Merge branch 'main' into master

Author: ashwinder

articles/active-directory-b2c/aad-sspr-technical-profile.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 06/23/2020
+ms.date: 11/08/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -26,8 +26,6 @@ This technical profile:
 - Uses the Azure AD SSPR service to generate and send a code to an email address, and then verifies the code.
 - Validates an email address via a verification code.
 
-[!INCLUDE [b2c-public-preview-feature](../../includes/active-directory-b2c-public-preview.md)]
-
 ## Protocol
 
 The **Name** attribute of the **Protocol** element needs to be set to `Proprietary`. The **handler** attribute must contain the fully qualified name of the protocol handler assembly that is used by Azure AD B2C:

articles/active-directory-b2c/custom-policy-developer-notes.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 06/27/2022
+ms.date: 11/08/2022
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -22,7 +22,9 @@ Azure Active Directory B2C [user flows and custom policies](user-flow-overview.m
 ## Terms for features in public preview
 
 - We encourage you to use public preview features for evaluation purposes only.
+
 - [Service level agreements (SLAs)](https://azure.microsoft.com/support/legal/sla/active-directory-b2c) don't apply to public preview features.
+
 - Support requests for public preview features can be submitted through regular support channels.
 
 ## User flows
@@ -156,7 +158,7 @@ The following table summarizes the Security Assertion Markup Language (SAML) app
 | ------- | :--: | ----- |
 | [MFA using time-based one-time password (TOTP) with authenticator apps](multi-factor-authentication.md#verification-methods) | GA |  Users can use any authenticator app that supports TOTP verification, such as the [Microsoft Authenticator app](https://www.microsoft.com/security/mobile-authenticator-app).|
 | [Phone factor authentication](phone-factor-technical-profile.md) | GA |  |
-| [Azure AD MFA authentication](multi-factor-auth-technical-profile.md) | Preview |  |
+| [Azure AD MFA authentication](multi-factor-auth-technical-profile.md) | GA |  |
 | [One-time password](one-time-password-technical-profile.md) | GA |  |
 | [Azure Active Directory](active-directory-technical-profile.md) as local directory | GA |  |
 | [Predicate validations](predicates.md) | GA | For example, password complexity. |

articles/active-directory-b2c/multi-factor-auth-technical-profile.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 12/09/2021
+ms.date: 11/08/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -18,7 +18,6 @@ ms.subservice: B2C
 
 Azure Active Directory B2C (Azure AD B2C) provides support for verifying a phone number by using a verification code, or verifying a Time-based One-time Password (TOTP) code.
 
-[!INCLUDE [b2c-public-preview-feature](../../includes/active-directory-b2c-public-preview.md)]
 
 ## Protocol
 

articles/active-directory/authentication/howto-mfa-app-passwords.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 11/01/2022
+ms.date: 11/08/2022
 
 ms.author: justinha
 author: justinha
@@ -24,7 +24,7 @@ Modern authentication is supported for the Microsoft Office 2013 clients and lat
 This article shows you how to use app passwords for legacy applications that don't support multi-factor authentication prompts.
 
 >[!NOTE]
-> App passwords don't work with Conditional Access based multi-factor authentication policies and modern authentication. App passwords only work with legacy authentication protocols such as IMAP and SMTP.
+>App passwords don't work for accounts that are required to use modern authentication. 
 
 ## Overview and considerations
 

articles/active-directory/conditional-access/overview.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: overview
-ms.date: 08/05/2022
+ms.date: 11/07/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -93,6 +93,10 @@ Risk-based policies require access to [Identity Protection](../identity-protecti
 
 Other products and features that may interact with Conditional Access policies require appropriate licensing for those products and features.
 
+When licenses required for Conditional Access expire, policies aren't automatically disabled or deleted so customers can migrate away from Conditional Access policies without a sudden change in their security posture. Remaining policies can be viewed and deleted, but no longer updated. 
+
+[Security defaults](../fundamentals/concept-fundamentals-security-defaults.md) help protect against identity-related attacks and are available for all customers.  
+
 ## Next steps
 
 - [Building a Conditional Access policy piece by piece](concept-conditional-access-policies.md)

articles/active-directory/external-identities/b2b-tutorial-require-mfa.md

@@ -11,17 +11,20 @@ ms.date: 01/07/2022
 ms.author: mimart
 author: msmimart
 manager: CelesteDG
-ms.custom: "it-pro, seo-update-azuread-jan"
+ms.custom: "engagement-fy23, it-pro, seo-update-azuread-jan"
 ms.collection: M365-identity-device-management
+
+# Customer intent: As a tenant administrator, I want to set up MFA requirement for B2B guest users to protect my apps and resources. 
 ---
 
 # Tutorial: Enforce multi-factor authentication for B2B guest users
 
-When collaborating with external B2B guest users, it’s a good idea to protect your apps with multi-factor authentication (MFA) policies. Then external users will need more than just a user name and password to access your resources. In Azure Active Directory (Azure AD), you can accomplish this goal with a Conditional Access policy that requires MFA for access. MFA policies can be enforced at the tenant, app, or individual guest user level, the same way that they are enabled for members of your own organization. The resource tenant is always responsible for Azure AD Multi-Factor Authentication for users, even if the guest user’s organization has Multi-Factor Authentication capabilities.
+When collaborating with external B2B guest users, it’s a good idea to protect your apps with multi-factor authentication (MFA) policies. Then external users will need more than just a user name and password to access your resources. In Azure Active Directory (Azure AD), you can accomplish this goal with a Conditional Access policy that requires MFA for access. MFA policies can be enforced at the tenant, app, or individual guest user level, the same way that they're enabled for members of your own organization. The resource tenant is always responsible for Azure AD Multi-Factor Authentication for users, even if the guest user’s organization has Multi-Factor Authentication capabilities.
 
 Example:
 
-![Diagram showing a guest user signing into a company's apps](media/tutorial-mfa/aad-b2b-mfa-example.png)
+:::image type="content" source="media/tutorial-mfa/aad-b2b-mfa-example.png" alt-text="Diagram showing a guest user signing into a company's apps.":::
+
 
 1. An admin or employee at Company A invites a guest user to use a cloud or on-premises application that is configured to require MFA for access.
 1. The guest user signs in with their own work, school, or social identity.
@@ -34,6 +37,7 @@ Example:
 In this tutorial, you will:
 
 > [!div class="checklist"]
+>
 > - Test the sign-in experience before MFA setup.
 > - Create a Conditional Access policy that requires MFA for access to a cloud app in your environment. In this tutorial, we’ll use the Microsoft Azure Management app to illustrate the process.
 > - Use the What If tool to simulate MFA sign-in.
@@ -46,29 +50,29 @@ If you don’t have an Azure subscription, create a [free account](https://azure
 
 To complete the scenario in this tutorial, you need:
 
-- **Access to Azure AD Premium edition**, which includes Conditional Access policy capabilities. To enforce MFA, you need to create an Azure AD Conditional Access policy. Note that MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities.
+- **Access to Azure AD Premium edition**, which includes Conditional Access policy capabilities. To enforce MFA, you need to create an Azure AD Conditional Access policy. MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities.
 - **A valid external email account** that you can add to your tenant directory as a guest user and use to sign in. If you don't know how to create a guest account, see [Add a B2B guest user in the Azure portal](add-users-administrator.md).
 
 ## Create a test guest user in Azure AD
 
 1. Sign in to the [Azure portal](https://portal.azure.com/) as an Azure AD administrator.
 1. In the Azure portal, select **Azure Active Directory**.
 1. In the left menu, under **Manage**, select **Users**.
-1. Select **New guest user**.
+1. Select **New user**, and then select **Invite external user**.
 
-    ![Screenshot showing where to select the New guest user option](media/tutorial-mfa/tutorial-mfa-user-3.png)
+    :::image type="content" source="media/tutorial-mfa/tutorial-mfa-new-user.png" alt-text="Screenshot showing where to select the new guest user option.":::
 
 1. Under **Identity**, enter the email address of the external user. Optionally, include a name and welcome message.
 
-    ![Screenshot showing where to enter the guest invitation message](media/tutorial-mfa/tutorial-mfa-user-4.png)
+    :::image type="content" source="media/tutorial-mfa/tutorial-mfa-new-user-identity.png" alt-text="Screenshot showing where to enter the guest email.":::
 
 1. Select **Invite** to automatically send the invitation to the guest user. A **Successfully invited user** message appears.
 1. After you send the invitation, the user account is automatically added to the directory as a guest.
 
 ## Test the sign-in experience before MFA setup
 
 1. Use your test user name and password to sign in to your [Azure portal](https://portal.azure.com/).
-1. Note that you’re able to access the Azure portal using just your sign-in credentials. No additional authentication is required.
+1. You should be able to access the Azure portal using only your sign-in credentials. No other authentication is required.
 1. Sign out.
 
 ## Create a Conditional Access policy that requires MFA
@@ -80,56 +84,55 @@ To complete the scenario in this tutorial, you need:
 1. On the **Conditional Access** page, in the toolbar on the top, select **New policy**.
 1. On the **New** page, in the **Name** textbox, type **Require MFA for B2B portal access**.
 1. In the **Assignments** section, choose the link under **Users and groups**.
-1. On the **Users and groups** page, choose **Select users and groups**, and then choose **All guest and external users**.
+1. On the **Users and groups** page, choose **Select users and groups**, and then choose **Guest or external users**. You can assign the policy to different [external user types](authentication-conditional-access.md#assigning-conditional-access-policies-to-external-user-types-preview), built-in [directory roles](../conditional-access/concept-conditional-access-users-groups.md#include-users), or users and groups. 
+
+    :::image type="content" source="media/tutorial-mfa/tutorial-mfa-user-access.png" alt-text="Screenshot showing selecting all guest users.":::
 
-    ![Screenshot showing selecting all guest users](media/tutorial-mfa/tutorial-mfa-policy-6.png)
 1. In the **Assignments** section, choose the link under **Cloud apps or actions**.
 1. Choose **Select apps**, and then choose the link under **Select**.
 
-    ![Screenshot showing the Cloud apps page and the Select option](media/tutorial-mfa/tutorial-mfa-policy-10.png)
+    :::image type="content" source="media/tutorial-mfa/tutorial-mfa-app-access.png" alt-text="Screenshot showing the Cloud apps page and the Select option." lightbox="media/tutorial-mfa/tutorial-mfa-app-access.png":::
 
-1.	On the **Select** page, choose **Microsoft Azure Management**, and then choose **Select**.
+1. On the **Select** page, choose **Microsoft Azure Management**, and then choose **Select**.
 
-    ![Screenshot that highlights the Microsoft Azure Management option.](media/tutorial-mfa/tutorial-mfa-policy-11.png)
+1. On the **New** page, in the **Access controls** section, choose the link under **Grant**.
+1. On the **Grant** page, choose **Grant access**, select the **Require multi-factor authentication** check box, and then choose **Select**.
 
-1.	On the **New** page, in the **Access controls** section, choose the link under **Grant**.
-1.	On the **Grant** page, choose **Grant access**, select the **Require multi-factor authentication** check box, and then choose **Select**.
+    :::image type="content" source="media/tutorial-mfa/tutorial-mfa-grant-access.png" alt-text="Screenshot showing the Require multi-factor authentication option.":::
 
-    ![Screenshot showing the Require multi-factor authentication option](media/tutorial-mfa/tutorial-mfa-policy-13.png)
 
-1.	Under **Enable policy**, select **On**.
+1. Under **Enable policy**, select **On**.
 
-    ![Screenshot showing the Enable policy option set to On](media/tutorial-mfa/tutorial-mfa-policy-14.png)
+    :::image type="content" source="media/tutorial-mfa/tutorial-mfa-enable-policy.png" alt-text="Screenshot showing the Enable policy option set to On.":::
 
-1.	Select **Create**.
+1. Select **Create**.
 
 ## Use the What If option to simulate sign-in
 
 1. On the **Conditional Access | Policies** page, select **What If**.
 
-    ![Screenshot that highlights where to select the What if option on the Conditional Access - Policies page.](media/tutorial-mfa/tutorial-mfa-whatif-1.png)
+    :::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if.png" alt-text="Screenshot that highlights where to select the What if option on the Conditional Access - Policies page.":::
 
 1. Select the link under **User**. 
 1. In the search box, type the name of your test guest user. Choose the user in the search results, and then choose **Select**.
 
-    ![Screenshot showing a guest user selected](media/tutorial-mfa/tutorial-mfa-whatif-2.png)
+    :::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if-user.png" alt-text="Screenshot showing a guest user selected.":::
 
-1. Select the link under **Cloud apps, actions, or authentication content**. 
-. Choose **Select apps**, and then choose the link under **Select**.
+1. Select the link under **Cloud apps, actions, or authentication content**. Choose **Select apps**, and then choose the link under **Select**.
 
-    ![Screenshot showing the Microsoft Azure Management app selected](media/tutorial-mfa/tutorial-mfa-whatif-3.png)
+    :::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if-app.png" alt-text="Screenshot showing the Microsoft Azure Management app selected." lightbox="media/tutorial-mfa/tutorial-mfa-what-if-app.png":::
 
 1. On the **Cloud apps** page, in the applications list, choose **Microsoft Azure Management**, and then choose **Select**.
 1. Choose **What If**, and verify that your new policy appears under **Evaluation results** on the **Policies that will apply** tab.
 
-    ![Screenshot showing where to select the What if option](media/tutorial-mfa/tutorial-mfa-whatif-4.png)
+    :::image type="content" source="media/tutorial-mfa/tutorial-mfa-whatif-4.png" alt-text="Screenshot showing the results of the What If evaluation.":::
 
 ## Test your Conditional Access policy
 
 1. Use your test user name and password to sign in to your [Azure portal](https://portal.azure.com/).
-1. You should see a request for additional authentication methods. Note that it could take some time for the policy to take effect.
+1. You should see a request for additional authentication methods. It can take some time for the policy to take effect.
 
-    ![Screenshot showing the More information required message](media/tutorial-mfa/mfa-required.png)
+    :::image type="content" source="media/tutorial-mfa/mfa-required.PNG" alt-text="Screenshot showing the More information required message.":::
 
     > [!NOTE]
     > You also can configure [cross-tenant access settings](cross-tenant-access-overview.md) to trust the MFA from the Azure AD home tenant. This allows external Azure AD users to use the MFA registered in their own tenant rather than register in the resource tenant.