Merge branch 'main' into als-networking-scenarios-fix

Author: ntrogh

.openpublishing.redirection.json

@@ -22203,6 +22203,16 @@
             "redirect_url": "/azure/active-directory/develop/zero-trust-for-developers",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/active-directory-v2-protocols.md",
+            "redirect_url": "/azure/active-directory/develop/v2-protocols",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/msal-net-aad-b2c-considerations.md",
+            "redirect_url": "/azure/active-directory/develop/msal-net-b2c-considerations",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/active-directory/develop/active-directory-how-applications-are-added.md",
             "redirect_url": "/azure/active-directory/develop/how-applications-are-added",

articles/active-directory/authentication/howto-authentication-passwordless-faqs.md

@@ -106,7 +106,7 @@ For a full list of endpoints needed to use Microsoft online products, see [Offic
 To check if the Windows 10 client device has the right domain join type, use the following command:
 
 ```console
-Dsregcmd/status
+Dsregcmd /status
 ```
 
 The following sample output shows that the device is Azure AD joined as *AzureADJoined* is set to *YES*:

articles/active-directory/authentication/howto-authentication-passwordless-phone.md

@@ -87,14 +87,17 @@ Users can register for passwordless phone sign-in directly within the Microsoft
 6. Once signed-in, continue following the additional steps to set up phone sign-in. 
 
 ### Guided registration with My Sign-ins 
+> [!NOTE]
+> Users will only be able to register Microsoft Authenticator via combined registration if the Microsoft Authenticator authentication mode is to  Any or Push. 
+
 To register the Microsoft Authenticator app, follow these steps:
 
 1. Browse to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo).
 1. Sign in, then select **Add method** > **Authenticator app** > **Add** to add Microsoft Authenticator.
 1. Follow the instructions to install and configure the Microsoft Authenticator app on your device.
 1. Select **Done** to complete Microsoft Authenticator configuration.
 
-### Enable phone sign-in
+#### Enable phone sign-in
 
 After users registered themselves for the Microsoft Authenticator app, they need to enable phone sign-in: 
 

articles/active-directory/authentication/media/how-to-mfa-server-migration-utility/settings.png

@@ -126,7 +126,7 @@
     - name: Add app roles in your application
       href: ../develop/howto-add-app-roles-in-azure-ad-apps.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json
     - name: Branding guidelines
-      href: ../develop/howto-add-branding-in-azure-ad-apps.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json
+      href: /azure/active-directory/develop/howto-add-branding-in-apps
     - name: Terms of Service and Privacy Statement
       href: ../develop/howto-add-terms-of-service-privacy-statement.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json
   - name: Bring an app to market

articles/active-directory/azuread-dev/TOC.yml

@@ -8,4 +8,4 @@
     items:
     - name: Cloud sync
       tocHref: /azure/active-directory/hybrid/
-      topicHref: /azure/active-directory/cloud-sync/index
+      topicHref: /azure/active-directory/hybrid/cloud-sync/

articles/active-directory/cloud-sync/bread/toc.yml

@@ -4,7 +4,7 @@ description: Learn how to use token protection in Conditional Access policies.
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 06/05/2023
+ms.date: 06/21/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -24,6 +24,10 @@ Token protection creates a cryptographically secure tie between the token and th
 
 With this preview, we're giving you the ability to create a Conditional Access policy to require token protection for sign-in tokens (refresh tokens) for specific services. We support token protection for sign-in tokens in Conditional Access for desktop applications accessing Exchange Online and SharePoint Online on Windows devices.
 
+> [!IMPORTANT]
+> The following changes have been made to Token Protection since the initial public preview release:
+> * **Sign In logs output:** The value of the string used in "enforcedSessionControls" and "sessionControlsNotSatisfied" changed from "Binding" to "SignInTokenProtection" in late June 2023. Queries on Sign In Log data should be updated to reflect this change.
+
 > [!NOTE]
 > We may interchange sign in tokens and refresh tokens in this content. This preview doesn't currently support access tokens or web cookies.
 
@@ -47,6 +51,7 @@ This preview supports the following configurations:
    - PowerQuery extension for Excel
    - Extensions to Visual Studio Code which access Exchange or SharePoint
    - Visual Studio
+   - The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in an August release.
 - The following Windows client devices aren't supported:
    - Windows Server 
    - Surface Hub
@@ -129,6 +134,9 @@ You can also use [Log Analytics](../reports-monitoring/tutorial-log-analytics-wi
 
 Here's a sample Log Analytics query searching the non-interactive sign-in logs for the last seven days, highlighting **Blocked** versus **Allowed** requests by **Application**. These queries are only samples and are subject to change.
 
+> [!NOTE]
+> **Sign In logs output:** The value of the string used in "enforcedSessionControls" and "sessionControlsNotSatisfied" changed from "Binding" to "SignInTokenProtection" in late June 2023. Queries on Sign In Log data should be updated to reflect this change.
+
 ```kusto
 //Per Apps query 
 // Select the log you want to query (SigninLogs or AADNonInteractiveUserSignInLogs ) 
@@ -142,10 +150,10 @@ AADNonInteractiveUserSignInLogs
 //Add userPrinicpalName if you want to filter  
 // | where UserPrincipalName =="<user_principal_Name>" 
 | mv-expand todynamic(ConditionalAccessPolicies) 
-| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["Binding"]' 
+| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["SignInTokenProtection"]' 
 | where ConditionalAccessPolicies.result !="reportOnlyNotApplied" and ConditionalAccessPolicies.result !="notApplied" 
 | extend SessionNotSatisfyResult = ConditionalAccessPolicies["sessionControlsNotSatisfied"] 
-| extend Result = case (SessionNotSatisfyResult contains 'Binding', 'Block','Allow') 
+| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow') 
 | summarize by Id,UserPrincipalName, AppDisplayName, Result 
 | summarize Requests = count(), Users = dcount(UserPrincipalName), Block = countif(Result == "Block"), Allow = countif(Result == "Allow"), BlockedUsers = dcountif(UserPrincipalName, Result == "Block") by AppDisplayName 
 | extend PctAllowed = round(100.0 * Allow/(Allow+Block), 2) 
@@ -171,10 +179,10 @@ AADNonInteractiveUserSignInLogs
 //Add userPrincipalName if you want to filter  
 // | where UserPrincipalName =="<user_principal_Name>" 
 | mv-expand todynamic(ConditionalAccessPolicies) 
-| where ConditionalAccessPolicies.enforcedSessionControls contains '["Binding"]' 
+| where ConditionalAccessPolicies.enforcedSessionControls contains '["SignInTokenProtection"]' 
 | where ConditionalAccessPolicies.result !="reportOnlyNotApplied" and ConditionalAccessPolicies.result !="notApplied" 
 | extend SessionNotSatisfyResult = ConditionalAccessPolicies.sessionControlsNotSatisfied 
-| extend Result = case (SessionNotSatisfyResult contains 'Binding', 'Block','Allow') 
+| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow') 
 | summarize by Id, UserPrincipalName, AppDisplayName, ResourceDisplayName,Result  
 | summarize Requests = count(),Block = countif(Result == "Block"), Allow = countif(Result == "Allow") by UserPrincipalName, AppDisplayName,ResourceDisplayName 
 | extend PctAllowed = round(100.0 * Allow/(Allow+Block), 2) 

articles/active-directory/conditional-access/concept-token-protection.md

@@ -6,25 +6,27 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: overview
-ms.date: 02/13/2023
+ms.date: 06/20/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: amycolannino
-ms.reviewer: calebb
+ms.reviewer: kvenkit
 
 ms.collection: M365-identity-device-management
 ms.custom: zt-include
 ---
 # What is Conditional Access?
 
-The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can use identity-driven signals as part of their access control decisions. 
+Microsoft is providing Conditional Access templates to organizations in report-only mode starting in January of 2023. We may add more policies as new threats emerge.
+
+The modern security perimeter extends beyond an organization's network perimeter to include user and device identity. Organizations now use identity-driven signals as part of their access control decisions.
 
 > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4MwZs]
 
-Conditional Access brings signals together, to make decisions, and enforce organizational policies. Azure AD Conditional Access is at the heart of the new identity-driven control plane.
+Azure AD Conditional Access brings signals together, to make decisions, and enforce organizational policies. Conditional Access is Microsoft's [Zero Trust policy engine](/security/zero-trust/deploy/identity) taking signals from various sources into account when enforcing policy decisions.
 
-![Conceptual Conditional signal plus decision to get enforcement](./media/overview/conditional-access-signal-decision-enforcement.png)
+:::image type="content" source="media/overview/conditional-access-signal-decision-enforcement.png" alt-text="Diagram showing concept of Conditional Access signals plus decision to enforce organizational policy.":::
 
 Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multifactor authentication to access it.
 
@@ -35,14 +37,16 @@ Administrators are faced with two primary goals:
 
 Use Conditional Access policies to apply the right access controls when needed to keep your organization secure.
 
-![Conceptual Conditional Access process flow](./media/overview/conditional-access-overview-how-it-works.png)
-
 > [!IMPORTANT]
 > Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
 
 ## Common signals
 
-Common signals that Conditional Access can take in to account when making a policy decision include the following signals:
+Conditional Access takes signals from various sources into account when making access decisions. 
+
+:::image type="content" source="media/overview/conditional-access-central-policy-engine-zero-trust.png" alt-text="Diagram showing Conditional Access as the Zero Trust policy engine aggregating signals from various sources.":::
+
+These signals include:
 
 - User or group membership
    - Policies can be targeted to specific users and groups giving administrators fine-grained control over access.
@@ -55,21 +59,24 @@ Common signals that Conditional Access can take in to account when making a poli
 - Application
    - Users attempting to access specific applications can trigger different Conditional Access policies. 
 - Real-time and calculated risk detection
-   - Signals integration with [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multifactor authentication to reduce their risk level, or block access until an administrator takes manual action.
+   - Signals integration with [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify and remediate risky users and sign-in behavior.
 - [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)
-   - Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities done within your cloud environment.
+   - Enables user application access and sessions to be monitored and controlled in real time. This integration increases visibility and control over access to and activities done within your cloud environment.
 
 ## Common decisions
 
 - Block access
    - Most restrictive decision
 - Grant access
-   - Least restrictive decision, can still require one or more of the following options:
+   - Less restrictive decision, can require one or more of the following options:
       - Require multifactor authentication
+      - Require authentication strength
       - Require device to be marked as compliant
       - Require Hybrid Azure AD joined device
       - Require approved client app
-      - Require app protection policy (preview)
+      - Require app protection policy
+      - Require password change
+      - Require terms of use
 
 ## Commonly applied policies
 
@@ -83,6 +90,20 @@ Many organizations have [common access concerns that Conditional Access policies
 - Blocking risky sign-in behaviors
 - Requiring organization-managed devices for specific applications
 
+Administrators can create policies from scratch or start from a template policy in the portal or using the Microsoft Graph API.
+
+## Administrator experience
+
+Administrators with the [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) role can manage policies in Azure AD. 
+
+Conditional Access is found in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access**.
+
+:::image type="content" source="media/overview/conditional-access-overview.png" alt-text="Screenshot of the Conditional Access overview page in the Azure portal." lightbox="media/overview/conditional-access-overview.png":::
+
+- The **Overview** page provides a summary of policy state, users, devices, and applications as well as general and security alerts with suggestions. 
+- The **Coverage** page provides a synopsis of applications with and without Conditional Access policy coverage over the last seven days. 
+- The **Monitoring** page allows administrators to see a graph of sign-ins that can be filtered to see potential gaps in policy coverage.
+
 ## License requirements
 
 [!INCLUDE [Active Directory P1 license](../../../includes/active-directory-p1-license.md)]
@@ -93,7 +114,7 @@ Risk-based policies require access to [Identity Protection](../identity-protecti
 
 Other products and features that may interact with Conditional Access policies require appropriate licensing for those products and features.
 
-When licenses required for Conditional Access expire, policies aren't automatically disabled or deleted so customers can migrate away from Conditional Access policies without a sudden change in their security posture. Remaining policies can be viewed and deleted, but no longer updated. 
+When licenses required for Conditional Access expire, policies aren't automatically disabled or deleted. This grants customers the ability to migrate away from Conditional Access policies without a sudden change in their security posture. Remaining policies can be viewed and deleted, but no longer updated. 
 
 [Security defaults](../fundamentals/concept-fundamentals-security-defaults.md) help protect against identity-related attacks and are available for all customers.  
 
@@ -103,6 +124,3 @@ When licenses required for Conditional Access expire, policies aren't automatica
 
 - [Building a Conditional Access policy piece by piece](concept-conditional-access-policies.md)
 - [Plan your Conditional Access deployment](plan-conditional-access.md)
-- [Learn about Identity Protection](../identity-protection/overview-identity-protection.md)
-- [Learn about Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)
-- [Learn about Microsoft Intune](/intune/index)