
Commit 67addb7

Merge pull request #110302 from MicrosoftDocs/master
Merge master to live, 4 AM
2 parents 62c5557 + 31ec895 commit 67addb7

150 files changed

+1837
-734
lines changed


articles/active-directory-b2c/customize-ui-overview.md

Lines changed: 5 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -9,7 +9,7 @@ manager: celestedg
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: conceptual
12-
ms.date: 03/19/2020
12+
ms.date: 04/04/2020
1313
ms.author: mimart
1414
ms.subservice: B2C
1515
---
@@ -87,7 +87,10 @@ Review the following guidance before using your own HTML and CSS files to custom
8787

8888
When using your own HTML and CSS files to customize the UI, you can host your UI content on any publicly available HTTPS endpoint that supports CORS. For example, [Azure Blob storage](../storage/blobs/storage-blobs-introduction.md), web servers, CDNs, AWS S3, or file sharing systems.
8989

90-
The important point is that you host the content on a publicly available HTTPS endpoint with CORS enabled. You must use an absolute URL when you specify it in your content.
90+
The important point is that you host the content on a publicly available HTTPS endpoint with [CORS enabled](https://enable-cors.org/server.html). You must use an absolute URL when you specify it in your content.
91+
92+
> [!NOTE]
93+
> For details about creating HTML content, uploading content to Azure Blob storage, and configuring CORS, see the [Custom page content walkthrough](custom-policy-ui-customization.md#custom-page-content-walkthrough) section in the UI customization article.
9194
9295
## Get started with custom HTML and CSS
9396

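Review bot: the new wording at line 90 ("with [CORS enabled](https://enable-cors.org/server.html)") still does not say which origin the CORS policy should allow, so the generic external page will lead many readers straight to `Access-Control-Allow-Origin: *`. Because the HTML and CSS are fetched cross-origin by the B2C sign-in page, state the expected allowed origin (the origin the sign-in page is served from) either here or in the walkthrough that the new NOTE at line 93 links to, and say explicitly that a wildcard is only tolerable for static, non-sensitive page assets. The unchanged context at line 88 ("web servers, CDNs, AWS S3, or file sharing systems") is vague about "file sharing systems"; since the sentence is being touched anyway, it would be worth naming concrete options or dropping that phrase.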
Lines changed: 34 additions & 24 deletions
Original file line number | Diff line number | Diff line change
@@ -1,12 +1,12 @@
11
---
2-
title: How it works Azure MFA - Azure Active Directory
3-
description: Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process.
2+
title: Azure Multi-Factor Authentication overview
3+
description: Learn how Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process.
44

55
services: multi-factor-authentication
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: conceptual
9-
ms.date: 11/21/2019
9+
ms.date: 04/03/2020
1010

1111
ms.author: iainfou
1212
author: iainfoulds
@@ -17,40 +17,50 @@ ms.collection: M365-identity-device-management
1717
---
1818
# How it works: Azure Multi-Factor Authentication
1919

20-
The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods:
20+
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.
2121

22-
* Something you know (typically a password)
23-
* Something you have (a trusted device that is not easily duplicated, like a phone)
24-
* Something you are (biometrics)
22+
If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor isn't something that's easy for an attacker to obtain or duplicate.
2523

26-
<center>
24+
![Conceptual image of the different forms of multi-factor authentication](./media/concept-mfa-howitworks/methods.png)
2725

28-
![Conceptual authentication methods image](./media/concept-mfa-howitworks/methods.png)</center>
26+
Azure Multi-Factor Authentication works by requiring two or more of the following authentication methods:
2927

30-
Azure Multi-Factor Authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy to use [authentication methods](concept-authentication-methods.md). Users may or may not be challenged for MFA based on configuration decisions that an administrator makes.
28+
* Something you know, typically a password.
29+
* Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.
30+
* Something you are - biometrics like a fingerprint or face scan.
3131

32-
## How to get Multi-Factor Authentication?
32+
Users can register themselves for both self-service password reset and Azure Multi-Factor Authentication in one step to simplify the on-boarding experience. Administrators can define what forms of secondary authentication can be used. Azure Multi-Factor Authentication can also be required when users perform a self-service password reset to further secure that process.
3333

34-
Multi-Factor Authentication comes as part of the following offerings:
34+
![Authentication methods in use at the sign-in screen](media/concept-authentication-methods/overview-login.png)
3535

36-
* **Azure Active Directory Premium** or **Microsoft 365 Business** - Full featured use of Azure Multi-Factor Authentication using Conditional Access policies to require multi-factor authentication.
36+
Azure Multi-Factor Authentication helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy to use [authentication methods](concept-authentication-methods.md). Users may or may not be challenged for MFA based on configuration decisions that an administrator makes.
3737

38-
* **Azure AD Free** or standalone **Office 365** licenses - Use [Security Defaults](../fundamentals/concept-fundamentals-security-defaults.md) to require multi-factor authentication for your users and administrators.
38+
Your applications or services don't need to make any changes to use Azure Multi-Factor Authentication. The verification prompts are part of the Azure AD sign-in event, which automatically requests and processes the MFA challenge when required.
3939

40-
* **Azure Active Directory Global Administrators** - A subset of Azure Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.
40+
## Available verification methods
4141

42-
> [!NOTE]
43-
> New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1st, 2018. Multi-factor authentication will continue to be an available feature in Azure AD Premium licenses.
42+
When a user signs in to an application or service and receive an MFA prompt, they can choose from one of their registered forms of additional verification. An administrator could require registration of these Azure Multi-Factor Authentication verification methods, or the user can access their own [My Profile](https://myprofile.microsoft.com) to edit or add verification methods.
4443

45-
## Supportability
44+
The following additional forms of verification can be used with Azure Multi-Factor Authentication:
4645

47-
Since most users are accustomed to using only passwords to authenticate, it is important that your organization communicates to all users regarding this process. Awareness can reduce the likelihood that users call your help desk for minor issues related to MFA. However, there are some scenarios where temporarily disabling MFA is necessary. Use the following guidelines to understand how to handle those scenarios:
46+
* Microsoft Authenticator app
47+
* OATH Hardware token
48+
* SMS
49+
* Voice call
4850

49-
* Train your support staff to handle scenarios where the user can't sign in because they do not have access to their authentication methods or they are not working correctly.
50-
* Using Conditional Access policies for Azure MFA Service, your support staff can add a user to a group that is excluded from a policy requiring MFA.
51-
* Consider using Conditional Access named locations as a way to minimize two-step verification prompts. With this functionality, administrators can bypass two-step verification for users that are signing in from a secure trusted network location such as a network segment used for new user onboarding.
52-
* Deploy [Azure AD Identity Protection](../active-directory-identityprotection.md) and trigger two-step verification based on risk detections.
51+
## How to enable and use Azure Multi-Factor Authentication
52+
53+
Users and groups can be enabled for Azure Multi-Factor Authentication to prompt for additional verification during the sign-in event. [Security defaults](../fundamentals/concept-fundamentals-security-defaults.md) are available for all Azure AD tenants to quickly enable the use of the Microsoft Authenticator app for all users.
54+
55+
For more granular controls, [Conditional Access](../conditional-access/overview.md) policies can be used to define events or applications that require MFA. These policies can allow regular sign-in events when the user is on the corporate network or a registered device, but prompt for additional verification factors when remote or on a personal device.
56+
57+
![Overview diagram of how Conditional Access works to secure the sign-in process](media/tutorial-enable-azure-mfa/conditional-access-overview.png)
5358

5459
## Next steps
5560

56-
- [Step-by-step Azure Multi-Factor Authentication deployment](howto-mfa-getstarted.md)
61+
To learn about licensing, see [Features and licenses for Azure Multi-Factor Authentication](concept-mfa-licensing.md).
62+
63+
To see MFA in action, enable Azure Multi-Factor Authentication for a set of test users in the following tutorial:
64+
65+
> [!div class="nextstepaction"]
66+
> [Enable Azure Multi-Factor Authentication](tutorial-mfa-applications.md)
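Review bot: the deleted "Supportability" section (old lines 45-52) is not carried over anywhere in the new text, so the guidance on help-desk handling of users locked out of their methods, excluding users from an MFA policy through a group, named locations to reduce prompts, and risk-based prompting with Identity Protection disappears from the docs with this change; keep a short operational-considerations paragraph here or move those bullets into howto-mfa-getstarted.md, which this same commit edits. Two smaller points: new line 42 reads "When a user signs in ... and receive an MFA prompt", which should be "receives"; and the new line 38 claim that "Your applications or services don't need to make any changes" holds only for applications that authenticate through Azure AD sign-in, which is worth stating so readers with directly authenticating apps are not misled.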

articles/active-directory/authentication/howto-mfa-getstarted.md

Lines changed: 16 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -1,6 +1,6 @@
11
---
2-
title: Deploy Azure Multi-Factor Authentication - Azure Active Directory
3-
description: Microsoft Azure Multi-Factor Authentication deployment planning
2+
title: Deployment considerations for Azure Multi-Factor Authentication
3+
description: Learn about deployment considerations and strategy for successful implementation of Azure Multi-Factor Authentication
44

55
services: multi-factor-authentication
66
ms.service: active-directory
@@ -15,12 +15,19 @@ ms.reviewer: michmcla
1515

1616
ms.collection: M365-identity-device-management
1717
---
18-
# Planning a cloud-based Azure Multi-Factor Authentication deployment
18+
# Plan an Azure Multi-Factor Authentication deployment
1919

2020
People are connecting to organizational resources in increasingly complicated scenarios. People connect from organization-owned, personal, and public devices on and off the corporate network using smart phones, tablets, PCs, and laptops, often on multiple platforms. In this always-connected, multi-device and multi-platform world, the security of user accounts is more important than ever. Passwords, no matter their complexity, used across devices, networks, and platforms are no longer sufficient to ensure the security of the user account, especially when users tend to reuse passwords across accounts. Sophisticated phishing and other social engineering attacks can result in usernames and passwords being posted and sold across the dark web.
2121

2222
[Azure Multi-Factor Authentication (MFA)](concept-mfa-howitworks.md) helps safeguard access to data and applications. It provides an additional layer of security using a second form of authentication. Organizations can use [Conditional Access](../conditional-access/overview.md) to make the solution fit their specific needs.
2323

24+
This deployment guide shows you how to plan and then test an Azure Multi-Factor Authentication roll-out.
25+
26+
To quickly see Azure Multi-Factor Authentication in action and then come back to understand additional deployment considerations:
27+
28+
> [!div class="nextstepaction"]
29+
> [Enable Azure Multi-Factor Authentication](tutorial-enable-azure-mfa.md)
30+
2431
## Prerequisites
2532

2633
Before starting a deployment of Azure Multi-Factor Authentication, there are prerequisite items that should be considered.
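Review bot: the nextstepaction link added at new line 29 points to tutorial-enable-azure-mfa.md, while the link with the identical text "Enable Azure Multi-Factor Authentication" added to concept-mfa-howitworks.md in this same commit points to tutorial-mfa-applications.md; pick one target for that link text, or differentiate the text, so readers arriving from either page land on the tutorial they were promised.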
@@ -170,7 +177,7 @@ Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-
170177

171178
If your users were enabled using per-user enabled and enforced Azure Multi-Factor Authentication the following PowerShell can assist you in making the conversion to Conditional Access based Azure Multi-Factor Authentication.
172179

173-
Run this PowerShell in an ISE window or save as a .PS1 file to run locally.
180+
Run this PowerShell in an ISE window or save as a `.PS1` file to run locally.
174181

175182
```PowerShell
176183
# Sets the MFA requirement state
@@ -314,7 +321,7 @@ On each AD FS server, in the local computer My Store, there will be a self-signe
314321

315322
If the validity period of your certificates is nearing expiration, [generate and verify a new MFA certificate on each AD FS server](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa#configure-the-ad-fs-servers).
316323

317-
The following guidance details how to manage the Azure MFA certificates on your AD FS servers. When you configure AD FS with Azure MFA, the certificates generated via the `New-AdfsAzureMfaTenantCertificate` PowerShell cmdlet are valid for 2 years. Renew and install the renewed certificates prior to expiration to ovoid disruptions in MFA service.
324+
The following guidance details how to manage the Azure MFA certificates on your AD FS servers. When you configure AD FS with Azure MFA, the certificates generated via the `New-AdfsAzureMfaTenantCertificate` PowerShell cmdlet are valid for two years. Renew and install the renewed certificates prior to expiration to ovoid disruptions in MFA service.
318325

319326
## Implement your plan
320327

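Review bot: new line 324 changes "2 years" to "two years" but leaves the typo "ovoid disruptions" in the same sentence; it should read "avoid disruptions". Since the line is already being edited, a suggested lead time for renewal (rather than "prior to expiration") would make the instruction actionable for whoever schedules the `New-AdfsAzureMfaTenantCertificate` run.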
@@ -354,6 +361,7 @@ Find solutions for common issues with Azure MFA at the [Troubleshooting Azure Mu
354361

355362
## Next steps
356363

357-
* [What are authentication methods?](concept-authentication-methods.md)
358-
* [Enable converged registration for Azure Multi-Factor Authentication and Azure AD self-service password reset](concept-registration-mfa-sspr-converged.md)
359-
* Why was a user prompted or not prompted to perform MFA? See the section [Azure AD sign-ins report in the Reports in Azure Multi-Factor Authentication document](howto-mfa-reporting.md#azure-ad-sign-ins-report).
364+
To see Azure Multi-Factor Authentication in action, complete the following tutorial:
365+
366+
> [!div class="nextstepaction"]
367+
> [Enable Azure Multi-Factor Authentication](tutorial-enable-azure-mfa.md)
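Review bot: the replaced Next steps (old lines 357-359) drop the pointer to the Azure AD sign-ins report for answering "why was a user prompted or not prompted to perform MFA", along with the links to authentication methods and converged registration; the reporting link is precisely what readers of a deployment guide need when validating Conditional Access policies, so keep it alongside the new tutorial link rather than reducing the section to a single call to action.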

articles/active-directory/authentication/howto-mfa-nps-extension.md

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -75,6 +75,7 @@ The NPS server needs to be able to communicate with the following URLs over port
7575

7676
- https:\//adnotifications.windowsazure.com
7777
- https:\//login.microsoftonline.com
78+
- https:\//credentials.azure.com
7879

7980
Additionally, connectivity to the following URLs is required to complete the [setup of the adapter using the provided PowerShell script](#run-the-powershell-script)
8081

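Review bot: the new allow-list entry at line 78 (https://credentials.azure.com) carries no note of what the NPS extension uses it for or which extension version introduced the dependency, and the surrounding text only says these URLs must be reachable "over port 443"; administrators who maintain egress allow-lists need that to justify and scope the rule, so add a short parenthetical on its purpose and, if the requirement is version-specific, say so.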