You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory-b2c/billing.md
+15-1Lines changed: 15 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,6 +11,7 @@ ms.workload: identity
11
11
ms.date: 10/25/2019
12
12
ms.author: mimart
13
13
ms.subservice: B2C
14
+
ms.custom: fasttrack-edit
14
15
---
15
16
16
17
# Billing model for Azure Active Directory B2C
@@ -128,12 +129,25 @@ The management of Azure AD B2C using role-based access control is not affected b
128
129
129
130
## Change the Azure AD B2C tenant billing subscription
130
131
131
-
Azure AD B2C tenants can be moved to another subscription if the source and destination subscriptions exist within the same Azure Active Directory tenant.
132
+
### Move using Azure Resource Manager
133
+
134
+
Azure AD B2C tenants can be moved to another subscription using Azure Resource Manager if the source and destination subscriptions exist within the same Azure Active Directory tenant.
132
135
133
136
To learn how to move Azure resources like your Azure AD B2C tenant to another subscription, see [Move resources to new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md).
134
137
135
138
Before you initiate the move, be sure to read the entire article to fully understand the limitations and requirements for such a move. In addition to instructions for moving resources, it includes critical information like a pre-move checklist and how to validate the move operation.
136
139
140
+
### Move by un-linking and re-linking
141
+
142
+
If the source and destination subscriptions are associated with different Azure Active Directory tenants, you can't perform the move via Azure Resource Manager as explained above. However, you can still achieve the same end result by un-linking the Azure AD B2C tenant from the source subscription and re-linking it to the destination subscription. This method is safe because the only object you delete is the *billing link*, not the Azure AD B2C tenant itself. None of the users, apps, user flows, etc. will be affected.
143
+
144
+
1. In the Azure AD B2C directory itself, [invite a guest user](user-overview.md#guest-user) from the destination Azure AD tenant (the one that the destination Azure subscription is linked to) and ensure this user has the **Global administrator** role in Azure AD B2C.
145
+
1. Navigate to the *Azure resource* representing Azure AD B2C in your source Azure subscription as explained in the [Manage your Azure AD B2C tenant resources](#manage-your-azure-ad-b2c-tenant-resources) section above. Don't switch to the actual Azure AD B2C tenant.
146
+
1. Click the **Delete** button on the **Overview** page. This does *not* delete the related Azure AD B2C tenant's users or applications. It merely removes the billing link from the source subscription.
147
+
1. Sign in to the Azure portal with the user account that was added as an administrator in Azure AD B2C in step 1. Then navigate to the destination Azure subscription, which is linked to the destination Azure Active Directory tenant.
148
+
1. Re-establish the billing link in the destination subscription by following the [Create the link](#create-the-link) procedure above.
149
+
1. Your Azure AD B2C resource has now moved to the destination Azure subscription (linked to the target Azure Active Directory) and will be billed through this subscription going forward.
150
+
137
151
## Next steps
138
152
139
153
For the latest pricing information, see [Azure Active Directory B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/).
Copy file name to clipboardExpand all lines: articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md
Azure Active Directory (Azure AD) has multiple settings that determine how often users need to reauthenticate. This reauthentication could be with a first factor such as password, FIDO, or passwordless Microsoft Authenticator, or to perform multi-factor authentication (MFA). You can configure these reauthentication settings as needed for your own environment and the user experience you want.
20
20
21
+
The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt.
22
+
23
+
It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions using PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken).
24
+
21
25
This article details recommended configurations and how different settings work and interact with each other.
22
26
23
27
## Recommended settings
@@ -31,6 +35,7 @@ To give your users the right balance of security and ease of use by asking them
31
35
* If you have Office 365 apps licenses or the free Azure AD tier:
32
36
* Enable single sign-on (SSO) across applications using [managed devices](../devices/overview.md) or [Seamless SSO](../hybrid/how-to-connect-sso.md).
33
37
* Keep the *Remain signed-in* option enabled and guide your users to accept it.
38
+
* For mobile devices scenarios, make sure your users use the Microsoft Authenticator app. This app is used as a broker to other Azure AD federated apps, and reduces authentication prompts on the device.
34
39
35
40
Our research shows that these settings are right for most tenants. Some combinations of these settings, such as *Remember MFA* and *Remain singed-in*, can result in prompts for your users to authenticate too often. Regular reauthentication prompts are bad for user productivity and can make them more vulnerable to attacks.
36
41
@@ -67,11 +72,11 @@ For more information on configuring the option to let users remain signed-in, se
67
72
68
73
### Remember Multi-Factor Authentication
69
74
70
-
This setting lets you configure values between 1-60 days and sets a persistent cookie on the browser when a user selects the **Don't ask again for X days** option at sign-in.
75
+
This setting lets you configure values between 1-365 days and sets a persistent cookie on the browser when a user selects the **Don't ask again for X days** option at sign-in.
71
76
72
77
73
78
74
-
While this setting reduces the number of authentications on web apps, it increases the number of authentications for modern authentication clients, such as Office clients. These clients normally prompt only after password reset or inactivity of 90 days. However, the maximum value of *Remember MFA* is 60 days. When used in combined with **Remain signed-in** or Conditional Access policies, it may increase the number of authentication requests.
79
+
While this setting reduces the number of authentications on web apps, it increases the number of authentications for modern authentication clients, such as Office clients. These clients normally prompt only after password reset or inactivity of 90 days. However, setting this value to less than 90 days shortens the default MFA prompts for Office clients, and increases reauthentication frequency. When used in combined with **Remain signed-in** or Conditional Access policies, it may increase the number of authentication requests.
75
80
76
81
If you use *Remember MFA* and have Azure AD Premium 1 licenses, consider migrating these settings to Conditional Access Sign-in Frequency. Otherwise, consider using *Keep me signed in?* instead.
0 commit comments