
Commit 6fbbbdb

Merge pull request #214566 from MicrosoftDocs/main
Publish to live, Friday 4AM PST 10/14
2 parents b55bb8f + 4eaf8aa commit 6fbbbdb

File tree

56 files changed

+670
-295
lines changed

articles/active-directory/authentication/concept-authentication-strengths.md

Lines changed: 4 additions & 2 deletions
@@ -6,7 +6,7 @@ services: multi-factor-authentication
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: conceptual
9-
ms.date: 10/04/2022
9+
ms.date: 10/13/2022
1010

1111
ms.author: justinha
1212
author: justinha
@@ -188,6 +188,7 @@ In external user scenarios, the authentication methods that can satisfy authenti
188188
|FIDO2 security key | ✅ | |
189189
|Windows Hello for Business | ✅ | |
190190

191+
For more information about how to set authentication strengths for external users, see [Conditional Access: Require an authentication strength for external users](../conditional-access/howto-conditional-access-policy-authentication-strength-external.md).
191192

192193
### User experience for external users
193194

@@ -209,7 +210,8 @@ An authentication strength Conditional Access policy works together with [MFA tr
209210
- **Authentication strength is not enforced on Register security information user action** – If an Authentication strength Conditional Access policy targets **Register security information** user action, the policy would not apply.
210211

211212
- **Conditional Access audit log** – When a Conditional Access policy with the authentication strength grant control is created or updated in the Azure AD portal, the auditing log includes details about the policy that was updated, but doesn't include the details about which authentication strength is referenced by the Conditional Access policy. This issue doesn't exist when a policy is created or updated By using Microsoft Graph APIs.
212-
<!-- Namrata to update about B2B--->
213+
214+
- **Using 'Require one of the selected controls' with 'require authentication strength' control** - After you select authentication strengths grant control and additional controls, all the selected controls must be satisfied in order to gain access to the resource. Using **Require one of the selected controls** isn't applicable, and will default to requiring all the controls in the policy.
213215

214216
## Limitations
215217

articles/active-directory/authentication/how-to-mfa-server-migration-utility.md

Lines changed: 5 additions & 6 deletions
@@ -6,12 +6,12 @@ services: multi-factor-authentication
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 09/14/2022
9+
ms.date: 10/10/2022
1010

1111
ms.author: justinha
1212
author: justinha
1313
manager: martinco
14-
ms.reviewer: michmcla
14+
ms.reviewer: jpettere
1515

1616
ms.collection: M365-identity-device-management
1717
---
@@ -27,8 +27,7 @@ Admins can use the MFA Server Migration Utility to target single users or groups
2727

2828
## Limitations and requirements
2929

30-
- The MFA Server Migration Utility is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
31-
- The MFA Server Migration Utility requires a new preview build of the MFA Server solution to be installed on your Primary MFA Server. The build makes updates to the MFA Server data file, and includes the new MFA Server Migration Utility. You don’t have to update the WebSDK or User portal. Installing the update _doesn't_ start the migration automatically.
30+
- The MFA Server Migration Utility requires a new build of the MFA Server solution to be installed on your Primary MFA Server. The build makes updates to the MFA Server data file, and includes the new MFA Server Migration Utility. You don’t have to update the WebSDK or User portal. Installing the update _doesn't_ start the migration automatically.
3231
- The MFA Server Migration Utility copies the data from the database file onto the user objects in Azure AD. During migration, users can be targeted for Azure AD MFA for testing purposes using [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md). Staged migration lets you test without making any changes to your domain federation settings. Once migrations are complete, you must finalize your migration by making changes to your domain federation settings.
3332
- AD FS running Windows Server 2016 or higher is required to provide MFA authentication on any AD FS relying parties, not including Azure AD and Office 365.
3433
- Review your AD FS claims rules and make sure none requires MFA to be performed on-premises as part of the authentication process.
@@ -130,7 +129,7 @@ Open MFA Server, click **User Portal**:
130129
|- OATH token|See [OATH token documentation](howto-mfa-mfasettings.md#oath-tokens)|
131130
|Allow users to select language|Language settings will be automatically applied to a user based on the locale settings in their browser|
132131
|Allow users to activate mobile app|See [MFA Service settings](howto-mfa-mfasettings.md#mfa-service-settings)|
133-
|- Device limit|Azure AD limits users to 5 cumulative devices (mobile app instances + hardware OATH token + software OATH token) per user|
132+
|- Device limit|Azure AD limits users to five cumulative devices (mobile app instances + hardware OATH token + software OATH token) per user|
134133
|Use security questions for fallback|Azure AD allows users to choose a fallback method at authentication time should the chosen authentication method fail|
135134
|- Questions to answer|Security Questions in Azure AD can only be used for SSPR. See more details for [Azure AD Custom Security Questions](concept-authentication-security-questions.md#custom-security-questions)|
136135
|Allow users to associate third-party OATH token|See [OATH token documentation](howto-mfa-mfasettings.md#oath-tokens)|
@@ -249,7 +248,7 @@ Once you've successfully migrated user data, you can validate the end-user exper
249248

250249
1. Navigate to the following url: [Enable staged rollout features - Microsoft Azure](https://portal.azure.com/?mfaUIEnabled=true%2F#view/Microsoft_AAD_IAM/StagedRolloutEnablementBladeV2).
251250

252-
1. Change **Azure multifactor authentication (preview)** to **On**, and then click **Manage groups**.
251+
1. Change **Azure multifactor authentication** to **On**, and then click **Manage groups**.
253252

254253
:::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/staged-rollout.png" alt-text="Screenshot of Staged Rollout.":::
255254

articles/active-directory/authentication/howto-mfaserver-deploy.md

Lines changed: 20 additions & 22 deletions
@@ -6,35 +6,33 @@ services: multi-factor-authentication
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 11/21/2019
9+
ms.date: 10/10/2022
1010

1111
ms.author: justinha
1212
author: justinha
1313
manager: amycolannino
14-
ms.reviewer: michmcla
14+
ms.reviewer: jpettere
1515

1616
ms.collection: M365-identity-device-management
1717
---
18-
# Getting started with the Azure Multi-Factor Authentication Server
18+
# Getting started with the Azure AD Multi-Factor Authentication Server
1919

2020
<center>
2121

2222
![Getting started with MFA Server on-premises](./media/howto-mfaserver-deploy/server2.png)</center>
2323

24-
This page covers a new installation of the server and setting it up with on-premises Active Directory. If you already have the MFA server installed and are looking to upgrade, see [Upgrade to the latest Azure Multi-Factor Authentication Server](howto-mfaserver-deploy-upgrade.md). If you're looking for information on installing just the web service, see [Deploying the Azure Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).
24+
This page covers a new installation of the server and setting it up with on-premises Active Directory. If you already have the MFA server installed and are looking to upgrade, see [Upgrade to the latest Azure AD Multi-Factor Authentication Server](howto-mfaserver-deploy-upgrade.md). If you're looking for information on installing just the web service, see [Deploying the Azure AD Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).
2525

2626
> [!IMPORTANT]
27-
> As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers that want to require multi-factor authentication (MFA) during sign-in events should use cloud-based Azure AD Multi-Factor Authentication.
28-
>
27+
> In September 2022, Microsoft announced deprecation of Azure AD Multi-Factor Authentication Server. Beginning September 30, 2024, Azure AD Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-azure-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
28+
2929
> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication](tutorial-enable-azure-mfa.md).
30-
>
31-
> Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual.
3230
3331
## Plan your deployment
3432

35-
Before you download the Azure Multi-Factor Authentication Server, think about what your load and high availability requirements are. Use this information to decide how and where to deploy.
33+
Before you download the Azure AD Multi-Factor Authentication Server, think about what your load and high availability requirements are. Use this information to decide how and where to deploy.
3634

37-
A good guideline for the amount of memory you need is the number of users you expect to authenticate on a regular basis.
35+
A good guideline for the amount of memory you need is the number of users you expect to authenticate regularly.
3836

3937
| Users | RAM |
4038
| ----- | --- |
@@ -44,15 +42,15 @@ A good guideline for the amount of memory you need is the number of users you ex
4442
| 100,000-200,001 | 16 GB |
4543
| 200,001+ | 32 GB |
4644

47-
Do you need to set up multiple servers for high availability or load balancing? There are a number of ways to set up this configuration with Azure MFA Server. When you install your first Azure MFA Server, it becomes the master. Any additional servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers.
45+
Do you need to set up multiple servers for high availability or load balancing? There are many ways to set up this configuration with Azure MFA Server. When you install your first Azure MFA Server, it becomes the master. Any other servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers.
4846

4947
When a master Azure MFA Server goes offline, the subordinate servers can still process two-step verification requests. However, you can't add new users and existing users can't update their settings until the master is back online or a subordinate gets promoted.
5048

5149
### Prepare your environment
5250

53-
Make sure the server that you're using for Azure Multi-Factor Authentication meets the following requirements:
51+
Make sure the server that you're using for Azure AD Multi-Factor Authentication meets the following requirements:
5452

55-
| Azure Multi-Factor Authentication Server Requirements | Description |
53+
| Azure AD Multi-Factor Authentication Server Requirements | Description |
5654
|:--- |:--- |
5755
| Hardware |<li>200 MB of hard disk space</li><li>x32 or x64 capable processor</li><li>1 GB or greater RAM</li> |
5856
| Software |<li>Windows Server 2016</li><li>Windows Server 2012 R2</li><li>Windows Server 2012</li><li>Windows Server 2008/R2 (with [ESU](/lifecycle/faq/extended-security-updates) only)</li><li>Windows 10</li><li>Windows 8.1, all editions</li><li>Windows 8, all editions</li><li>Windows 7, all editions (with [ESU](/lifecycle/faq/extended-security-updates) only)</li><li>Microsoft .NET 4.0 Framework</li><li>IIS 7.0 or greater if installing the user portal or web service SDK</li> |
@@ -63,10 +61,10 @@ Make sure the server that you're using for Azure Multi-Factor Authentication me
6361
There are three web components that make up Azure MFA Server:
6462

6563
* Web Service SDK - Enables communication with the other components and is installed on the Azure MFA application server
66-
* User Portal - An IIS web site that allows users to enroll in Azure Multi-Factor Authentication (MFA) and maintain their accounts.
64+
* User portal - An IIS web site that allows users to enroll in Azure AD Multi-Factor Authentication (MFA) and maintain their accounts.
6765
* Mobile App Web Service - Enables using a mobile app like the Microsoft Authenticator app for two-step verification.
6866

69-
All three components can be installed on the same server if the server is internet-facing. If breaking up the components, the Web Service SDK is installed on the Azure MFA application server and the User Portal and Mobile App Web Service are installed on an internet-facing server.
67+
All three components can be installed on the same server if the server is internet-facing. If breaking up the components, the Web Service SDK is installed on the Azure MFA application server and the User portal and Mobile App Web Service are installed on an internet-facing server.
7068

7169
### Azure Multi-Factor Authentication Server firewall requirements
7270

@@ -106,7 +104,7 @@ If you aren't using the Event Confirmation feature, and your users aren't using
106104

107105
## Download the MFA Server
108106

109-
Follow these steps to download the Azure Multi-Factor Authentication Server from the Azure portal:
107+
Follow these steps to download the Azure AD Multi-Factor Authentication Server from the Azure portal:
110108

111109
> [!IMPORTANT]
112110
> As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers who would like to require multi-factor authentication (MFA) from their users should use cloud-based Azure AD Multi-Factor Authentication.
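Review bot: the IMPORTANT block at lines 111 and 112 (unchanged context) still carries only the July 2019 "no new deployments" notice, while the top of the file now announces that MFA Server stops servicing requests on September 30, 2024; a reader who jumps straight to "Download the MFA Server" misses the deprecation. Add a sentence or a link to the migration article here as well.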
@@ -144,7 +142,7 @@ Now that you have downloaded the server you can install and configure it. Be sur
144142

145143
To ease rollout, allow MFA Server to communicate with your users. MFA Server can send an email to inform them that they have been enrolled for two-step verification.
146144

147-
The email you send should be determined by how you configure your users for two-step verification. For example, if you are able to import phone numbers from the company directory, the email should include the default phone numbers so that users know what to expect. If you do not import phone numbers, or your users are going to use the mobile app, send them an email that directs them to complete their account enrollment. Include a hyperlink to the Azure Multi-Factor Authentication User Portal in the email.
145+
The email you send should be determined by how you configure your users for two-step verification. For example, if you are able to import phone numbers from the company directory, the email should include the default phone numbers so that users know what to expect. If you do not import phone numbers, or your users are going to use the mobile app, send them an email that directs them to complete their account enrollment. Include a hyperlink to the Azure AD Multi-Factor Authentication User portal in the email.
148146

149147
The content of the email also varies depending on the method of verification that has been set for the user (phone call, SMS, or mobile app). For example, if the user is required to use a PIN when they authenticate, the email tells them what their initial PIN has been set to. Users are required to change their PIN during their first verification.
150148

@@ -179,7 +177,7 @@ Now that the server is installed you want to add users. You can choose to create
179177
4. In the **Add Synchronization Item** box that appears choose the Domain, OU **or** security group, Settings, Method Defaults, and Language Defaults for this synchronization task and click **Add**.
180178
5. Check the box labeled **Enable synchronization with Active Directory** and choose a **Synchronization interval** between one minute and 24 hours.
181179

182-
## How the Azure Multi-Factor Authentication Server handles user data
180+
## How the Azure AD Multi-Factor Authentication Server handles user data
183181

184182
When you use the Multi-Factor Authentication (MFA) Server on-premises, a user's data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Azure MFA cloud service to perform the verification. When these authentication requests are sent to the cloud service, the following fields are sent in the request and logs so that they are available in the customer's authentication/usage reports. Some of the fields are optional so they can be enabled or disabled within the Multi-Factor Authentication Server. The communication from the MFA Server to the MFA cloud service uses SSL/TLS over port 443 outbound. These fields are:
185183

@@ -221,8 +219,8 @@ Once you have upgraded to or installed MFA Server version 8.x or higher, it is r
221219

222220
## Next steps
223221

224-
- Set up and configure the [User Portal](howto-mfaserver-deploy-userportal.md) for user self-service.
222+
- Set up and configure the [User portal](howto-mfaserver-deploy-userportal.md) for user self-service.
225223
- Set up and configure the Azure MFA Server with [Active Directory Federation Service](multi-factor-authentication-get-started-adfs.md), [RADIUS Authentication](howto-mfaserver-dir-radius.md), or [LDAP Authentication](howto-mfaserver-dir-ldap.md).
226-
- Set up and configure [Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md).
227-
- [Deploy the Azure Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).
228-
- [Advanced scenarios with Azure Multi-Factor Authentication and third-party VPNs](howto-mfaserver-nps-vpn.md).
224+
- Set up and configure [Remote Desktop Gateway and Azure AD Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md).
225+
- [Deploy the Azure AD Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).
226+
- [Advanced scenarios with Azure AD Multi-Factor Authentication and third-party VPNs](howto-mfaserver-nps-vpn.md).
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
---
2+
title: include file
3+
description: include file
4+
author: rolyon
5+
manager: amycolannino
6+
ms.service: active-directory
7+
ms.workload: identity
8+
ms.subservice: roles
9+
ms.topic: include
10+
ms.date: 10/12/2022
11+
ms.author: rolyon
12+
ms.custom: include file
13+
---
14+
15+
The following table compares the capabilities of this role with related roles.
16+
17+
| Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users |
18+
| ---- | ---- | ---- | ---- | ---- | ---- | ---- | --- |
19+
| [Authentication Administrator](#authentication-administrator) | Yes for some users | Yes for some users | No | No | No | Yes for some users | Yes for some users |
20+
| [Privileged Authentication Administrator](#privileged-authentication-administrator) | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users |
21+
| [Authentication Policy Administrator](#authentication-policy-administrator) | No | No | Yes | Yes | Yes | No | No |
22+
| [User Administrator](#user-administrator) | No | No | No | No | No | Yes for some users | Yes for some users |
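Review bot: the include file's table links to anchors such as "#authentication-administrator" that exist only on the page that includes it; add a comment naming the intended host page so the include isn't reused somewhere the anchors would break. The values "Yes for some users" under "Manage user's auth methods", "Update sensitive properties" and "Delete and restore users" do not say which users are meant; a footnote pointing to where "some users" is defined would make the comparison between Authentication Administrator, User Administrator and the privileged role actually usable.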
