Update migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access.md

v-edmckillop · web-flow · commit 75f81e516d4c · 2023-01-13T14:31:50.000-08:00
diff --git a/articles/active-directory/manage-apps/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access.md b/articles/active-directory/manage-apps/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access.md
@@ -7,7 +7,7 @@ manager: martinco
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 01/12/2023
+ms.date: 01/13/2023
 ms.author: gasinh
 ms.subservice: app-mgmt
 ---
@@ -98,126 +98,131 @@ To enable hybrid Azure AD join on your Azure AD Connect server, run the configur
 
 Hybrid Azure AD join replaces Okta device trust on Windows. Conditional Access policies can include compliance for devices enrolled in Endpoint Manager:
 
-* **Compliance overview**: Refer to [device compliance policies in Intune](/mem/intune/protect/device-compliance-get-started#:~:text=Reference%20for%20non-compliance%20and%20Conditional%20Access%20on%20the,applicable%20%20...%20%203%20more%20rows)
-* **Device compliance**: Create [policies in Intune](/mem/intune/protect/create-compliance-policy)
-* **Windows enrollment**: If you've opted to deploy hybrid Azure AD join, you can deploy another group policy to complete the [auto-enrollment process of these devices in Intune](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy)
-* **iOS/iPadOS enrollment**: Before you enroll an iOS device, you must make [more configurations](/mem/intune/enrollment/ios-enroll) in the Endpoint Management console
-* **Android enrollment**: Before you enroll an Android device, you must make [more configurations](/mem/intune/enrollment/android-enroll) in the Endpoint Management console.
+#### Device compliance policy
 
-## Configure Azure AD Multi-Factor Authentication tenant settings
-
-Before you convert to Conditional Access, confirm the base Azure AD Multi-Factor Authentication tenant settings for your organization.
-
-1. Go to the [Azure portal](https://portal.azure.com) and sign in with a global administrator account.
+* [Use compliance policies to set rules for devices you manage with Intune](/mem/intune/protect/device-compliance-get-started)
+* [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy)
 
-1. Select **Azure Active Directory** > **Users** > **Multi-Factor Authentication** to go to the legacy Azure AD Multi-Factor Authentication portal.
+#### Windows 10/11, iOS, iPadOS, and Android enrollment
 
-   ![Screenshot that shows the legacy Azure AD Multi-Factor Authentication portal.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/legacy-azure-ad-portal.png)
+If you deployed hybrid Azure AD join, you can deploy another group policy to complete auto-enrollment of these devices in Intune.
 
-   You can also use the legacy link to the [Azure AD Multi-Factor Authentication portal](https://aka.ms/mfaportal).
+* [What is device enrollment in Intune?](mem/intune/enrollment/device-enrollment)
+* [Quickstart: Set up automatic enrollment for Windows 10/11 devices](/mem/intune/enrollment/quickstart-setup-auto-enrollment)
+* [Enroll Android devices](/mem/intune/enrollment/android-enroll)
+* [Enroll iOS/iPadOS devices in Intune](/mem/intune/enrollment/ios-enroll)
 
-1. On the legacy **multi-factor authentication** menu, change the status menu through **Enabled** and **Enforced** to confirm you have no users enabled for legacy MFA. If your tenant has users in the following views, you must disable them in the legacy menu. Only then will Conditional Access policies take effect on their account.
+## Configure Azure AD Multi-Factor Authentication tenant settings
 
-   ![Screenshot that shows disabling a user in the legacy Azure AD Multi-Factor Authentication portal.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/disable-user-legacy-azure-ad-portal.png)
+Before you convert to Conditional Access, confirm the base MFA tenant settings for your organization.
 
-   The **Enforced** field should also be empty.
+1. Go to the [Azure portal](https://portal.azure.com).
+2. Sign in as a Global Administrator.
+3. Select **Azure Active Directory** > **Users** > **Multi-Factor Authentication**.
+4. The legacy Azure AD Multi-Factor Authentication portal appears. Or select [Azure AD MFA portal](https://aka.ms/mfaportal).
 
-1. Select the **Service settings** option. Change the **App passwords** selection to **Do not allow users to create app passwords to sign in to non-browser apps**.
+    ![Screenshot of the multi-factor authentication screen.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/legacy-azure-ad-portal.png)
 
-   ![Screenshot that shows the application password settings not allowing users to create app passwords.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/app-password-selection.png)
+5. Confirm there are no users enabled for legacy MFA: On the **multi-factor authentication** menu, on **Multi-Factor Auth status**, select **Enabled** and **Enforced**. If the tenant has users in the following views, disable them in the legacy menu.
 
-1. Ensure the **Skip multi-factor authentication for requests from federated users on my intranet** and **Allow users to remember multi-factor authentication on devices they trust (between one to 365 days)** checkboxes are cleared, and then select **Save**.
+    ![Screenshot of the multi-factor authentication screen with the search feature highlighted.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/disable-user-legacy-azure-ad-portal.png)
 
-  >[!NOTE]
-   >See [best practices for configuring the MFA prompt settings](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).
+6. Esure the **Enforced** field is empty.
+7. Select the **Service settings** option. 
+8. Change the **App passwords** selection to **Do not allow users to create app passwords to sign in to non-browser apps**.
 
-![Screenshot that shows cleared checkboxes in the legacy Azure AD Multi-Factor Authentication portal.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/uncheck-fields-legacy-azure-ad-portal.png)
+   ![Screenshot of the multi-factor authentication screen with service settings highlighted.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/app-password-selection.png)
 
-## Configure Conditional Access policies
+9. Clear the checkboxes for **Skip multi-factor authentication for requests from federated users on my intranet** and **Allow users to remember multi-factor authentication on devices they trust (between one to 365 days)**.
+10. Select **Save**.
 
-After you've configured the prerequisites and established the base settings, it's time to build the first Conditional Access policy.
+    ![Screenshot of cleared checkboxes on the Require Trusted Devices for Access screen.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/uncheck-fields-legacy-azure-ad-portal.png)
 
-1. To configure Conditional Access policies in Azure AD, go to the [Azure portal](https://portal.azure.com). On **Manage Azure Active Directory**, select **View**.
+    >[!NOTE]
+    >See [Optimize reauthentication prompts and understand session lifetime for Azure AD MFA](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).
 
-   Configure Conditional Access policies by following [best
-practices for deploying and designing Conditional Access](../conditional-access/plan-conditional-access.md#understand-conditional-access-policy-components).
+## Build a Conditional Access policy
 
-1. To mimic the global sign-on MFA policy from Okta, [create a policy](../conditional-access/howto-conditional-access-policy-all-users-mfa.md).
+After you configure the prerequisites and established base settings, you can build Conditional Access policy. Policy can be targeted to an application, a test group of users, or both.
 
-1. Create a [device trust-based Conditional Access rule](../conditional-access/require-managed-devices.md).
+Before you get started: 
 
-   This policy as any other in this tutorial can be targeted to a specific application, a test group of users, or both.
+* [Understand Conditional Access policy components](/articles/active-directory/conditional-access/plan-conditional-access.md#understand-conditional-access-policy-components)
+* [Building a Conditional Access policy](/azure/active-directory/conditional-access/concept-conditional-access-policies)
 
-   ![Screenshot that shows testing a user.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/test-user.png)
+1. Go to the [Azure portal](https://portal.azure.com). 
+2. On **Manage Azure Active Directory**, select **View**.
+3. Create a policy. See, [Common Conditional Access policy: Require MFA for all users](/articles/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md).
+4. Create a device trust-based Conditional Access rule.
 
-   ![Screenshot that shows success in testing a user.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/success-test-user.png)
+   ![Screenshot of entries for Require Trusted Devices for Access, under Conditional Access.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/test-user.png)
 
-1. After you've configured the location-based policy and device trust policy, it's time to configure the equivalent [block legacy authentication](../conditional-access/howto-conditional-access-policy-block-legacy.md) policy.
+   ![Screenshot of the Keep you account secure dialog with the success message.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/success-test-user.png)
 
-With these three Conditional Access policies, the original Okta sign-on policies experience has been replicated in Azure AD. Next steps involve enrolling the user via Azure AD Multi-Factor Authentication and testing the policies.
+5. After you configure the location-based policy and device trust policy, [Block legacy authentication with Azure AD with Conditional Access](/azure/active-directory/conditional-access/block-legacy-authentication).
 
-## Enroll pilot members in Azure AD Multi-Factor Authentication
+With these three Conditional Access policies, the original Okta sign-on policies experience is replicated in Azure AD. 
 
-After you configure the Conditional Access policies, users must register for Azure AD Multi-Factor Authentication methods. Users can be required to register through several different methods.
+## Enroll pilot members in MFA
 
-1. For individual registration, direct users to the [Microsoft Sign-in pane](https://aka.ms/mfasetup) to manually enter the registration information.
+Users register for MFA methods. 
 
-1. Users can go to the [Microsoft Security info page](https://aka.ms/mysecurityinfo) to enter information or manage the form of MFA registration.
+For individual registration, users go to [Microsoft Sign-in pane](https://aka.ms/mfasetup).
 
-See [this guide](../authentication/howto-registration-mfa-sspr-combined.md) to fully understand the MFA registration process.
+To manage registration, users go to [Microsoft My Sign-Ins | Security Info](https://aka.ms/mysecurityinfo).
 
-Go to the [Microsoft Sign-in pane](https://aka.ms/mfasetup). After you sign in with Okta MFA, you're instructed to register for MFA with Azure AD.
+Learn more: [Enable combined security information registration in Azure Active Directory](/articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md).
 
 >[!NOTE]
->If registration already happened in the past for a user, they're taken to the **My Security** information page after they satisfy the MFA prompt.
-See the [user documentation for MFA enrollment](../user-help/security-info-setup-signin.md).
+>If users registered, they're redirected to the **My Security** page, after they satisfy MFA.
 
 ## Enable Conditional Access policies
 
-1. To roll out testing, change the policies created in the earlier examples to **Enabled test user login**.
+1. To test, change the created policies to **Enabled test user login**.
 
-   ![Screenshot that shows enabling a test user.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/enable-test-user.png)
+   ![Screenshot of policies on the Conditinal Access, Policies screen.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/enable-test-user.png)
 
-1. On the next Office 365 **Sign-In** pane, the test user John Smith is prompted to sign in with Okta MFA and Azure AD Multi-Factor Authentication.
+2. On the Office 365 **Sign-In** pane, the test user John Smith is prompted to sign in with Okta MFA and Azure AD MFA.
 
-   ![Screenshot that shows the Azure Sign-In pane.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/sign-in-through-okta.png)
+   ![Screenshot of the Azure Sign-In pane.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/sign-in-through-okta.png)
 
-1. Complete the MFA verification through Okta.
+3. Complete the MFA verification through Okta.
 
-   ![Screenshot that shows MFA verification through Okta.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/mfa-verification-through-okta.png)
+   ![Screenshot of MFA verification through Okta.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/mfa-verification-through-okta.png)
 
-1. After the user completes the Okta MFA prompt, the user is prompted for Conditional Access. Ensure that the policies were configured appropriately and are within conditions to be triggered for MFA.
+4. The user is prompted for Conditional Access. 
+5. Ensure the policies were configured to be triggered for MFA.
 
-   ![Screenshot that shows MFA verification through Okta prompted for Conditional Access.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/mfa-verification-through-okta-prompted-ca.png)
+   ![Screenshot of MFA verification through Okta prompted for Conditional Access.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/mfa-verification-through-okta-prompted-ca.png)
 
-## Cut over from sign-on to Conditional Access policies
+## Add organization members to Conditional Access policies
 
-After you conduct thorough testing on the pilot members to ensure that Conditional Access is in effect as expected, the remaining organization members can be added to Conditional Access policies after registration has been completed.
+After you conduct testing on pilot members, add the remaining organization members to Conditional Access policies, after registration.
 
-To avoid double-prompting between Azure AD Multi-Factor Authentication and Okta MFA, opt out from Okta MFA by modifying sign-on policies.
+To avoid double-prompting between Azure AD MFA and Okta MFA, opt out from Okta MFA: modify sign-on policies.
 
-The final migration step to Conditional Access can be done in a staged or cut-over fashion.
 
-1. Go to the Okta admin console, select **Security** > **Authentication**, and then go to **Sign-on Policy**.
+1. Go to the Okta admin console
+2. Select **Security** > **Authentication**
+3. Go to **Sign-on Policy**.
 
    >[!NOTE]
-   > Set global policies to **Inactive** only if all applications from Okta are protected by their own application sign-on policies.
-1. Set the **Enforce MFA** policy to **Inactive**. You can also assign the policy to a new group that doesn't include the Azure AD users.
+   > Set global policies to **Inactive** if all applications from Okta are protected by application sign-on policies.
 
-   ![Screenshot that shows Global MFA Sign On Policy as Inactive.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/mfa-policy-inactive.png)
+4. Set the **Enforce MFA** policy to **Inactive**. You can assign the policy to a new group that doesn't include the Azure AD users.
 
-1. On the application-level sign-on policy pane, update the policies to **Inactive** by selecting the **Disable Rule** option. You can also assign the policy to a new group that doesn't include the Azure AD users.
+    ![Screenshot of Global MFA Sign On Policy as Inactive.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/mfa-policy-inactive.png)
 
-1. Ensure there's at least one application-level sign-on policy that's enabled for the application that allows access without MFA.
+5. On the application-level sign-on policy pane, select the **Disable Rule** option. 
+6. Select **Inactive**. You can assign the policy to a new group that doesn't include the Azure AD users.
+7. Ensure there's at least one application-level sign-on policy enabled for the application that allows access without MFA.
 
-   ![Screenshot that shows application access without MFA.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/application-access-without-mfa.png)
+    ![Screenshot of application access without MFA.](media/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access/application-access-without-mfa.png)
 
-1. After you disable the Okta sign-on policies or exclude the migrated Azure AD users from the enforcement groups, users are prompted *only* for Conditional Access the next time they sign in.
+8. Users are prompted for Conditional Access the next time they sign in.
 
 ## Next steps
 
-For more information about migrating from Okta to Azure AD, see:
-
-- [Migrate applications from Okta to Azure AD](migrate-applications-from-okta-to-azure-active-directory.md)
-- [Migrate Okta federation to Azure AD](migrate-okta-federation-to-azure-active-directory.md)
-- [Migrate Okta sync provisioning to Azure AD Connect-based synchronization](migrate-okta-sync-provisioning-to-azure-active-directory.md)
+- [Tutorial: Migrate your applications from Okta to Azure Active Directory](migrate-applications-from-okta-to-azure-active-directory.md)
+- [Tutorial: Migrate Okta federation to Azure Active Directory-managed authentication](migrate-okta-federation-to-azure-active-directory.md)
+- [Tutorial: Migrate Okta sync provisioning to Azure AD Connect-based synchronization](migrate-okta-sync-provisioning-to-azure-active-directory.md)
