MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/custom-policies-series-overview.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory-b2c/custom-policies-series-overview.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/authentication/how-to-mfa-authenticator-lite.md
Lines changed: 36 additions & 19 deletions b/‎articles/active-directory/authentication/how-to-mfa-authenticator-lite.md
Lines changed: 36 additions & 19 deletions
diff --git a/‎articles/active-directory/authentication/howto-mfa-mfasettings.md
Lines changed: 4 additions & 4 deletions b/‎articles/active-directory/authentication/howto-mfa-mfasettings.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/develop/custom-extension-get-started.md
Lines changed: 2 additions & 4 deletions b/‎articles/active-directory/develop/custom-extension-get-started.md
Lines changed: 2 additions & 4 deletions
diff --git a/‎articles/active-directory/develop/custom-extension-troubleshoot.md
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory/develop/custom-extension-troubleshoot.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory/develop/troubleshoot-publisher-verification.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/develop/troubleshoot-publisher-verification.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/develop/userinfo.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/develop/userinfo.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/develop/workload-identities-faqs.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/develop/workload-identities-faqs.md
Lines changed: 2 additions & 2 deletions
@@ -22,7 +22,7 @@ In Azure Active Directory B2C (Azure AD B2C), you can create user experiences by
 
 User flows are already customizable such as [changing UI](customize-ui.md), [customizing language](language-customization.md) and using [custom attributes](user-flow-custom-attributes.md). However, these customizations might not cover all your business specific needs, which is the reason why you need custom policies.   
 
-While you can use pre-made [custom policy starter pack](/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#custom-policy-starter-pack), it's important for you understand how custom policy is built from scratch. In this how-to guide series, you'll learn what you need to understand for you to customize the behavior of your user experience by using custom policies. At the end of this how-to guide series, you should be able to read and understand existing custom policies or write your own from scratch.
+While you can use pre-made [custom policy starter pack](./tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack), it's important for you understand how custom policy is built from scratch. In this how-to guide series, you'll learn what you need to understand for you to customize the behavior of your user experience by using custom policies. At the end of this how-to guide series, you should be able to read and understand existing custom policies or write your own from scratch.
 
 ## Prerequisites
 
@@ -48,4 +48,4 @@ This how-to guide series consists of multiple articles. We recommend that you st
 
 - Learn about [Azure AD B2C TrustFrameworkPolicy BuildingBlocks](buildingblocks.md)
 
-- [Write your first Azure Active Directory B2C custom policy - Hello World!](custom-policies-series-hello-world.md)
+- [Write your first Azure Active Directory B2C custom policy - Hello World!](custom-policies-series-hello-world.md)
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 03/14/2023
+ms.date: 03/15/2023
 
 ms.author: justinha
 author: sabina-smith
@@ -23,6 +23,9 @@ Microsoft Authenticator Lite is another surface for Azure Active Directory (Azur
 
 Users receive a notification in Outlook mobile to approve or deny sign-in, or they can copy a TOTP to use during sign-in. 
 
+>[!NOTE]
+>This is an important security enhancement for users authenticating via telecom transports. The 'Microsoft managed' setting for this feature will be set to enabled on May 26th, 2023. This will enable the feature for all users in tenants where the feature is set to Microsoft managed. If you wish to change the state of this feature, please do so before May 26th, 2023.
+
 ## Prerequisites
 
 - Your organization needs to enable Microsoft Authenticator (second factor) push notifications for some users or groups by using the Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API.
@@ -56,26 +59,40 @@ https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMetho
 
 ### Request
 
-```http
-PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
-Content-Type: application/json
- 
+```JSON
+//Retrieve your existing policy via a GET. 
+//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.
+//Change the Query to PATCH and Run query
+
 {
-    "CompanionAppAllowedState": {
-        "state": "enabled",
-        "excludeTargets": [
-            {
-                "id": "s4432809-3bql-5m2l-0p42-8rq4707rq36m",
-                "targetType": "group"
-            }
-        ],
-        "includeTargets": [
-            {
-                "id": "all_users",
-                "targetType": "group"
+    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
+    "id": "MicrosoftAuthenticator",
+    "state": "enabled",
+    "isSoftwareOathEnabled": false,
+    "excludeTargets": [],
+    "featureSettings": {
+        "companionAppAllowedState": {
+            "state": "enabled",
+            "includeTarget": {
+                "targetType": "group",
+                "id": "s4432809-3bql-5m2l-0p42-8rq4707rq36m"
+            },
+            "excludeTarget": {
+                "targetType": "group",
+                "id": "00000000-0000-0000-0000-000000000000"
             }
-        ]
-    }
+        }
+    },
+    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "includeTargets": [
+        {
+            "targetType": "group",
+            "id": "all_users",
+            "isRegistrationRequired": false,
+            "authenticationMode": "any"
+        }
+    ]
 }
 ```
 
 
@@ -78,9 +78,9 @@ To unblock a user, complete the following steps:
 
 ## Report suspicious activity
 
-A preview of **Report Suspicious Activity**, the updated MFA **Fraud Alert** feature, is now available. When an unknown and suspicious MFA prompt is received, users can report the fraud attempt by using Microsoft Authenticator or through their phone. These alerts are integrated with [Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection) for more comprehensive coverage and capability. 
+A preview of **Report Suspicious Activity**, the updated MFA **Fraud Alert** feature, is now available. When an unknown and suspicious MFA prompt is received, users can report the fraud attempt by using Microsoft Authenticator or through their phone. These alerts are integrated with [Identity Protection](../identity-protection/overview-identity-protection.md) for more comprehensive coverage and capability. 
 
-Users who report an MFA prompt as suspicious are set to **High User Risk**. Administrators can use risk-based policies to limit access for these users, or enable self-service password reset (SSPR) for users to remediate problems on their own. If you previously used the **Fraud Alert** automatic blocking feature and don't have an Azure AD P2 license for risk-based policies, you can use risk detection events to identify and disable impacted users and automatically prevent their sign-in. For more information about using risk-based policies, see [Risk-based access policies](/azure/active-directory/identity-protection/concept-identity-protection-policies).  
+Users who report an MFA prompt as suspicious are set to **High User Risk**. Administrators can use risk-based policies to limit access for these users, or enable self-service password reset (SSPR) for users to remediate problems on their own. If you previously used the **Fraud Alert** automatic blocking feature and don't have an Azure AD P2 license for risk-based policies, you can use risk detection events to identify and disable impacted users and automatically prevent their sign-in. For more information about using risk-based policies, see [Risk-based access policies](../identity-protection/concept-identity-protection-policies.md).  
 
 To enable **Report Suspicious Activity** from the Authentication Methods Settings:   
 
@@ -100,7 +100,7 @@ When a user reports a MFA prompt as suspicious, the event shows up in the Sign-i
 
 ### Manage suspicious activity events 
 
-Once a user has reported a prompt as suspicious, the risk should be investigated and remediated with [Identity Protection](/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock). 
+Once a user has reported a prompt as suspicious, the risk should be investigated and remediated with [Identity Protection](../identity-protection/howto-identity-protection-remediate-unblock.md). 
 
 ### Report suspicious activity and fraud alert 
 
@@ -384,4 +384,4 @@ After you enable the **remember multi-factor authentication** feature, users can
 
 ## Next steps
 
-To learn more, see [What authentication and verification methods are available in Azure Active Directory?](concept-authentication-methods.md)
+To learn more, see [What authentication and verification methods are available in Azure Active Directory?](concept-authentication-methods.md)
@@ -58,7 +58,7 @@ Sign-in frequency previously applied to only to the first factor authentication
 
 ### User sign-in frequency and device identities
 
-On Azure AD joined and hybrid Azure AD joined devices, unlocking the device, or signing in interactively will only refresh the Primary Refresh Token (PRT) every 4 hours. The last refresh timestamp recorded for PRT compared with the current timestamp must be within the time allotted in SIF policy for PRT to satisfy SIF and grant access to a PRT that has an existing MFA claim. On [Azure AD registered devices](/azure/active-directory/devices/concept-azure-ad-register), unlock/sign-in would not satisfy the SIF policy because the user is not accessing an Azure AD registered device via an Azure AD account. However, the [Azure AD WAM](../develop/scenario-desktop-acquire-token-wam.md) plugin can refresh a PRT during native application authentication using WAM.
+On Azure AD joined and hybrid Azure AD joined devices, unlocking the device, or signing in interactively will only refresh the Primary Refresh Token (PRT) every 4 hours. The last refresh timestamp recorded for PRT compared with the current timestamp must be within the time allotted in SIF policy for PRT to satisfy SIF and grant access to a PRT that has an existing MFA claim. On [Azure AD registered devices](../devices/concept-azure-ad-register.md), unlock/sign-in would not satisfy the SIF policy because the user is not accessing an Azure AD registered device via an Azure AD account. However, the [Azure AD WAM](../develop/scenario-desktop-acquire-token-wam.md) plugin can refresh a PRT during native application authentication using WAM.
 
 Note: The timestamp captured from user log-in is not necessarily the same as the last recorded timestamp of PRT refresh because of the 4-hour refresh cycle. The case when it is the same is when a PRT has expired and a user log-in refreshes it for 4 hours. In the following examples, assume SIF policy is set to 1 hour and PRT is refreshed at 00:00.
 
@@ -196,4 +196,4 @@ We factor for five minutes of clock skew, so that we don’t prompt users more o
 
 ## Next steps
 
-* If you're ready to configure Conditional Access policies for your environment, see the article [Plan a Conditional Access deployment](plan-conditional-access.md).
+* If you're ready to configure Conditional Access policies for your environment, see the article [Plan a Conditional Access deployment](plan-conditional-access.md).
@@ -43,7 +43,7 @@ In this step, you create an HTTP trigger function API in the Azure portal. The f
     | Setting      | Suggested value  | Description |
     | ------------ | ---------------- | ----------- |
     | **Subscription** | Your subscription | The subscription under which the new function app will be created in. |
-    | **[Resource Group](/azure/azure-resource-manager/management/overview)** |  *myResourceGroup* | Select and existing resource group, or name for the new one in which you'll create your function app. |
+    | **[Resource Group](../../azure-resource-manager/management/overview.md)** |  *myResourceGroup* | Select and existing resource group, or name for the new one in which you'll create your function app. |
     | **Function App name** | Globally unique name | A name that identifies the new function app. Valid characters are `a-z` (case insensitive), `0-9`, and `-`.  |
     |**Publish**| Code | Option to publish code files or a Docker container. For this tutorial, select **Code**. |
     | **Runtime stack** | .NET | Your preferred programming language. For this tutorial, select **.NET**.  |
@@ -549,6 +549,4 @@ To test your custom claim provider, follow these steps:
 
 - Learn more about custom claims providers with the [custom claims provider reference](custom-claims-provider-reference.md) article.
 
-- Learn how to [troubleshoot your custom extensions API](custom-extension-troubleshoot.md).
-
-
+- Learn how to [troubleshoot your custom extensions API](custom-extension-troubleshoot.md).
@@ -36,9 +36,9 @@ In order to troubleshoot issues with your custom claims provider REST API endpoi
 
 ## Azure AD sign-in logs
 
-You can also use [Azure AD sign-in logs](/azure/active-directory/reports-monitoring/concept-sign-ins) in addition to your REST API logs, and hosting environment diagnostics solutions. Using Azure AD sign-in logs, you can find errors, which may affect the users' sign-ins. The Azure AD sign-in logs provide  information about the HTTP status, error code, execution duration, and number of retries that occurred the API was called by Azure AD.
+You can also use [Azure AD sign-in logs](../reports-monitoring/concept-sign-ins.md) in addition to your REST API logs, and hosting environment diagnostics solutions. Using Azure AD sign-in logs, you can find errors, which may affect the users' sign-ins. The Azure AD sign-in logs provide  information about the HTTP status, error code, execution duration, and number of retries that occurred the API was called by Azure AD.
 
-Azure AD sign-in logs also integrate with [Azure Monitor](/azure/azure-monitor/). You can set up alerts and monitoring, visualize the data, and integrate with security information and event management (SIEM)  tools. For example, you can set up notifications if the number of errors exceed a certain threshold that you choose.
+Azure AD sign-in logs also integrate with [Azure Monitor](../../azure-monitor/index.yml). You can set up alerts and monitoring, visualize the data, and integrate with security information and event management (SIEM)  tools. For example, you can set up notifications if the number of errors exceed a certain threshold that you choose.
 
 To access the Azure AD sign-in logs:
 
@@ -189,4 +189,4 @@ One of the most common issues is that your custom claims provider API doesn't re
 
 - Learn how to [create and register a custom claims provider](custom-extension-get-started.md) with a sample Open ID Connect application.
 - If you already have a custom claims provider registered, you can configure a [SAML application](custom-extension-configure-saml-app.md) to receive tokens with claims sourced from an external store.
-- Learn more about custom claims providers with the [custom claims provider reference](custom-claims-provider-reference.md) article.
+- Learn more about custom claims providers with the [custom claims provider reference](custom-claims-provider-reference.md) article.
@@ -243,7 +243,7 @@ The target application (`AppId`) must have a Publisher Domain set. Set a Publish
 Occurs when a [Publisher Domain](howto-configure-publisher-domain.md) isn't configured on the app.
 
 **Remediation Steps**
-1. Follow the directions [here](/azure/active-directory/develop/howto-configure-publisher-domain#set-a-publisher-domain-in-the-azure-portal) to set a Publisher Domain
+1. Follow the directions [here](./howto-configure-publisher-domain.md#set-a-publisher-domain-in-the-azure-portal) to set a Publisher Domain
 
 ### PublisherDomainMismatch
 
@@ -333,4 +333,4 @@ If you've reviewed all of the previous information and are still receiving an er
 - TenantId where app is registered
 - MPN ID
 - REST request being made 
-- Error code and message being returned
+- Error code and message being returned
@@ -17,7 +17,7 @@ ms.custom: aaddev
 
 # Microsoft identity platform UserInfo endpoint
 
-As part of the OpenID Connect (OIDC) standard, the [UserInfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) returns information about an authenticated user. In the Microsoft identity platform, the UserInfo endpoint is hosted by Microsoft Graph at https://graph.microsoft.com/oidc/userinfo. 
+As part of the OpenID Connect (OIDC) standard, the [UserInfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) returns information about an authenticated user. 
 
 ## Find the .well-known configuration endpoint
 
@@ -85,7 +85,7 @@ You can't add to or customize the information returned by the UserInfo endpoint.
 
 To customize the information returned by the identity platform during authentication and authorization, use [claims mapping]( active-directory-claims-mapping.md) and [optional claims]( active-directory-optional-claims.md) to modify security token configuration.
 
-## Next Steps
+## Next steps
 
 * [Review the contents of ID tokens](id-tokens.md).
 * [Customize the contents of an ID token using optional claims](active-directory-optional-claims.md).
 
@@ -18,7 +18,7 @@ ms.custom: aaddev
 
 [Workload identities](workload-identities-overview.md) is now available in two editions: **Free** and **Workload Identities Premium**. The free edition of workload identities is included with a subscription of a commercial online service such as [Azure](https://azure.microsoft.com/) and [Power Platform](https://powerplatform.microsoft.com/). The Workload
 Identities Premium offering is available through a Microsoft representative, the [Open Volume License
-Program](https://www.microsoft.com/licensing/how-to-buy/how-to-buy), and the [Cloud Solution Providers program](/azure/lighthouse/concepts/cloud-solution-provider). Azure and Microsoft 365 subscribers can also purchase Workload
+Program](https://www.microsoft.com/licensing/how-to-buy/how-to-buy), and the [Cloud Solution Providers program](../../lighthouse/concepts/cloud-solution-provider.md). Azure and Microsoft 365 subscribers can also purchase Workload
 Identities Premium online.
 
 For more information, see [what are workload identities?](workload-identities-overview.md)
@@ -129,4 +129,4 @@ Yes, it's available.
 
 ## Is it possible to have a mix of Azure AD Premium P1, Azure AD Premium P2 and Workload Identities Premium licenses in one tenant?
 
-Yes, customers can have a mixture of license plans in one tenant.
+Yes, customers can have a mixture of license plans in one tenant.