Merge pull request #195801 from MicrosoftDocs/main

4/21 PM Publish

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -10700,6 +10700,11 @@
       "redirect_url": "/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory-b2c/partner-azure-web-application-firewall.md",
+      "redirect_url": "/azure/active-directory-b2c/partner-gallery",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory-b2c/troubleshoot-custom-policies.md",
       "redirect_url": "/azure/active-directory-b2c/troubleshoot",

articles/active-directory-b2c/TOC.yml

@@ -386,8 +386,6 @@
       items:
       - name: Akamai
         href: partner-akamai.md
-      - name: Azure WAF
-        href: partner-azure-web-application-firewall.md
       - name: Cloudflare
         href: partner-cloudflare.md
     - name: Fraud protection partners

articles/active-directory-b2c/partner-azure-web-application-firewall.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 01/11/2021
+ms.date: 04/21/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -95,7 +95,6 @@ Microsoft partners with the following ISVs for Web Application Firewall (WAF).
 | ISV partner | Description and integration walkthroughs |
 |:-------------------------|:--------------|
 |  ![Screenshot of Akamai logo](./media/partner-gallery/akamai-logo.png) | [Akamai WAF](./partner-akamai.md) allows fine grained manipulation of traffic to protect and secure your identity infrastructure against malicious attacks.  |
-|  ![Screenshot of Azure WAF logo](./media/partner-gallery/azure-web-application-firewall-logo.png) | [Azure WAF](./partner-azure-web-application-firewall.md) provides centralized protection of your web applications from common exploits and vulnerabilities.  |
 ![Screenshot of Cloudflare logo](./media/partner-gallery/cloudflare-logo.png) | [Cloudflare](./partner-cloudflare.md) is a WAF provider that helps organizations protect against malicious attacks that aim to exploit vulnerabilities such as SQLi, and XSS. |
 
 

articles/active-directory-b2c/partner-gallery.md

@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
 If your organization is federated with Azure Active Directory, use Azure AD Multi-Factor Authentication or Active Directory Federation Services (AD FS) to secure resources that are accessed by Azure AD. Use the following procedures to secure Azure Active Directory resources with either Azure AD Multi-Factor Authentication or Active Directory Federation Services.
 
 >[!NOTE]
->Set the domain setting [federatedIdpMfaBehavior](/graph/api/resources/federatedIdpMfaBehavior?view=graph-rest-beta&preserve-view=true) to `enforceMfaByFederatedIdp` (recommended) or **SupportsMFA** to `$True`. The **federatedIdpMfaBehavior** setting overrides **SupportsMFA** when both are set.
+>Set the domain setting [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values) to `enforceMfaByFederatedIdp` (recommended) or **SupportsMFA** to `$True`. The **federatedIdpMfaBehavior** setting overrides **SupportsMFA** when both are set.
 
 ## Secure Azure AD resources using AD FS
 

articles/active-directory/authentication/howto-mfa-adfs.md

@@ -21,7 +21,7 @@ Token expiration and refresh are a standard mechanism in the industry. When a cl
 
 Customers have expressed concerns about the lag between when conditions change for a user, and when policy changes are enforced. Azure AD has experimented with the "blunt object" approach of reduced token lifetimes but found they can degrade user experiences and reliability without eliminating risks.
 
-Timely response to policy violations or security issues really requires a "conversation" between the token issuer (Azure AD), and the relying party (enlightened app). This two-way conversation gives us two important capabilities. The relying party can see when properties change, like network location, and tell the token issuer. It also gives the token issuer a way to tell the relying party to stop respecting tokens for a given user because of account compromise, disablement, or other concerns. The mechanism for this conversation is continuous access evaluation (CAE). The goal is for response to be near real time, but latency of up to 15 minutes may be observed because of event propagation time.
+Timely response to policy violations or security issues really requires a "conversation" between the token issuer (Azure AD), and the relying party (enlightened app). This two-way conversation gives us two important capabilities. The relying party can see when properties change, like network location, and tell the token issuer. It also gives the token issuer a way to tell the relying party to stop respecting tokens for a given user because of account compromise, disablement, or other concerns. The mechanism for this conversation is continuous access evaluation (CAE). The goal for critical event evaluation is for response to be near real time, but latency of up to 15 minutes may be observed because of event propagation time; however, IP locations policy enforcement is instant.
 
 The initial implementation of continuous access evaluation focuses on Exchange, Teams, and SharePoint Online.
 

articles/active-directory/conditional-access/concept-continuous-access-evaluation.md

@@ -2,16 +2,16 @@
 title: Microsoft identity platform scopes, permissions, & consent
 description: Learn about authorization in the Microsoft identity platform endpoint, including scopes, permissions, and consent.
 services: active-directory
-author: rwike77
+author: mmacy
 manager: CelesteDG
 
 ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 01/14/2022
-ms.author: ryanwi
-ms.reviewer: ludwignick, phsignor
+ms.date: 04/21/2022
+ms.author: marsma
+ms.reviewer: jawoods, ludwignick, phsignor
 ms.custom: aaddev, fasttrack-edit, contperf-fy21q1, identityplatformtop40, has-adal-ref
 ---
 
@@ -21,7 +21,7 @@ Applications that integrate with the Microsoft identity platform follow an autho
 
 ## Scopes and permissions
 
-The Microsoft identity platform implements the [OAuth 2.0](active-directory-v2-protocols.md) authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user. Any web-hosted resource that integrates with the Microsoft identity platform has a resource identifier, or *application ID URI*. 
+The Microsoft identity platform implements the [OAuth 2.0](active-directory-v2-protocols.md) authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user. Any web-hosted resource that integrates with the Microsoft identity platform has a resource identifier, or *application ID URI*.
 
 Here are some examples of Microsoft web-hosted resources:
 
@@ -73,7 +73,7 @@ If you request the OpenID Connect scopes and a token, you'll get a token to call
 
 ### openid
 
-If an app signs in by using [OpenID Connect](active-directory-v2-protocols.md), it must request the `openid` scope. The `openid` scope appears on the work account consent page as the **Sign you in** permission. On the personal Microsoft account consent page, it appears as the **View your profile and connect to apps and services using your Microsoft account** permission. 
+If an app signs in by using [OpenID Connect](active-directory-v2-protocols.md), it must request the `openid` scope. The `openid` scope appears on the work account consent page as the **Sign you in** permission.
 
 By using this permission, an app can receive a unique identifier for the user in the form of the `sub` claim. The permission also gives the app access to the UserInfo endpoint. The `openid` scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication.
 

articles/active-directory/develop/v2-permissions-and-consent.md

@@ -93,10 +93,10 @@ Before you can begin enabling modern authentication on-premises, please be sure
 Steps for enabling modern authentication can be found in the following articles:
 
 * [How to configure Exchange Server on-premises to use Hybrid Modern Authentication](/office365/enterprise/configure-exchange-server-for-hybrid-modern-authentication)
-* [How to use Modern Authentication (ADAL) with Skype for Business](/skypeforbusiness/manage/authentication/use-adal)
+* [How to use Modern Authentication with Skype for Business](/skypeforbusiness/manage/authentication/use-adal)
 
 ## Next steps
 
 - [How to configure Exchange Server on-premises to use Hybrid Modern Authentication](/office365/enterprise/configure-exchange-server-for-hybrid-modern-authentication)
-- [How to use Modern Authentication (ADAL) with Skype for Business](/skypeforbusiness/manage/authentication/use-adal)
-- [Block legacy authentication](../conditional-access/block-legacy-authentication.md)
+- [How to use Modern Authentication with Skype for Business](/skypeforbusiness/manage/authentication/use-adal)
+- [Block legacy authentication](../conditional-access/block-legacy-authentication.md)

articles/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication.md

@@ -8,29 +8,26 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 3/1/2021
+ms.date: 04/21/2022
 ms.author: baselden
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
-
-# Introduction to securing Azure service accounts
+# Securing cloud-based service accounts
 
 There are three types of service accounts native to Azure Active Directory: Managed identities, service principals, and user-based service accounts. Service accounts are a special type of account that is intended to represent a non-human entity such as an application, API, or other service. These entities operate within the security context provided by the service account. 
 
 ## Types of Azure Active Directory service accounts
 
 For services hosted in Azure, we recommend using a managed identity if possible, and a service principal if not. Managed identities can’t be used for services hosted outside of Azure. In that case, we recommend a service principal. If you can use a managed identity or a service principal, do so. We recommend that you not use an Azure Active Directory user account as a service account. See the following table for a summary.
- 
 
 | Service hosting| Managed identity| Service principal| Azure user account |
 | - | - | - | - |
 |Service is hosted in Azure.| Yes. <br>Recommended if the service <br>supports a Managed Identity.| Yes.| Not recommended. |
 | Service is not hosted in Azure.| No| Yes. Recommended.| Not recommended. |
 | Service is multi-tenant| No| Yes. Recommended.| No. |
 
-
 ## Managed identities
 
 Managed identities are secure Azure Active Directory (Azure AD) identities created to provide identities for Azure resources. There are [two types of managed identities](../managed-identities-azure-resources/overview.md#managed-identity-types): 
@@ -50,11 +47,9 @@ A service principal is the local representation of an application object in a si
 There are two mechanisms for authentication using service principals—client certificates and client secrets. Certificates are more secure: use client certificates if possible. Unlike client secrets, client certificates cannot accidentally be embedded in code.
 
 For information on securing service principals, see [Securing service principals](service-accounts-principal.md).
-
 
 ## Next steps
 
-
 For more information on securing Azure service accounts, see:
 
 [Securing managed identities](service-accounts-managed-identities.md)

articles/active-directory/fundamentals/service-accounts-introduction-azure.md

@@ -1,5 +1,5 @@
 ---
-title: Introduction to Active Directory service accounts | Azure Active Directory
+title: Introduction to Active Directory service accounts
 description: An introduction to the types of service accounts in Active Directory, and how to secure them.
 services: active-directory
 author: BarbaraSelden
@@ -8,14 +8,13 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 2/15/2021
+ms.date: 04/21/2022
 ms.author: baselden
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
-
-# Introduction to Active Directory service accounts
+# Securing on-premises service accounts
 
 A service has a primary security identity that determines the access rights for local and network resources. The security context for a Microsoft Win32 service is determined by the service account that's used to start the service. You use a service account to:
 * Identify and authenticate a service.
@@ -57,7 +56,6 @@ A local user account (name format: *.\UserName*) exists only in the Security Acc
 
 ## Choose the right type of service account
 
-
 | Criterion| gMSA| sMSA| Computer account| User account |
 | - | - | - | - | - |
 | App runs on a single server| Yes| Yes. Use a gMSA if possible.| Yes. Use an MSA if possible.| Yes. Use an MSA if possible. |
@@ -68,7 +66,6 @@ A local user account (name format: *.\UserName*) exists only in the Security Acc
 | Requirement to restrict service account to single server| No| Yes| Yes. Use an sMSA if possible.| No |
 | | |
 
-
 ### Use server logs and PowerShell to investigate
 
 You can use server logs to determine which servers, and how many servers, an application is running on.
@@ -113,8 +110,6 @@ After you've found the service accounts in your on-premises environment, documen
 
 * **Password security**: For user and local computer accounts, where the password is stored. Ensure that passwords are kept secure, and document who has access. Consider using [Privileged Identity Management](../privileged-identity-management/pim-configure.md) to secure stored passwords. 
 
-  
-
 ## Next steps
 
 To learn more about securing service accounts, see the following articles:
@@ -124,4 +119,3 @@ To learn more about securing service accounts, see the following articles:
 * [Secure computer accounts](service-accounts-computer.md)  
 * [Secure user accounts](service-accounts-user-on-premises.md)  
 * [Govern on-premises service accounts](service-accounts-govern-on-premises.md)
-