Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: b-ahibbard

articles/active-directory-domain-services/policy-reference.md

@@ -1,7 +1,7 @@
 ---
 title: Built-in policy definitions for Azure Active Directory Domain Services
 description: Lists Azure Policy built-in policy definitions for Azure Active Directory Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 01/29/2023
+ms.date: 02/21/2023
 ms.service: active-directory
 ms.subservice: domain-services
 author: justinha

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -74,30 +74,24 @@ Now we'll walk through each step:
 
 ## Certificate-based authentication is MFA capable
 
-Azure AD CBA is an MFA (Multi factor authentication) capable method, that is Azure AD CBA can be either Single (SF) or Multi-factor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to proof up to register other authentication methods when the user is in scope for CBA. 
+Azure AD CBA is an MFA (Multi factor authentication) capable method, that is Azure AD CBA can be either Single (SF) or Multi-factor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to get MFA and proof up to register other authentication methods when the user is in scope for CBA.
 
-This can happen when: 
-
-If CBA enabled user only has a Single Factor (SF) certificate
-	To unblock user:
-	1. Use Password + SF certificate.
+If CBA enabled user only has a Single Factor (SF) certificate and need MFA
+   1. Use Password + SF certificate.
    1. Issue Temporary Access Pass (TAP)
    1. Admin adds Phone Number to user account and allows Voice/SMS method for user.
 
-If CBA enabled user but has not yet been issued a certificate
-   To unblock user:
+If CBA enabled user has not yet been issued a certificate and need MFA
    1. Issue Temporary Access Pass (TAP)
    1. Admin adds Phone Number to user account and allows Voice/SMS method for user.
 
-If CBA enabled user cannot use MF cert (such as on mobile device without smart card support)
-   To unblock user: 
+If CBA enabled user cannot use MF cert (such as on mobile device without smart card support) and need MFA
    1. Issue Temporary Access Pass (TAP)
    1. User Register another MFA method (when user can use MF cert)
    1. Use Password + MF cert (when user can use MF cert)
    1. Admin adds Phone Number to user account and allows Voice/SMS method for user
 
 
-
 ## MFA with Single-factor certificate-based authentication
 
 Azure AD CBA can be used as a second factor to meet MFA requirements with single-factor certificates. The supported combintaions are

articles/active-directory/fundamentals/2-secure-access-current-state.md

@@ -1,14 +1,14 @@
 ---
-title: Discover the current state of external collaboration with Azure Active Directory 
-description: Learn methods to discover the current state of your collaboration
+title: Discover the current state of external collaboration in your organization
+description: Discover the current state of an organization's collaboration with audit logs, reporting, allowlist, blocklist, and more.
 services: active-directory
 author: gargi-sinha
 manager: martinco
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 12/15/2022
+ms.date: 02/21/2023
 ms.author: gasinh
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
@@ -19,53 +19,55 @@ ms.collection: M365-identity-device-management
 
 Before you learn about the current state of your external collaboration, determine a security posture. Consider centralized vs. delegated control, also governance, regulatory, and compliance targets.
 
-Learn more: [Determine your security posture for external users](1-secure-access-posture.md)
+Learn more: [Determine your security posture for external access with Azure Active Directory](1-secure-access-posture.md)
 
-Users in your organization likely collaborate with users from other organizations. Collaboration can occur with productivity applications like Microsoft 365, by email, or sharing resources with external users. The foundation of your governance plan can include:
+Users in your organization likely collaborate with users from other organizations. Collaboration occurs with productivity applications like Microsoft 365, by email, or sharing resources with external users. These scenarios include users:
 
-* Users initiating external collaboration
-* Collaboration with external users and organizations
-* Access granted to external users
+* Initiating external collaboration
+* Collaborating with external users and organizations
+* Granting access to external users
 
-## Users initiating external collaboration
+## Determine who initiates external collaboration
 
-Users seeking external collaboration know the applications needed for their work, and when access ends. Therefore, determine users with delegated permission to invite external users, create access packages, and complete access reviews.
+Generally, users seeking external collaboration know the applications to use, and when access ends. Therefore, determine users with delegated permissions to invite external users, create access packages, and complete access reviews.
 
 To find collaborating users:
 
-* [Microsoft 365, audit log activities](/microsoft-365/compliance/audit-log-activities?view=o365-worldwide&preserve-view=true)
-* [Auditing and reporting a B2B collaboration user](../external-identities/auditing-and-reporting.md)
+* Microsoft 365 [Audit log activities](/microsoft-365/compliance/audit-log-activities?view=o365-worldwide&preserve-view=true) - search for events and discover activities audited in Microsoft 365
+* [Auditing and reporting a B2B collaboration user](../external-identities/auditing-and-reporting.md) - verify guest user access, and see records of system and user activities
 
-## Collaboration with external users and organizations
+## Enumerate guest users and organizations
 
-External users might be Azure AD B2B users with partner-managed credentials, or external users with locally provisioned credentials. Typically, these users are a UserType of Guest. See, [B2B collaboration overview](../external-identities/what-is-b2b.md).
+External users might be Azure AD B2B users with partner-managed credentials, or external users with locally provisioned credentials. Typically, these users are the Guest UserType. To learn about inviting guests users and sharing resources, see [B2B collaboration overview](../external-identities/what-is-b2b.md).
 
 You can enumerate guest users with:
 
 * [Microsoft Graph API](/graph/api/user-list?tabs=http)
 * [PowerShell](/graph/api/user-list?tabs=http)
 * [Azure portal](../enterprise-users/users-bulk-download.md)
 
-There are tools to identify Azure AD B2B collaboration, external Azure AD tenants and users accessing applications:
+Use the following tools to identify Azure AD B2B collaboration, external Azure AD tenants, and users accessing applications:
 
-* [PowerShell module](https://github.com/AzureAD/MSIdentityTools/wiki/Get-MSIDCrossTenantAccessActivity)
-* [Azure Monitor workbook](../reports-monitoring/workbook-cross-tenant-access-activity.md)
+* PowerShell module, [Get MsIdCrossTenantAccessActivity](https://github.com/AzureAD/MSIdentityTools/wiki/Get-MSIDCrossTenantAccessActivity)
+* [Cross-tenant access activity workbook](../reports-monitoring/workbook-cross-tenant-access-activity.md)
 
-### Email domains and companyName property
+### Discover email domains and companyName property
 
-Determine external organizations with the domain names of external user email addresses. This discovery might not be possible with consumer identity providers such as Google. We recommend you write the companyName attribute to identify external organizations.
+You can determine external organizations with the domain names of external user email addresses. This discovery might not be possible with consumer identity providers. We recommend you write the companyName attribute to identify external organizations.
 
-### Allowlist, blocklist, and entitlement management
+### Use allowlist, blocklist, and entitlement management
 
-For your organization to collaborate with, or block, specific organizations, at the tenant level, there is allowlist or blocklist. Use this feature to control B2B invitations and redemptions regardless of source (such as Microsoft Teams, SharePoint, or the Azure portal). See, [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md).
+Use the allowlist or blocklist to enable your organization to collaborate with, or block, organizations at the tenant level. Control B2B invitations and redemptions regardless of source (such as Microsoft Teams, SharePoint, or the Azure portal). 
+
+See, [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md)
 
 If you use entitlement management, you can confine access packages to a subset of partners with the **Specific connected organizations** option, under New access packages, in Identity Governance.
 
-   ![Screenshot of the Specific connected organizations option, under New access packages.](media/secure-external-access/2-new-access-package.png)
+   ![Screenshot of settings and options under Identity Governance, New access package.](media/secure-external-access/2-new-access-package.png)
 
-## External user access
+## Determine external user access
 
-After you have an inventory of external users and organizations, determine the access to grant to these users. You can use the Microsoft Graph API to determine Azure AD group membership or application assignment.
+With an inventory of external users and organizations, determine the access to grant to the users. You can use the Microsoft Graph API to determine Azure AD group membership or application assignment.
 
 * [Working with groups in Microsoft Graph](/graph/api/resources/groups-overview?context=graph%2Fcontext&view=graph-rest-1.0&preserve-view=true)
 * [Applications API overview](/graph/applications-concept-overview?view=graph-rest-1.0&preserve-view=true)

articles/active-directory/fundamentals/whats-new-sovereign-clouds.md

@@ -22,6 +22,58 @@ Azure AD receives improvements on an ongoing basis. To stay up to date with the
 This page is updated monthly, so revisit it regularly.
 
 
+## January 2023
+
+### General Availability - Azure AD Domain Services: Deeper Insights
+
+**Type:** New feature  
+**Service category:** Azure AD Domain Services             
+**Product capability:** Azure AD Domain Services        
+
+Now within the Azure portal you have access to view key data for your Azure AD-DS Domain Controllers such as: LDAP Searches/sec, Total Query Received/sec, DNS Total Response Sent/sec, LDAP Successful Binds/sec, memory usage, processor time, Kerberos Authentications, and NTLM Authentications. For more information, see: [Check fleet metrics of Azure Active Directory Domain Services](/azure/active-directory-domain-services/fleet-metrics).
+
+---
+
+### General Availability - Add multiple domains to the same SAML/Ws-Fed based identity provider configuration for your external users
+
+**Type:** New feature   
+**Service category:** B2B        
+**Product capability:** B2B/B2C   
+
+An IT admin can now add multiple domains to a single SAML/WS-Fed identity provider configuration to invite users from multiple domains to authenticate from the same identity provider endpoint. For more information, see: [Federation with SAML/WS-Fed identity providers for guest users](../external-identities/direct-federation.md).
+
+---
+
+### General Availability - New risk in Identity Protection: Anomalous user activity
+
+**Type:** New feature  
+**Service category:** Conditional Access          
+**Product capability:** Identity Security & Protection     
+
+This risk detection baselines normal administrative user behavior in Azure AD, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrator making the change or the object that was changed. For more information, see: [User-linked detections](../identity-protection/concept-identity-protection-risks.md#user-linked-detections).
+
+---
+
+### General Availability - Administrative unit support for devices
+
+**Type:** New feature   
+**Service category:** Directory Management             
+**Product capability:** AuthZ/Access Delegation       
+
+You can now use administrative units to delegate management of specified devices in your tenant by adding devices to an administrative unit, and assigning built-in and custom device management roles scoped to that administrative unit. For more information, see: [Device management](../roles/administrative-units.md#device-management).
+
+---
+
+### General Availability - Azure AD Terms of Use (ToU) API
+
+**Type:** New feature  
+**Service category:** Conditional Access          
+**Product capability:** Identity Security & Protection     
+
+Represents a tenant's customizable terms of use agreement that is created, and managed, with Azure Active Directory (Azure AD). You can use the following methods to create and manage the [Azure Active Directory Terms of Use feature](/graph/api/resources/agreement?#json-representation) according to your scenario. For more information, see: [agreement resource type](/graph/api/resources/agreement).
+
+---
+
 ## December 2022
 
 ### General Availability - Risk-based Conditional Access for workload identities
@@ -40,7 +92,7 @@ Customers can now bring one of the most powerful forms of access control in the
 **Service category:** Enterprise Apps        
 **Product capability:** Identity Lifecycle Management     
 
-Restore a recently deleted application, group, servicePrincipal, administrative unit, or user object from deleted items. If an item was accidentally deleted, you can fully restore the item. This isn't applicable to security groups, which are deleted permanently. A recently deleted item will remain available for up to 30 days. After 30 days, the item is permanently deleted. For more information, see: [servicePrincipal resource type](/graph/api/resources/serviceprincipal).
+Restore a recently deleted application, group, servicePrincipal, administrative unit, or user object from deleted items. If an item was accidentally deleted, you can fully restore the item. This isn't applicable to security groups, which are deleted permanently. A recently deleted item remains available for up to 30 days. After 30 days, the item is permanently deleted. For more information, see: [servicePrincipal resource type](/graph/api/resources/serviceprincipal).
 
 ---
 
@@ -50,7 +102,7 @@ Restore a recently deleted application, group, servicePrincipal, administrative
 **Service category:** Authentications (Logins)     
 **Product capability:** Identity Security & Protection   
 
-We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, we’ve made Windows Hello for Business much easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Migrate to cloud authentication using Staged Rollout](../hybrid/how-to-connect-staged-rollout.md).
+We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, we’ve made Windows Hello for Business easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Migrate to cloud authentication using Staged Rollout](../hybrid/how-to-connect-staged-rollout.md).
 
 ---
 
@@ -64,7 +116,7 @@ We're excited to announce the general availability of hybrid cloud Kerberos trus
 **Service category:** Authentications (Logins)     
 **Product capability:** User Authentication   
 
-We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, we’ve made Windows Hello for Business much easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Hybrid Cloud Kerberos Trust Deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
+We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, we’ve made Windows Hello for Business easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Hybrid Cloud Kerberos Trust Deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
 
 ---
 

articles/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md

@@ -81,7 +81,7 @@ Once you have the app registration configured, you can run activity log queries
 1. Use one of the following queries to start using Microsoft Graph for accessing activity logs:
     - GET `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits`
     - GET `https://graph.microsoft.com/v1.0/auditLogs/signIns`
-    - For more information on Microsoft Graph queries for activity logs, see [Activity reports API overview](/graph/api/resources/azuread-auditlog-overview)
+    - For more information on Microsoft Graph queries for activity logs, see [Activity reports API overview](/graph/api/resources/azure-ad-auditlog-overview)
 
     ![Screenshot of an activity log GET query in Microsoft Graph.](./media/howto-configure-prerequisites-for-reporting-api/graph-sample-get-query.png)
 
@@ -134,4 +134,4 @@ Programmatic access APIs:
 
 * [Get started with Azure Active Directory Identity Protection and Microsoft Graph](../identity-protection/howto-identity-protection-graph-api.md)
 * [Audit API reference](/graph/api/resources/directoryaudit) 
-* [Sign-in API reference](/graph/api/resources/signin)
+* [Sign-in API reference](/graph/api/resources/signin)

articles/aks/policy-reference.md

@@ -1,7 +1,7 @@
 ---
 title: Built-in policy definitions for Azure Kubernetes Service
 description: Lists Azure Policy built-in policy definitions for Azure Kubernetes Service. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 01/05/2023
+ms.date: 02/21/2023
 ms.topic: reference
 ms.custom: subject-policy-reference
 ---

articles/api-management/policy-reference.md

@@ -1,7 +1,7 @@
 ---
 title: Built-in policy definitions for Azure API Management
 description: Lists Azure Policy built-in policy definitions for Azure API Management. These built-in policy definitions provide approaches to managing your Azure resources.
-ms.date: 01/05/2023
+ms.date: 02/21/2023
 author: dlepow
 ms.author: danlep
 ms.service: api-management