
Commit 33b288f

Learn Build Service GitHub App authored and committed
Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)
2 parents 40de715 + 835d7e5 commit 33b288f

263 files changed: +2032 -1636 lines changed


.openpublishing.redirection.json

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,35 @@
11
{
22
"redirections": [
3+
{
4+
"source_path": "articles/security/develop/security-code-analysis-customize.md",
5+
"redirect_url": "/previous-versions/azure/security/develop/security-code-analysis-customize",
6+
"redirect_document_id": false
7+
},
8+
{
9+
"source_path": "articles/security/develop/security-code-analysis-faq.yml",
10+
"redirect_url": "/previous-versions/azure/security/develop/security-code-analysis-faq",
11+
"redirect_document_id": false
12+
},
13+
{
14+
"source_path": "articles/security/develop/security-code-analysis-onboard.md",
15+
"redirect_url": "/previous-versions/azure/security/develop/security-code-analysis-onboard",
16+
"redirect_document_id": false
17+
},
18+
{
19+
"source_path": "articles/security/develop/security-code-analysis-overview.md",
20+
"redirect_url": "/previous-versions/azure/security/develop/security-code-analysis-overview",
21+
"redirect_document_id": false
22+
},
23+
{
24+
"source_path": "articles/security/develop/security-code-analysis-releases.md",
25+
"redirect_url": "/previous-versions/azure/security/develop/security-code-analysis-releases",
26+
"redirect_document_id": false
27+
},
28+
{
29+
"source_path": "articles/security/develop/yaml-configuration.md",
30+
"redirect_url": "/previous-versions/azure/security/develop/yaml-configuration",
31+
"redirect_document_id": false
32+
},
333
{
434
"source_path": "articles/vmware-cloudsimple/access-cloudsimple-portal.md",
535
"redirect_url": "/previous-versions/azure/vmware-cloudsimple/access-cloudsimple-portal",

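Review bot: all six new entries follow the same shape as the existing vmware-cloudsimple entries below them (source_path under articles/, redirect_url under /previous-versions/azure/, redirect_document_id false), so the JSON is consistent. Since these retire the security-code-analysis-* pages and yaml-configuration.md, check that the articles/security/develop TOC and any in-article links to these six paths are removed in the same change, otherwise readers only reach them through the redirect; note that the FAQ source is a .yml while the other five are .md, which is fine for the redirection file but worth confirming against the deleted files.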
articles/active-directory/conditional-access/concept-conditional-access-conditions.md

Lines changed: 1 addition & 1 deletion
@@ -54,7 +54,7 @@ We don't support selecting macOS or Linux device platforms when selecting **Requ
5454
5555
## Locations
5656

57-
When configuring location as a condition, organizations can choose to include or exclude locations. These named locations may include the public IPv4 network information, country or region, or even unknown areas that don't map to specific countries or regions. Only IP ranges can be marked as a trusted location.
57+
When configuring location as a condition, organizations can choose to include or exclude locations. These named locations may include the public IPv4 or IPv6 network information, country or region, or even unknown areas that don't map to specific countries or regions. Only IP ranges can be marked as a trusted location.
5858

5959
When including **any location**, this option includes any IP address on the internet not just configured named locations. When selecting **any location**, administrators can choose to exclude **all trusted** or **selected locations**.
6060
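Review bot: with "IPv4 or IPv6" added to the first sentence, the closing sentence "Only IP ranges can be marked as a trusted location" becomes ambiguous about whether IPv6 ranges can be marked trusted; if they can, say "IPv4 or IPv6 ranges", and if not, say so explicitly, because a trusted location is exactly the part of this condition that exempts traffic from the policy. Also, the file stats show a single changed line, so ms.date wasn't bumped here as it was in concept-continuous-access-evaluation.md in this same commit.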

articles/active-directory/conditional-access/concept-continuous-access-evaluation.md

Lines changed: 11 additions & 6 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: conceptual
9-
ms.date: 11/17/2022
9+
ms.date: 01/31/2023
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -85,11 +85,14 @@ This process enables the scenario where users lose access to organizational file
8585

8686
> \* Token lifetimes for Office web apps are reduced to 1 hour when a Conditional Access policy is set.
8787
88+
> [!NOTE]
89+
> Teams is made up of multiple services and among these the calls and chat services don't adhere to IP-based Conditional Access policies.
90+
8891
## Client Capabilities
8992

9093
### Client-side claim challenge
9194

92-
Before continuous access evaluation, clients would replay the access token from its cache as long as it hadn't expired. With CAE, we introduce a new case where a resource provider can reject a token when it isn't expired. To inform clients to bypass their cache even though the cached tokens haven't expired, we introduce a mechanism called **claim challenge** to indicate that the token was rejected and a new access token need to be issued by Azure AD. CAE requires a client update to understand claim challenge. The latest version of the following applications below support claim challenge:
95+
Before continuous access evaluation, clients would replay the access token from its cache as long as it hadn't expired. With CAE, we introduce a new case where a resource provider can reject a token when it isn't expired. To inform clients to bypass their cache even though the cached tokens haven't expired, we introduce a mechanism called **claim challenge** to indicate that the token was rejected and a new access token need to be issued by Azure AD. CAE requires a client update to understand claim challenge. The latest version of the following applications support claim challenge:
9396

9497
| | Web | Win32 | iOS | Android | Mac |
9598
| :--- | :---: | :---: | :---: | :---: | :---: |
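Review bot: the rewritten line 95 still reads "a new access token need to be issued"; since the line is being edited anyway, change it to "needs to be issued". The new NOTE that Teams calls and chat don't adhere to IP-based Conditional Access policies is an enforcement gap that readers configuring the trusted-named-location rows later in this article need to know about; consider linking to it or repeating it beside that table rather than only in the token-lifetime section.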
@@ -195,8 +198,8 @@ The following table summarizes Conditional Access and CAE feature behaviors and
195198
| Network Type | Example | IPs seen by Azure AD | IPs seen by RP | Applicable CA Configuration (Trusted Named Location) | CAE enforcement | CAE access token | Recommendations |
196199
|---|---|---|---|---|---|---|---|
197200
| 1. Egress IPs are dedicated and enumerable for both Azure AD and all RPs traffic | All to network traffic to Azure AD and RPs egresses through 1.1.1.1 and/or 2.2.2.2 | 1.1.1.1 | 2.2.2.2 | 1.1.1.1 <br> 2.2.2.2 | Critical Events <br> IP location Changes | Long lived – up to 28 hours | If CA Named Locations are defined, ensure that they contain all possible egress IPs (seen by Azure AD and all RPs) |
198-
| 2. Egress IPs are dedicated and enumerable for Azure AD, but not for RPs traffic | Network traffic to Azure AD egresses through 1.1.1.1. RP traffic egresses through x.x.x.x | 1.1.1.1 | x.x.x.x | 1.1.1.1 | Critical Events | Default access token lifetime – 1 hour | Do not add non dedicated or non-enumerable egress IPs (x.x.x.x) into Trusted Named Location CA rules as it can weaken security |
199-
| 3. Egress IPs are non-dedicated/shared or not enumerable for both Azure AD and RPs traffic | Network traffic to Azure AD egresses through y.y.y.y. RP traffic egresses through x.x.x.x | y.y.y.y | x.x.x.x | N/A -no IP CA policies/Trusted Locations configured | Critical Events | Long lived – up to 28 hours | Do not add non dedicated or non-enumerable egress IPs (x.x.x.x/y.y.y.y) into Trusted Named Location CA rules as it can weaken security |
201+
| 2. Egress IPs are dedicated and enumerable for Azure AD, but not for RPs traffic | Network traffic to Azure AD egresses through 1.1.1.1. RP traffic egresses through x.x.x.x | 1.1.1.1 | x.x.x.x | 1.1.1.1 | Critical Events | Default access token lifetime – 1 hour | Do not add non dedicated or non-enumerable egress IPs (x.x.x.x) into Trusted Named Location Conditional Access rules as it can weaken security |
202+
| 3. Egress IPs are non-dedicated/shared or not enumerable for both Azure AD and RPs traffic | Network traffic to Azure AD egresses through y.y.y.y. RP traffic egresses through x.x.x.x | y.y.y.y | x.x.x.x | N/A -no IP CA policies/Trusted Locations configured | Critical Events | Long lived – up to 28 hours | Don't add non dedicated or non-enumerable egress IPs (x.x.x.x/y.y.y.y) into Trusted Named Location CA rules as it can weaken security |
200203

201204
Networks and network services used by clients connecting to identity and resource providers continue to evolve and change in response to modern trends. These changes may affect Conditional Access and CAE configurations that rely on the underlying IP addresses. When deciding on these configurations, factor in future changes in technology and upkeep of the defined list of addresses in your plan.
202205

@@ -239,9 +242,11 @@ If you enable a user right after disabling, there's some latency before the acco
239242

240243
### Push notifications
241244

242-
An IP address policy isn't evaluated before push notifications are released. This scenario exists because push notifications are outbound and don't have an associated IP address to be evaluated against. If a user clicks into that push notification, for example an email in Outlook, CAE IP address policies are still enforced before the email can display. Push notifications display a message preview, which isn't protected by an IP address policy. All other CAE checks are done before the push notification being sent. If a user or device has its access removed, enforcement occurs within the documented period.
245+
An IP address policy isn't evaluated before push notifications are released. This scenario exists because push notifications are outbound and don't have an associated IP address to be evaluated against. If a user selects that push notification, for example an email in Outlook, CAE IP address policies are still enforced before the email can display. Push notifications display a message preview, which isn't protected by an IP address policy. All other CAE checks are done before the push notification being sent. If a user or device has its access removed, enforcement occurs within the documented period.
246+
247+
### Guest users
243248

244-
## FAQs
249+
Guest user accounts aren't supported by CAE. CAE revocation events and IP based Conditional Access policies aren't enforced instantaneously.
245250

246251
### How will CAE work with Sign-in Frequency?
247252
