risk-policy-in-conditional-access)
 
 ### Convert users from per-user MFA to Conditional Access based MFA
 
 
@@ -11,7 +11,7 @@
     href: concept-identity-protection-security-overview.md
   - name: What are risks?
     href: concept-identity-protection-risks.md
-  - name: Identity Protection policies
+  - name: Risk-based access policies
     href: concept-identity-protection-policies.md
   - name: What is the sign-in experience?
     href: concept-identity-protection-user-experience.md
 
@@ -1,63 +1,83 @@
 ---
-title: Azure AD Identity Protection policies
-description: Identifying the three policies that are enabled with Identity Protection
+title: Azure AD Identity Protection risk-based access policies
+description: Identifying risk-based Conditional Access policies
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: conceptual
-ms.date: 08/22/2022
+ms.date: 10/04/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: amycolannino
-ms.reviewer: sahandle
+ms.reviewer: chuqiaoshi
 
 ms.collection: M365-identity-device-management
 ---
-# Identity Protection policies
+# Risk-based access policies
 
-Azure Active Directory Identity Protection includes three default policies that administrators can choose to enable. These policies include limited customization but are applicable to most organizations. All of the policies allow for excluding users such as your [emergency access or break-glass administrator accounts](../roles/security-emergency-access.md).
+Access control policies can be applied to protect organizations when a sign-in or user is detected to be at risk. Such policies are called **risk-based policies**. 
 
-![Identity Protection policies](./media/concept-identity-protection-policies/identity-protection-policies.png)
+Azure AD Conditional Access offers two risk conditions: **Sign-in risk** and **User risk**. Organizations can create risk-based Conditional Access policies by configuring these two risk conditions and choosing an access control method. During each sign-in, Identity Protection sends the detected risk levels to Conditional Access, and the risk-based policies will apply if the policy conditions are satisfied.
 
-## Azure AD MFA registration policy
+![Diagram that shows a conceptual risk-based Conditional Access policy.](./media/concept-identity-protection-policies/risk-based-conditional-access-diagram.png)
+
+For example, as shown in the diagram below, if organizations have a sign-in risk policy that requires multifactor authentication when the sign-in risk level is medium or high, their users must complete multifactor authentication when their sign-in risk is medium or high.
 
-Identity Protection can help organizations roll out Azure AD Multifactor Authentication (MFA) using a Conditional Access policy requiring registration at sign-in. Enabling this policy is a great way to ensure new users in your organization have registered for MFA on their first day. Multifactor authentication is one of the self-remediation methods for risk events within Identity Protection. Self-remediation allows your users to take action on their own to reduce helpdesk call volume.
+![Diagram that shows a conceptual risk-based Conditional Access policy with self-remediation.](./media/concept-identity-protection-policies/risk-based-conditional-access-policy-example.png)
 
-More information about Azure AD Multifactor Authentication can be found in the article, [How it works: Azure AD Multifactor Authentication](../authentication/concept-mfa-howitworks.md).
+The example above also demonstrates a main benefit of a risk-based policy: **automatic risk remediation**. When a user successfully completes the required access control, like a secure password change, their risk is remediated. That sign-in session and user account won't be at risk, and no action is needed from the administrator. 
 
-## Sign-in risk policy
+Allowing users to self-remediate using this process will significantly reduce the risk investigation and remediation burden on the administrators while protecting your organizations from security compromises. More information about risk remediation can be found in the article, [Remediate risks and unblock users](howto-identity-protection-remediate-unblock.md).
 
-Identity Protection analyzes signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn't really the user. Administrators can make a decision based on this risk score signal to enforce organizational requirements like: 
+## Sign-in risk-based Conditional Access policy
+
+During each sign-in, Identity Protection analyzes hundreds of signals in real-time and calculates a sign-in risk level that represents the probability that the given authentication request isn't authorized. This risk level then gets sent to Conditional Access, where the organization's configured policies are evaluated. Administrators can configure sign-in risk-based Conditional Access policies to enforce access controls based on sign-in risk, including requirements such as:
 
 - Block access
 - Allow access
 - Require multifactor authentication
 
-If risk is detected, users can perform multifactor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators.
-
-> [!NOTE] 
-> Users must have previously registered for Azure AD Multifactor Authentication before triggering the sign-in risk policy.
+If risks are detected on a sign-in, users can perform the required access control such as multifactor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators.
 
-### Custom Conditional Access policy
+![Screenshot of a sign-in risk-based Conditional Access policy.](./media/concept-identity-protection-policies/sign-in-risk-policy.png)
 
-Administrators can also choose to create a custom Conditional Access policy including sign-in risk as an assignment condition. More information about risk as a condition in a Conditional Access policy can be found in the article, [Conditional Access: Conditions](../conditional-access/concept-conditional-access-conditions.md#sign-in-risk)
+> [!NOTE] 
+> Users must have previously registered for Azure AD multifactor authentication before triggering the sign-in risk policy.
 
-![Custom Conditional Access sign-in risk policy](./media/concept-identity-protection-policies/identity-protection-custom-sign-in-policy.png)
+## User risk-based Conditional Access policy
 
-## User risk policy
+Identity Protection analyzes signals about user accounts and calculates a risk score based on the probability that the user has been compromised. If a user has risky sign-in behavior, or their credentials have been leaked, Identity Protection will use these signals to calculate the user risk level. Administrators can configure user risk-based Conditional Access policies to enforce access controls based on user risk, including requirements such as: 
 
-Identity Protection can calculate what it believes is normal for a user's behavior and use that to base decisions for their risk. User risk is a calculation of probability that an identity has been compromised. Administrators can make a decision based on this risk score signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require a password change using [Azure AD self-service password reset](../authentication/howto-sspr-deployment.md).
+- Block access
+- Allow access but require a secure password change using [Azure AD self-service password reset](../authentication/howto-sspr-deployment.md).
 
-If risk is detected, users can perform self-service password reset to self-remediate and close the user risk event to prevent unnecessary noise for administrators.
+A secure password change will remediate the user risk and close the risky user event to prevent unnecessary noise for administrators.
 
 > [!NOTE] 
 > Users must have previously registered for self-service password reset before triggering the user risk policy.
 
+## Identity Protection policies
+
+While Identity Protection also offers a user interface for creating user risk policy and sign-in risk policy, we highly recommend that you [use Azure AD Conditional Access to create risk-based policies](howto-identity-protection-configure-risk-policies.md) for the following benefits:
+
+- Rich set of conditions to control access: Conditional Access offers a rich set of conditions such as applications and locations for configuration. The risk conditions can be used in combination with other conditions to create policies that best enforce your organizational requirements.
+- Multiple risk-based policies can be put in place to target different user groups or apply different access control for different risk levels.
+- Conditional Access policies can be created through Microsoft Graph API and can be tested first in report-only mode.
+- Manage all access policies in one place in Conditional Access.
+
+If you already have Identity Protection risk policies set up, we encourage you to [migrate them to Conditional Access](howto-identity-protection-configure-risk-policies.md#migrate-risk-policies-from-identity-protection-to-conditional-access).
+
+## Azure AD MFA registration policy
+
+Identity Protection can help organizations roll out Azure AD multifactor authentication (MFA) using a policy requiring registration at sign-in. Enabling this policy is a great way to ensure new users in your organization have registered for MFA on their first day. Multifactor authentication is one of the self-remediation methods for risk events within Identity Protection. Self-remediation allows your users to take action on their own to reduce helpdesk call volume.
+
+More information about Azure AD multifactor authentication can be found in the article, [How it works: Azure AD multifactor authentication](../authentication/concept-mfa-howitworks.md).
+
 ## Next steps
 
 - [Enable Azure AD self-service password reset](../authentication/howto-sspr-deployment.md)
-- [Enable Azure AD Multifactor Authentication](../authentication/howto-mfa-getstarted.md)
-- [Enable Azure AD Multifactor Authentication registration policy](howto-identity-protection-configure-mfa-policy.md)
+- [Enable Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md)
+- [Enable Azure AD multifactor authentication registration policy](howto-identity-protection-configure-mfa-policy.md)
 - [Enable sign-in and user risk policies](howto-identity-protection-configure-risk-policies.md)
@@ -11,7 +11,7 @@ ms.date: 08/16/2022
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: amycolannino
-ms.reviewer: sahandle, chuqiaoshi
+ms.reviewer: chuqiaoshi
 
 ms.collection: M365-identity-device-management
 ---
@@ -99,7 +99,7 @@ Premium detections are visible only to Azure AD Premium P2 customers. Customers
 
 ### Risk levels
 
-Identity Protection categorizes risk into three tiers: low, medium, and high. When configuring [custom Identity protection policies](./concept-identity-protection-policies.md#custom-conditional-access-policy), you can also configure it to trigger upon **No risk** level. No Risk means there's no active indication that the user's identity has been compromised.
+Identity Protection categorizes risk into three tiers: low, medium, and high. When configuring [Identity protection policies](./concept-identity-protection-policies.md), you can also configure it to trigger upon **No risk** level. No Risk means there's no active indication that the user's identity has been compromised.
 
 Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.
 
 
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
 
 With Azure Active Directory Identity Protection, you can:
 
-* Require users to register for Azure AD Multi-Factor Authentication (MFA)
+* Require users to register for Azure AD multifactor authentication (MFA)
 * Automate remediation of risky sign-ins and compromised users
 
 All of the Identity Protection policies have an impact on the sign in experience for users. Allowing users to register for and use tools like Azure AD MFA and self-service password reset can lessen the impact. These tools along with the appropriate policy choices gives users a self-remediation option when they need it.
@@ -34,7 +34,7 @@ Enabling the Identity Protection policy requiring multi-factor authentication re
 
     ![More information required](./media/concept-identity-protection-user-experience/identity-protection-experience-more-info-mfa.png)
 
-1. Complete the guided steps to register for Azure AD Multi-Factor Authentication and complete your sign-in.
+1. Complete the guided steps to register for Azure AD multifactor authentication and complete your sign-in.
 
 ## Risky sign-in remediation
 
 
@@ -15,20 +15,20 @@ ms.reviewer: sahandle
 
 ms.collection: M365-identity-device-management
 ---
-# How To: Configure the Azure AD Multifactor Authentication registration policy
+# How To: Configure the Azure AD multifactor authentication registration policy
 
-Azure Active Directory (Azure AD) Identity Protection helps you manage the roll-out of Azure AD Multifactor Authentication (MFA) registration by configuring a Conditional Access policy to require MFA registration no matter what modern authentication app you're signing in to.
+Azure Active Directory (Azure AD) Identity Protection helps you manage the roll-out of Azure AD multifactor authentication (MFA) registration by configuring a Conditional Access policy to require MFA registration no matter what modern authentication app you're signing in to.
 
-## What is the Azure AD Multifactor Authentication registration policy?
+## What is the Azure AD multifactor authentication registration policy?
 
-Azure AD Multifactor Authentication provides a means to verify who you are using more than just a username and password. It provides a second layer of security to user sign-ins. In order for users to be able to respond to MFA prompts, they must first register for Azure AD Multifactor Authentication.
+Azure AD multifactor authentication provides a means to verify who you are using more than just a username and password. It provides a second layer of security to user sign-ins. In order for users to be able to respond to MFA prompts, they must first register for Azure AD multifactor authentication.
 
-We recommend that you require Azure AD Multifactor Authentication for user sign-ins because it:
+We recommend that you require Azure AD multifactor authentication for user sign-ins because it:
 
 - Delivers strong authentication through a range of verification options.
 - Plays a key role in preparing your organization to self-remediate from risk detections in Identity Protection.
 
-For more information on Azure AD Multifactor Authentication, see [What is Azure AD Multifactor Authentication?](../authentication/howto-mfa-getstarted.md)
+For more information on Azure AD multifactor authentication, see [What is Azure AD multifactor authentication?](../authentication/howto-mfa-getstarted.md)
 
 ## Policy configuration
 
@@ -54,4 +54,4 @@ For an overview of the related user experience, see:
 
 - [Enable Azure AD self-service password reset](../authentication/howto-sspr-deployment.md)
 
-- [Enable Azure AD Multifactor Authentication](../authentication/howto-mfa-getstarted.md)
+- [Enable Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md)