MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/authentication/howto-mfa-userstates.md
Lines changed: 7 additions & 4 deletions b/‎articles/active-directory/authentication/howto-mfa-userstates.md
Lines changed: 7 additions & 4 deletions
diff --git a/‎articles/active-directory/conditional-access/concept-conditional-access-security-defaults.md
Lines changed: 14 additions & 0 deletions b/‎articles/active-directory/conditional-access/concept-conditional-access-security-defaults.md
Lines changed: 14 additions & 0 deletions
diff --git a/‎articles/active-directory/conditional-access/media/concept-conditional-access-security-defaults/security-defaults-disable-before-conditional-access.png
81.9 KB b/‎articles/active-directory/conditional-access/media/concept-conditional-access-security-defaults/security-defaults-disable-before-conditional-access.png
81.9 KB
diff --git a/‎articles/active-directory/manage-apps/configure-admin-consent-workflow.md
Lines changed: 14 additions & 14 deletions b/‎articles/active-directory/manage-apps/configure-admin-consent-workflow.md
Lines changed: 14 additions & 14 deletions
diff --git a/‎articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method-040419.png
4.54 KB b/‎articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method-040419.png
4.54 KB
diff --git a/‎articles/active-directory/manage-apps/what-is-single-sign-on.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/manage-apps/what-is-single-sign-on.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/saas-apps/kerbf5-tutorial.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/saas-apps/kerbf5-tutorial.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/automation/shared-resources/modules.md
Lines changed: 7 additions & 3 deletions b/‎articles/automation/shared-resources/modules.md
Lines changed: 7 additions & 3 deletions
@@ -33,7 +33,7 @@ This topic:
 
 To configure certificate-based authentication, the following statements must be true:
 
-- Certificate-based authentication (CBA) is only supported for Federated environments for browser applications or native clients using modern authentication (ADAL). The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for  federated and managed accounts.
+- Certificate-based authentication (CBA) is only supported for Federated environments for browser applications, native clients using modern authentication (ADAL), or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for  federated and managed accounts.
 - The root certificate authority and any intermediate certificate authorities must be configured in Azure Active Directory.
 - Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an internet-facing URL.
 - You must have at least one certificate authority configured in Azure Active Directory. You can find related steps in the [Configure the certificate authorities](#step-2-configure-the-certificate-authorities) section.
 
@@ -38,11 +38,14 @@ Enabled by Azure AD Identity Protection - This method uses the Azure AD Identity
 
 User accounts in Azure Multi-Factor Authentication have the following three distinct states:
 
+> [!IMPORTANT]
+> Enabling Azure MFA through a Conditional Access policy will not change the state of the user. Do not be alarmed users appear disabled. Conditional Access does not change the state. **Organizations should not enable or enforce users if they are utilizing Conditional Access policies.**
+
 | Status | Description | Non-browser apps affected | Browser apps affected | Modern authentication affected |
-|:---:|:---:|:---:|:--:|:--:|
-| Disabled |The default state for a new user not enrolled in Azure MFA. |No |No |No |
-| Enabled |The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in. |No.  They continue to work until the registration process is completed. | Yes. After the session expires, Azure MFA registration is required.| Yes. After the access token expires, Azure MFA registration is required. |
-| Enforced |The user has been enrolled and has completed the registration process for Azure MFA. |Yes. Apps require app passwords. |Yes. Azure MFA is required at login. | Yes. Azure MFA is required at login. |
+|:---:| --- |:---:|:--:|:--:|
+| Disabled | The default state for a new user not enrolled in Azure MFA. | No | No | No |
+| Enabled | The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in. | No.  They continue to work until the registration process is completed. | Yes. After the session expires, Azure MFA registration is required.| Yes. After the access token expires, Azure MFA registration is required. |
+| Enforced | The user has been enrolled and has completed the registration process for Azure MFA. | Yes. Apps require app passwords. | Yes. Azure MFA is required at login. | Yes. Azure MFA is required at login. |
 
 A user's state reflects whether an admin has enrolled them in Azure MFA, and whether they completed the registration process.
 
 
@@ -123,6 +123,20 @@ To enable security defaults in your directory:
 1. Set the **Enable security defaults** toggle to **Yes**.
 1. Select **Save**.
 
+## Disabling security defaults
+
+Organizations that choose to implement Conditional Access policies that replace security defaults must disable security defaults. 
+
+![Warning message disable security defaults to enable Conditional Access](./media/concept-conditional-access-security-defaults/security-defaults-disable-before-conditional-access.png)
+
+To disable security defaults in your directory:
+
+1. Sign in to the [Azure portal](https://portal.azure.com) as a security administrator, Conditional Access administrator, or global administrator.
+1. Browse to **Azure Active Directory** > **Properties**.
+1. Select **Manage security defaults**.
+1. Set the **Enable security defaults** toggle to **No**.
+1. Select **Save**.
+
 ## Next steps
 
 [Common Conditional Access policies](concept-conditional-access-policy-common.md)
 
@@ -29,10 +29,10 @@ To approve requests, a reviewer must be a global administrator, cloud applicatio
 
 To enable the admin consent workflow and choose reviewers:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator.
-2. Click **All services** at the top of the left-hand navigation menu. The **Azure Active Directory Extension** opens.
-3. In the filter search box, type "**Azure Active Directory**" and select **the Azure Active Directory** item.
-4. From the navigation menu, click **Enterprise applications**. 
+1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator.
+2. Click **All services** at the top of the left-hand navigation menu. The **Azure Active Directory Extension** opens.
+3. In the filter search box, type "**Azure Active Directory**" and select **the Azure Active Directory** item.
+4. From the navigation menu, click **Enterprise applications**. 
 5. Under **Manage**, select **User settings**.
 6. Under **Admin consent requests (Preview)**, set **Users can request admin consent to apps they are unable to consent to** to **Yes**.
 
@@ -70,10 +70,10 @@ After the admin consent workflow is enabled, users can request admin approval fo
 
 To review the admin consent requests and take action:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as one of the registered reviewers of the admin consent workflow.
-2. Select **All services** at the top of the left-hand navigation menu. The **Azure Active Directory Extension** opens.
-3. In the filter search box, type "**Azure Active Directory**" and select the **Azure Active Directory** item.
-4. From the navigation menu, click **Enterprise applications**.
+1. Sign in to the [Azure portal](https://portal.azure.com) as one of the registered reviewers of the admin consent workflow.
+2. Select **All services** at the top of the left-hand navigation menu. The **Azure Active Directory Extension** opens.
+3. In the filter search box, type "**Azure Active Directory**" and select the **Azure Active Directory** item.
+4. From the navigation menu, click **Enterprise applications**.
 5. Under **Activity**, select **Admin consent requests (Preview)**.
 
    > [!NOTE]
@@ -116,12 +116,12 @@ The table below outlines the scenarios and audit values available for the admin
 
 |Scenario  |Audit Service  |Audit Category  |Audit Activity  |Audit Actor  |Audit log limitations  |
 |---------|---------|---------|---------|---------|---------|
-|Admin enabling the consent request workflow        |Access Reviews           |UserManagement           |Create governance policy template          |App context            |Currently you cannot find the user context            |
-|Admin disabling the  consent request workflow       |Access Reviews           |UserManagement           |Delete governance policy template          |App context            |Currently you cannot find the user context           |
-|Admin updating the consent workflow configurations        |Access Reviews           |UserManagement           |Update governance policy template          |App context            |Currently you cannot find the user context           |
-|End user creating an admin consent request for an app       |Access Reviews           |Policy         |Create request           |App context            |Currently you cannot find the user context           |
-|Reviewers approving an admin consent request       |Access Reviews           |UserManagement           |Approve all requests in business flow          |App context            |Currently you cannot find the user context or the app ID that was granted admin consent.           |
-|Reviewers denying an admin consent request       |Access Reviews           |UserManagement           |Approve all requests in business flow          |App context            | Currently you cannot find the user context of the actor that denied an admin consent request          |
+|Admin enabling the consent request workflow        |Access Reviews           |UserManagement           |Create governance policy template          |App context            |Currently you cannot find the user context            |
+|Admin disabling the  consent request workflow       |Access Reviews           |UserManagement           |Delete governance policy template          |App context            |Currently you cannot find the user context           |
+|Admin updating the consent workflow configurations        |Access Reviews           |UserManagement           |Update governance policy template          |App context            |Currently you cannot find the user context           |
+|End user creating an admin consent request for an app       |Access Reviews           |Policy         |Create request           |App context            |Currently you cannot find the user context           |
+|Reviewers approving an admin consent request       |Access Reviews           |UserManagement           |Approve all requests in business flow          |App context            |Currently you cannot find the user context or the app ID that was granted admin consent.           |
+|Reviewers denying an admin consent request       |Access Reviews           |UserManagement           |Approve all requests in business flow          |App context            | Currently you cannot find the user context of the actor that denied an admin consent request          |
 
 ## FAQ 
 
 
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 11/14/2019
+ms.date: 12/03/2019
 ms.author: mimart
 ms.reviewer: arvindh, japere
 
 
@@ -269,7 +269,7 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
     ![F5 (Kerberos) configuration](./media/kerbf5-tutorial/configure12.png)
 
-1. Once the application has been click on **Finish**.
+1. Once the application has been configured click on **Finish**.
 
     ![F5 (Kerberos) configuration](./media/kerbf5-tutorial/configure13.png)
 
 
@@ -3,9 +3,9 @@ title: Manage Modules in Azure Automation
 description: This article describes how to manage modules in Azure Automation
 services: automation
 ms.service: automation
-author: bobbytreed
-ms.author: robreed
-ms.date: 06/05/2019
+author: mgoedtel
+ms.author: magoedte
+ms.date: 12/03/2019
 ms.topic: conceptual
 manager: carmonm
 ---
@@ -73,6 +73,10 @@ Remove-AzureRmAutomationModule -Name <moduleName> -AutomationAccountName <automa
 
 The following is a listing of cmdlets in the internal `Orchestrator.AssetManagement.Cmdlets` module that is imported into every Automation Account. These cmdlets are accessible in your runbooks and DSC configurations and allow you to interact with your assets within your Automation Account. Additionally, the internal cmdlets allow you to retrieve secrets from encrypted **Variable** values, **Credentials**, and encrypted **Connection** fields. The Azure PowerShell cmdlets are not able to retrieve these secrets. These cmdlets do not require you to implicitly connect to Azure when using them, such as using a Run As Account to authenticate to Azure.
 
+>[!NOTE]
+>These internal cmdlets are not available on a Hybrid Runbook Worker, they are only accessible from runbooks running in Azure. Use the corresponding [AzureRM.Automation](https://docs.microsoft.com/powershell/module/AzureRM.Automation/?view=azurermps-6.13.0) or [Az modules](../az-modules.md) for runbooks running directly on the computer or against resources in your environment. 
+>
+
 |Name|Description|
 |---|---|
 |Get-AutomationCertificate|`Get-AutomationCertificate [-Name] <string> [<CommonParameters>]`|