Merge pull request #226148 from MicrosoftDocs/main

2/02 PM Publish

Author: huypub

.openpublishing.redirection.json

@@ -22661,6 +22661,11 @@
             "redirect_URL": "/azure/route-server/tutorial-protect-route-server-ddos",
             "redirect_document_id": false
         },
+        {
+            "source_path": "articles/external-attack-surface-management/data-connections-overview.md",
+            "redirect_URL": "/azure/external-attack-surface-management/index",
+            "redirect_document_id": true
+        },
         {
             "source_path": "articles/virtual-network/nat-gateway/tutorial-protect-nat-gateway.md",
             "redirect_URL": "/azure/virtual-network/nat-gateway/tutorial-protect-nat-gateway-ddos",

articles/active-directory/authentication/certificate-based-authentication-faq.yml

@@ -123,7 +123,7 @@ sections:
           How can I use single-factor certificates to complete MFA?
         answer: |
           We have support for single factor CBA to get MFA. CBA SF + PSI (passwordless phone sign in) and CBA SF + FIDO2 are the two supported combinations to get MFA using single factor certificates.
-          [MFA with single factor certificates](../authentication/concept-certificate-based-authentication-technical-deep-dive.md#single-factor-certificate-based-authentication) 
+          [MFA with single factor certificates](../authentication/concept-certificate-based-authentication-technical-deep-dive.md#mfa-authentication-flow-using-single-factor-certificates-and-passwordless-sign-in) 
           
       - question: |
           Will the changes to the Authentication methods policy take effect immediately?

articles/active-directory/authentication/concept-certificate-based-authentication-migration.md

@@ -39,6 +39,9 @@ To configure Staged Rollout, follow these steps:
 
 For more information, see [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md).
 
+>[!NOTE]
+> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Azure AD. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail.
+
 ## Use Azure AD connect to update certificateUserIds attribute
 
 An AD FS admin can use **Synchronization Rules Editor** to create rules to sync the values of attributes from AD FS to Azure AD user objects. For more information, see [Sync rules for certificateUserIds](concept-certificate-based-authentication-certificateuserids.md#update-certificate-user-ids-using-azure-ad-connect).

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -74,7 +74,10 @@ Now we'll walk through each step:
 
 ## MFA with Single-factor certificate-based authentication
 
-Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates. Users can use either passwordless sign-in or FIDO2 security keys as second factors when the first factor is single-factor CBA. Users need to register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
+Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates. Users can use either passwordless sign-in or FIDO2 security keys as second factors when the first factor is single-factor CBA. Users need to have another way to get MFA and register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
+
+>[!IMPORTANT]
+>A user will be considered MFA capable when a user is in scope for Certificate-based authentication auth method. This means user will not be able to use proof up as part of their authentication to registerd other available methods. More info on [Azure AD MFA](../authentication/concept-mfa-howitworks.md)
 
 **Steps to set up passwordless phone signin(PSI) with CBA**
 

articles/active-directory/develop/console-quickstart-portal-nodejs.md

@@ -25,8 +25,7 @@ ms.custom: mode-api
 
 > [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
 > # Quickstart: Acquire a token and call Microsoft Graph API from a Node.js console app using app's identity
->
-> [!div renderon="portal" class="sxs-lookup"]
+> 
 > In this quickstart, you download and run a code sample that demonstrates how a Node.js console application can get an access token using the app's identity to call the Microsoft Graph API and display a [list of users](/graph/api/user-list) in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity.
 > 
 > This quickstart uses the [Microsoft Authentication Library for Node.js (MSAL Node)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) with the [client credentials grant](v2-oauth2-client-creds-grant-flow.md).

articles/active-directory/develop/daemon-quickstart-portal-python.md

@@ -25,8 +25,8 @@ ms.custom: aaddev, identityplatformtop40, devx-track-python, "scenarios:getting-
 > We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
 
 > [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Acquire a token and call Microsoft Graph API from a Python console app using app's identity
 > 
-> [!div renderon="portal" class="sxs-lookup"]
 > In this quickstart, you download and run a code sample that demonstrates how a Python application can get an access token using the app's identity to call the Microsoft Graph API and display a [list of users](/graph/api/user-list) in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity. 
 > 
 > ## Prerequisites

articles/active-directory/develop/web-app-quickstart-portal-java.md

@@ -22,7 +22,7 @@ ms.custom: aaddev, "scenarios:getting-started", "languages:Java", devx-track-jav
 > 
 > We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
 
-> > [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
 > # Quickstart: Add sign-in with Microsoft to a Java web app
 >
 > In this quickstart, you download and run a code sample that demonstrates how a Java web application can sign in users and call the Microsoft Graph API. Users from any Azure Active Directory (Azure AD) organization can sign in to the application.
@@ -187,4 +187,4 @@ ms.custom: aaddev, "scenarios:getting-started", "languages:Java", devx-track-jav
 > For a more in-depth discussion of building web apps that sign in users on the Microsoft identity platform, see the multipart scenario series:
 > 
 > > [!div class="nextstepaction"]
-> > [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md?tabs=java)
+> > [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md?tabs=java)