Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into apimfreecert

Author: dlepow

.github/workflows/stale.yml

@@ -19,8 +19,7 @@ jobs:
         close-pr-label: auto-close
         exempt-pr-labels: keep-open
         operations-per-run: 1200
-        ascending: true
-        start-date: '2021-07-29'
+        ascending: false
         stale-pr-message: >
           This pull request has been inactive for at least 14 days.
           If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation) for instructions.

.openpublishing.redirection.active-directory.json

@@ -10,6 +10,11 @@
           "redirect_url": "/azure/active-directory/manage-apps/what-is-application-management",
           "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/active-directory/authentication/how-to-nudge-authenticator-app.md",
+            "redirect_url": "/azure/active-directory/authentication/how-to-mfa-registration-campaign",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/active-directory/develop/active-directory-v2-limitations.md",
             "redirect_url": "/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison",

articles/active-directory-b2c/TOC.yml

@@ -53,6 +53,7 @@
       href: ../active-directory/develop/v2-app-types.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json
     - name: Authentication library
       href: ../active-directory/develop/msal-overview.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json
+      displayName: MSAL, client library, Microsoft Authentication Library
   - name: Azure AD B2C best practices
     href: best-practices.md
   - name: Application types
@@ -595,6 +596,7 @@
     href: app-registrations-training-guide.md
   - name: Billing model
     href: billing.md
+    displayName: pricing model
   - name: Code samples
     href: /samples/browse/?terms=b2c
   - name: Cookie definitions

articles/active-directory-b2c/billing.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.topic: reference
 ms.workload: identity
-ms.date: 11/11/2021
+ms.date: 11/16/2021
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: fasttrack-edit
@@ -48,7 +48,7 @@ MAU billing went into effect for Azure AD B2C tenants on **November 1, 2019**. A
 
 Your Azure AD B2C tenant must also be linked to the appropriate Azure pricing tier based on the features you want to use. Premium features require Azure AD B2C [Premium P1 or P2 pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/). You might need to upgrade your pricing tier as you use new features. For example, for risk-based Conditional Access policies, you’ll need to select the Azure AD B2C Premium P2 pricing tier for your tenant.
 > [!NOTE]
->  Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features, but **this free tier doesn’t apply to subscriptions with free trial credits**. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.
+>  Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features, but the **free tier doesn’t apply to free trial, credit-based, or sponsorship subscriptions**. Once the free trial period or credits expire for these types of subscriptions, you'll begin to be charged for Azure AD B2C MAUs. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.
 ## Link an Azure AD B2C tenant to a subscription
 
 Usage charges for Azure Active Directory B2C (Azure AD B2C) are billed to an Azure subscription. You need to explicitly link an Azure AD B2C tenant to an Azure subscription by creating an Azure AD B2C *resource* within the target Azure subscription. Several Azure AD B2C resources can be created in a single Azure subscription, along with other Azure resources like virtual machines, Storage accounts, and Logic Apps. You can see all of the resources within a subscription by going to the Azure Active Directory (Azure AD) tenant that the subscription is associated with.

articles/active-directory/app-provisioning/customize-application-attributes.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 07/07/2021
+ms.date: 11/15/2021
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -253,6 +253,7 @@ The request format in the PATCH and POST differ. To ensure that POST and PATCH a
   - **Things to consider**
     - All roles will be provisioned as primary = false.
     - The POST contains the role type. The PATCH request does not contain type. We are working on sending the type in both POST and PATCH requests.
+    - AppRoleAssignmentsComplex is not compatible with setting scope to "Sync All users and groups." 
 
   - **Example output** 
 

articles/active-directory/authentication/TOC.yml

@@ -162,8 +162,12 @@
       href: howto-password-ban-bad-on-premises-faq.yml
     - name: Agent version history
       href: howto-password-ban-bad-on-premises-agent-versions.md
-  - name: Nudge Microsoft Authenticator setup (Preview)
-    href: how-to-nudge-authenticator-app.md
+  - name: Run a registration campaign
+    href: how-to-mfa-registration-campaign.md
+  - name: Use number matching (Preview)
+    href: how-to-mfa-number-match.md
+  - name: Use additional context (Preview)
+    href: how-to-mfa-additional-context.md
   - name: Use Microsoft managed settings 
     href: how-to-mfa-microsoft-managed.md
   - name: Use a Temporary Access Pass (Preview)

articles/active-directory/authentication/concept-authentication-passwordless.md

@@ -124,7 +124,6 @@ The following providers offer FIDO2 security keys of different form factors that
 | KONA I                    | ![y]              | ![n]| ![y]| ![y]| ![n]           | https://konai.com/business/security/fido                                                            |
 | NEOWAVE                   | ![n]              | ![y]| ![y]| ![n]| ![n]           | https://neowave.fr/en/products/fido-range/                                                          |
 | Nymi                      | ![y]              | ![n]| ![y]| ![n]| ![n]           | https://www.nymi.com/nymi-band                                                                      | 
-| Octatco                   | ![y]              | ![y]| ![n]| ![n]| ![n]           | https://octatco.com/                                                                                |
 | OneSpan Inc.              | ![n]              | ![y]| ![n]| ![y]| ![n]           | https://www.onespan.com/products/fido                                                               |
 | Thales Group              | ![n]              | ![y]| ![y]| ![n]| ![n]           | https://cpl.thalesgroup.com/access-management/authenticators/fido-devices                           |
 | Thetis                    | ![y]              | ![y]| ![y]| ![y]| ![n]           | https://thetis.io/collections/fido2                                                                 |

articles/active-directory/authentication/how-to-mfa-additional-context.md

@@ -0,0 +1,196 @@
+---
+title: Use additional context in multifactor authentication (MFA) notifications (Preview) - Azure Active Directory
+description: Learn how to use additional context in MFA notifications
+services: active-directory
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 11/16/2021
+
+ms.author: justinha
+author: mjsantani
+manager: daveba
+
+ms.collection: M365-identity-device-management
+
+# Customer intent: As an identity administrator, I want to encourage users to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.
+---
+# How to use additional context in multifactor authentication (MFA) notifications (Preview) - Authentication Methods Policy
+
+This topic covers how to improve the security of user sign-in by adding application location based on IP address in Microsoft Authenticator push notifications.  
+
+## Prerequisites
+
+Your organization will need to enable Microsoft Authenticator push notifications for some users or groups using the new Authentication Methods Policy API. 
+
+>[!NOTE]
+>Additional context can be targeted to only a single group, which can be dynamic or nested. On-premises synchronized security groups and cloud-only security groups are supported for the Authentication Method Policy.
+
+## Passwordless phone sign-in and multifactor authentication 
+
+When a user receives a Passwordless phone sign-in or MFA push notification in the Microsoft Authenticator app, they'll see the name of the application that requests the approval and the app location based on its IP address.
+
+![Screenshot of additional context in the MFA push notification.](media/howto-authentication-passwordless-phone/location.png)
+
+The additional context can be combined with [number matching](how-to-mfa-number-match.md) to further improve sign-in security. 
+
+![Screenshot of additional context with number matching in the MFA push notification.](media/howto-authentication-passwordless-phone/location-with-number-match.png)
+
+### Policy schema changes 
+
+Identify a single target group for the schema configuration. Then use the following API endpoint to change the displayAppInformationRequiredState property to **enabled**:
+
+https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+
+
+#### MicrosoftAuthenticatorAuthenticationMethodConfiguration properties
+
+**PROPERTIES**
+
+| Property | Type | Description |
+|---------|------|-------------|
+| id | String | The authentication method policy identifier. |
+| state | authenticationMethodState | Possible values are: **enabled**<br>**disabled** |
+ 
+**RELATIONSHIPS**
+
+| Relationship | Type | Description |
+|--------------|------|-------------|
+| includeTargets | [microsoftAuthenticatorAuthenticationMethodTarget](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget.md?view=graph-rest-beta) |
+| collection | A collection of users or groups who are enabled to use the authentication method. |
+ 
+#### MicrosoftAuthenticator includeTarget properties
+ 
+**PROPERTIES**
+
+| Property | Type | Description |
+|----------|------|-------------|
+| authenticationMode | String | Possible values are:<br>**any**: Both passwordless phone sign-in and traditional second factor notifications are allowed.<br>**deviceBasedPush**: Only passwordless phone sign-in notifications are allowed.<br>**push**: Only traditional second factor push notifications are allowed. |
+| id | String | Object ID of an Azure AD user or group. |
+| targetType | authenticationMethodTargetType | Possible values are: **user**, **group**.<br>You can only set one group or user for additional context. |
+| displayAppInformationRequiredState | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |
+
+>[!NOTE]
+>Additional context can only be enabled for a single group.
+
+#### Example of how to enable additional context for all users
+
+Change the **displayAppInformationRequiredState** from **default** to **enabled**. 
+
+The value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we'll use **any**, but if you do not want to allow passwordless, use **push**.
+
+You need to PATCH the entire includeTarget to prevent overwriting any previous configuration. In that case, do a GET first, update only the relevant fields, and then PATCH. The following example only shows the update to the **displayAppInformationRequiredState**. 
+
+```json
+//Retrieve your existing policy via a GET. 
+//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.
+//Change the Query to PATCH and Run query
+ 
+{
+    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
+    "id": "MicrosoftAuthenticator",
+    "state": "enabled",
+    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "includeTargets": [
+        {
+            "targetType": "group",
+            "id": "all_users",
+            "authenticationMode": "any",
+            "displayAppInformationRequiredState": "enabled",
+            "numberMatchingRequiredState": "enabled"
+        }
+    ]
+}
+ 
+```
+ 
+To confirm this update has applied, run the GET request below using the endpoint below.
+GET - https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+ 
+ 
+#### Example of how to enable additional context for a single group
+ 
+Change the **displayAppInformationRequiredState** value from **default** to **enabled.** 
+Change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.
+
+You need to PATCH the entire includeTarget to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The example below only shows the update to the **displayAppInformationRequiredState**. 
+
+```json
+//Copy paste the below in the Request body section as shown below.
+//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.
+//Change query to PATCH and run query
+
+{
+    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
+    "id": "MicrosoftAuthenticator",
+    "state": "enabled",
+    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "includeTargets": [
+        {
+            "targetType": "group",
+            "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a”,
+            "authenticationMode": "any",
+            "displayAppInformationRequiredState": "enabled",
+            "numberMatchingRequiredState": "enabled"
+        }
+    ]
+}
+```
+ 
+To verify, RUN GET again and verify the ObjectID
+GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+ 
+
+#### Example of error when enabling additional context for multiple groups
+
+The PATCH request will fail with 400 Bad Request and the error will contain the following message: 
+
+`Persistance of policy failed with error: You cannot enable multiple targets for feature 'Require Display App Information'. Choose only one of the following includeTargets to enable: aede0efe-c1b4-40dc-8ae7-2c402f23e312,aede0efe-c1b4-40dc-8ae7-2c402f23e317.`
+
+### Test the end-user experience
+Add the test user account to the Microsoft Authenticator app. The account **doesn't** need to be enabled for phone sign-in. 
+
+See the end-user experience of an Authenticator MFA push notification with additional context by signing into aka.ms/MFAsetup. 
+
+### Turn off additional context
+
+To turn off additional context, you'll need to PATCH remove **displayAppInformationRequiredState** from **enabled** to **disabled**/**default**.
+
+```json
+{
+    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
+    "id": "MicrosoftAuthenticator",
+    "state": "enabled",
+    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "includeTargets": [
+        {
+            "targetType": "group",
+            "id": "all_users",
+            "authenticationMode": "any",
+            "displayAppInformationRequiredState": "enabled",
+            "numberMatchingRequiredState": "default"
+        }
+    ]
+}
+```
+
+## Enable additional context in the portal
+
+To enable additional context in the Azure AD portal, complete the following steps:
+
+1. In the Azure AD portal, click **Security** > **Authentication methods** > **Microsoft Authenticator**.
+1. Select the target users, click the three dots on the right, and click **Configure**.
+   
+   ![Screenshot of how to configure number match.](media/howto-authentication-passwordless-phone/configure.png)
+
+1. Select the **Authentication mode**, and then for **Show additional context in notifications (Preview)**, click **Enable**, and then click **Done**.
+
+   ![Screenshot of enabling additional context.](media/howto-authentication-passwordless-phone/enable-additional-context.png)
+
+## Next steps
+
+[Authentication methods in Azure Active Directory - Microsoft Authenticator app](concept-authentication-authenticator-app.md)
+

articles/active-directory/authentication/how-to-mfa-microsoft-managed.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 11/03/2021
+ms.date: 11/11/2021
 
 ms.author: justinha
 author: mjsantani
@@ -18,17 +18,21 @@ ms.collection: M365-identity-device-management
 ---
 # How to use Microsoft managed settings - Authentication Methods Policy
 
+<!---what API--->
+
 In addition to configuring Authentication Methods Policy settings to be either **Enabled** or **Disabled**, IT admins can configure some settings to be **Microsoft managed**. A setting that is configured as **Microsoft managed** allows Azure AD to enable or disable the setting. 
 
+The option to let Azure AD manage the setting is a convenient way for an organization to allow Microsoft to enable or disable a feature by default. Organizations can more easily improve their security posture by trusting Microsoft to manage when a feature should be enabled by default. By configuring a setting as **Microsoft managed** (named *default* in Graph APIs), IT admins can trust Microsoft to enable a security feature they have not explicitly disabled. 
+
 ## Settings that can be Microsoft managed
 
 The following table lists settings that can be set to Microsoft managed and whether it is enabled or disabled. 
 
-| Setting         | Configuration |
-|-----------------|---------------|
-| [Registration campaign](how-to-nudge-authenticator-app.md)  | Disabled      |
-| Number match        | Disabled      |
-| Additional context  | Disabled      |
+| Setting                                                                                                                         | Configuration |
+|---------------------------------------------------------------------------------------------------------------------------------|---------------|
+| [Registration campaign](how-to-mfa-registration-campaign.md)                                                      | Disabled      |
+| [Number match](how-to-mfa-number-match.md)                                             | Disabled      |
+| [Additional context in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled      |
 
 ## Next steps