MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/custom-policies-series-hello-world.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory-b2c/custom-policies-series-hello-world.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/authentication/concept-system-preferred-multifactor-authentication.md
Lines changed: 5 additions & 2 deletions b/‎articles/active-directory/authentication/concept-system-preferred-multifactor-authentication.md
Lines changed: 5 additions & 2 deletions
diff --git a/‎articles/active-directory/authentication/how-to-authentication-sms-supported-apps.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/authentication/how-to-authentication-sms-supported-apps.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/authentication/howto-mfa-nps-extension.md
Lines changed: 9 additions & 13 deletions b/‎articles/active-directory/authentication/howto-mfa-nps-extension.md
Lines changed: 9 additions & 13 deletions
diff --git a/‎articles/active-directory/devices/assign-local-admin.md
Lines changed: 2 additions & 1 deletion b/‎articles/active-directory/devices/assign-local-admin.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/devices/manage-stale-devices.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/devices/manage-stale-devices.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/fundamentals/service-accounts-principal.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/fundamentals/service-accounts-principal.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
Lines changed: 53 additions & 33 deletions b/‎articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
Lines changed: 53 additions & 33 deletions
@@ -59,7 +59,7 @@ If you haven't already done so, create the following encryption keys. To automat
 
             <BuildingBlocks>
                 <!-- Building Blocks Here-->
-            <BuildingBlocks>
+            </BuildingBlocks>
 
             <ClaimsProviders>
                 <!-- Claims Providers Here-->
@@ -303,4 +303,4 @@ Next, learn:
 
 - About custom policy [claims data type](claimsschema.md#datatype). 
 
-- About custom policy [user input types](claimsschema.md#userinputtype).
+- About custom policy [user input types](claimsschema.md#userinputtype).
@@ -4,7 +4,7 @@ description: Learn how to use system-preferred multifactor authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 03/02/2023
+ms.date: 03/16/2023
 ms.author: justinha
 author: justinha
 manager: amycolannino
@@ -24,6 +24,9 @@ System-preferred MFA is a Microsoft managed setting, which is a [tristate policy
 
 After system-preferred MFA is enabled, the authentication system does all the work. Users don't need to set any authentication method as their default because the system always determines and presents the most secure method they registered. 
 
+>[!NOTE]
+>System-preferred MFA is a key security upgrade to traditional second factor notifications. We highly recommend enabling system-preferred MFA in the near term for improved sign-in security. 
+
 ## Enable system-preferred MFA
 
 To enable system-preferred MFA in advance, you need to choose a single target group for the schema configuration, as shown in the [Request](#request) example. 
@@ -58,7 +61,7 @@ https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
 
 ### Request
 
-The following example excludes a sample target group and includes all users. For more information, see [Update authenticationMethodsPolicy](/graph/api/authenticationmethodspolicy-update?view=graph-rest-beta).
+The following example excludes a sample target group and includes all users. For more information, see [Update authenticationMethodsPolicy](/graph/api/authenticationmethodspolicy-update).
 
 ```http
 PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
 
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/29/2023
+ms.date: 03/16/2023
 ms.author: justinha
 author: aanjusingh
 manager: amycolannino
@@ -47,7 +47,7 @@ For the same reason, Microsoft Office mobile apps (except Microsoft Teams, Compa
 | --- | --- |
 | Native desktop Microsoft apps | Microsoft Teams, O365 apps, Word, Excel, etc.|
 | Native mobile Microsoft apps (except Microsoft Teams, Company Portal, and Microsoft Azure) | Outlook, Edge, Power BI, Stream, SharePoint, Power Apps, Word, etc.|
-| Microsoft 365 web apps (accessed directly on web) | [Outlook](https://outlook.live.com/owa/), [Word](https://office.live.com/start/Word.aspx), [Excel](https://office.live.com/start/Excel.aspx), [PowerPoint](https://office.live.com/start/PowerPoint.aspx), [OneDrive](https://onedrive.live.com/about/signin)|  
+| Microsoft 365 web apps (accessed directly on web) | [Outlook](https://outlook.live.com/owa/), [Word](https://office.live.com/start/Word.aspx), [Excel](https://office.live.com/start/Excel.aspx), [PowerPoint](https://office.live.com/start/PowerPoint.aspx)|  
 
 ## Support for Non-Microsoft apps 
 
 
@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 01/29/2023
+ms.date: 03/16/2023
 
 ms.author: justinha
 author: justinha
@@ -106,21 +106,17 @@ When you install the extension, you need the *Tenant ID* and admin credentials f
 
 The NPS server must be able to communicate with the following URLs over TCP port 443:
 
-* *https:\//strongauthenticationservice.auth.microsoft.com* (for Azure Public cloud customers).
-* *https:\//strongauthenticationservice.auth.microsoft.us* (for Azure Government customers).
-* *https:\//strongauthenticationservice.auth.microsoft.cn* (for Azure China 21Vianet customers). 
-* *https:\//adnotifications.windowsazure.com*
-* *https:\//login.microsoftonline.com*
-* *https:\//credentials.azure.com*
+* `https:\//login.microsoftonline.com`
+* `https:\//credentials.azure.com`
 
 Additionally, connectivity to the following URLs is required to complete the [setup of the adapter using the provided PowerShell script](#run-the-powershell-script):
 
-* *https:\//login.microsoftonline.com*
-* *https:\//provisioningapi.microsoftonline.com*
-* *https:\//aadcdn.msauth.net*
-* *https:\//www.powershellgallery.com*
-* *https:\//go.microsoft.com*
-* *https:\//aadcdn.msftauthimages.net*
+* `https:\//login.microsoftonline.com`
+* `https:\//provisioningapi.microsoftonline.com`
+* `https:\//aadcdn.msauth.net`
+* `https:\//www.powershellgallery.com`
+* `https:\//go.microsoft.com`
+* `https:\//aadcdn.msftauthimages.net`
 
 ## Prepare your environment
 
 
@@ -58,7 +58,8 @@ Device administrators are assigned to all Azure AD joined devices. You can’t s
 
 - Upto 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges. 
 - User signs out and signs back in, not lock/unlock, to refresh their profile.
-- Users won't be listed in the local administrator group, the permissions are received through the Primary Refresh Token. 
+
+Users won't be listed in the local administrator group, the permissions are received through the Primary Refresh Token. 
 
 > [!NOTE]
 > The above actions are not applicable to users who have not signed in to the relevant device previously. In this case, the administrator privileges are applied immediately after their first sign-in to the device. 
 
@@ -425,7 +425,7 @@ Share your feedback about this feature or report problems with using it on the [
 
 ### Missing application
 
-If the Azure Windows VM Sign-In application is missing from Conditional Access, make sure that the application isn't in the tenant:
+If the Azure Windows VM Sign-In application is missing from Conditional Access, make sure that the application is in the tenant:
 
 1. Sign in to the Azure portal.
 1. Browse to **Azure Active Directory** > **Enterprise applications**.
 
@@ -90,7 +90,7 @@ If your device is under control of Intune or any other MDM solution, retire the
 
 ### System-managed devices
 
-Don't delete system-managed devices. These devices are generally devices such as Autopilot. Once deleted, these devices can't be reprovisioned. The new `Get-AzureADDevice` cmdlet excludes system-managed devices by default. 
+Don't delete system-managed devices. These devices are generally devices such as Autopilot. Once deleted, these devices can't be reprovisioned.
 
 ### Hybrid Azure AD joined devices
 
 
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 
 # Securing service principals in Azure Active Directory 
 
-An Azure Active Directory (Azure AD) service principals are the local representation of an application object in a tenant or directory. It's the identity of the application instance. Service principals define application access, and resources the application accesses. A service principal is created in each tenant where the application is used, and references the globally unique application object. The tenant secures the service principal sign-in and access to resources. 
+An Azure Active Directory (Azure AD) service principal is the local representation of an application object in a tenant or directory. It's the identity of the application instance. Service principals define application access and resources the application accesses. A service principal is created in each tenant where the application is used and references the globally unique application object. The tenant secures the service principal sign-in and access to resources. 
 
 Learn more: [Application and service principal objects in Azure AD](../develop/app-objects-and-service-principals.md)
 
 
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: infrastructure-services
 ms.topic: how-to
-ms.date: 01/02/2023
+ms.date: 03/16/2023
 ms.author: jomondi
 ms.reviewer: ludwignick
 ms.custom: seoapril2019, contperf-fy22q2
@@ -33,7 +33,8 @@ For federated users with cloud-enabled credentials, such as SMS sign-in or FIDO
 To configure HRD policy for an application in Azure AD, you need:
 
 - An Azure account with an active subscription. If you don't already have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
+- One of the following roles: Global Administrator, or owner of the service principal.
+
 ::: zone pivot="powershell-hrd"
 - The latest Azure AD PowerShell cmdlet preview.
 ::: zone-end
@@ -91,13 +92,17 @@ The following policy auto-accelerates users to a federated identity provider sig
 ::: zone pivot="powershell-hrd"
 
 ```powershell
-New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true}}") -DisplayName BasicAutoAccelerationPolicy -Type HomeRealmDiscoveryPolicy
+New-AzureADPolicy 
+    -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true}}") -DisplayName BasicAutoAccelerationPolicy 
+    -Type HomeRealmDiscoveryPolicy
 ```
 ::: zone-end
 
 ::: zone pivot="graph-hrd"
 
-```json
+```http
+POST /policies/homeRealmDiscoveryPolicies
+
 "HomeRealmDiscoveryPolicy": {
     "AccelerateToFederatedDomain": true
 }
@@ -109,13 +114,18 @@ The following policy auto-accelerates users to a federated identity provider sig
 ::: zone pivot="powershell-hrd"
 
 ```powershell
-New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true, `"PreferredDomain`":`"federated.example.edu`"}}") -DisplayName MultiDomainAutoAccelerationPolicy -Type HomeRealmDiscoveryPolicy
+New-AzureADPolicy 
+    -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true, `"PreferredDomain`":`"federated.example.edu`"}}") 
+    -DisplayName MultiDomainAutoAccelerationPolicy 
+    -Type HomeRealmDiscoveryPolicy
 ```
 ::: zone-end
 
 ::: zone pivot="graph-hrd"
 
-```json
+```http
+POST /policies/homeRealmDiscoveryPolicies
+
 "HomeRealmDiscoveryPolicy": {
     "AccelerateToFederatedDomain": true,
     "PreferredDomain": [
@@ -128,9 +138,22 @@ New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFe
 The following policy enables username/password authentication for federated users directly with Azure AD for specific applications:
 
 
+::: zone pivot="powershell-hrd"
+
+
+```powershell
+New-AzureADPolicy 
+    -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") 
+    -DisplayName EnableDirectAuthPolicy 
+    -Type HomeRealmDiscoveryPolicy
+```
+::: zone-end
+
+
 ::: zone pivot="graph-hrd"
 
-```json
+```http
+POST /policies/homeRealmDiscoveryPolicies
 
 "EnableDirectAuthPolicy": {
     "AllowCloudPasswordValidation": true
@@ -142,10 +165,6 @@ The following policy enables username/password authentication for federated user
 
 ::: zone pivot="powershell-hrd"
 
-```powershell
-New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName EnableDirectAuthPolicy -Type HomeRealmDiscoveryPolicy
-```
-
 To see your new policy and get its **ObjectID**, run the following command:
 
 ```powershell
@@ -171,7 +190,9 @@ Get-AzureADServicePrincipal
 After you have the **ObjectID** of the service principal of the application for which you want to configure auto-acceleration, run the following command. This command associates the HRD policy that you created in step 1 with the service principal that you located in step 2.
 
 ```powershell
-Add-AzureADServicePrincipalPolicy -Id <ObjectID of the Service Principal> -RefObjectId <ObjectId of the Policy>
+Add-AzureADServicePrincipalPolicy 
+    -Id <ObjectID of the Service Principal> 
+    -RefObjectId <ObjectId of the Policy>
 ```
 
 You can repeat this command for each service principal to which you want to add the policy.
@@ -225,36 +246,35 @@ Use the previous example to get the **ObjectID** of the policy, and that of the
 
 ## Configuring policy through Graph Explorer
 
-Set the HRD policy using Microsoft Graph. See [homeRealmDiscoveryPolicy](/graph/api/resources/homeRealmDiscoveryPolicy?view=graph-rest-1.0&preserve-view=true) resource type for information on how to create the policy.
-
 From the Microsoft Graph explorer window:
 
-1. Grant consent to the *Policy.ReadWrite.ApplicationConfiguration* permission.
-1. Use the URL https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies
-1. POST the new policy to this URL, or PATCH to https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/{policyID} if overwriting an existing one.
-1. POST or PATCH contents:
-
-    ```json
-    {
-        "definition": [
-        "{\"HomeRealmDiscoveryPolicy\":
-        {\"AccelerateToFederatedDomain\":true,
-        \"PreferredDomain\":\"federated.example.edu\",
-        \"AlternateIdLogin\":{\"Enabled\":true}}}"
-    ],
-        "displayName": "Home Realm Discovery auto acceleration",
-        "isOrganizationDefault": true
-    }
+1. Sign in with one of the roles listed in the prerequisites section.
+1. Grant consent to the `Policy.ReadWrite.ApplicationConfiguration` permission.
+1. Use the [Home realm discovery policy](/graph/api/resources/homerealmdiscoverypolicy) to create a new policy.
+1. POST the new policy, or PATCH to update an existing policy.
+
+    ```http
+    PATCH /policies/homeRealmDiscoveryPolicies/{id}
+        {
+            "definition": [
+            "{\"HomeRealmDiscoveryPolicy\":
+            {\"AccelerateToFederatedDomain\":true,
+            \"PreferredDomain\":\"federated.example.edu\",
+            \"AlternateIdLogin\":{\"Enabled\":true}}}"
+        ],
+            "displayName": "Home Realm Discovery auto acceleration",
+            "isOrganizationDefault": true
+        }
     ```
-1. To see your new policy and get its ObjectID, run the following query:  
+1. To view your new policy, run the following query:  
 
     ```http
-    GET https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies
+    GET /policies/homeRealmDiscoveryPolicies/{id}
     ```	
 1. To  delete the HRD policy you created, run the query:
 
     ```http
-    DELETE https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/{policy objectID}
+    DELETE /policies/homeRealmDiscoveryPolicies/{id}
     ```	
 ::: zone-end