Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: inward-eye

.openpublishing.redirection.active-directory.json

@@ -45,6 +45,11 @@
       "redirect_url": "/azure/active-directory/saas-apps/tutorial-list",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/saas-apps/icertisicm-tutorial.md",
+      "redirect_url": "/azure/active-directory/saas-apps/tutorial-list",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/governance/tutorial-onboard-custom-workflow-graph.md",
       "redirect_url": "/graph/tutorial-lifecycle-workflows-onboard-custom-workflow",

.openpublishing.redirection.defender-for-iot.json

@@ -1,5 +1,10 @@
 {
     "redirections": [
+        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/tutorial-getting-started-eiot-sensor.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/concept-enterprise",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/defender-for-iot/organizations/resources-frequently-asked-questions.md",
             "redirect_url": "/azure/defender-for-iot/organizations/faqs-general",

articles/active-directory/identity-protection/concept-identity-protection-policies.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: conceptual
-ms.date: 10/04/2022
+ms.date: 11/11/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -51,13 +51,10 @@ If risks are detected on a sign-in, users can perform the required access contro
 Identity Protection analyzes signals about user accounts and calculates a risk score based on the probability that the user has been compromised. If a user has risky sign-in behavior, or their credentials have been leaked, Identity Protection will use these signals to calculate the user risk level. Administrators can configure user risk-based Conditional Access policies to enforce access controls based on user risk, including requirements such as: 
 
 - Block access
-- Allow access but require a secure password change using [Azure AD self-service password reset](../authentication/howto-sspr-deployment.md).
+- Allow access but require a secure password change.
 
 A secure password change will remediate the user risk and close the risky user event to prevent unnecessary noise for administrators.
 
-> [!NOTE] 
-> Users must have previously registered for self-service password reset before triggering the user risk policy.
-
 ## Identity Protection policies
 
 While Identity Protection also offers a user interface for creating user risk policy and sign-in risk policy, we highly recommend that you [use Azure AD Conditional Access to create risk-based policies](howto-identity-protection-configure-risk-policies.md) for the following benefits:

articles/active-directory/identity-protection/concept-identity-protection-risks.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: conceptual
-ms.date: 08/16/2022
+ms.date: 11/10/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -85,7 +85,8 @@ Premium detections are visible only to Azure AD Premium P2 customers. Customers
 | Risk detection |  Detection type | Description |
 | --- | --- | --- |
 | Possible attempt to access Primary Refresh Token (PRT) | Offline | This risk detection type is detected by Microsoft Defender for Endpoint (MDE). A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10, Windows Server 2016, and later versions, iOS, and Android devices. A PRT is a JSON Web Token (JWT) that's specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices. Attackers can attempt to access this resource to move laterally into an organization or perform credential theft. This detection will move users to high risk and will only fire in organizations that have deployed MDE. This detection is low-volume and will be seen infrequently by most organizations. However, when it does occur it's high risk and users should be remediated. |
-| Anomalous user activity | Offline | This risk detection indicates that suspicious patterns of activity have been identified for an authenticated user. The post-authentication behavior of users is assessed for anomalies. This behavior is based on actions occurring for the account, along with any sign-in risk detected. |
+| Anomalous user activity | Offline | This risk detection baselines normal administrative user behavior in Azure AD, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrator making the change or the object that was changed. |
+
 
 #### Nonpremium user risk detections
 

articles/active-directory/identity-protection/concept-identity-protection-user-experience.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: conceptual
-ms.date: 01/21/2022
+ms.date: 11/11/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -42,7 +42,7 @@ When an administrator has configured a policy for sign-in risks, affected users
 
 ### Risky sign-in self-remediation
 
-1. The user is informed that something unusual was detected about their sign-in. This could be something like, such as signing in from a new location, device, or app.
+1. The user is informed that something unusual was detected about their sign-in. This behavior could be something like, such as signing in from a new location, device, or app.
 
     ![Something unusual prompt](./media/concept-identity-protection-user-experience/120.png)
 
@@ -84,7 +84,7 @@ If your organization has users who are delegated access to another tenant and th
 1. An organization has a managed service provider (MSP) or cloud solution provider (CSP) who takes care of configuring their cloud environment. 
 1. One of the MSPs technicians credentials are leaked and triggers high risk. That technician is blocked from signing in to other tenants. 
 1. The technician can self-remediate and sign in if the home tenant has enabled the appropriate policies [requiring password change for high risk users](../conditional-access/howto-conditional-access-policy-risk-user.md) or [MFA for risky users](../conditional-access/howto-conditional-access-policy-risk.md). 
-   1. If the home tenant hasn't enabled self-remediation policies, an administrator in the technician's home tenant will have to [remediate the risk](howto-identity-protection-remediate-unblock.md#remediation).
+   1. If the home tenant hasn't enabled self-remediation policies, an administrator in the technician's home tenant will have to [remediate the risk](howto-identity-protection-remediate-unblock.md#risk-remediation).
 
 ## See also
 

articles/active-directory/identity-protection/concept-workload-identity-risk.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: conceptual
-ms.date: 02/07/2022
+ms.date: 11/10/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -54,8 +54,8 @@ We detect risk on workload identities across sign-in behavior and offline indica
 | Admin confirmed account compromised | Offline | This detection indicates an admin has selected 'Confirm compromised' in the Risky Workload Identities UI or using riskyServicePrincipals API. To see which admin has confirmed this account compromised, check the account’s risk history (via UI or API). |
 | Leaked Credentials | Offline | This risk detection indicates that the account's valid credentials have been leaked. This leak can occur when someone checks in the credentials in public code artifact on GitHub, or when the credentials are leaked through a data breach. <br><br> When the Microsoft leaked credentials service acquires credentials from GitHub, the dark web, paste sites, or other sources, they're checked against current valid credentials in Azure AD to find valid matches. |
 | Malicious application | Offline | This detection indicates that Microsoft has disabled an application for violating our terms of service. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application.| 
-| Suspicious application | Offline | This detection indicates that Microsoft has identified an application that may be violating our terms of service, but has not disabled it. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application.| 
-| Anomalous service principal activity | Offline | This risk detection indicates that suspicious patterns of activity have been identified for an authenticated service principal. The post-authentication behavior of service principals is assessed for anomalies. This behavior is based on actions occurring for the account, along with any sign-in risk detected. |
+| Suspicious application | Offline | This detection indicates that Microsoft has identified an application that may be violating our terms of service, but hasn't disabled it. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application.| 
+| Anomalous service principal activity | Offline | This risk detection baselines normal administrative service principal behavior in Azure AD, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrative service principal making the change or the object that was changed. |
 
 ## Identify risky workload identities
 

articles/active-directory/identity-protection/howto-identity-protection-investigate-risk.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: how-to
-ms.date: 01/24/2022
+ms.date: 11/11/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -100,7 +100,7 @@ Administrators can then choose to return to the user's risk or sign-ins report t
 Organizations may use the following frameworks to begin their investigation into any suspicious activity. Investigations may require having a conversation with the user in question, review of the [sign-in logs](../reports-monitoring/concept-sign-ins.md), or review of the [audit logs](../reports-monitoring/concept-audit-logs.md) to name a few.
 
 1. Check the logs and validate whether the suspicious activity is normal for the given user.
-   1. Look at the user’s past activities including at least the following properties to see if they are normal for the given user. 
+   1. Look at the user’s past activities including at least the following properties to see if they're normal for the given user. 
       1. Application
       1. Device - Is the device registered or compliant?
       1. Location - Is the user traveling to a different location or accessing devices from multiple locations?