Links, intro and missing step

yoelhor · yoelhor · commit 32c63253e0d5 · 2022-08-05T17:52:54.000+03:00
diff --git a/articles/active-directory/conditional-access/concept-conditional-access-grant.md b/articles/active-directory/conditional-access/concept-conditional-access-grant.md
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 06/29/2022
+ms.date: 08/05/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -192,6 +192,10 @@ Restrictions when you configure a policy using the password change control.
 
 If your organization has created terms of use, other options may be visible under grant controls. These options allow administrators to require acknowledgment of terms of use as a condition of accessing the resources protected by the policy. More information about terms of use can be found in the article, [Azure Active Directory terms of use](terms-of-use.md).
 
+### Custom controls (preview)
+
+Custom controls is a preview capability of the Azure Active Directory. When using custom controls, your users are redirected to a compatible service to satisfy authentication requirements outside of Azure Active Directory. For more information, check out the [Custom controls](controls.md) article.
+
 ## Next steps
 
 - [Conditional Access: Session controls](concept-conditional-access-session.md)
diff --git a/articles/active-directory/conditional-access/concept-conditional-access-policies.md b/articles/active-directory/conditional-access/concept-conditional-access-policies.md
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 01/11/2022
+ms.date: 08/05/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -29,18 +29,21 @@ If a policy where "Require one of the selected controls" is selected, we prompt
 
 All policies are enforced in two phases:
 
-- Phase 1: Collect session details 
+- **Phase 1**: Collect session details 
    - Gather session details, like network location and device identity that will be necessary for policy evaluation. 
    - Phase 1 of policy evaluation occurs for enabled policies and policies in [report-only mode](concept-conditional-access-report-only.md).
-- Phase 2: Enforcement 
+- **Phase 2**: Enforcement 
    - Use the session details gathered in phase 1 to identify any requirements that haven't been met. 
    - If there's a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked. 
    - The user will be prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until policy is satisfied:  
-      - Multi-factor authentication​ 
-      - Approved client app/app protection policy​ 
-      - Managed device (compliant or hybrid Azure AD join)​ 
-      - Terms of use 
-      - Custom controls  
+      - [Multi-factor authentication​](concept-conditional-access-grant.md#require-multifactor-authentication)
+      - [Device to be marked as compliant](./concept-conditional-access-grant.md#require-device-to-be-marked-as-compliant)
+      - [Hybrid Azure AD joined device](./concept-conditional-access-grant.md#require-hybrid-azure-ad-joined-device)
+      - [Approved client app](./concept-conditional-access-grant.md#require-approved-client-app)
+      - [App protection policy](./concept-conditional-access-grant.md#require-app-protection-policy)
+      - [Password change](./concept-conditional-access-grant.md#require-password-change)
+      - [Terms of use](concept-conditional-access-grant.md#terms-of-use)
+      - [Custom controls](./concept-conditional-access-grant.md#custom-controls-preview)
    - Once all grant controls have been satisfied, apply session controls (App Enforced, Microsoft Defender for Cloud Apps, and token Lifetime) 
    - Phase 2 of policy evaluation occurs for all enabled policies. 
 
@@ -76,7 +79,7 @@ Location data is provided by IP geolocation data. Administrators can choose to d
 
 #### Client apps
 
-By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition isn't configured.
+The software the user is employing to access the cloud app. For example, 'Browser', and 'Mobile apps and desktop clients'. By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition isn't configured.
 
 The behavior of the client apps condition was updated in August 2020. If you have existing Conditional Access policies, they'll remain unchanged. However, if you select on an existing policy, the configure toggle has been removed and the client apps the policy applies to are selected.
 
@@ -104,7 +107,7 @@ Block access does just that, it will block access under the specified assignment
 
 The grant control can trigger enforcement of one or more controls. 
 
-- Require multi-factor authentication (Azure AD Multi-Factor Authentication)
+- Require multi-factor authentication
 - Require device to be marked as compliant (Intune)
 - Require Hybrid Azure AD joined device
 - Require approved client app
@@ -123,7 +126,7 @@ Administrators can choose to require one of the previous controls or all selecte
 
 - Use app enforced restrictions
    - Currently works with Exchange Online and SharePoint Online only.
-      - Passes device information to allow control of experience granting full or limited access.
+   - Passes device information to allow control of experience granting full or limited access.
 - Use Conditional Access App Control
    - Uses signals from Microsoft Defender for Cloud Apps to do things like: 
       - Block download, cut, copy, and print of sensitive documents.
@@ -133,6 +136,8 @@ Administrators can choose to require one of the previous controls or all selecte
    - Ability to change the default sign in frequency for modern authentication.
 - Persistent browser session
    - Allows users to remain signed in after closing and reopening their browser window.
+- Customize continuous access evaluation
+- Disable resilience defaults 
 
 ## Simple policies
 
diff --git a/articles/active-directory/conditional-access/overview.md b/articles/active-directory/conditional-access/overview.md
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: overview
-ms.date: 08/07/2022
+ms.date: 08/05/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -55,8 +55,8 @@ Common signals that Conditional Access can take in to account when making a poli
 - Application
    - Users attempting to access specific applications can trigger different Conditional Access policies. 
 - Real-time and calculated risk detection
-   - Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.
-- Microsoft Defender for Cloud Apps
+   - Signals integration with [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.
+- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)
    - Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities done within your cloud environment.
 
 ## Common decisions
diff --git a/articles/active-directory/conditional-access/require-tou.md b/articles/active-directory/conditional-access/require-tou.md
@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: quickstart
-ms.date: 11/21/2019
+ms.date: 08/05/2022
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: karenhoran
@@ -52,11 +52,11 @@ This section provides you with the steps to create a sample ToU. When you create
 1. In Microsoft Word, create a new document.
 1. Type **My terms of use**, and then save the document on your computer as **mytou.pdf**.
 1. Sign in to your [Azure portal](https://portal.azure.com) as global administrator, security administrator, or a Conditional Access administrator.
-1. In the Azure portal, on the left navbar, click **Azure Active Directory**.
+1. Search for and select **Azure Active Directory**. Then select **Security** from the menu on the left-hand side.
 
    ![Azure Active Directory](./media/require-tou/02.png)
 
-1. On the **Azure Active Directory** page, in the **Security** section, click **Conditional Access**.
+1. On the left navbar, select **Security**. Then select **Conditional Access**.
 
    ![Conditional Access](./media/require-tou/03.png)
 
