Commit 526b265

Merge pull request #176384 from MicrosoftDocs/master
10/19 AM Publish
2 parents 9288967 + 9b4e878 commit 526b265

File tree

67 files changed

+1633
-531
lines changed

articles/active-directory/authentication/TOC.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -58,6 +58,8 @@
5858
href: /office365/admin/security-and-compliance/set-up-multi-factor-authentication
5959
- name: FAQ
6060
href: multi-factor-authentication-faq.yml
61+
- name: Operator assistance
62+
href: concept-authentication-operator-assistance.md
6163
- name: Password protection
6264
items:
6365
- name: Combined password policy check
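Review bot: the new TOC entry (lines 61-62) is titled "Operator assistance", but the article it links to uses the H1 "How to enable and disable operator assistance" and the metadata title "Operator assistance in Azure Active Directory". Pick one title and use it in both places so readers land on a page named the way the TOC labelled it.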
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
---
2+
title: Operator assistance in Azure Active Directory
3+
description: Learn about deprecation of operator assistance feature in Azure Active Directory
4+
5+
services: active-directory
6+
ms.service: active-directory
7+
ms.subservice: authentication
8+
ms.topic: conceptual
9+
ms.date: 10/19/2021
10+
11+
ms.author: justinha
12+
author: justinha
13+
manager: daveba
14+
ms.reviewer: ripull
15+
16+
ms.collection: M365-identity-device-management
17+
---
18+
# How to enable and disable operator assistance
19+
20+
Operator assistance is a feature within Azure AD that allows an operator to manually transfer phone calls instead of automatic transfer. When this setting is enabled, the office phone number is dialed and when answered, the system asks the operator to transfer the call to a given extension.
21+
22+
Operator assistance can be enabled for an entire tenant or for an individual user. If the setting is **On**, the entire tenant is enabled for operator assistance. If you choose **Phone call** as the default method and have an extension specified as part of your office phone number (delineated by **x**), an operator can manually transfer the phone call.
23+
24+
For example, let's say a customer in U.S has an office phone number 425-555-1234x5678. When operator assistance is enabled, the system will dial 425-555-1234. Once answered, the customer (also known as the operator) is asked to transfer the call to extension 5678. Once transferred and answered, the system recites the normal MFA prompt and awaits approval.
25+
26+
If the setting is **Off**, the system will automatically dial extensions as part of the phone number. Your admin can still specify individual users who should be enabled for operator assistance by prefixing the extension with ‘@’. For example, 425-555-1234x@5678 would indicate that operator assistance should be used, even though the setting is **Off**.
27+
28+
You can check the status of this feature in your own tenant by navigating to the [Azure AD portal](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade), then in the left pane, click **Security** > **MFA** > **Phone call settings**. Check **Operator required to transfer extensions** to see if the setting is **On** or **Off**.
29+
30+
![Screenshot of operator assistance settings](./media/concept-authentication-operator-assistance/settings.png)
31+
32+
You can improve the reliability, security, and create a frictionless MFA experience by using the following guidance:
33+
34+
- You have [registered a direct phone number](https://aka.ms/mfasetup) (contains no extension) or [other method](concept-authentication-methods.md) to be used for Multi-Factor Authentication or self-service password reset if enabled.
35+
- Your admins have registered a direct phone number (contains no extension) on behalf of the user to be used for [Multi-Factor Authentication](howto-mfa-userdevicesettings.md#add-authentication-methods-for-a-user) or [self-service password reset](tutorial-enable-sspr.md) if enabled.
36+
- Phone system supports automated attendant functionality.
37+
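Review bot: the description (line 3) promises an article about the deprecation of operator assistance, and the H1 (line 18) promises how to enable and disable it, but the body never mentions a deprecation and only explains how to check whether the setting is **On** or **Off** (line 28). Either add the deprecation timeline and the steps that change the setting, or reword the description and heading to match what the page actually covers. The bullets under "the following guidance" (lines 34-36) read as conditions rather than recommendations; rewriting them as imperatives ("Register a direct phone number (no extension) ...") would match the lead-in, and the reason the guidance matters (lines 20 and 24 show a human operator handling the call before the MFA prompt is played) could be stated in one sentence. Minor: "U.S" on line 24 should be "U.S.", and "improve the reliability, security, and create" on line 32 needs rewording ("improve reliability and security, and create ...").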

articles/active-directory/cloud-sync/how-to-prerequisites.md

Lines changed: 3 additions & 2 deletions
@@ -7,7 +7,7 @@ manager: daveba
77
ms.service: active-directory
88
ms.workload: identity
99
ms.topic: how-to
10-
ms.date: 03/17/2021
10+
ms.date: 10/18/2021
1111
ms.subservice: hybrid
1212
ms.author: billmath
1313
ms.collection: M365-identity-device-management
@@ -21,7 +21,8 @@ You need the following to use Azure AD Connect cloud sync:
2121

2222
- Domain Administrator or Enterprise Administrator credentials to create the Azure AD Connect Cloud Sync gMSA (group Managed Service Account) to run the agent service.
2323
- A hybrid identity administrator account for your Azure AD tenant that is not a guest user.
24-
- An on-premises server for the provisioning agent with Windows 2016 or later. This server should be a tier 0 server based on the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material).
24+
- An on-premises server for the provisioning agent with Windows 2016 or later. This server should be a tier 0 server based on the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material). Installing the agent on a domain controller is supported.
25+
- High availability refers to the Azure AD Connect cloud sync's ability to operate continuously without failure for a long time. By having multiple active agents installed and running, Azure AD Connect cloud sync can continue to function even if one agent should fail. Microsoft recommends having 3 active agents installed for high availability.
2526
- On-premises firewall configurations.
2627

2728
## Group Managed Service Accounts
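Review bot: the new high-availability bullet (line 25) speaks of "multiple active agents" and recommends "3 active agents", which contradicts the FAQ answer added in this same commit ("No. Only one agent is ever active."). Reword so that the two agree, for example "Install at least 3 agents so that cloud sync can fail over if the active agent becomes unavailable; only one agent is active at a time." The bullet is also an explanation rather than a requirement, so in a list introduced with "You need the following" it fits better as a short note after the list or in the high-availability section.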

articles/active-directory/cloud-sync/reference-cloud-sync-faq.yml

Lines changed: 5 additions & 1 deletion
@@ -8,7 +8,7 @@ metadata:
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: reference
11-
ms.date: 09/10/2021
11+
ms.date: 10/18/2021
1212
ms.subservice: hybrid
1313
ms.author: billmath
1414
ms.collection: M365-identity-device-management
@@ -114,6 +114,10 @@ sections:
114114
Does Azure AD Connect cloud sync support large groups?
115115
answer: |
116116
Yes. Today we support up to 50K group members synchronized using the OU scope filtering.
117+
- question: |
118+
Does the cloud provisioning agent load balance if I have multiple agents installed?
119+
answer: |
120+
No. Only one agent is ever active.
117121
additionalContent: |
118122
119123
## Next steps
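Review bot: the answer "No. Only one agent is ever active." (line 120) needs to be reconciled with how-to-prerequisites.md line 25 in this commit, which describes "multiple active agents" for high availability. Suggest: "No. Agents don't load balance; only one agent is active at a time, and the other installed agents take over if it fails."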

articles/active-directory/fundamentals/protect-m365-from-on-premises-attacks.md

Lines changed: 1 addition & 1 deletion
@@ -371,7 +371,7 @@ Define a log storage and retention strategy, design, and implementation to facil
371371

372372
* Risk events
373373

374-
Azure AD provides [Azure Monitor integration](../reports-monitoring/concept-activity-logs-azure-monitor.md) for the sign-in activity log and audit logs. Risk events can be ingested through the [Microsoft Graph API](/graph/api/resources/identityriskevent). You can [stream Azure AD logs to Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
374+
Azure AD provides [Azure Monitor integration](../reports-monitoring/concept-activity-logs-azure-monitor.md) for the sign-in activity log and audit logs. Risk events can be ingested through the [Microsoft Graph API](/graph/api/resources/identityprotection-root). You can [stream Azure AD logs to Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
375375

376376
* **Hybrid infrastructure OS security logs**: All hybrid identity infrastructure OS logs should be archived and carefully monitored as a tier-0 system, because of the surface-area implications. Include the following elements:
377377

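Review bot: the link target on line 374 changes from the identityriskevent resource page to identityprotection-root while the link text stays the generic "Microsoft Graph API"; consider "Microsoft Graph Identity Protection APIs" so the text reflects where the link now lands.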
articles/active-directory/fundamentals/security-operations-privileged-accounts.md

Lines changed: 3 additions & 2 deletions
@@ -138,7 +138,8 @@ You can monitor privileged account sign-in events in the Azure AD Sign-in logs.
138138
| Discover privileged accounts not registered for MFA. | High | Azure AD Graph API| Query for IsMFARegistered eq false for administrator accounts. [List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&preserve-view=true&tabs=http) | Audit and investigate to determine if intentional or an oversight. |
139139
| Account lockout | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |
140140
| Account disabled/blocked for sign-ins | Low | Azure AD Sign-ins log | Status = Failure<br>-and-<br>Target = user UPN<br>-and-<br>error code = 50057 | This could indicate someone is trying to gain access to an account once they have left an organization. Although the account is blocked, it's still important to log and alert on this activity. |
141-
| MFA fraud alert/block | High | Azure AD Sign-ins log/Azure Log Anaylitics | Succeeded = false<br>-and-<br>Result detail = MFA denied<br>-and-<br>Target = user | Privileged user has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. |
141+
| MFA fraud alert/block | High | Azure AD Sign-ins log/Azure Log Anaylitics | Sign-ins>Authentication details Result details = MFA denied, Fraud Code Entered | Privileged user has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. |
142+
| MFA fraud alert/block | High | Azure AD Audit Log log/Azure Log Anaylitics | Activity Type = Fraud Reported - user is blocked for MFA or Fraud reported - no action taken (based on tenant level settings for fraud report) | Privileged user has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. |
142143
| Privileged account sign-ins outside of expected controls. | | Azure AD Sign-ins log | Status = failure<br>UserPricipalName = \<Admin account\><br>Location = \<unapproved location\><br>IP Address = \<unapproved IP\><br>Device Info= \<unapproved Browser, Operating System\> | Monitor and alert on any entries that you have defined as unapproved. |
143144
| Outside of normal sign in times | High | Azure AD Sign-ins log | Status =success<br>-and-<br>Location =<br>-and-<br>Time = outside of working hours | Monitor and alert if sign-ins occur outside of expected times. It is important to find the normal working pattern for each privileged account and to alert if there are unplanned changes outside of normal working times. Sign-ins outside of normal working hours could indicate compromise or possible insider threats. |
144145
| Identity protection risk | High | Identity Protection logs | Risk state = at risk<br>-and-<br>Risk level = low/medium/high<br>-and-<br>Activity = Unfamiliar sign-in/TOR, etc. | This indicates there is some abnormality detected with the sign in for the account and should be alerted on. |
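Review bot: both replacement rows (lines 141-142) keep the typo "Anaylitics" (should be "Log Analytics"), and line 142 reads "Azure AD Audit Log log" with a doubled "log". The filter column on line 141 also drops the "-and-" structure every other row uses and no longer scopes to the privileged user (the removed row had "Target = user"), so as written it matches any fraud report in the tenant rather than only privileged accounts; suggest "Result details = MFA denied, Fraud Code Entered<br>-and-<br>Target = \<privileged user\>". On line 142 the two activity values are capitalised differently ("Fraud Reported" vs "Fraud reported"); make them match the actual audit log strings.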
@@ -263,4 +264,4 @@ See these security operations guide articles:
263264
[Security operations for devices](security-operations-devices.md)
264265

265266

266-
[Security operations for infrastructure](security-operations-infrastructure.md)
267+
[Security operations for infrastructure](security-operations-infrastructure.md)
