Merge pull request #76959 from MicrosoftDocs/master

5/16 OOB Publish

Author: huypub

articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md

@@ -6,12 +6,12 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 03/18/2019
+ms.date: 05/1/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: daveba
-ms.reviewer: sahenry
+ms.reviewer: sahenry, calebb
 
 ms.collection: M365-identity-device-management
 ---
@@ -48,6 +48,37 @@ If you have configured the Site to Zone Assignment List in Internet Explorer, th
 * [https://mysignins.microsoft.com](https://mysignins.microsoft.com)
 * [https://account.activedirectory.windowsazure.com](https://account.activedirectory.windowsazure.com)
 
+## Conditional access policies for combined registration
+
+Securing when and how users register for Azure Multi-Factor Authentication and self-service password reset is now possible with user actions in conditional access policy. This preview feature is available to organizations who have enabled the [combined registration preview](../authentication/concept-registration-mfa-sspr-combined.md). This functionality may be enabled in organizations where they want users to register for Azure Multi-Factor Authentication and SSPR from a central location such as a trusted network location during HR onboarding. For more information about creating trusted locations in conditional access, see the article [What is the location condition in Azure Active Directory conditional access?](../conditional-access/location-condition.md#named-locations)
+
+### Create a policy to require registration from a trusted location
+
+The following policy applies to all selected users, who attempt to register using the combined registration experience, and blocks access unless they are connecting from a location marked as trusted network.
+
+![Create a CA policy to control security info registration](media/howto-registration-mfa-sspr-combined/conditional-access-register-security-info.png)
+
+1. In the **Azure portal**, browse to **Azure Active Directory** > **Conditional access**
+1. Select **New policy**
+1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration on Trusted Networks**
+1. Under **Assignments**, click **Users and groups**, and select the users and groups you want this policy to apply to
+
+   > [!WARNING]
+   > Users must be enabled for the [combined registration preview](../authentication/howto-registration-mfa-sspr-combined.md).
+
+1. Under **Cloud apps or actions**, select **User actions**, check **Register security information (preview)**
+1. Under **Conditions** > **Locations**
+   1. Configure **Yes**
+   1. Include **Any location**
+   1. Exclude **All trusted locations**
+   1. Click **Done** on the Locations blade
+   1. Click **Done** on the Conditions blade
+1. Under **Access controls** > **Grant**
+   1. Click **Block access**
+   1. Then click **Select**
+1. Set **Enable policy** to **On**
+1. Then click **Create**
+
 ## Next steps
 
 [Available methods for Multi-Factor Authentication and SSPR](concept-authentication-methods.md)
@@ -56,4 +87,6 @@ If you have configured the Site to Zone Assignment List in Internet Explorer, th
 
 [Configure Azure Multi-Factor Authentication](howto-mfa-getstarted.md)
 
-[Troubleshooting combined security info registration](howto-registration-mfa-sspr-combined-troubleshoot.md)
+[Troubleshooting combined security info registration](howto-registration-mfa-sspr-combined-troubleshoot.md)
+
+[What is the location condition in Azure Active Directory conditional access?](../conditional-access/location-condition.md)

articles/active-directory/authentication/media/howto-registration-mfa-sspr-combined/conditional-access-register-security-info.png

@@ -50,6 +50,8 @@
     href: app-protection-based-conditional-access.md
   - name: Require managed devices
     href: require-managed-devices.md
+  - name: Require trusted networks for MFA registration
+    href: ../authentication/howto-registration-mfa-sspr-combined.md#conditional-access-policies-for-combined-registration
   - name: Require MFA for access attempts from untrusted networks
     href: untrusted-networks.md
   - name: Require Terms of use

articles/active-directory/conditional-access/TOC.yml

@@ -56,29 +56,23 @@ When you **Select users and groups**, you can set the following options:
 
 * **Users and groups** targets specific sets of users. For example, you can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of group in Azure AD, including dynamic or assigned security and distribution groups.
 
-You can also exclude specific users or groups from a policy. One common use case is service accounts if your policy enforces multifactor authentication (MFA). 
+You can also exclude specific users or groups from a policy. One common use case is service accounts if your policy enforces multifactor authentication (MFA).
 
-Targeting specific sets of users is useful for the deployment of a new policy. In a new policy, you should target only an initial set of users to validate the policy behavior. 
+Targeting specific sets of users is useful for the deployment of a new policy. In a new policy, you should target only an initial set of users to validate the policy behavior.
 
+## Cloud apps and actions
 
+A cloud app is a website, service, or endpoint protected by Azure AD Application Proxy. For a detailed description of supported cloud apps, see [cloud apps assignments](technical-reference.md#cloud-apps-assignments). The **Cloud apps or actions** condition is mandatory in a conditional access policy. In your policy, you can either select **All cloud apps** or specify apps with **Select apps**.
 
-## Cloud apps 
+Organizations can choose from the following:
 
-A cloud app is a website or service. Websites protected by the Azure AD Application Proxy are also cloud apps. For a detailed description of supported cloud apps, see [cloud apps assignments](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-technical-reference#cloud-apps-assignments). 
-
-The **cloud apps** condition is mandatory in a conditional access policy. In your policy, you can either select **All cloud apps** or select specific apps.
-
-![Include cloud apps](./media/conditions/03.png)
-
-Select:
-
-- **All cloud apps** to baseline policies to apply to the entire organization. Use this selection for policies that require multifactor authentication when sign-in risk is detected for any cloud app. A policy applied to **All cloud apps** applies to access to all websites and services. This setting isn't limited to the cloud apps that appear on the **Select apps** list. 
-
-- **Select apps** to target specific services by your policy. For example, you can require users to have a [compliant device](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-mam#app-based-or-compliant-device-policy-for-exchange-online-and-sharepoint-online) to access SharePoint Online. This policy is also applied to other services when they access SharePoint content. An example is Microsoft Teams. 
-
-You can exclude specific apps from a policy. However, these apps are still subject to the policies applied to the services they access. 
+* **All cloud apps** when applying baseline policies to apply to the entire organization. Use this selection for policies that require multi-factor authentication when sign-in risk is detected for any cloud app. A policy applied to All cloud apps applies to access to all websites and services. This setting isn't limited to the cloud apps that appear on the Select apps list.
+* **Select apps** to target specific services by your policy. For example, you can require users to have a compliant device to access SharePoint Online. This policy is also applied to other services when they access SharePoint content. An example is Microsoft Teams.
 
+> [!NOTE]
+> You can exclude specific apps from a policy. However, these apps are still subject to the policies applied to the services they access.
 
+**User actions** are tasks that can be performed by a user. The only currently supported action is **Register security information (preview)**, which allows conditional access policy to enforce when a user registers their security information.
 
 ## Sign-in risk
 

articles/active-directory/conditional-access/conditions.md

@@ -62,7 +62,7 @@ A conditional access policy is a definition of an access scenario using the foll
 
 - **[Users](conditions.md#users-and-groups)**: The users performing an access attempt (**Who**).
 
-- **[Cloud apps](conditions.md#cloud-apps)**: The targets of an access attempt (**What**).
+- **[Cloud apps](conditions.md#cloud-apps-and-actions)**: The targets of an access attempt (**What**).
 
 These two conditions are mandatory in a conditional access policy. In addition to the two mandatory conditions, you can also include additional conditions that describe how the access attempt is performed. Common examples are using mobile devices or locations that are outside your corporate network. For more information, see [Conditions in Azure Active Directory conditional access](conditions.md).
 

articles/active-directory/conditional-access/overview.md

@@ -31,7 +31,7 @@ If this is not the information you are looking for, please leave a comment at th
 
 ## Cloud apps assignments
 
-With conditional access policies, you control how your users access your [cloud apps](conditions.md#cloud-apps). When you configure a conditional access policy, you need to select at least one cloud app. 
+With conditional access policies, you control how your users access your [cloud apps](conditions.md#cloud-apps-and-actions). When you configure a conditional access policy, you need to select at least one cloud app. 
 
 ![Select the cloud apps for your policy](./media/technical-reference/09.png)
 

articles/active-directory/conditional-access/technical-reference.md

@@ -35,14 +35,16 @@ This article provides you with an overview of both notification emails.
 
 In response to a detected account at risk, Azure AD Identity Protection generates an email alert with **Users at risk detected** as subject. The email includes a link to the **[Users flagged for risk](../reports-monitoring/concept-user-at-risk.md)** report. As a best practice, you should immediately investigate the users at risk.
 
+The configuration for this alert allows you to specify at what user risk level you want the alert to be generated. The email will be generated when the user's risk level reaches what you have specified; however, you will not receive new users at risk detected email alerts for this user after they move to this user risk level. For example, if you set the policy to alert on medium user risk and your user John moves to medium risk, you will receive the users at risk detected email for John. However, you will not receive a second users at risk detected alert if John then moves to high risk or has additional risk events.
+
 ![Users at risk detected email](./media/notifications/01.png)
 
 
 ### Configuration
 
 As an administrator, you can set:
 
-- **The risk level that triggers the generation of this email** - By default, the risk level is set to “High” risk.
+- **The user risk level that triggers the generation of this email** - By default, the risk level is set to “High” risk.
 - **The recipients of this email** - By default, recipients include all Global Admins. Global Admins can also add other Global Admins, Security Admins, Security Readers as recipients.  
 
 

articles/active-directory/identity-protection/notifications.md

@@ -55,13 +55,14 @@ With the MyApps Browser Extension, all internal URLs published with Application
 
 To use this feature, the user needs to download the extension and be logged in. There is no other configuration needed for admins or the users. 
 
- 
+To learn more, including how to configure this option, please see the [MyApps Browser Extension](https://docs.microsoft.com/en-us/azure/active-directory/user-help/my-apps-portal-end-user-access#download-and-install-the-my-apps-secure-sign-in-extension) documentation.
 
 ### Option 3: Link Translation Setting 
 
-When link translation is enabled, the Application Proxy service searches through HTML and CSS for published internal links and translates them so that your users get an uninterrupted experience. 
-
+When link translation is enabled, the Application Proxy service searches through HTML and CSS for published internal links and translates them so that your users get an uninterrupted experience. Using the MyApps Browser Extension is preferred to the Link Translation Setting since it gives a more performant experience to users.
 
+> [!NOTE]
+> If you are using option 2 or 3, only one of these should be enabled at a time.
 
 ## How link translation works
 

articles/active-directory/manage-apps/application-proxy-configure-hard-coded-link-translation.md

@@ -3,14 +3,14 @@ title: Azure AD App Proxy and Qlik Sense| Microsoft Docs
 description:  Turn on Application Proxy in the Azure  portal, and install the Connectors for the reverse proxy.
 services: active-directory
 documentationcenter: ''
-author: CelesteDG
-manager: mtillman
+author: msmimart
+manager: CelesteDG
 ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: article
 ms.date: 09/06/2018
-ms.author: celested
+ms.author: mimart
 ms.reviewer: japere
 ms.custom: it-pro
 

articles/active-directory/manage-apps/application-proxy-qlik.md

@@ -3,8 +3,8 @@ title: Silent install Azure AD App Proxy connector | Microsoft Docs
 description: Covers how to perform an unattended installation of Azure AD Application Proxy Connector to provide secure remote access to your on-premises apps.
 services: active-directory
 documentationcenter: ''
-author: CelesteDG
-manager: mtillman
+author: msmimart
+manager: CelesteDG
 
 ms.service: active-directory
 ms.subservice: app-mgmt
@@ -13,7 +13,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
 ms.date: 05/17/2018
-ms.author: celested
+ms.author: mimart
 ms.reviewer: japere
 ms.custom: it-pro
 ms.collection: M365-identity-device-management