Merge pull request #229074 from MicrosoftDocs/main

Publish to Live Wednesday 4AM PST, 03/01

Author: PMEds28

.openpublishing.redirection.active-directory.json

@@ -75,6 +75,11 @@
       "redirect_url": "/azure/active-directory/saas-apps/tutorial-list",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/saas-apps/usertesting-tutorial.md",
+      "redirect_url": "/azure/active-directory/saas-apps/tutorial-list",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/saas-apps/otsuka-shokai-tutorial.md",
       "redirect_url": "/azure/active-directory/saas-apps/tutorial-list",
@@ -4405,7 +4410,7 @@
       "source_path_from_root": "/articles/active-directory/reports-monitoring/recommendations-integrate-third-party-apps.md",
       "redirect_url": "/azure/active-directory/reports-monitoring/overview-recommendations",
       "redirect_document_id": false
-     },
+    },
     {
       "source_path_from_root": "/articles/active-directory/reports-monitoring/workbook-legacy authentication.md",
       "redirect_url": "/azure/active-directory/reports-monitoring/workbook-legacy-authentication",

.openpublishing.redirection.healthcare-apis.json

@@ -10808,6 +10808,11 @@
             "redirect_url": "/azure/devtest-labs/add-artifact-repository",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/devtest-labs/devtest-lab-faq.md",
+            "redirect_url": "/azure/devtest-labs/",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/lab-services/devtest-lab-add-claimable-vm.md",
             "redirect_url": "/azure/devtest-labs/devtest-lab-add-claimable-vm",

.openpublishing.redirection.json

@@ -1,7 +1,7 @@
 ---
 title: "What's new in Azure Active Directory business-to-customer (B2C)"
 description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)."
-ms.date: 10/31/2022
+ms.date: 03/01/2023
 ms.service: active-directory
 ms.subservice: B2C
 ms.topic: reference
@@ -15,6 +15,15 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md) and [Azure AD B2C developer release notes](custom-policy-developer-notes.md)
 
+## February 2023
+
+### Updated articles
+
+- [Azure Active Directory B2C code samples](integrate-with-app-code-samples.md)
+- [JSON claims transformations](json-transformations.md)
+- [Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C](identity-provider-azure-ad-single-tenant.md)
+- [Page layout versions](page-layout.md)
+
 ## January 2023
 
 ### New articles
@@ -71,128 +80,3 @@ Welcome to what's new in Azure Active Directory B2C documentation. This article
 - [Set up a password reset flow in Azure Active Directory B2C](add-password-reset-policy.md)
 - [What is Azure Active Directory B2C?](overview.md)
 - [Technical and feature overview of Azure Active Directory B2C](technical-overview.md)
-
-## November 2022
-
-### New articles
-
-- [Configure Azure Active Directory B2C with Akamai Enterprise Application Access for SSO and secure hybrid access](partner-akamai-secure-hybrid-access.md)
-
-### Updated articles
-
-- [Manage your Azure Active Directory B2C tenant](tenant-management-manage-administrator.md)
-- [Manage Azure AD B2C with Microsoft Graph](microsoft-graph-operations.md)
-- [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md)
-- [Roles and resource access control](roles-resource-access-control.md)
-- [Define an Azure Active Directory technical profile in an Azure Active Directory B2C custom policy](active-directory-technical-profile.md)
-
-## October 2022
-
-### New articles
-
-- [Edit Azure Active Directory B2C Identity Experience Framework (IEF) XML with Grit Visual IEF Editor](partner-grit-editor.md)
-- [Register apps in Azure Active Directory B2C](register-apps.md)
-
-### Updated articles
-
-- [Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C](identity-provider-azure-ad-single-tenant.md)
-- [Set up a password reset flow in Azure Active Directory B2C](add-password-reset-policy.md)
-- [Azure Active Directory B2C documentation landing page](index.yml)
-- [Publish your Azure Active Directory B2C app to the Azure Active Directory app gallery](publish-app-to-azure-ad-app-gallery.md)
-- [JSON claims transformations](json-transformations.md)
-
-## September
-
-### New articles
-
-- [Tutorial: Configure the Grit IAM B2B2C solution with Azure Active Directory B2C](partner-grit-iam.md)
-
-## August 2022
-
-### New articles
-
-- [Configure Azure Active Directory B2C with Deduce to combat identity fraud and create a trusted user experience](partner-deduce.md)
-
-### Updated articles
-
-- [Clean up resources and delete the tenant](tutorial-delete-tenant.md)
-- [Set up sign-up and sign-in with a Twitter account using Azure Active Directory B2C](identity-provider-twitter.md)
-- [JSON claims transformations](json-transformations.md)
-- [Extensions app in Azure AD B2C](extensions-app.md)
-- [Manage Azure AD B2C with Microsoft Graph](microsoft-graph-operations.md)
-- [Define custom attributes in Azure Active Directory B2C](user-flow-custom-attributes.md)
-- [Azure Active Directory B2C: What's new](whats-new-docs.md)
-- [Page layout versions](page-layout.md)
-
-## July 2022
-
-### New articles
-
-- [Configure authentication in a sample React single-page application by using Azure Active Directory B2C](configure-authentication-sample-react-spa-app.md)
-- [Configure authentication options in a React application by using Azure Active Directory B2C](enable-authentication-react-spa-app-options.md)
-- [Enable authentication in your own React Application by using Azure Active Directory B2C](enable-authentication-react-spa-app.md)
-
-### Updated articles
-
-- [Enable custom domains for Azure Active Directory B2C](custom-domain.md)
-- [Set up sign-up and sign-in with a Twitter account using Azure Active Directory B2C](identity-provider-twitter.md)
-- [Page layout versions](page-layout.md)
-- [Monitor Azure AD B2C with Azure Monitor](azure-monitor.md)
-- [Enable JavaScript and page layout versions in Azure Active Directory B2C](javascript-and-page-layout.md)
-- [Localization string IDs](localization-string-ids.md)
-
-## June 2022
-
-### New articles
-
-- [Configure authentication in an Azure Static Web App by using Azure AD B2C](configure-authentication-in-azure-static-app.md)
-- [Configure authentication in an Azure Web App configuration file by using Azure AD B2C](configure-authentication-in-azure-web-app-file-based.md)
-- [Configure authentication in an Azure Web App by using Azure AD B2C](configure-authentication-in-azure-web-app.md)
-- [Enable authentication options in an Azure Static Web App by using Azure AD B2C](enable-authentication-azure-static-app-options.md)
-- [Enable authentication in your own Python web application using Azure Active Directory B2C](enable-authentication-python-web-app.md)
-- [Set up OAuth 2.0 client credentials flow in Azure Active Directory B2C](client-credentials-grant-flow.md)
-- [Configure WhoIAM Rampart with Azure Active Directory B2C](partner-whoiam-rampart.md)
-
-### Updated articles
-
-- [Configure authentication in a sample Python web app by using Azure AD B2C](configure-authentication-sample-python-web-app.md)
-- [Single-page application sign-in using the OAuth 2.0 implicit flow in Azure Active Directory B2C](implicit-flow-single-page-application.md)
-- [Set up OAuth 2.0 client credentials flow in Azure Active Directory B2C](client-credentials-grant-flow.md)
-- [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](tutorial-create-user-flows.md)
-- [Configure TheAccessHub Admin Tool by using Azure Active Directory B2C](partner-n8identity.md)
-- [Monitor Azure AD B2C with Azure Monitor](azure-monitor.md)
-
-
-## May 2022
-
-### Updated articles
-
-- [Set redirect URLs to b2clogin.com for Azure Active Directory B2C](b2clogin.md)
-- [Enable custom domains for Azure Active Directory B2C](custom-domain.md)
-- [Configure xID with Azure Active Directory B2C for passwordless authentication](partner-xid.md)
-- [UserJourneys](userjourneys.md)
-- [Secure your API used an API connector in Azure AD B2C](secure-rest-api.md)
-
-## April 2022
-
-### New articles
-
-- [Tutorial: Configure Azure Web Application Firewall with Azure Active Directory B2C](partner-azure-web-application-firewall.md)
-- [Configure Asignio with Azure Active Directory B2C for multi-factor authentication](partner-asignio.md)
-- [Set up sign-up and sign-in with Mobile ID using Azure Active Directory B2C](identity-provider-mobile-id.md)
-- [Find help and open a support ticket for Azure Active Directory B2C](find-help-open-support-ticket.md)
-
-### Updated articles
-
-- [Configure authentication in a sample single-page application by using Azure AD B2C](configure-authentication-sample-spa-app.md)
-- [Configure xID with Azure Active Directory B2C for passwordless authentication](partner-xid.md)
-- [Azure Active Directory B2C service limits and restrictions](service-limits.md)
-- [Localization string IDs](localization-string-ids.md)
-- [Manage your Azure Active Directory B2C tenant](tenant-management-manage-administrator.md)
-- [Page layout versions](page-layout.md)
-- [Secure your API used an API connector in Azure AD B2C](secure-rest-api.md)
-- [Azure Active Directory B2C: What's new](whats-new-docs.md)
-- [Application types that can be used in Active Directory B2C](application-types.md)
-- [Publish your Azure Active Directory B2C app to the Azure Active Directory app gallery](publish-app-to-azure-ad-app-gallery.md)
-- [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](quickstart-native-app-desktop.md)
-- [Register a single-page application (SPA) in Azure Active Directory B2C](tutorial-register-spa.md)

articles/active-directory-b2c/whats-new-docs.md

@@ -54,12 +54,14 @@
       href: concept-sspr-policy.md
     - name: Licenses
       href: concept-sspr-licensing.md
-  - name: Multi-Factor Authentication
+  - name: Multifactor Authentication
     items:
     - name: How MFA works
       href: concept-mfa-howitworks.md
     - name: Default protection 
       href: concept-authentication-default-enablement.md
+    - name: System-preferred MFA 
+      href: concept-system-preferred-multifactor-authentication.md
     - name: Prompts and session lifetime
       href: concepts-azure-multi-factor-authentication-prompts-session-lifetime.md
     - name: Data residency

articles/active-directory/authentication/TOC.yml

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 10/26/2022
+ms.date: 02/24/2023
 
 ms.author: justinha
 author: mjsantani
@@ -58,6 +58,7 @@ The following table lists each setting that can be set to Microsoft managed and
 | [Registration campaign](how-to-mfa-registration-campaign.md)                                    | Disabled      |
 | [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)           | Disabled      |
 | [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)   | Disabled      |
+| [System-preferred MFA](concept-system-preferred-multifactor-authentication.md)                  | Disabled      |
 
 As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). 
 

articles/active-directory/authentication/concept-authentication-default-enablement.md

@@ -0,0 +1,132 @@
+---
+title: System-preferred multifactor authentication (MFA) - Azure Active Directory
+description: Learn how to use system-preferred multifactor authentication
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 02/28/2023
+ms.author: justinha
+author: justinha
+manager: amycolannino
+ms.reviewer: msft-poulomi
+ms.collection: M365-identity-device-management
+
+
+# Customer intent: As an identity administrator, I want to encourage users to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.
+---
+# System-preferred multifactor authentication  - Authentication methods policy
+
+System-preferred multifactor authentication (MFA) prompts users to sign in by using the most secure method they registered. Administrators can enable system-preferred MFA to improve sign-in security and discourage less secure sign-in methods like SMS.
+
+For example, if a user registered both SMS and Microsoft Authenticator push notifications as methods for MFA, system-preferred MFA prompts the user to sign in by using the more secure push notification method. The user can still choose to sign in by using another method, but they're first prompted to try the most secure method they registered. 
+
+System-preferred MFA is a Microsoft managed setting, which is a [tristate policy](#authentication-method-feature-configuration-properties). For preview, the **default** state is disabled. If you want to turn it on for all users or a group of users during preview, you need to explicitly change the Microsoft managed state to **enabled** by using Microsoft Graph API. Sometime after general availability, the Microsoft managed state for system-preferred MFA will change to **enabled**. 
+
+After system-preferred MFA is enabled, the authentication system does all the work. Users don't need to set any authentication method as their default because the system always determines and presents the most secure method they registered. 
+
+## Enable system-preferred MFA
+
+To enable system-preferred MFA in advance, you need to choose a single target group for the schema configuration, as shown in the [Request](#request) example. 
+
+### Authentication method feature configuration properties
+
+By default, system-preferred MFA is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings) and disabled during preview. After generally availability, the Microsoft managed state default value will change to enable system-preferred MFA. 
+
+| Property | Type | Description |
+|----------|------|-------------|
+| excludeTarget | featureTarget | A single entity that is excluded from this feature. <br>You can only exclude one group from system-preferred MFA, which can be a dynamic or nested group.|
+| includeTarget | featureTarget | A single entity that is included in this feature. <br>You can only include one group for system-preferred MFA, which can be a dynamic or nested group.|
+| State | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |
+
+### Feature target properties
+
+System-preferred MFA can be enabled only for a single group, which can be a dynamic or nested group. 
+
+| Property | Type | Description |
+|----------|------|-------------|
+| id | String | ID of the entity targeted. |
+| targetType | featureTargetType | The kind of entity targeted, such as group, role, or administrative unit. The possible values are: 'group', 'administrativeUnit', 'role', 'unknownFutureValue'. |
+
+Use the following API endpoint to enable **systemCredentialPreferences** and include or exclude groups:
+
+```
+https://graph.microsoft.com/beta/authenticationMethodsPolicy
+```
+
+>[!NOTE]
+>In Graph Explorer, you need to consent to the **Policy.ReadWrite.AuthenticationMethod** permission. 
+
+### Request
+
+The following example excludes a sample target group and includes all users. For more information, see [Update authenticationMethodsPolicy](/graph/api/authenticationmethodspolicy-update?view=graph-rest-beta).
+
+```http
+PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
+Content-Type: application/json
+
+{
+    "systemCredentialPreferences": {
+        "state": "enabled",
+        "excludeTargets": [
+            {
+                "id": "d1411007-6fcf-4b4c-8d70-1da1857ed33c",
+                "targetType": "group"
+            }
+        ],
+        "includeTargets": [
+            {
+                "id": "all_users",
+                "targetType": "group"
+            }
+        ]
+    }
+}
+```
+
+## Known issues
+
+- [FIDO2 security key isn't supported on iOS mobile devices](../develop/support-fido2-authentication.md#mobile). This issue might surface when system-preferred MFA is enabled. Until a fix is available, we recommend not using FIDO2 security keys on iOS devices. 
+
+## Common questions
+
+### How does system-preferred MFA determine the most secure method?
+
+When a user signs in, the authentication process checks which authentication methods are registered for the user. The user is prompted to sign-in with the most secure method according to the following order. The order of authentication methods is dynamic. It's updated as the security landscape changes, and as better authentication methods emerge.
+
+1. Temporary Access Pass
+1. Certificate-based authentication
+1. FIDO2 security key
+1. Microsoft Authenticator notification
+1. Companion app notification
+1. Microsoft Authenticator time-based one-time password (TOTP)
+1. Companion app TOTP
+1. Hardware token based TOTP
+1. Software token based TOTP
+1. SMS over mobile
+1. OnewayVoiceMobileOTP
+1. OnewayVoiceAlternateMobileOTP
+1. OnewayVoiceOfficeOTP
+1. TwowayVoiceMobile
+1. TwowayVoiceAlternateMobile
+1. TwowayVoiceOffice
+1. TwowaySMSOverMobile
+
+### How does system-preferred MFA affect AD FS or NPS extension?
+
+System-preferred MFA doesn't affect users who sign in by using Active Directory Federation Services (AD FS) or Network Policy Server (NPS) extension. Those users don't see any change to their sign-in experience.
+
+### What if the most secure MFA method isn't available? 
+
+If the user doesn't have that have the most secure method available, they can sign in with another method. After sign-in, they're redirected to their Security info page to remove the registration of the authentication method that isn't available. 
+
+For example, let's say an end user misplaces their FIDO2 security key. When they try to sign in without their security key, they can click **I can't use my security key right now** and continue to sign in by using another method, like a time-based one-time password (TOTP). After sign-in, their Security info page appears and they need to remove their FIDO2 security key registration. They can register the method again later if they find their FIDO2 security key.  
+
+### What happens for users who aren't specified in the Authentication methods policy but enabled in the legacy MFA tenant-wide policy?
+
+The system-preferred MFA also applies for users who are enabled for MFA in the legacy MFA policy.
+:::image type="content" border="true" source="./media/how-to-mfa-number-match/legacy-settings.png" alt-text="Screenshot of legacy MFA settings.":::
+
+## Next steps
+
+* [Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md)
+* [How to run a registration campaign to set up Microsoft Authenticator](how-to-mfa-registration-campaign.md)