Commit 556287d

Merge pull request #110249 from iainfoulds/azuread-authentication-freshness04032020
[AzureAD] Updates and edits
2 parents ae9a62b + ffb4e74 commit 556287d

3 files changed

+70
-45
lines changed

Lines changed: 34 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,12 @@
11
---
2-
title: How it works Azure MFA - Azure Active Directory
3-
description: Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process.
2+
title: Azure Multi-Factor Authentication overview
3+
description: Learn how Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process.
44

55
services: multi-factor-authentication
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: conceptual
9-
ms.date: 11/21/2019
9+
ms.date: 04/03/2020
1010

1111
ms.author: iainfou
1212
author: iainfoulds
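Review bot: the front-matter `title` on line 2+ is renamed to "Azure Multi-Factor Authentication overview", but the H1 at line 18 (unchanged context in the next hunk) still reads "# How it works: Azure Multi-Factor Authentication", so the browser tab title and the page heading will disagree; either rename the H1 to match or keep the "How it works" title. The new `description` and the `ms.date` bump to 04/03/2020 look correct.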
@@ -17,40 +17,50 @@ ms.collection: M365-identity-device-management
1717
---
1818
# How it works: Azure Multi-Factor Authentication
1919

20-
The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods:
20+
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.
2121

22-
* Something you know (typically a password)
23-
* Something you have (a trusted device that is not easily duplicated, like a phone)
24-
* Something you are (biometrics)
22+
If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor isn't something that's easy for an attacker to obtain or duplicate.
2523

26-
<center>
24+
![Conceptual image of the different forms of multi-factor authentication](./media/concept-mfa-howitworks/methods.png)
2725

28-
![Conceptual authentication methods image](./media/concept-mfa-howitworks/methods.png)</center>
26+
Azure Multi-Factor Authentication works by requiring two or more of the following authentication methods:
2927

30-
Azure Multi-Factor Authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy to use [authentication methods](concept-authentication-methods.md). Users may or may not be challenged for MFA based on configuration decisions that an administrator makes.
28+
* Something you know, typically a password.
29+
* Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.
30+
* Something you are - biometrics like a fingerprint or face scan.
3131

32-
## How to get Multi-Factor Authentication?
32+
Users can register themselves for both self-service password reset and Azure Multi-Factor Authentication in one step to simplify the on-boarding experience. Administrators can define what forms of secondary authentication can be used. Azure Multi-Factor Authentication can also be required when users perform a self-service password reset to further secure that process.
3333

34-
Multi-Factor Authentication comes as part of the following offerings:
34+
![Authentication methods in use at the sign-in screen](media/concept-authentication-methods/overview-login.png)
3535

36-
* **Azure Active Directory Premium** or **Microsoft 365 Business** - Full featured use of Azure Multi-Factor Authentication using Conditional Access policies to require multi-factor authentication.
36+
Azure Multi-Factor Authentication helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy to use [authentication methods](concept-authentication-methods.md). Users may or may not be challenged for MFA based on configuration decisions that an administrator makes.
3737

38-
* **Azure AD Free** or standalone **Office 365** licenses - Use [Security Defaults](../fundamentals/concept-fundamentals-security-defaults.md) to require multi-factor authentication for your users and administrators.
38+
Your applications or services don't need to make any changes to use Azure Multi-Factor Authentication. The verification prompts are part of the Azure AD sign-in event, which automatically requests and processes the MFA challenge when required.
3939

40-
* **Azure Active Directory Global Administrators** - A subset of Azure Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.
40+
## Available verification methods
4141

42-
> [!NOTE]
43-
> New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1st, 2018. Multi-factor authentication will continue to be an available feature in Azure AD Premium licenses.
42+
When a user signs in to an application or service and receive an MFA prompt, they can choose from one of their registered forms of additional verification. An administrator could require registration of these Azure Multi-Factor Authentication verification methods, or the user can access their own [My Profile](https://myprofile.microsoft.com) to edit or add verification methods.
4443

45-
## Supportability
44+
The following additional forms of verification can be used with Azure Multi-Factor Authentication:
4645

47-
Since most users are accustomed to using only passwords to authenticate, it is important that your organization communicates to all users regarding this process. Awareness can reduce the likelihood that users call your help desk for minor issues related to MFA. However, there are some scenarios where temporarily disabling MFA is necessary. Use the following guidelines to understand how to handle those scenarios:
46+
* Microsoft Authenticator app
47+
* OATH Hardware token
48+
* SMS
49+
* Voice call
4850

49-
* Train your support staff to handle scenarios where the user can't sign in because they do not have access to their authentication methods or they are not working correctly.
50-
* Using Conditional Access policies for Azure MFA Service, your support staff can add a user to a group that is excluded from a policy requiring MFA.
51-
* Consider using Conditional Access named locations as a way to minimize two-step verification prompts. With this functionality, administrators can bypass two-step verification for users that are signing in from a secure trusted network location such as a network segment used for new user onboarding.
52-
* Deploy [Azure AD Identity Protection](../active-directory-identityprotection.md) and trigger two-step verification based on risk detections.
51+
## How to enable and use Azure Multi-Factor Authentication
52+
53+
Users and groups can be enabled for Azure Multi-Factor Authentication to prompt for additional verification during the sign-in event. [Security defaults](../fundamentals/concept-fundamentals-security-defaults.md) are available for all Azure AD tenants to quickly enable the use of the Microsoft Authenticator app for all users.
54+
55+
For more granular controls, [Conditional Access](../conditional-access/overview.md) policies can be used to define events or applications that require MFA. These policies can allow regular sign-in events when the user is on the corporate network or a registered device, but prompt for additional verification factors when remote or on a personal device.
56+
57+
![Overview diagram of how Conditional Access works to secure the sign-in process](media/tutorial-enable-azure-mfa/conditional-access-overview.png)
5358

5459
## Next steps
5560

56-
- [Step-by-step Azure Multi-Factor Authentication deployment](howto-mfa-getstarted.md)
61+
To learn about licensing, see [Features and licenses for Azure Multi-Factor Authentication](concept-mfa-licensing.md).
62+
63+
To see MFA in action, enable Azure Multi-Factor Authentication for a set of test users in the following tutorial:
64+
65+
> [!div class="nextstepaction"]
66+
> [Enable Azure Multi-Factor Authentication](tutorial-mfa-applications.md)
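Review bot: grammar slip on line 42+: "When a user signs in to an application or service and receive an MFA prompt" should be "and receives an MFA prompt". Smaller consistency points in the same hunk: the three-factor list uses commas on lines 28+ and 29+ but a dash on line 30+ ("Something you are - biometrics"); "OATH Hardware token" on line 47+ should be "OATH hardware token"; and the image on line 24+ uses a `./media/...` path while lines 34+ and 57+ use `media/...`. Also, the deleted "Supportability" section (lines 45- to 52-) carried operational guidance that nothing in the added text replaces: preparing support staff for users who have lost access to their verification methods, and using Identity Protection to prompt based on risk detections. If that guidance now lives in the deployment guide, consider adding a pointer to it under "Next steps".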

articles/active-directory/authentication/howto-mfa-getstarted.md

Lines changed: 16 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
2-
title: Deploy Azure Multi-Factor Authentication - Azure Active Directory
3-
description: Microsoft Azure Multi-Factor Authentication deployment planning
2+
title: Deployment considerations for Azure Multi-Factor Authentication
3+
description: Learn about deployment considerations and strategy for successful implementation of Azure Multi-Factor Authentication
44

55
services: multi-factor-authentication
66
ms.service: active-directory
@@ -15,12 +15,19 @@ ms.reviewer: michmcla
1515

1616
ms.collection: M365-identity-device-management
1717
---
18-
# Planning a cloud-based Azure Multi-Factor Authentication deployment
18+
# Plan an Azure Multi-Factor Authentication deployment
1919

2020
People are connecting to organizational resources in increasingly complicated scenarios. People connect from organization-owned, personal, and public devices on and off the corporate network using smart phones, tablets, PCs, and laptops, often on multiple platforms. In this always-connected, multi-device and multi-platform world, the security of user accounts is more important than ever. Passwords, no matter their complexity, used across devices, networks, and platforms are no longer sufficient to ensure the security of the user account, especially when users tend to reuse passwords across accounts. Sophisticated phishing and other social engineering attacks can result in usernames and passwords being posted and sold across the dark web.
2121

2222
[Azure Multi-Factor Authentication (MFA)](concept-mfa-howitworks.md) helps safeguard access to data and applications. It provides an additional layer of security using a second form of authentication. Organizations can use [Conditional Access](../conditional-access/overview.md) to make the solution fit their specific needs.
2323

24+
This deployment guide shows you how to plan and then test an Azure Multi-Factor Authentication roll-out.
25+
26+
To quickly see Azure Multi-Factor Authentication in action and then come back to understand additional deployment considerations:
27+
28+
> [!div class="nextstepaction"]
29+
> [Enable Azure Multi-Factor Authentication](tutorial-enable-azure-mfa.md)
30+
2431
## Prerequisites
2532

2633
Before starting a deployment of Azure Multi-Factor Authentication, there are prerequisite items that should be considered.
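Review bot: the `nextstepaction` on line 29+ links the title "Enable Azure Multi-Factor Authentication" to `tutorial-enable-azure-mfa.md`, whereas the first file in this commit (line 66+ of concept-mfa-howitworks) links the identical title to `tutorial-mfa-applications.md`; confirm which tutorial is the intended entry point so the two pages do not send readers to different places under the same label.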
@@ -170,7 +177,7 @@ Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-
170177

171178
If your users were enabled using per-user enabled and enforced Azure Multi-Factor Authentication the following PowerShell can assist you in making the conversion to Conditional Access based Azure Multi-Factor Authentication.
172179

173-
Run this PowerShell in an ISE window or save as a .PS1 file to run locally.
180+
Run this PowerShell in an ISE window or save as a `.PS1` file to run locally.
174181

175182
```PowerShell
176183
# Sets the MFA requirement state
@@ -314,7 +321,7 @@ On each AD FS server, in the local computer My Store, there will be a self-signe
314321

315322
If the validity period of your certificates is nearing expiration, [generate and verify a new MFA certificate on each AD FS server](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa#configure-the-ad-fs-servers).
316323

317-
The following guidance details how to manage the Azure MFA certificates on your AD FS servers. When you configure AD FS with Azure MFA, the certificates generated via the `New-AdfsAzureMfaTenantCertificate` PowerShell cmdlet are valid for 2 years. Renew and install the renewed certificates prior to expiration to ovoid disruptions in MFA service.
324+
The following guidance details how to manage the Azure MFA certificates on your AD FS servers. When you configure AD FS with Azure MFA, the certificates generated via the `New-AdfsAzureMfaTenantCertificate` PowerShell cmdlet are valid for two years. Renew and install the renewed certificates prior to expiration to ovoid disruptions in MFA service.
318325

319326
## Implement your plan
320327

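Review bot: line 324+ rewrites "2 years" to "two years" but leaves the typo "ovoid disruptions" in the same sentence; since the line is already being touched, change it to "avoid disruptions in MFA service".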
@@ -354,6 +361,7 @@ Find solutions for common issues with Azure MFA at the [Troubleshooting Azure Mu
354361

355362
## Next steps
356363

357-
* [What are authentication methods?](concept-authentication-methods.md)
358-
* [Enable converged registration for Azure Multi-Factor Authentication and Azure AD self-service password reset](concept-registration-mfa-sspr-converged.md)
359-
* Why was a user prompted or not prompted to perform MFA? See the section [Azure AD sign-ins report in the Reports in Azure Multi-Factor Authentication document](howto-mfa-reporting.md#azure-ad-sign-ins-report).
364+
To see Azure Multi-Factor Authentication in action, complete the following tutorial:
365+
366+
> [!div class="nextstepaction"]
367+
> [Enable Azure Multi-Factor Authentication](tutorial-enable-azure-mfa.md)
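Review bot: lines 357- to 359- drop three Next steps links without relocating them, and the third one matters most for operations: the pointer to the Azure AD sign-ins report ("Why was a user prompted or not prompted to perform MFA?") is the first place an administrator looks when a Conditional Access policy does not behave as expected. Suggest keeping that link, and the authentication-methods and converged-registration links, as a short list beneath the tutorial callout rather than removing them.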

articles/active-directory/authentication/howto-sspr-deployment.md

Lines changed: 20 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
2-
title: Self-service password reset deployment - Azure Active Directory
3-
description: Strategy for successful implementation of Azure AD self-service password reset
2+
title: Deployment considerations for Azure Active Directory self-service password reset
3+
description: Learn about deployment considerations and strategy for successful implementation of Azure AD self-service password reset
44

55
services: active-directory
66
ms.service: active-directory
@@ -15,21 +15,28 @@ ms.reviewer: sahenry
1515

1616
ms.collection: M365-identity-device-management
1717
---
18-
# Plan an Azure Active Directory self-service password reset
18+
# Plan an Azure Active Directory self-service password reset deployment
1919

20-
> [!NOTE]
21-
> This deployment plan offers planning guidance and best practices for deploying Azure AD self-service password reset (SSPR). <br>**If you are looking for the SSPR tool to get back into your account, go to [https://aka.ms/sspr](https://aka.ms/sspr)**.
20+
> [!IMPORTANT]
21+
> This deployment plan offers guidance and best practices for deploying Azure AD self-service password reset (SSPR).
22+
>
23+
> **If you're and end user and need to get back into your account, go to [https://aka.ms/sspr](https://aka.ms/sspr)**.
2224
23-
[Self-Service Password Reset (SSPR)](https://www.youtube.com/watch?v=tnb2Qf4hTP8) is an Azure Active Directory (AD) feature that enables users to reset their passwords without contacting IT staff for help. The users can quickly unblock themselves and continue working no matter where they are or time of day. By allowing the employees to unblock themselves, your organization can reduce the non-productive time and high support costs for most common password-related issues.
25+
[Self-Service Password Reset (SSPR)](https://www.youtube.com/watch?v=tnb2Qf4hTP8) is an Azure Active Directory (AD) feature that enables users to reset their passwords without contacting IT staff for help. The users can quickly unblock themselves and continue working no matter where they are or time of day. By allowing the employees to unblock themselves, your organization can reduce the non-productive time and high support costs for most common password-related issues.
2426

2527
SSPR has the following key capabilities:
2628

2729
* Self-service allows end users to reset their expired or non-expired passwords without contacting an administrator or helpdesk for support.
28-
2930
* [Password Writeback](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-writeback) allows management of on-premises passwords and resolution of account lockout though the cloud.
30-
3131
* Password management activity reports give administrators insight into password reset and registration activity occurring in their organization.
3232

33+
This deployment guide shows you how to plan and then test an SSPR roll-out.
34+
35+
To quickly see SSPR in action and then come back to understand additional deployment considerations:
36+
37+
> [!div class="nextstepaction"]
38+
> [Enable self-service password reset (SSPR)](tutorial-enable-sspr.md)
39+
3340
## Learn about SSPR
3441

3542
Learn more about SSPR. See [How it works: Azure AD self-service password reset](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-howitworks).
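Review bot: typo on line 23+: "If you're and end user" should read "If you're an end user". The split into an `[!IMPORTANT]` callout with the end-user redirect on its own line is an improvement over the `<br>` in the old note.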
@@ -131,7 +138,7 @@ Communication is critical to the success of any new service. You should proactiv
131138

132139
### Plan a pilot
133140

134-
We recommend that the initial configuration of SSPR be in a test environment. Start with a pilot group by enabling SSPR for a subset of users in your organization. See [Best practices for a pilot](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-deployment-plans).
141+
We recommend that the initial configuration of SSPR is in a test environment. Start with a pilot group by enabling SSPR for a subset of users in your organization. See [Best practices for a pilot](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-deployment-plans).
135142

136143
To create a group, see how to [create a group and add members in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-groups-create-azure-portal).
137144

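Review bot: the change on line 141+ from "be in a test environment" to "is in a test environment" regresses the grammar; after "We recommend that", the subjunctive "be" was correct. Either restore "be" or rephrase to "We recommend that you perform the initial configuration of SSPR in a test environment."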
@@ -210,7 +217,7 @@ We recommend that you don't sync your on-prem Active Directory admin accounts wi
210217

211218
### Environments with multiple identity management systems
212219

213-
Some environments have multiple identity management systems. On-premesis identity managers like Oracle AM and SiteMinder, require synchronization with AD for passwords. You can do this using a tool like the Password Change Notification Service (PCNS) with Microsoft Identity Manager (MIM). To find information on this more complex scenario, see the article [Deploy the MIM Password Change Notification Service on a domain controller](https://docs.microsoft.com/microsoft-identity-manager/deploying-mim-password-change-notification-service-on-domain-controller).
220+
Some environments have multiple identity management systems. On-premises identity managers like Oracle AM and SiteMinder, require synchronization with AD for passwords. You can do this using a tool like the Password Change Notification Service (PCNS) with Microsoft Identity Manager (MIM). To find information on this more complex scenario, see the article [Deploy the MIM Password Change Notification Service on a domain controller](https://docs.microsoft.com/microsoft-identity-manager/deploying-mim-password-change-notification-service-on-domain-controller).
214221

215222
## Plan Testing and Support
216223

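Review bot: line 220+ fixes "On-premesis" but keeps the stray comma separating subject from verb in "identity managers like Oracle AM and SiteMinder, require synchronization"; drop the comma after "SiteMinder".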
@@ -252,7 +259,7 @@ To enable your support team's success, you can create a FAQ based on questions y
252259
| User can't set a new password| A user completes verification during the password reset flow but can't set a new password. |
253260
| User doesn't see a Reset Password link on a Windows 10 device| A user is trying to reset password from the Windows 10 lock screen, but the device is either not joined to Azure AD, or the Intune device policy isn't enabled |
254261

255-
### Plan roll back
262+
### Plan rollback
256263

257264
To roll back the deployment:
258265

@@ -292,7 +299,7 @@ See [Enable self-service password reset](https://docs.microsoft.com/azure/active
292299
1. [On-premises integration](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-writeback)
293300

294301
### Enable SSPR in Windows
295-
For machines running Windows 7, 8, 8.1, and 10 you can [enable users to reset their password at the Windows login screen](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows)
302+
For machines running Windows 7, 8, 8.1, and 10 you can [enable users to reset their password at the Windows sign in screen](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows)
296303

297304
## Manage SSPR
298305

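Review bot: on line 302+, "Windows sign in screen" should be hyphenated as a compound modifier, "Windows sign-in screen", matching "sign-in process" used elsewhere in this commit; the sentence also still lacks a terminal period.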
@@ -333,7 +340,7 @@ Audit logs for registration and password reset are available for 30 days. If sec
333340

334341
## Next steps
335342

336-
* To get started deploying SSPR, see [Complete an Azure AD self-service password reset pilot roll out](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-sspr-pilot)
343+
* To get started deploying SSPR, see [Enable Azure AD self-service password reset](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr.md)
337344

338345
* [Consider implementing Azure AD password protection](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad)
339346

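Review bot: the new link on line 343+ mixes an absolute `https://docs.microsoft.com/...` URL with a `.md` extension; published docs URLs carry no extension, so this target will not resolve as written. Use either the relative `tutorial-enable-sspr.md` (as on line 38+ earlier in this file) or the absolute URL without `.md`.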