
Commit 6b4acb1

committed
Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs into amsolomo-azure-docs-local
2 parents 83fd829 + bdc2027 commit 6b4acb1

912 files changed

+4481
-2699
lines changed

articles/active-directory-b2c/conditional-access-identity-protection-overview.md

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: overview
9-
ms.date: 03/03/2021
9+
ms.date: 05/13/2021
1010

1111
ms.author: mimart
1212
author: msmimart
@@ -16,8 +16,6 @@ ms.collection: M365-identity-device-management
1616
---
1717
# Identity Protection and Conditional Access for Azure AD B2C
1818

19-
[!INCLUDE [b2c-public-preview-feature](../../includes/active-directory-b2c-public-preview.md)]
20-
2119
Enhance the security of Azure Active Directory B2C (Azure AD B2C) with Azure AD Identity Protection and Conditional Access. The Identity Protection risk-detection features, including risky users and risky sign-ins, are automatically detected and displayed in your Azure AD B2C tenant. You can create Conditional Access policies that use these risk detections to determine actions and enforce organizational policies. Together, these capabilities give Azure AD B2C application owners greater control over risky authentications and access policies.
2220

2321
If you're already familiar with [Identity Protection](../active-directory/identity-protection/overview-identity-protection.md) and [Conditional Access](../active-directory/conditional-access/overview.md) in Azure AD, using these capabilities with Azure AD B2C will be a familiar experience, with the minor differences discussed in this article.
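Review bot: the only body change here is dropping the public-preview include at line 19, which is this commit's signal that the feature has left preview; the portal steps later in this article should be checked for leftover "(Preview)" labels in the same pass, as the conditional-access-user-flow.md and identity-protection-investigate-risk.md hunks in this commit do.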

articles/active-directory-b2c/conditional-access-technical-profile.md

Lines changed: 1 addition & 3 deletions
@@ -9,7 +9,7 @@ manager: celestedg
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: reference
12-
ms.date: 04/19/2021
12+
ms.date: 05/13/2021
1313
ms.author: mimart
1414
ms.subservice: B2C
1515
---
@@ -20,8 +20,6 @@ ms.subservice: B2C
2020

2121
Azure Active Directory (Azure AD) Conditional Access is the tool used by Azure AD B2C to bring signals together, make decisions, and enforce organizational policies. Automating risk assessment with policy conditions means risky sign-ins are at once identified and remediated or blocked.
2222

23-
[!INCLUDE [b2c-public-preview-feature](../../includes/active-directory-b2c-public-preview.md)]
24-
2523
## Protocol
2624

2725
The **Name** attribute of the **Protocol** element needs to be set to `Proprietary`. The **handler** attribute must contain the fully qualified name of the protocol handler assembly that is used by Azure AD B2C:
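Review bot: the unchanged context at line 21 makes the same claim as conditional-access-user-flow.md line 25 in this commit but with different wording ("at once identified and remediated or blocked" versus "identified immediately and then either remediated or blocked"); since both files are touched here, align the sentence, preferring the user-flow phrasing, which makes clear that remediation and blocking are alternative outcomes rather than a sequence.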

articles/active-directory-b2c/conditional-access-user-flow.md

Lines changed: 16 additions & 12 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: overview
9-
ms.date: 05/06/2021
9+
ms.date: 05/13/2021
1010
ms.custom: project-no-code
1111
ms.author: mimart
1212
author: msmimart
@@ -24,8 +24,6 @@ Conditional Access can be added to your Azure Active Directory B2C (Azure AD B2C
2424

2525
Automating risk assessment with policy conditions means risky sign-ins are identified immediately and then either remediated or blocked.
2626

27-
[!INCLUDE [b2c-public-preview-feature](../../includes/active-directory-b2c-public-preview.md)]
28-
2927
## Service overview
3028

3129
Azure AD B2C evaluates each sign-in event and ensures that all policy requirements are met before granting the user access. During this **Evaluation** phase, the Conditional Access service evaluates the signals collected by Identity Protection risk detections during sign-in events. The outcome of this evaluation process is a set of claims that indicates whether the sign-in should be granted or blocked. The Azure AD B2C policy uses these claims to take an action within the user flow, such as blocking access or challenging the user with a specific remediation like multi-factor authentication (MFA). “Block access” overrides all other settings.
@@ -52,13 +50,13 @@ In the *Remediation* phase that follows, the user is challenged with MFA. Once c
5250

5351
The remediation may also happen through other channels. For example, when the account's password is reset, either by the administrator or by the user. You can check the the user *Risk state* in the [risky users report](identity-protection-investigate-risk.md#navigating-the-risky-users-report).
5452

53+
::: zone pivot="b2c-custom-policy"
54+
5555
> [!IMPORTANT]
5656
> To remediate the risk successfully within the journey, make sure the *Remediation* technical profile is called after the *Evaluation* technical profile is executed. If *Evaluation* is invoked without *Remediation*, the risk state will be *At risk*.
5757
5858
When the *Evaluation* technical profile recommendation returns `Block`, the call to the *Evaluation* technical profile is not required. The risk state is set to *At risk*.
5959

60-
::: zone pivot="b2c-custom-policy"
61-
6260
The following example shows a Conditional Access technical profile used to remediate the identified threat:
6361

6462
```XML
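Review bot: the unchanged context at line 58 says that when *Evaluation* returns `Block` "the call to the *Evaluation* technical profile is not required", which contradicts the IMPORTANT note just above it about calling *Remediation* after *Evaluation*; the second reference should read *Remediation*, since a blocked sign-in has nothing to remediate and the risk state stays *At risk*. Moving `::: zone pivot="b2c-custom-policy"` up to line 53 also pulls the IMPORTANT note inside the custom-policy pivot, so confirm the matching `::: zone-end` (outside this hunk) still closes it, and fix the doubled "the the user" at line 51 while here.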
@@ -123,7 +121,7 @@ A Conditional Access policy is an if-then statement of assignments and access co
123121
To add a Conditional Access policy:
124122

125123
1. In the Azure portal, search for and select **Azure AD B2C**.
126-
1. Under **Security**, select **Conditional Access (Preview)**. The **Conditional Access Policies** page opens.
124+
1. Under **Security**, select **Conditional Access**. The **Conditional Access Policies** page opens.
127125
1. Select **+ New policy**.
128126
1. Enter a name for the policy, such as *Block risky sign-in*.
129127
1. Under **Assignments**, choose **Users and groups**, and then select the one of the following supported configurations:
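Review bot: the unchanged context at line 127 has a stray article, "select the one of the following supported configurations"; drop "the" while the portal labels in this list are being renamed.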
@@ -233,11 +231,17 @@ Multiple Conditional Access policies may apply to an individual user at any time
233231

234232
## Enable multi-factor authentication (optional)
235233

236-
When adding Conditional Access to a user flow, consider the use of **Multi-factor authentication (MFA)**. Users can use a one-time code via SMS or voice, or a one-time password via email for multi-factor authentication. MFA settings are independent from Conditional Access settings. You can choose from these MFA options:
234+
When adding Conditional Access to a user flow, consider using **Multi-factor authentication (MFA)**. Users can use a one-time code via SMS or voice, or a one-time password via email for multi-factor authentication. MFA settings are configured separately from Conditional Access settings. You can choose from these MFA options:
235+
236+
- **Off** - MFA is never enforced during sign-in, and users are not prompted to enroll in MFA during sign-up or sign-in.
237+
- **Always on** - MFA is always required, regardless of your Conditional Access setup. During sign-up, users are prompted to enroll in MFA. During sign-in, if users aren't already enrolled in MFA, they're prompted to enroll.
238+
- **Conditional** - During sign-up and sign-in, users are prompted to enroll in MFA (both new users and existing users who aren't enrolled in MFA). During sign-in, MFA is enforced only when an active Conditional Access policy evaluation requires it:
239+
240+
- If the result is an MFA challenge with no risk, MFA is enforced. If the user isn't already enrolled in MFA, they're prompted to enroll.
241+
- If the result is an MFA challenge due to risk *and* the user is not enrolled in MFA, sign-in is blocked.
237242

238-
- **Off** - MFA is never enforced during sign-in, and users are not prompted to enroll in MFA during sign-up or sign-in.
239-
- **Always on** - MFA is always required regardless of your Conditional Access setup. If users aren't already enrolled in MFA, they're prompted to enroll during sign-in. During sign-up, users are prompted to enroll in MFA.
240-
- **Conditional (Preview)** - MFA is required only when an active Conditional Access Policy requires it. If the result of the Conditional Access evaluation is an MFA challenge with no risk, MFA is enforced during sign-in. If the result is an MFA challenge due to risk *and* the user is not enrolled in MFA, sign-in is blocked. During sign-up, users aren't prompted to enroll in MFA.
243+
> [!NOTE]
244+
> With general availability of Conditional Access in Azure AD B2C, users are now prompted to enroll in an MFA method during sign-up. Any sign-up user flows you created prior to general availability won't automatically reflect this new behavior, but you can include the behavior by creating new user flows.
241245
242246
::: zone pivot="b2c-user-flow"
243247

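Review bot: the rewritten **Conditional** bullet changes documented behaviour, not just wording: the removed line 240 said that under Conditional "During sign-up, users aren't prompted to enroll in MFA", while the new line 238 says they are prompted at both sign-up and sign-in. The added NOTE covers pre-existing user flows, but the bullet should also give prominence to new line 241, the case where a risk-triggered MFA challenge for an unenrolled user blocks the sign-in instead of prompting enrollment; that fail-closed outcome is what operators will see in support tickets, and it reads better as the first sub-bullet rather than the last.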
@@ -255,9 +259,9 @@ To enable Conditional Access for a user flow, make sure the version supports Con
255259

256260
![Configure MFA and Conditional Access in Properties](media/conditional-access-user-flow/add-conditional-access.png)
257261

258-
1. In the **Multifactor authentication** section, select the desired **Type of method**, and then under **MFA enforcement**, select **Conditional (Preview)**.
262+
1. In the **Multifactor authentication** section, select the desired **Type of method**, and then under **MFA enforcement**, select **Conditional**.
259263

260-
1. In the **Conditional access (Preview)** section, select the **Enforce conditional access policies** check box.
264+
1. In the **Conditional access** section, select the **Enforce conditional access policies** check box.
261265

262266
1. Select **Save**.
263267

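Review bot: capitalization is inconsistent after the rename: line 264 introduces the "**Conditional access** section" while line 124 of the same file uses "**Conditional Access**" for the portal menu item; pick one form, matching the portal label. Also verify that media/conditional-access-user-flow/add-conditional-access.png at line 260, which is not updated in this commit, no longer shows the "(Preview)" suffixes removed from the text here.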
articles/active-directory-b2c/identity-protection-investigate-risk.md

Lines changed: 3 additions & 5 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: overview
9-
ms.date: 03/03/2021
9+
ms.date: 05/13/2021
1010
ms.custom: project-no-code
1111
ms.author: mimart
1212
author: msmimart
@@ -16,8 +16,6 @@ zone_pivot_groups: b2c-policy-type
1616
---
1717
# Investigate risk with Identity Protection in Azure AD B2C
1818

19-
[!INCLUDE [b2c-public-preview-feature](../../includes/active-directory-b2c-public-preview.md)]
20-
2119
Identity Protection provides ongoing risk detection for your Azure AD B2C tenant. It allows organizations to discover, investigate, and remediate identity-based risks. Identity Protection comes with risk reports that can be used to investigate identity risks in Azure AD B2C tenants. In this article, you learn how to investigate and mitigate risks.
2220

2321
## Overview
@@ -89,7 +87,7 @@ An administrator can choose to dismiss a user's risk in the Azure portal or prog
8987

9088
1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
9189

92-
1. Under **Security**, select **Risky users (Preview)**.
90+
1. Under **Security**, select **Risky users**.
9391

9492
![Risky users](media/identity-protection-investigate-risk/risky-users.png)
9593

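Review bot: the rename at line 90 drops "(Preview)" from the menu label, but the screenshot media/identity-protection-investigate-risk/risky-users.png referenced at line 92 is not updated in this commit; confirm it does not still show the preview label, otherwise the text and the image disagree for readers following the steps.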
@@ -113,7 +111,7 @@ Administrators can then choose to return to the user's risk or sign-ins report t
113111
### Navigating the risk detections report
114112

115113
1. In the Azure portal, search for and select **Azure AD B2C**.
116-
1. Under **Security**, select **Risk detections (Preview)**.
114+
1. Under **Security**, select **Risk detections**.
117115

118116
![Risk detections](media/identity-protection-investigate-risk/risk-detections.png)
119117

articles/active-directory-b2c/multi-factor-authentication.md

Lines changed: 8 additions & 6 deletions
@@ -8,7 +8,7 @@ manager: celestedg
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 04/22/2021
11+
ms.date: 05/13/2021
1212
ms.custom: project-no-code
1313
ms.author: mimart
1414
ms.subservice: B2C
@@ -39,14 +39,16 @@ This feature helps applications handle scenarios such as:
3939
1. In the **Multifactor authentication** section, select the desired **Type of method**. Then under **MFA enforcement** select an option:
4040

4141
- **Off** - MFA is never enforced during sign-in, and users are not prompted to enroll in MFA during sign-up or sign-in.
42-
- **Always on** - MFA is always required (regardless of any Conditional Access setup). If users aren't already enrolled in MFA, they're prompted to enroll during sign-in. During sign-up, users are prompted to enroll in MFA.
43-
- **Conditional (Preview)** - MFA is enforced only when a Conditional Access policy requires it. The policy and sign-in risk determine how MFA is presented to the user:
44-
- If no risk is detected, an MFA challenge is presented to the user during sign-in. If the user isn't already enrolled in MFA, they're prompted to enroll during sign-in.
45-
- If risk is detected and the user isn't already enrolled in MFA, the sign-in is blocked. During sign-up, users aren't prompted to enroll in MFA.
42+
- **Always on** - MFA is always required, regardless of your Conditional Access setup. During sign-up, users are prompted to enroll in MFA. During sign-in, if users aren't already enrolled in MFA, they're prompted to enroll.
43+
- **Conditional** - During sign-up and sign-in, users are prompted to enroll in MFA (both new users and existing users who aren't enrolled in MFA). During sign-in, MFA is enforced only when an active Conditional Access policy evaluation requires it:
44+
45+
- If the result is an MFA challenge with no risk, MFA is enforced. If the user isn't already enrolled in MFA, they're prompted to enroll.
46+
- If the result is an MFA challenge due to risk *and* the user is not enrolled in MFA, sign-in is blocked.
4647

4748
> [!NOTE]
4849
>
49-
> - If you select **Conditional (Preview)**, you'll also need to [add Conditional Access to user flows](conditional-access-user-flow.md), and specify the apps you want the policy to apply to.
50+
> - With general availability of Conditional Access in Azure AD B2C, users are now prompted to enroll in an MFA method during sign-up. Any sign-up user flows you created prior to general availability won't automatically reflect this new behavior, but you can include the behavior by creating new user flows.
51+
> - If you select **Conditional**, you'll also need to [add Conditional Access to user flows](conditional-access-user-flow.md), and specify the apps you want the policy to apply to.
5052
> - Multi-factor authentication (MFA) is disabled by default for sign-up user flows. You can enable MFA in user flows with phone sign-up, but because a phone number is used as the primary identifier, email one-time passcode is the only option available for the second authentication factor.
5153
5254
1. Select **Save**. MFA is now enabled for this user flow.
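Review bot: the **Always on** and **Conditional** bullets at lines 42-46 and the GA note at line 50 are now word-for-word copies of conditional-access-user-flow.md lines 236-244 in this same commit, and the two copies had already drifted before this change (the removed line 44 here described the no-risk case differently from the removed user-flow line 240); move the shared block into an include and reference it with the `[!INCLUDE]` syntax this repo already uses, so the next behaviour change lands in both articles at once. Also, the new GA note is inserted ahead of the "If you select **Conditional**" bullet; the prerequisite bullet reads better first, with the migration note after it.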

articles/active-directory-b2c/partner-dynamics-365-fraud-protection.md

Lines changed: 3 additions & 3 deletions
@@ -81,7 +81,7 @@ Following is an example:
8181

8282
## Deploy the UI templates
8383

84-
1. Deploy the provided [Azure AD B2C UI templates](https://github.com/azure-ad-b2c/partner-integrations/blob/adstoffe/remove-middle-layer-api/samples/Dynamics-Fraud-Protection/ui-templates) to a public facing internet hosting service such as Azure Blob Storage.
84+
1. Deploy the provided [Azure AD B2C UI templates](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/Dynamics-Fraud-Protection/ui-templates) to a public facing internet hosting service such as Azure Blob Storage.
8585

8686
2. Replace the value `https://<YOUR-UI-BASE-URL>/` with the root URL for your deployment location.
8787

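Review bot: the link fix is right (the old URL pointed at a personal feature branch, `adstoffe/remove-middle-layer-api`, and used `blob/` for a directory), but `tree/master` is a moving target: these UI templates are deployed to a public-facing host and served to end users, so pin the link to a tag or commit, or state which version the instructions were tested against. "public facing" should be hyphenated as "public-facing".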
@@ -107,7 +107,7 @@ See [UI customization documentation](https://docs.microsoft.com/azure/active-dir
107107
108108
### Replace the configuration values
109109

110-
In the provided [custom policies](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/Dynamics-Fraud-Protection/Policies), find the following placeholders and replace them with the corresponding values from your instance.
110+
In the provided [custom policies](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/Dynamics-Fraud-Protection/policies), find the following placeholders and replace them with the corresponding values from your instance.
111111

112112
| Placeholder | Replace with | Notes |
113113
| :-------- | :------------| :-----------|
@@ -134,7 +134,7 @@ In the provided [custom policies](https://github.com/azure-ad-b2c/partner-integr
134134
135135
## Configure the Azure AD B2C policy
136136

137-
1. Go to the [Azure AD B2C policy](https://github.com/azure-ad-b2c/partner-integrations/tree/adstoffe/remove-middle-layer-api/samples/Dynamics-Fraud-Protection/policies) in the Policies folder.
137+
1. Go to the [Azure AD B2C policy](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/Dynamics-Fraud-Protection/policies) in the Policies folder.
138138

139139
2. Follow this [document](./tutorial-create-user-flows.md?pivots=b2c-custom-policy?tabs=applications#custom-policy-starter-pack) to download [LocalAccounts starter pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/LocalAccounts)
140140

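Review bot: the prose at line 137 still says "in the Policies folder" while the corrected URL (and the matching fix at line 110) uses lowercase `policies`; repository paths are case-sensitive, so match the casing in the text. Line 139, unchanged context, has a malformed query string, `?pivots=b2c-custom-policy?tabs=applications`; the second `?` should be `&`, and the sentence is missing its final period.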