Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into ultBUp

Author: roygara

articles/active-directory/authentication/TOC.yml

@@ -15,7 +15,7 @@
     href: tutorial-enable-sspr-writeback.md
   - name: Configure custom banned password lists
     href: tutorial-configure-custom-password-protection.md
-  - name: Integrate Azure Identity Protection
+  - name: Enable risk-based sign-in protection
     href: tutorial-risk-based-sspr-mfa.md
 - name: Concepts
   expanded: true

articles/active-directory/authentication/media/tutorial-risk-based-sspr-mfa/enable-mfa-registration.png

@@ -1,90 +1,135 @@
 ---
-title: Risk-based MFA and SSPR with Azure Identity Protection
-description: In this tutorial, you will enable Azure Identity Protection integrations, for Multi-Factor Authentication and self-service password reset, to reduce risky behavior.
+title: Risk-based user sign-in protection in Azure Active Directory
+description: In this tutorial, you learn how to enable Azure Identity Protection to protect users when risky sign-in behavior is detected on their account.
 
-services: multi-factor-authentication
+services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: tutorial
-ms.date: 01/31/2018
+ms.date: 05/11/2020
 
 ms.author: iainfou
 author: iainfoulds
 manager: daveba
-ms.reviewer: sahenry
 
-# Customer intent: How, as an Azure AD Administrator, do I utilize Azure AD Identity Protection to better protect the sign-in process.
+# Customer intent: As an Azure AD Administrator, I want to learn how to use Azure Identity Protection to protect users by automatically detecting risk sign-in behavior and prompting for additional forms of authentication or request a password change.
 ms.collection: M365-identity-device-management
 ---
-# Tutorial: Use risk detections to trigger Multi-Factor Authentication and password changes
+# Tutorial: Use risk detections for user sign-ins to trigger Azure Multi-Factor Authentication or password changes
 
-In this tutorial, you will enable features of Azure Active Directory (Azure AD) Identity Protection, an Azure AD Premium P2 feature that is more than just a monitoring and reporting tool. To protect your organization's identities, you can configure risk-based policies that automatically respond to risky behaviors. These policies, can either automatically block or initiate remediation, including requiring password changes and enforcing Multi-Factor Authentication.
+To protect your users, you can configure risk-based policies in Azure Active Directory (Azure AD) that automatically respond to risky behaviors. Azure AD Identity Protection policies can automatically block a sign-in attempt or require additional action, such as require a password change or prompt for Azure Multi-Factor Authentication. These policies work with existing Azure AD Conditional Access policies as an extra layer of protection for org organization. Users may never trigger a risky behavior in one of these policies, but your organization is protected if an attempt to compromise your security is made.
 
-Azure AD Identity Protection policies can be used in addition to existing Conditional Access policies as an extra layer of protection. Your users may never trigger a risky behavior requiring one of these policies, but as an administrator you know they are protected.
-
-Some items that may trigger a risk detection include:
-
-* Users with leaked credentials
-* Sign-ins from anonymous IP addresses
-* Impossible travel to atypical locations
-* Sign-ins from infected devices
-* Sign-ins from IP addresses with suspicious activity
-* Sign-ins from unfamiliar locations
-
-More information about Azure AD Identity Protection can be found in the article [What is Azure AD Identity Protection](../active-directory-identityprotection.md)
+In this tutorial, you learn how to:
 
 > [!div class="checklist"]
-> * Enable Azure MFA registration
+> * Understand the available policies for Azure AD Identity Protection
+> * Enable Azure Multi-Factor Authentication registration
 > * Enable risk-based password changes
 > * Enable risk-based Multi-Factor Authentication
+> * Test risk-based policies for user sign-in attempts
 
 ## Prerequisites
 
-* Access to a working Azure AD tenant with at least a trial Azure AD Premium P2 license assigned.
-* An account with Global Administrator privileges in your Azure AD tenant.
-* Have completed the previous self-service password reset (SSPR) and Multi-Factor Authentication (MFA) tutorials.
+To complete this tutorial, you need the following resources and privileges:
+
+* A working Azure AD tenant with at least an Azure AD Premium P2 trial license enabled.
+    * If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* An account with *Global Administrator* privileges.
+* Azure AD configured for self-service password reset and Azure Multi-Factor Authentication
+    * If needed, [complete the tutorial to enable Azure AD SSPR](tutorial-enable-sspr.md).
+    * If needed, [complete the tutorial to enable Azure Multi-Factor Authentication](tutorial-enable-azure-mfa.md).
+
+## Overview of Azure AD Identity Protection
+
+Each day, Microsoft collects and analyses trillions of anonymized signals as part of user sign-in attempts. These signals help build patterns of good user sign-in behavior, and identify potential risky sign-in attempts. Azure AD Identity Protection can review user sign-in attempts and take additional action if there's suspicious behavior:
+
+Some of the following actions may trigger Azure AD Identity Protection risk detection:
+
+* Users with leaked credentials.
+* Sign-ins from anonymous IP addresses.
+* Impossible travel to atypical locations.
+* Sign-ins from infected devices.
+* Sign-ins from IP addresses with suspicious activity.
+* Sign-ins from unfamiliar locations.
+
+The following three policies are available in Azure AD Identity Protection to protect users and respond to suspicious activity. You can choose to turn the policy enforcement on or off, select users or groups for the policy to apply to, and decide if you want to block access at sign-in or prompt for additional action.
+
+* User risk policy
+    * Identifies and responds to user accounts that may have compromised credentials. Can prompt the user to create a new password.
+* Sign in risk policy
+    * Identifies and responds to suspicious sign-in attempts. Can prompt the user to provide additional forms of verification using Azure Multi-Factor Authentication.
+* MFA registration policy
+    * Makes sure users are registered for Azure Multi-Factor Authentication. If a sign-in risk policy prompts for MFA, the user must already be registered for Azure Multi-Factor Authentication.
+
+When you enable a policy user or sign in risk policy, you can also choose the threshold for risk level - *low and above*, *medium and above*, or *high*. This flexibility lets you decide how aggressive you want to be in enforcing any controls for suspicious sign-in events.
+
+For more information about Azure AD Identity Protection, see [What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)
+
+## Enable MFA registration policy
 
-## Enable risk-based policies for SSPR and MFA
+Azure AD Identity Protection includes a default policy that can help get users registered for Azure Multi-Factor Authentication. If you use additional policies to protect sign-in events, you would need users to have already registered for MFA. When you enable this policy, it doesn't require users to perform MFA at each sign-in event. The policy only checks the registration status for a user and asks them to pre-register if needed.
 
-Enabling the risk-based policies is a straightforward process. The steps below will guide you through a sample configuration.
+It's recommended to enable the MFA registration policy for users that are to be enabled for additional Azure AD Identity Protection policies. To enable this policy, complete the following steps:
 
-### Enable users to register for Multi-Factor Authentication
+1. Sign in to the [Azure portal](https://portal.azure.com) using a global administrator account.
+1. Search for and select **Azure Active Directory**, select **Security**, then under the *Protect* menu heading choose **Identity Protection**.
+1. Select the **MFA registration policy** from the menu on the left-hand side.
+1. By default, the policy applies to *All users*. If desired, select **Assignments**, then choose the users or groups to apply the policy on.
+1. Under *Controls*, select **Access**. Make sure the option for *Require Azure MFA registration* is checked, then choose **Select**.
+1. Set **Enforce Policy** to *On*, then select **Save**.
 
-Azure AD Identity Protection includes a default policy that can help you to get your users registered for Multi-Factor Authentication and easily identify the current registration status. Enabling this policy does not start requiring users to perform Multi-Factor Authentication, but will ask them to pre-register.
+    ![Screenshot of how to require users to register for MFA in the Azure portal](./media/tutorial-risk-based-sspr-mfa/enable-mfa-registration.png)
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Click on **All services**, then browse to **Azure AD Identity Protection**.
-1. Click on **MFA registration**.
-1. Set Enforce Policy to **On**.
-   1. Setting this policy will require all of your users to register methods to prepare to use by Multi-Factor Authentication.
-1. Click **Save**.
+## Enable user risk policy for password change
 
-   ![Require users to register for MFA at sign-in](./media/tutorial-risk-based-sspr-mfa/risk-based-require-mfa-registration.png)
+Microsoft works with researchers, law enforcement, various security teams at Microsoft, and other trusted sources to find username and password pairs. When one of these pairs matches an account in your environment, a risk-based password change can be requested. This policy and action requires the user update their password before they can sign in to make sure any previously exposed credentials no longer work.
 
-### Enable risk-based password changes
+To enable this policy, complete the following steps:
 
-Microsoft works with researchers, law enforcement, various security teams at Microsoft, and other trusted sources to find username and password pairs. When one of these pairs matches an account in your environment, a risk-based password change can be triggered using the following policy.
+1. Select the **User risk policy** from the menu on the left-hand side.
+1. By default, the policy applies to *All users*. If desired, select **Assignments**, then choose the users or groups to apply the policy on.
+1. Under *Conditions*, choose  **Select conditions > Select a risk level**, then choose *Medium and above*.
+1. Choose **Select**, then **Done**.
+1. Under *Access*, select **Access**. Make sure the option for **Allow access** and *Require password change* is checked, then choose **Select**.
+1. Set **Enforce Policy** to *On*, then select **Save**.
 
-1. Click on User risk policy.
-1. Under **Conditions**, select **User risk**, then choose **Medium and above**.
-1. Click "Select" then "Done"
-1. Under **Access**, choose **Allow access**, and then select **Require password change**.
-1. Click "Select"
-1. Set Enforce Policy to **On**.
-1. Click **Save**
+    ![Screenshot of how to enable the user risk policy in the Azure portal](./media/tutorial-risk-based-sspr-mfa/enable-user-risk-policy.png)
 
-### Enable risk-based Multi-Factor Authentication
+## Enable sign-in risk policy for MFA
 
-Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform a Multi-Factor Authentication to prove that they are really who they say they are. To enable a policy requiring MFA when a risky sign-in is detected, enable the following policy.
+Most users have a normal behavior that can be tracked. When they fall outside of this norm, it could be risky to allow them to successfully sign in. Instead, you may want to block that user, or ask them to perform a multi-factor authentication. If the user successfully completes the MFA challenge, you can consider it a valid sign-in attempt and grant access to the application or service.
 
-1. Click on Sign-in risk policy
-1. Under **Conditions**, select **User risk**, then choose **Medium and above**.
-1. Click "Select" then "Done"
-1. Under **Access**, choose **Allow access**, and then select **Require multi-factor authentication**.
-1. Click "Select"
-1. Set Enforce Policy to **On**.
-1. Click **Save**
+To enable this policy, complete the following steps:
+
+1. Select the **Sign-in risk policy** from the menu on the left-hand side.
+1. By default, the policy applies to *All users*. If desired, select **Assignments**, then choose the users or groups to apply the policy on.
+1. Under *Conditions*, choose  **Select conditions > Select a risk level**, then choose *Medium and above*.
+1. Choose **Select**, then **Done**.
+1. Under *Access*, choose **Select a control**. Make sure the option for **Allow access** and *Require multi-factor authentication* is checked, then choose **Select**.
+1. Set **Enforce Policy** to *On*, then select **Save**.
+
+    ![Screenshot of how to enable the sign-in risk policy in the Azure portal](./media/tutorial-risk-based-sspr-mfa/enable-sign-in-risk-policy.png)
+
+## Test risky sign events
+
+Most user sign-in events won't trigger the risk-based policies configured in the previous steps. A user may never see a prompt for additional MFA or to reset their password. If their credentials remain secure and their behavior consistent, their sign-in events would be successful.
+
+To test the Azure AD Identity Protection policies created in the previous steps, you need a way to simulate risky behavior or potential attacks. The steps to do these tests vary based on the Azure AD Identity Protection policy you want to validate. For more information on scenarios and steps, see [Simulate risk detections in Azure AD Identity Protection](../identity-protection/howto-identity-protection-simulate-risk.md).
 
 ## Clean up resources
 
-If you have completed testing and no longer want to have the risk-based policies enabled, return to each policy you want to disable, and set **Enforce Policy** to **Off**.
+If you have completed tests and no longer want to have the risk-based policies enabled, return to each policy you want to disable and set **Enforce Policy** to *Off*.
+
+## Next steps
+
+In this tutorial, you enabled risk-based user policies for Azure AD Identity Protection. You learned how to:
+
+> [!div class="checklist"]
+> * Understand the available policies for Azure AD Identity Protection
+> * Enable Azure Multi-Factor Authentication registration
+> * Enable risk-based password changes
+> * Enable risk-based Multi-Factor Authentication
+> * Test risk-based policies for user sign-in attempts
+
+> [!div class="nextstepaction"]
+> [Learn more about Azure AD Identity Protection](../identity-protection/overview-identity-protection.md)

articles/active-directory/authentication/media/tutorial-risk-based-sspr-mfa/enable-sign-in-risk-policy.png

@@ -315,6 +315,8 @@
       href: search-security-overview.md
     - name: Create a private endpoint
       href: service-create-private-endpoint.md
+    - name: Configure an IP firewall
+      href: service-configure-firewall.md
     - name: Service key management
       href: search-security-api-keys.md
     - name: Role-based admin access

articles/active-directory/authentication/media/tutorial-risk-based-sspr-mfa/enable-user-risk-policy.png

@@ -0,0 +1,58 @@
+---
+title: Configure an IP firewall for your Azure Cognitive Search service
+titleSuffix: Azure Cognitive Search
+description: Configure IP control policies to restrict access to your Azure Cognitive Search service.
+
+manager: nitinme
+author: mrcarter8
+ms.author: mcarter
+ms.service: cognitive-search
+ms.topic: conceptual
+ms.date: 05/11/2020
+---
+
+# Configure IP firewall for Azure Cognitive Search
+
+Azure Cognitive Search supports IP rules for inbound firewall support. This model provides an additional layer of security for your search service similar to the IP rules you'll find in an Azure virtual network security group. With these IP rules, you can configure your search service to be accessible only from an approved set of machines and/or cloud services. Access to data stored in your search service from these approved sets of machines and services will still require the caller to present a valid authorization token.
+
+> [!Important]
+> IP rules on your Azure Cognitive Search service can be configured using the Azure portal or the [Management REST API version 2020-03-13](https://docs.microsoft.com/rest/api/searchmanagement/).
+
+## <a id="configure-ip-policy"></a> Configure an IP firewall using the Azure portal
+
+To set the IP access control policy in the Azure portal, go to your Azure Cognitive Search service page and select **Networking** on the navigation menu. Endpoint networking connectivity must be **Public**. If your connectivity is set to **Private**, you can only access your search service via a Private Endpoint.
+
+![Screenshot showing how to configure the IP firewall in the Azure portal](./media/service-configure-firewall/azure-portal-firewall.png)
+
+The Azure portal provides the ability to specify IP addresses and IP address ranges in the CIDR format. An example of CIDR notation is 8.8.8.0/24, which represents the IPs that range from 8.8.8.0 to 8.8.8.255.
+
+> [!NOTE]
+> After you enable the IP access control policy for your Azure Cognitive Search service, all requests to the data plane from machines outside the allowed list of IP address ranges are rejected. When IP rules are configured, some features of the Azure portal are disabled. You'll be able to view and manage service level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.
+
+### Requests from your current IP
+
+To simplify development, the Azure portal helps you identify and add the IP of your client machine to the allowed list. Apps running on your machine can then access your Azure Cognitive Search service.
+
+The portal automatically detects your client IP address. It might be the client IP address of your machine or network gateway. Make sure to remove this IP address before you take your workload to production.
+
+To add your current IP to the list of IPs, check **Add your client IP address**. Then select **Save**.
+
+![Screenshot showing a how to configure IP firewall settings to allow the current IP](./media/service-configure-firewall/enable-current-ip.png)
+
+## <a id="troubleshoot-ip-firewall"></a>Troubleshoot issues with an IP access control policy
+
+You can troubleshoot issues with an IP access control policy by using the following options:
+
+### Azure portal
+
+Enabling an IP access control policy for your Azure Cognitive Search service blocks all requests from machines outside the allowed list of IP address ranges, including the Azure portal.  You'll be able to view and manage service level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons. 
+
+### SDKs
+
+When you access Azure Cognitive Search service using the SDK from machines that are not in the allowed list, a generic **403 Forbidden** response is returned with no additional details. Verify the allowed IP list for your account, and make sure that the correct configuration updated for your search service.
+
+## Next steps
+
+For more information on accessing your search service via Private Link, see the following article:
+
+* [Create a Private Endpoint for a secure connection to Azure Cognitive Search](service-create-private-endpoint.md)