Merge pull request #226974 from MicrosoftDocs/main

Publish to live, Friday 4 AM PST, 2/10

Author: ttorble

.openpublishing.redirection.healthcare-apis.json

@@ -634,7 +634,11 @@
         "redirect_document_id": false
     },
     {   "source_path_from_root": "/articles/healthcare-apis/iot/how-to-use-calculated-functions-mappings.md",
-        "redirect_url": "/azure/healthcare-apis/iot/how-to-use-calculatedcontenttemplate-mappings",
+        "redirect_url": "/azure/healthcare-apis/iot/how-to-use-calculatedcontent-mappings",
+        "redirect_document_id": false
+    },
+    {   "source_path_from_root": "/articles/healthcare-apis/iot/how-to-use-calculatedcontenttemplate-mappings.md",
+        "redirect_url": "/azure/healthcare-apis/iot/how-to-use-calculatedcontent-mappings",
         "redirect_document_id": false
     },
     {   "source_path_from_root": "/articles/healthcare-apis/iot/how-to-use-iot-jsonpath-content-mappings.md",

articles/active-directory/app-provisioning/user-provisioning.md

@@ -7,7 +7,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: overview
 ms.workload: identity
-ms.date: 10/20/2022
+ms.date: 02/09/2023
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -18,7 +18,7 @@ In Azure Active Directory (Azure AD), the term *app provisioning* refers to auto
 
 ![Diagram that shows provisioning scenarios.](../governance/media/what-is-provisioning/provisioning.png)
 
-Azure AD application provisioning refers to automatically creating user identities and roles in the applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into SaaS applications like [Dropbox](../../active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../../active-directory/saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../../active-directory/saas-apps/servicenow-provisioning-tutorial.md), and more.
+Azure AD application provisioning refers to automatically creating user identities and roles in the applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into SaaS applications like [Dropbox](../../active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../../active-directory/saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../../active-directory/saas-apps/servicenow-provisioning-tutorial.md), and many more.
 
 Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://aka.ms/scimoverview), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](./on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](./on-premises-ldap-connector-configure.md) user store or a [SQL](./tutorial-ecma-sql-connector.md) database, Azure AD can support those as well. 
 
@@ -91,4 +91,4 @@ For other applications that support SCIM 2.0, follow the steps in [Build a SCIM
 
 - [List of tutorials on how to integrate SaaS apps](../saas-apps/tutorial-list.md)
 - [Customizing attribute mappings for user provisioning](customize-application-attributes.md)
-- [Scoping filters for user provisioning](define-conditional-rules-for-provisioning-user-accounts.md)
+- [Scoping filters for user provisioning](define-conditional-rules-for-provisioning-user-accounts.md)

articles/active-directory/authentication/TOC.yml

@@ -120,18 +120,6 @@
           href: how-to-mfa-microsoft-managed.md
       - name: Windows Hello for Business
         href: /windows/security/identity-protection/hello-for-business/hello-identity-verification
-      - name: Use a Temporary Access Pass
-        href: howto-authentication-temporary-access-pass.md
-      - name: Use SMS-based authentication
-        items:  
-        - name: Manage
-          href: howto-authentication-sms-signin.md
-        - name: Supported apps for SMS-based authentication
-          href: how-to-authentication-sms-supported-apps.md
-        - name: Two-way SMS unsupported
-          href: how-to-authentication-two-way-sms-unsupported.md
-      - name: Use email address sign-in
-        href: howto-authentication-use-email-signin.md
       - name: Certificate-based authentication
         items:
         - name: Azure AD CBA
@@ -144,7 +132,7 @@
             href: how-to-certificate-based-authentication.md
           - name: Windows smart card logon
             href: concept-certificate-based-authentication-smartcard.md
-          - name: iOS devices
+          - name: Apple devices
             href: concept-certificate-based-authentication-mobile-ios.md
           - name: Android devices
             href: concept-certificate-based-authentication-mobile-android.md
@@ -162,6 +150,18 @@
             href: active-directory-certificate-based-authentication-android.md
           - name: Use on iOS Devices
             href: active-directory-certificate-based-authentication-ios.md
+      - name: Use a Temporary Access Pass
+        href: howto-authentication-temporary-access-pass.md
+      - name: Use SMS-based authentication
+        items:  
+        - name: Manage
+          href: howto-authentication-sms-signin.md
+        - name: Supported apps for SMS-based authentication
+          href: how-to-authentication-sms-supported-apps.md
+        - name: Two-way SMS unsupported
+          href: how-to-authentication-two-way-sms-unsupported.md
+      - name: Use email address sign-in
+        href: howto-authentication-use-email-signin.md
   - name: Self-service password reset
     items:
     - name: Deployment guide

articles/active-directory/authentication/concept-certificate-based-authentication-mobile-ios.md

@@ -1,44 +1,61 @@
 ---
-title: Azure Active Directory certificate-based authentication on iOS devices - Azure Active Directory
-description: Learn about Azure Active Directory certificate-based authentication on iOS devices
+title: Azure Active Directory certificate-based authentication on Apple devices - Azure Active Directory
+description: Learn about Azure Active Directory certificate-based authentication on Apple devices that run macOS or iOS
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 01/29/2023
+ms.date: 02/09/2023
 
 ms.author: justinha
 author: justinha
-manager: daveba
+manager: amycolannino
 ms.reviewer: vimrang
 
 ms.collection: M365-identity-device-management
 ms.custom: has-adal-ref
 ---
-# Azure Active Directory certificate-based authentication on iOS
+# Azure Active Directory certificate-based authentication on iOS and macOS
 
+This topic covers Azure Active Directory (Azure AD) certificate-based authentication (CBA) support for macOS and iOS devices.
+
+## Azure Active Directory certificate-based authentication on macOS devices
+
+Devices that run macOS can use CBA to authenticate against Azure AD by using their X.509 client certificate. Azure AD CBA is supported with certificates on-device and external hardware protected security keys. On macOS, Azure AD CBA is supported on all browsers and on Microsoft first-party applications.
+
+### Browsers supported on macOS
+
+|Edge | Chrome | Safari | Firefox |
+|--------|---------|------|-------|
+|✅ |✅ | ✅ |✅ |
+
+### macOS device sign-in with Azure AD CBA
+
+Azure AD CBA today isn't supported for device-based sign-in to macOS machines. The certificate used to sign in to the device can be the same certificate used to authenticate to Azure AD from a browser or desktop application, but the device sign-in itself isn't supported against Azure AD yet. 
+
+## Azure Active Directory certificate-based authentication on iOS devices
 Devices that run iOS can use certificate-based authentication (CBA) to authenticate to Azure Active Directory (Azure AD) using a client certificate on their device when connecting to:
 
 - Office mobile applications such as Microsoft Outlook and Microsoft Word
 - Exchange ActiveSync (EAS) clients
 
 Azure AD CBA is supported for certificates on-device on native browsers and on Microsoft first-party applications on iOS devices. 
 
-## Prerequisites
+### Prerequisites
 
 - iOS version must be iOS 9 or later.
 - Microsoft Authenticator is required for Office applications and Outlook on iOS.
 
-## Support for on-device certificates and external storage
+### Support for on-device certificates and external storage
 
 On-device certificates are provisioned on the device. Customers can use Mobile Device Management (MDM) to provision the certificates on the device. Since iOS doesn't support hardware protected keys out of the box, customers can use external storage devices for certificates.
 
-## Supported platforms
+### Supported platforms
 
 - Only native browsers are supported 
 - Applications using latest MSAL libraries or Microsoft Authenticator can do CBA
-- Edge with profile, when users add account and logged in a profile will support CBA
+- Edge with profile, when users add account and logged in a profile support CBA
 - Microsoft first party apps with latest MSAL libraries or Microsoft Authenticator can do CBA
 
 ### Browsers
@@ -47,7 +64,7 @@ On-device certificates are provisioned on the device. Customers can use Mobile D
 |--------|---------|------|-------|
 |❌ | ❌ | ✅ |❌ |
 
-## Microsoft mobile applications support
+### Microsoft mobile applications support
 
 | Applications | Support | 
 |:---------|:------------:|
@@ -63,7 +80,7 @@ On-device certificates are provisioned on the device. Customers can use Mobile D
 |Word / Excel / PowerPoint	 |  ✅ |
 |Yammer	 |  ✅ |
 
-## Support for Exchange ActiveSync clients
+### Support for Exchange ActiveSync clients
 
 On iOS 9 or later, the native iOS mail client is supported. 
 
@@ -74,7 +91,7 @@ To determine if your email application supports Azure AD CBA, contact your appli
 Certificates can be provisioned in external devices like hardware security keys along with a PIN to protect private key access. 
 Microsoft's mobile certificate-based solution coupled with the hardware security keys is a simple, convenient, FIPS (Federal Information Processing Standards) certified phishing-resistant MFA method. 
 
-As for iOS 16/iPadOS 16.1, Apple devices provide native driver support for USB-C or Lightning connected CCID-compliant smart cards. This means Apple devices on iOS 16/iPadOS 16.1 will see a USB-C or Lightning connected CCID-compliant device as a smart card without the use of additional drivers or 3rd party apps. Azure AD CBA will work on these USB-A or USB-C, or Lightning connected CCID-compliant smart cards. 
+As for iOS 16/iPadOS 16.1, Apple devices provide native driver support for USB-C or Lightning connected CCID-compliant smart cards. This means Apple devices on iOS 16/iPadOS 16.1 see a USB-C or Lightning connected CCID-compliant device as a smart card without the use of additional drivers or third-party apps. Azure AD CBA works on these USB-A, USB-C, or Lightning connected CCID-compliant smart cards. 
 
 
 ### Advantages of certificates on hardware security key 
@@ -89,7 +106,7 @@ Security keys with certificates:
 
 ### Azure AD CBA on iOS mobile with YubiKey 
 
-Even though the native Smartcard/CCID driver is available on iOS/iPadOS for Lightning connected CCID-compliant smart cards, the YubiKey 5Ci Lightning connector is not seen as a connected smart card on these devices without the use of PIV (Personal Identity Verification) middleware like the Yubico Authenticator.  
+Even though the native Smartcard/CCID driver is available on iOS/iPadOS for Lightning connected CCID-compliant smart cards, the YubiKey 5Ci Lightning connector isn't seen as a connected smart card on these devices without the use of PIV (Personal Identity Verification) middleware like the Yubico Authenticator.  
 
 ### One-time registration prerequisite
 
@@ -102,7 +119,7 @@ Even though the native Smartcard/CCID driver is available on iOS/iPadOS for Ligh
 1. Install the latest Microsoft Authenticator app.
 1. Open Outlook and plug in your YubiKey. 
 1. Select **Add account** and enter your user principal name (UPN).
-1. Click **Continue** and the iOS certificate picker will appear. 
+1. Click **Continue** and the iOS certificate picker appears. 
 1. Select the public certificate copied from YubiKey that is associated with the user’s account.  
 1. Click **YubiKey required** to open the YubiKey authenticator app. 
 1. Enter the PIN to access YubiKey and select the back button at the top left corner. 
@@ -111,18 +128,18 @@ The user should be successfully logged in and redirected to the Outlook homepage
 
 ### Troubleshoot certificates on hardware security key
 
-#### What will happen if the user has certificates both on the iOS device and YubiKey? 
+#### What happens if the user has certificates both on the iOS device and YubiKey? 
 
-The iOS certificate picker will show all the certificates on both iOS device and the ones copied from YubiKey into iOS device. Depending on the certificate user picks they will be either taken to YubiKey authenticator to enter PIN or directly authenticated. 
+The iOS certificate picker shows all the certificates on both iOS device and the ones copied from YubiKey into iOS device. Depending on the certificate user picks, they may be taken to YubiKey authenticator to enter a PIN, or directly authenticated. 
 
 #### My YubiKey is locked after incorrectly typing PIN 3 times. How do I fix it? 
 
 - Users should see a dialog informing you that too many PIN attempts have been made. This dialog also pops up during subsequent attempts to select **Use Certificate or smart card**.
 - [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) can reset a YubiKey’s PIN. 
 
-#### Once CBA fails, clicking on the CBA option again in the ‘Other ways to signin’ link on the error page fails. 
+#### After CBA fails, the CBA option in the ‘Other ways to sign in’ link also fails. Is there a workaround? 
 
-This issue happens because of certificate caching. We are working to add a fix to clear the cache. As a workaround, clicking cancel and restarting the login flow will let the user choose a new certificate and successfully login. 
+This issue happens because of certificate caching. We're working on an update to clear the cache. As a workaround, click **Cancel**, retry sign-in, and choose a new certificate. 
 
 #### Azure AD CBA with YubiKey is failing. What information would help debug the issue? 
 
@@ -134,9 +151,9 @@ This issue happens because of certificate caching. We are working to add a fix t
 
 #### How can I enforce phishing-resistant MFA using a hardware security key on browser-based applications on mobile? 
 
-Certificate based authentication and Conditional Access authentication strength capability makes it powerful for customers to enforce authentication needs. Edge as a profile (add an account) will work with a hardware security key like YubiKey and conditional access policy with authentication strength capability can enforce phishing-resistant authentication with CBA.
+Certificate-based authentication and Conditional Access authentication strength capability makes it powerful for customers to enforce authentication needs. Edge as a profile (add an account) works with a hardware security key like YubiKey and a Conditional Access policy with authentication strength capability can enforce phishing-resistant authentication with CBA.
 
-CBA support for YubiKey is available in the latest Microsoft Authentication Library (MSAL) libraries, any third-party application that integrates the latest MSAL, and all Microsoft first party applications can leverage CBA and Conditional Access authentication strength. 
+CBA support for YubiKey is available in the latest Microsoft Authentication Library (MSAL) libraries, and any third-party application that integrates the latest MSAL. All Microsoft first-party applications can use CBA and Conditional Access authentication strength. 
 
 ### Supported operating systems
 
@@ -158,7 +175,7 @@ CBA support for YubiKey is available in the latest Microsoft Authentication Libr
 
 ## Known issue
 
-On iOS, users will see a "double prompt", where they must click the option to use certificate-based authentication twice. We're working to create a seamless user experience.
+On iOS, users see a "double prompt", where they must click the option to use certificate-based authentication twice. We're working to create a seamless user experience.
 
 ## Next steps
 

articles/active-directory/authentication/how-to-certificate-based-authentication.md

@@ -5,7 +5,7 @@ description: Topic that shows how to configure Azure AD certificate-based authen
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 01/30/2023
+ms.date: 02/09/2023
 
 ms.author: justinha
 author: justinha
@@ -129,6 +129,9 @@ For more information, see [Understanding the certificate revocation process](./c
 
 ## Step 2: Enable CBA on the tenant
 
+>[!IMPORTANT]
+>A user is considered capable for MFA when the user is in scope for **Certificate-based authentication** in the Authentication methods policy. This policy requirement means a user can't use proof up as part of their authentication to register other available methods. For more information, see [Azure AD MFA](concept-mfa-howitworks.md).
+
 To enable the certificate-based authentication in the Azure portal, complete the following steps:
 
 1. Sign in to the [Azure portal](https://portal.azure.com/) as an Authentication Policy Administrator.

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/03/2023
+ms.date: 02/09/2023
 ms.author: justinha
 author: justinha
 ms.collection: M365-identity-device-management
@@ -16,7 +16,7 @@ ms.collection: M365-identity-device-management
 This topic covers how to enable number matching in Microsoft Authenticator push notifications to improve user sign-in security.  
 
 >[!NOTE]
->Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users starting February 27, 2023.<br> 
+>Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023.<br> 
 >We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance. 
 
 ## Prerequisites
@@ -37,7 +37,7 @@ Number matching is available for the following scenarios. When enabled, all scen
 - [AD FS adapter](#ad-fs-adapter)
 - [NPS extension](#nps-extension)
 
-Number matching isn't supported for Apple Watch notifications. Apple Watch users need to use their phone to approve notifications when number matching is enabled.
+Number matching isn't supported for push notifications for Apple Watch or Android wearable devices. Wearable device users need to use their phone to approve notifications when number matching is enabled.  
 
 ### Multifactor authentication