articles/active-directory/reports-monitoring/workbook-authentication-prompts-analysis.md
+3 -5 (3 additions & 5 deletions)
@@ -26,7 +26,7 @@ This article provides you with an overview of **Authentication Prompts Analysis*
26
26
27
27
Have you recently heard of complaints from your users about getting too many authentication prompts?
28
28
29
-
Overprompting users can affect your user's productivity and often leads users getting phished for MFA. To be clear, MFA is essential! We are not talking about if you should require MFA but how frequently you should prompt your users.
29
+
Overprompting users can affect your user's productivity and often leads users getting phished for MFA. To be clear, MFA is essential! We aren't talking about if you should require MFA but how frequently you should prompt your users.
30
30
31
31
Typically, this scenario is caused by:
32
32
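Review bot: The rewritten sentence on line 29 still reads "often leads users getting phished for MFA", which is missing "to", and "your user's productivity" should be the plural possessive "users'". Since the line is already being touched for the contraction, fix both in the same change, for example "can affect your users' productivity and often leads to users getting phished for MFA".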
@@ -63,11 +63,11 @@ This workbook breaks down authentication prompts by:
63
63
64
64

65
65
66
-
In many environments, the most used apps are business productivity apps. Anything that isn’t expected should be investigated. The charts below show authentication prompts by application.
66
+
In many environments, the most used apps are business productivity apps. Anything that isn’t expected should be investigated. The following charts show authentication prompts by application.
67
67
68
68

69
69
70
-
The prompts by application list view shows additional information such as timestamps, and request IDs that help with investigations.
70
+
The **prompts by application list view** shows additional information such as timestamps, and request IDs that help with investigations.
71
71
72
72
Additionally, you get a summary of the average and median prompts count for your tenant.
73
73
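Review bot: The changed line 70 keeps the stray comma in "such as timestamps, and request IDs"; with only two items the comma should be dropped. The sentence is already being edited to bold the view name, so this is the place to fix it.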
@@ -98,6 +98,4 @@ Filtering for a specific user that has many authentication requests or only show
98
98
99
99
- To understand more about the different policies that affect MFA prompts, see [Optimize reauthentication prompts and understand session lifetime for Microsoft Entra multifactor authentication](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).
100
100
101
-
- To learn more about the different vulnerabilities of different MFA methods, see [All your creds belong to us!](https://aka.ms/allyourcreds).
102
-
103
101
- To learn how to move users from telecom-based methods to the Authenticator app, see [How to run a registration campaign to set up Microsoft Authenticator - Microsoft Authenticator app](../authentication/how-to-mfa-registration-campaign.md).
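Review bot: Removing the "All your creds belong to us!" bullet (old line 101) takes out the only visible pointer to the weaknesses of different MFA methods, while the bullet that follows still tells readers to move users off telecom-based methods without saying why. If the aka.ms link was dropped because it is stale, say so in the commit message and point to a replacement; otherwise keep it.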
articles/active-directory/reports-monitoring/workbook-cross-tenant-access-activity.md
+3 -3 (3 additions & 3 deletions)
@@ -24,7 +24,7 @@ This article provides you with an overview of the **Cross-tenant access activity
24
24
25
25

26
26
27
-
Tenant administrators who are making changes to policies governing cross-tenant access can use this workbook to visualize and review existing access activity patterns before making policy changes. For example, you can identify the apps your users are accessing in external organizations so that you don't inadvertently block critical business processes. Understanding how external users access resources in your tenant (inbound access) and how users in your tenant access resources in external tenants (outbound access) will help ensure you have the right cross-tenant policies in place.
27
+
Tenant administrators who are making changes to policies governing cross-tenant access can use this workbook to visualize and review existing access activity patterns before making policy changes. For example, you can identify the apps your users are accessing in external organizations so that you don't inadvertently block critical business processes. Understanding how external users access resources in your tenant (inbound access) and how users in your tenant access resources in external tenants (outbound access) helps ensure you have the right cross-tenant policies in place.
28
28
29
29
For more information, see the [Microsoft Entra External ID documentation](../external-identities/index.yml).
30
30
@@ -49,15 +49,15 @@ The total number of external tenants that have had cross-tenant access activity
49
49
50
50

51
51
52
-
The **External Tenant** list shows all the tenants that have had inbound or outbound activity with your tenant. When you select an external tenant in the table, the sections after the table update with information about outbound and inbound activity for that tenant.
52
+
The **External Tenant** list shows all the tenants that have had inbound or outbound activity with your tenant. When you select an external tenant in the table, the sections after the table display information about outbound and inbound activity for that tenant.
53
53
54
54

55
55
56
56
When you select an external tenant from the list with outbound activity, associated details appear in the **Outbound activity** table. The same applies when you select an external tenant with inbound activity. Select the **Inbound activity** tab to view the details of an external tenant with inbound activity.
57
57
58
58

59
59
60
-
When viewing external tenants with outbound activity, the subsequent two tables display details for the application and user activity appear. When viewing external tenants with inbound activity, the same tables show inbound application and user activity. These tables are dynamic and based on what was previously selected, so make sure you're viewing the correct tenant and activity.
60
+
When you're viewing external tenants with outbound activity, the subsequent two tables display details for the application and user activity appear. When you're viewing external tenants with inbound activity, the same tables show inbound application and user activity. These tables are dynamic and based on what was previously selected, so make sure you're viewing the correct tenant and activity.
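Review bot: The new line 60 still ends its first sentence with a leftover verb: "the subsequent two tables display details for the application and user activity appear." Drop "appear" (or drop "display" and restructure) so the sentence has a single verb; the rewrite to "When you're viewing" did not touch the actual grammar problem.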
articles/active-directory/reports-monitoring/workbook-legacy-authentication.md
+3 -3 (3 additions & 3 deletions)
@@ -19,7 +19,7 @@ ms.reviewer: besiler
19
19
20
20
Have you ever wondered how you can determine whether it's safe to turn off legacy authentication in your tenant? The sign-ins using legacy authentication workbook helps you to answer this question.
21
21
22
-
This article gives you an overview of the **Sign-ins using legacy authenticaion** workbook.
22
+
This article gives you an overview of the **Sign-ins using legacy authentication** workbook.
To improve the security of your Microsoft Entra tenant and experience of your users, you should disable legacy authentication. However, important user experiences in your tenant might depend on legacy authentication. Before shutting off legacy authentication, you may want to find those cases so you can migrate them to more secure authentication.
45
45
46
-
The sign-ins using legacy authentication workbook lets you see all legacy authentication sign-ins in your environment so you can find and migrate critical workflows to more secure authentication methods before you shut off legacy authentication.
46
+
The **Sign-ins using legacy authentication** workbook lets you see all legacy authentication sign-ins in your environment. This workbook helps you find and migrate critical workflows to more secure authentication methods before you shut off legacy authentication.
47
47
48
48
## How to access the workbook
49
49
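Review bot: The workbook name is now bold and capitalized on lines 22 and 46 ("**Sign-ins using legacy authentication** workbook"), but the unchanged line 20 directly above still says "The sign-ins using legacy authentication workbook". Apply the same formatting there so the name is consistent within the introduction.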
@@ -82,7 +82,7 @@ This workbook supports multiple filters:
82
82
83
83
- Many email protocols that once relied on legacy authentication now support more secure modern authentication methods. If you see legacy email authentication protocols in this workbook, consider migrating to modern authentication for email instead. For more information, see [Deprecation of Basic authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online).
84
84
85
-
- Some clients can use both legacy authentication or modern authentication depending on client configuration. If you see “modern mobile/desktop client” or “browser” for a client in the Microsoft Entra logs, it's using modern authentication. If it has a specific client or protocol name, such as “Exchange ActiveSync”, it's using legacy authentication to connect to Microsoft Entra ID. The client types in Conditional Access, and the Microsoft Entra reporting page in the Microsoft Entra admin center demarcate modern authentication clients and legacy authentication clients for you, and only legacy authentication is captured in this workbook.
85
+
- Some clients can use both legacy authentication or modern authentication depending on client configuration. If you see “modern mobile/desktop client” or “browser” for a client in the Microsoft Entra logs, it's using modern authentication. If it has a specific client or protocol name, such as “Exchange ActiveSync,” it's using legacy authentication to connect to Microsoft Entra ID. The client types in Conditional Access, and the Microsoft Entra reporting page in the Microsoft Entra admin center demarcate modern authentication clients and legacy authentication clients for you, and only legacy authentication is captured in this workbook.
86
86
87
87
- To learn more about identity protection, see [What is identity protection](../identity-protection/overview-identity-protection.md).
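Review bot: On line 85, "can use both legacy authentication or modern authentication" pairs "both" with "or"; use "either ... or". The last sentence of that bullet also has a comma splitting its subject ("The client types in Conditional Access, and the Microsoft Entra reporting page ...") and runs on; consider ending it after "for you" and making "Only legacy authentication is captured in this workbook." its own sentence.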
articles/active-directory/reports-monitoring/workbook-mfa-gaps.md
+8 -8 (8 additions & 8 deletions)
@@ -17,8 +17,8 @@ ms.reviewer: sarbar
17
17
18
18
# Multifactor Authentication Gaps workbook
19
19
20
-
The Multifactor Authentication Gaps workbook helps with identifying user sign-ins and applications that are not protected by multifactor authentication (MFA) requirements. This workbook:
21
-
* Identifies user sign-ins not protected by multi-factor authentication requirements.
20
+
The Multifactor Authentication Gaps workbook helps with identifying user sign-ins and applications that aren't protected by multifactor authentication (MFA) requirements. This workbook:
21
+
* Identifies user sign-ins not protected by MFA requirements.
22
22
* Provides further drill down options using various pivots such as applications, operating systems, and location.
23
23
* Provides several filters such as trusted locations and device states to narrow down the users/applications.
24
24
* Provides filters to scope the workbook for a subset of users and applications.
@@ -40,7 +40,7 @@ The **MFA gaps** workbook is currently not available as a template, but you can
40
40

41
41
1. Copy the entire JSON file from the GitHub repository.
42
42
1. Return Advanced Editor window on the Azure portal and paste the JSON file over the exiting text.
43
-
1. Select the **Apply** button. The workbook will take a few moments to populate.
43
+
1. Select the **Apply** button. The workbook may take a few moments to populate.
44
44
1. Select the **Save As** button and provide the required information.
45
45
- Provide a **Title**, **Subscription**, **Resource Group** (you must have the ability to save a workbook for the selected Resource Group), and **Location**.
46
46
- Optionally choose to save your workbook content to an [Azure Storage Account](../../azure-monitor/visualize/workbooks-bring-your-own-storage.md).
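Review bot: The step on line 42, directly above the edited step, still reads "Return Advanced Editor window on the Azure portal and paste the JSON file over the exiting text": "to the" is missing after "Return" and "exiting" should be "existing". It sits in the same numbered procedure as the changed line, so fix it in this pass.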
@@ -53,15 +53,15 @@ The summary widget provides a detailed look at sign-ins related to multifactor a
53
53
54
54
***Number of users signing-in not protected by multi-factor authentication requirement by application:** This widget provides a time based bar-graph representation of the number of user sign-ins not protected by MFA requirement by applications.
55
55
***Percent of users signing-in not protected by multi-factor authentication requirement by application:** This widget provides a time based bar-graph representation of the percentage of user sign-ins not protected by MFA requirement by applications.
56
-
***Select an application and user to learn more:** This widget groups the top users signed in without MFA requirement by application. By selecting the application, it will list the user names and the count of sign-ins without MFA.
56
+
***Select an application and user to learn more:** This widget groups the top users signed in without MFA requirement by application. Select the application to see a list of the user names and the count of sign-ins without MFA.
57
57
58
58
### Sign-ins not protected by MFA requirement by users
59
59
***Sign-ins not protected by multi-factor auth requirement by user:** This widget shows top user and the count of sign-ins not protected by MFA requirement.
60
-
***Top users with high percentage of authentications not protected by multi-factor authentication requirements:** This widget shows users with top percentage of authentications that are not protected by MFA requirements.
60
+
***Top users with high percentage of authentications not protected by multi-factor authentication requirements:** This widget shows users with top percentage of authentications that aren't protected by MFA requirements.
61
61
62
62
### Sign-ins not protected by MFA requirement by Operating Systems
63
-
***Number of sign-ins not protected by multi-factor authentication requirement by operating system:** This widget provides time based bar graph of sign-in counts that are not protected by MFA by operating system of the devices.
64
-
***Percent of sign-ins not protected by multi-factor authentication requirement by operating system:** This widget provides time based bar graph of sign-in percentages that are not protected by MFA by operating system of the devices.
63
+
***Number of sign-ins not protected by multi-factor authentication requirement by operating system:** This widget provides time based bar graph of sign-in counts that aren't protected by MFA by operating system of the devices.
64
+
***Percent of sign-ins not protected by multi-factor authentication requirement by operating system:** This widget provides time based bar graph of sign-in percentages that aren't protected by MFA by operating system of the devices.
65
65
66
66
### Sign-ins not protected by MFA requirement by locations
67
-
***Number of sign-ins not protected by multi-factor authentication requirement by location:** This widget shows the sign-ins counts that are not protected by MFA requirement in map bubble chart on the world map.
67
+
***Number of sign-ins not protected by multi-factor authentication requirement by location:** This widget shows the sign-ins counts that aren't protected by MFA requirement in map bubble chart on the world map.
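Review bot: Terminology is inconsistent across the widget descriptions in this hunk: the bold labels keep "multi-factor authentication" (and "multi-factor auth" on line 59) while the page title and introduction now use "Multifactor Authentication" and MFA. If the labels are meant to match the widget titles in the workbook exactly, leave them and say so in the commit message; otherwise normalize them here. "time based bar graph" on lines 63 and 64 also needs a hyphen and an article ("a time-based bar graph").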
articles/active-directory/reports-monitoring/workbook-risk-analysis.md
+2 -2 (2 additions & 2 deletions)
@@ -67,9 +67,9 @@ Risky Users:
67
67
68
68
## Best practices
69
69
70
-
-**[Enable risky sign-in policies](../identity-protection/concept-identity-protection-policies.md#sign-in-risk-based-conditional-access-policy)** - To prompt for multi-factor authentication (MFA) on medium risk or above. Enabling the policy reduces the proportion of active real-time risk detections by allowing legitimate users to self-remediate the risk detections with MFA.
70
+
-**[Enable risky sign-in policies](../identity-protection/concept-identity-protection-policies.md#sign-in-risk-based-conditional-access-policy)** - To prompt for multifactor authentication (MFA) on medium risk or higher. Enabling the policy reduces the proportion of active real-time risk detections by allowing legitimate users to self-remediate the risk detections with MFA.
71
71
72
-
-**[Enable a risky user policy](../identity-protection/howto-identity-protection-configure-risk-policies.md#user-risk-policy-in-conditional-access)** - To enable users to securely remediate their accounts when they're high risk. Enabling the policy reduces the number of active at-risk users in your organization by returning the user’s credentials to a safe state.
72
+
-**[Enable a risky user policy](../identity-protection/howto-identity-protection-configure-risk-policies.md#user-risk-policy-in-conditional-access)** - To enable users to securely remediate their accounts when they're considered high risk. Enabling the policy reduces the number of active at-risk users in your organization by returning the user’s credentials to a safe state.
73
73
74
74
- To learn more about identity protection, see [What is identity protection](../identity-protection/overview-identity-protection.md).
articles/active-directory/reports-monitoring/workbook-sensitive-operations-report.md
+3 -3 (3 additions & 3 deletions)
@@ -29,7 +29,7 @@ This article provides you with an overview of the **Sensitive Operations Report*
29
29
30
30
This workbook identifies recent sensitive operations that have been performed in your tenant and which may service principal compromise.
31
31
32
-
If your organization is new to Azure monitor workbooks, you need to integrate your Microsoft Entra sign-in and audit logs with Azure Monitor before accessing the workbook. This integration allows you to store, and query, and visualize your logs using workbooks for up to two years. Only sign-in and audit events created after Azure Monitor integration will be stored, so the workbook won't contain insights prior to that date. Learn more about the prerequisites to Azure Monitor workbooks for Microsoft Entra ID. If you've previously integrated your Microsoft Entra sign-in and audit logs with Azure Monitor, you can use the workbook to assess past information.
32
+
If your organization is new to Azure monitor workbooks, you need to integrate your Microsoft Entra sign-in and audit logs with Azure Monitor before accessing the workbook. This integration allows you to store, and query, and visualize your logs using workbooks for up to two years. Only sign-in and audit events created after Azure Monitor integration are stored, so the workbook won't contain insights prior to that date. Learn more about the prerequisites to Azure Monitor workbooks for Microsoft Entra ID. If you've previously integrated your Microsoft Entra sign-in and audit logs with Azure Monitor, you can use the workbook to assess past information.
33
33
34
34
## How to access the workbook
35
35
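Review bot: Line 30 in the unchanged context is missing its verb: "which may service principal compromise" presumably should read "which may indicate service principal compromise". In the edited line 32, "store, and query, and visualize" has an extra "and", and "Azure monitor workbooks" should be capitalized as "Azure Monitor" to match the rest of the paragraph.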
@@ -66,7 +66,7 @@ This section includes the following data to help you detect:
66
66
67
67
In cases where the attacker can't find a service principal or an application with a high privilege set of permissions through which to gain access, they'll often attempt to add the permissions to another service principal or app.
68
68
69
-
This section includes a breakdown of the AppOnly permissions grants to existing service principals. Admins should investigate any instances of excessive high permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph and Azure AD Graph.
69
+
This section includes a breakdown of the AppOnly permissions grants to existing service principals. Admins should investigate any instances of excessive high permissions being granted, including, but not limited to, Exchange Online, and Microsoft Graph.
70
70
71
71
### Directory role and group membership updates for service principals
72
72
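Review bot: Dropping "Azure AD Graph" from line 69 changes the investigation guidance rather than the wording, and nothing in the change explains it; confirm it is intended, since this list tells admins which high-privilege grants to look at. The remaining text "Exchange Online, and Microsoft Graph" also has a leftover comma before "and" in what is now a two-item list.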
@@ -119,7 +119,7 @@ This paragraph lists the supported filters for each section.
119
119
120
120
## Best practices
121
121
122
-
-**USe modified application and service principal credentials** to look out for credentials being added to service principals that aren't frequently used in your organization. Use the filters present in this section to further investigate any of the suspicious actors or service principals that were modified.
122
+
-* Use modified application and service principal credentials** to look out for credentials being added to service principals that aren't frequently used in your organization. Use the filters present in this section to further investigate any of the suspicious actors or service principals that were modified.
123
123
124
124
-**Use new permissions granted to service principals** to look out for broad or excessive permissions being added to service principals by actors that may be compromised.
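Review bot: The replacement line 122 breaks the bold markup: it opens with "-* Use modified ..." but still closes with "**", so the emphasis is unbalanced and the bullet will not render like the one on line 124. It should read "- **Use modified application and service principal credentials**", which also fixes the "USe" typo the change was aiming at.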