Merge pull request #221165 from MicrosoftDocs/main

12/12 AM Publish

Author: huypub

.openpublishing.redirection.defender-for-cloud.json

@@ -642,8 +642,8 @@
         },
         {
             "source_path_from_root": "/articles/security-center/security-center-planning-and-operations-guide.md",
-            "redirect_url": "/azure/defender-for-cloud/security-center-planning-and-operations-guide",
-            "redirect_document_id": true
+            "redirect_url": "/azure/defender-for-cloud/defender-for-cloud-planning-and-operations-guide",
+            "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/security-center/sql-information-protection-policy.md",
@@ -769,6 +769,16 @@
             "source_path_from_root": "/articles/defender-for-cloud/defender-for-servers-introduction.md",
             "redirect_url": "/azure/defender-for-cloud/plan-defender-for-servers",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/security-center-readiness-roadmap.md",
+            "redirect_url": "/azure/defender-for-cloud/defender-for-cloud-planning-and-operations-guide",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/security-center-planning-and-operations-guide.md",
+            "redirect_url": "/azure/defender-for-cloud/defender-for-cloud-planning-and-operations-guide",
+            "redirect_document_id": true
         }
       ]
 }

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

@@ -179,7 +179,7 @@ With inbound settings, you select which external users and groups will be able t
 
    - **Trust multi-factor authentication from Azure AD tenants**: Select this checkbox to allow your Conditional Access policies to trust MFA claims from external organizations. During authentication, Azure AD will check a user's credentials for a claim that the user has completed MFA. If not, an MFA challenge will be initiated in the user's home tenant.  
 
-   - **Trust compliant devices**: Allows your Conditional Access policies to trust compliant device claims from an external organization when their users access your resources.
+   - **Trust compliant devices**: Allows your Conditional Access policies to trust [compliant device claims](../conditional-access/howto-conditional-access-policy-compliant-device.md) from an external organization when their users access your resources.
 
    - **Trust hybrid Azure AD joined devices**: Allows your Conditional Access policies to trust hybrid Azure AD joined device claims from an external organization when their users access your resources.
 

articles/active-directory/external-identities/user-token.md

@@ -1,23 +1,25 @@
 ---
 title: Understand user tokens in B2B collaboration - Azure AD
-description: User token reference for Azure Active Directory B2B collaboration
+description: User token reference for Azure Active Directory B2B collaboration.
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 02/28/2018
+ms.date: 12/12/2022
 
 ms.author: mimart
 author: msmimart
 manager: celestedg
 
-ms.collection: M365-identity-device-management
+ms.collection: engagement-fy23, M365-identity-device-management
+
+# Customer intent: As a tenant administrator, I want to know what the token looks like for a B2B collaboration user in the resource tenant.
 ---
 
 # Understand user tokens in Azure AD B2B collaboration
 
-If you want to know what the token looks like for a B2B collaboration user, here are the bearer token details and token content for an Azure Active Directory (Azure AD) guest and a Microsoft account guest in the resource tenant (for tenantid 04dcc6ab-388a-4559-b527-fbec656300ea). To see the JSON Web Token (JWT) contents, use [https://jwt.io/](https://jwt.io/) or [https://jwt.ms/](https://jwt.ms/).
+If you want to know what the token looks like for a B2B collaboration user, here are the bearer token details and token content for an Azure Active Directory (Azure AD) guest and a Microsoft account guest in the resource tenant (for tenant ID 04dcc6ab-388a-4559-b527-fbec656300ea). To see the JSON Web Token (JWT) contents, use [https://jwt.io/](https://jwt.io/) or [https://jwt.ms/](https://jwt.ms/).
 
 ## Azure AD guest token
 ```
@@ -31,7 +33,7 @@ Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ilk0dWVLMm9hSU
 
 ## Next steps
 
-* [What is Azure AD B2B collaboration?](what-is-b2b.md)
-* [B2B collaboration user properties](user-properties.md)
+* [B2B collaboration overview](what-is-b2b.md)
+* [B2B collaboration for hybrid organizations](hybrid-organizations.md)
 * [B2B collaboration user claims mapping](claims-mapping.md)
 

articles/active-directory/roles/includes/authentication-table-include.md

@@ -16,7 +16,7 @@ The following table compares the capabilities of this role with related roles.
 
 | Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users |
 | ---- | ---- | ---- | ---- | ---- | ---- | ---- | --- |
-| [Authentication Administrator](#authentication-administrator) | Yes for some users | Yes for some users | No | No | No | Yes for some users | Yes for some users |
+| [Authentication Administrator](#authentication-administrator) | Yes for [some users](#who-can-perform-sensitive-actions) | Yes for [some users](#who-can-perform-sensitive-actions) | No | No | No | Yes for [some users](#who-can-perform-sensitive-actions) | Yes for [some users](#who-can-perform-sensitive-actions) |
 | [Privileged Authentication Administrator](#privileged-authentication-administrator) | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users |
 | [Authentication Policy Administrator](#authentication-policy-administrator) | No | No | Yes | Yes | Yes | No | No |
-| [User Administrator](#user-administrator) | No | No | No | No | No | Yes for some users | Yes for some users |
+| [User Administrator](#user-administrator) | No | No | No | No | No | Yes for [some users](#who-can-perform-sensitive-actions) | Yes for [some users](#who-can-perform-sensitive-actions) |

articles/active-directory/standards/nist-about-authenticator-assurance-levels.md

@@ -10,20 +10,20 @@ author: gargi-sinha
 ms.author: gasinh
 manager: martinco
 ms.reviewer: martinco
-ms.date: 09/13/2022
+ms.date: 11/23/2022
 ms.custom: it-pro
 ms.collection: M365-identity-device-management
 ---
 
-# About authenticator assurance levels
+# Authenticator assurance levels 
 
-The National Institute of Standards and Technology (NIST) develops the technical requirements for US federal agencies that are implementing identity solutions. [NIST SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) defines the technical guidelines for the implementation of digital authentication. It does so with a framework of authenticator assurance levels (AALs). AALs characterize the strength of the authentication of a digital identity. The guidance also covers the management of the lifecycle of authenticators, including revocation. 
+The National Institute of Standards and Technology (NIST) develops technical requirements for US federal agencies implementing identity solutions. [NIST SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) has the technical guidelines for digital authentication implementation, using an authenticator assurance levels (AALs) framework. AALs characterize the authentication strength of a digital identity. You can also learn about authenticator lifecycle management, including revocation. 
 
-The standard includes AAL requirements for these requirement categories:
+The standard includes AAL requirements for the following categories:
 
 * Permitted authenticator types
 
-* Federal Information Processing Standards 140 (FIPS 140) verification level (FIPS 140 requirements are satisfied by [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final) or newer revisions)
+* Federal Information Processing Standards 140 (FIPS 140) verification level. FIPS 140 requirements are satisfied by [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final), or newer revisions.
 
 * Reauthentication
 
@@ -43,28 +43,29 @@ The standard includes AAL requirements for these requirement categories:
 
 * Privacy controls
 
-## Apply NIST AALs in your environment
+## NIST AALs in your environment
 
-> [!TIP]
-> We recommend that you meet at least AAL2. Meet AAL3 if necessary for business reasons, industry standards, or compliance requirements.
+In general, AAL1 isn't recommended because it accepts password-only solutions, the most easily compromised authentication. For more information, see the blog post, [Your Pa$$word doesn't matter](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984). 
 
-In general, AAL1 isn't recommended because it accepts password-only solutions, and passwords are the most easily compromised form of authentication. For more information, see the following blog post: [Your Pa$$word doesn't matter](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984). 
+While NIST doesn't require verifier impersonation (credential phishing) resistance until AAL3, we advise you to address this threat at all levels. You can select authenticators that provide verifier impersonation resistance, such as requiring devices are joined to Azure Active Directory (Azure AD) or hybrid Azure AD. If you're using Office 365, you can use Office 365 Advanced Threat Protection, and its [anti-phishing policies](/microsoft-365/security/office-365-security/set-up-anti-phishing-policies).
 
-While NIST doesn't require verifier impersonation (also known as credential phishing) resistance until AAL3, we highly advise that you address this threat at all levels. You can select authenticators that provide verifier impersonation resistance, such as requiring that devices be joined to Azure Active Directory (Azure AD) or hybrid Azure AD. If you're using Office 365, you can use Office 365 Advanced Threat Protection, and specifically its [Anti-phishing policies](/microsoft-365/security/office-365-security/set-up-anti-phishing-policies).
+As you evaluate the needed NIST AAL for your organization, consider whether your entire organization must meet NIST standards. If there are specific user groups and resources that can be segregated, you can apply NIST AAL configurations to those user groups and resources. 
 
-As you evaluate the appropriate NIST AAL for your organization, consider whether your entire organization must meet NIST standards. If there are specific groups of users and resources that can be segregated, you might be able to apply the NIST AAL configurations to only a specific group of users and resources. 
+> [!TIP]
+> We recommend you meet at least AAL2. If necessary, meet AAL3 for business reasons, industry standards, or compliance requirements.
 
 ## Security controls, privacy controls, records retention policy
 
-Azure and Azure Government have earned a provisional authority to operate (P-ATO) at the [NIST SP 800-53 High Impact level](https://nvd.nist.gov/800-53/Rev4/impact/high) from the Joint Authorization Board. This level represents the highest bar for FedRAMP accreditation, and it authorizes the use of Azure and Azure Government to process highly sensitive data.
+From the Joint Authorization Board, Azure and Azure Government have provisional authority to operate (P-ATO) at the [NIST SP 800-53 High Impact](https://nvd.nist.gov/800-53/Rev4/impact/high) level. This FedRAMP accreditation authorizes Azure and Azure Government to process highly sensitive data.
 
-These Azure and Azure Government certifications satisfy the security controls, privacy controls, and records retention policy requirements for AAL1, AAL2, and AAL3.
+> [!IMPORTANT]
+> Azure and Azure Government certifications satisfy the security controls, privacy controls, and records retention policy requirements for AAL1, AAL2, and AAL3.
 
-The FedRAMP audit of Azure and Azure Government included the information security management system that encompasses infrastructure, development, operations, management, and support of in-scope services. When a P-ATO is granted, a cloud service provider still requires an authorization (an ATO) from any government agency it works with. For Azure, a government agency, or organizations working with them, can use the Azure P-ATO in its own security authorization process. The agency or organization can rely on it as the basis for issuing an agency ATO that also meets FedRAMP requirements.
+The FedRAMP audit of Azure and Azure Government included the information security management system for infrastructure, development, operations, management, and support of in-scope services. When a P-ATO is granted, a cloud service provider requires an authorization (an ATO) from government agencies it works with. Government agencies, or organizations, can use the Azure P-ATO in their security authorization process, and use it as the basis for issuing an agency ATO that meets FedRAMP requirements.
 
-Azure continues to support more services at FedRAMP High Impact levels than any other cloud provider. And while FedRAMP High in the Azure public cloud meets the needs of many US government customers, agencies with more stringent requirements rely on Azure Government. Azure Government provides additional safeguards, such as the heightened screening of personnel. Microsoft lists all Azure public services currently available in Azure Government to the FedRAMP High boundary, as well as services planned for the current year.
+Azure supports multiple services at FedRAMP High Impact. FedRAMP High in the Azure public cloud meets the needs of US government customers, however agencies with more stringent requirements use Azure Government. Azure Government safeguards include heightened personnel screening. In Azure Government, Microsoft lists available Azure public services, up to the FedRAMP High boundary, and services for the current year.
 
-In addition, Microsoft is fully committed to [protecting and managing customer data](https://www.microsoft.com/trust-center/privacy/data-management) with clearly stated records retention policies. As a global company with customers in nearly every country in the world, Microsoft has a robust compliance portfolio to assist you. To view a complete list of our compliance offerings, see [Microsoft compliance offering](/compliance/regulatory/offering-home). 
+In addition, Microsoft is committed to [protecting and managing customer data](https://www.microsoft.com/trust-center/privacy/data-management) with clearly stated records retention policies. Microsoft has a large compliance portfolio. To see more, go to [Microsoft compliance offerings](/compliance/regulatory/offering-home). 
 
 ## Next steps 
 
@@ -80,5 +81,4 @@ In addition, Microsoft is fully committed to [protecting and managing customer d
 
 [Achieve NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
 
-[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md) 
-‎
+[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)