
Commit 76b48a2

Merge pull request #97710 from MicrosoftDocs/master
12/03 PM Publish
2 parents 6bb9865 + 004f6d9 commit 76b48a2

379 files changed

+5055
-1761
lines changed

articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md

Lines changed: 4 additions & 1 deletion
@@ -33,14 +33,17 @@ This topic:
3333

3434
To configure certificate-based authentication, the following statements must be true:
3535

36-
- Certificate-based authentication (CBA) is only supported for Federated environments for browser applications or native clients using modern authentication (ADAL). The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts.
36+
- Certificate-based authentication (CBA) is only supported for Federated environments for browser applications, native clients using modern authentication (ADAL), or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts.
3737
- The root certificate authority and any intermediate certificate authorities must be configured in Azure Active Directory.
3838
- Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an internet-facing URL.
3939
- You must have at least one certificate authority configured in Azure Active Directory. You can find related steps in the [Configure the certificate authorities](#step-2-configure-the-certificate-authorities) section.
4040
- For Exchange ActiveSync clients, the client certificate must have the user’s routable email address in Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.
4141
- Your client device must have access to at least one certificate authority that issues client certificates.
4242
- A client certificate for client authentication must have been issued to your client.
4343

44+
>[!IMPORTANT]
45+
>The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds. If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates.
46+
4447
## Step 1: Select your device platform
4548

4649
As a first step, for the device platform you care about, you need to review the following:
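Review bot: The rewritten line 36 reads as a non-parallel list: "browser applications, native clients using modern authentication (ADAL), or MSAL libraries" puts a library (MSAL) beside two client types, so taken literally it says CBA is supported "for MSAL libraries". Suggest "browser applications or native clients using modern authentication (ADAL or MSAL libraries)". In the new IMPORTANT block, "certificate based authentications" should be "certificate-based authentication" to match the rest of the article. The block also states a fail-closed behavior (authentication fails for every certificate from a CA whose CRL cannot be downloaded), and the two hard limits it gives (20 MB, 10 seconds) are the operational thresholds an administrator needs to watch; it would help to say plainly that a CRL growing past the size limit, or a slow CRL distribution point, turns into a sign-in outage for that CA's users, which is why the lifetime and clean-up advice at the end matters.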

articles/active-directory/authentication/howto-mfa-userstates.md

Lines changed: 7 additions & 4 deletions
@@ -38,11 +38,14 @@ Enabled by Azure AD Identity Protection - This method uses the Azure AD Identity
3838

3939
User accounts in Azure Multi-Factor Authentication have the following three distinct states:
4040

41+
> [!IMPORTANT]
42+
> Enabling Azure MFA through a Conditional Access policy will not change the state of the user. Do not be alarmed users appear disabled. Conditional Access does not change the state. **Organizations should not enable or enforce users if they are utilizing Conditional Access policies.**
43+
4144
| Status | Description | Non-browser apps affected | Browser apps affected | Modern authentication affected |
42-
|:---:|:---:|:---:|:--:|:--:|
43-
| Disabled |The default state for a new user not enrolled in Azure MFA. |No |No |No |
44-
| Enabled |The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in. |No. They continue to work until the registration process is completed. | Yes. After the session expires, Azure MFA registration is required.| Yes. After the access token expires, Azure MFA registration is required. |
45-
| Enforced |The user has been enrolled and has completed the registration process for Azure MFA. |Yes. Apps require app passwords. |Yes. Azure MFA is required at login. | Yes. Azure MFA is required at login. |
45+
|:---:| --- |:---:|:--:|:--:|
46+
| Disabled | The default state for a new user not enrolled in Azure MFA. | No | No | No |
47+
| Enabled | The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in. | No. They continue to work until the registration process is completed. | Yes. After the session expires, Azure MFA registration is required.| Yes. After the access token expires, Azure MFA registration is required. |
48+
| Enforced | The user has been enrolled and has completed the registration process for Azure MFA. | Yes. Apps require app passwords. | Yes. Azure MFA is required at login. | Yes. Azure MFA is required at login. |
4649

4750
A user's state reflects whether an admin has enrolled them in Azure MFA, and whether they completed the registration process.
4851
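Review bot: The new IMPORTANT block at line 42 has a grammar slip, "Do not be alarmed users appear disabled", which needs "if" ("Do not be alarmed if users appear disabled"); and "Conditional Access does not change the state" repeats the first sentence of the block, so one of the two can go. The bolded guidance not to enable or enforce users who are covered by Conditional Access policies would land better with its reason stated, which the table immediately below already supplies: the Enforced state makes non-browser apps require app passwords, a per-user setting that a Conditional Access policy does not touch, so a user in both models gets two different sets of prompts. The table change itself only left-aligns the Description column and normalizes cell spacing, with no content change; fine as is.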

Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
- name: Cloud provisioning
2+
href: index.yml
3+
- name: Overview
4+
items:
5+
- name: What is identity provisioning?
6+
href: what-is-provisioning.md
7+
- name: What is Azure AD Connect cloud provisioning?
8+
href: what-is-cloud-provisioning.md
9+
maintainContext: true
10+
- name: Tutorials
11+
expanded: true
12+
items:
13+
- name: Integrate a single AD forest with a single Azure AD tenant
14+
href: tutorial-single-forest.md
15+
- name: Integrate an existing forest and a new forest with a single Azure AD tenant
16+
href: tutorial-existing-forest.md
17+
- name: Pilot cloud provisioning for an existing synced AD forest
18+
href: tutorial-pilot-aadc-aadccp.md
19+
20+
21+
22+
23+
24+
- name: Concepts
25+
items:
26+
- name: What is password hash sync?
27+
href: /azure/active-directory/hybrid/whatis-phs?context=azure/active-directory/cloud-provisioning/context/cloud-provisioning-context
28+
- name: Understanding the Azure AD schema, attributes, and expressions
29+
href: concept-attributes.md
30+
- name: Writing Expressions for Attribute Mappings in Azure Active Directory
31+
href: reference-expressions.md
32+
33+
34+
35+
- name: How-to guides
36+
items:
37+
- name: Installation and upgrade
38+
items:
39+
- name: Installation Prerequisites
40+
href: how-to-prerequisites.md
41+
- name: Install the Azure AD Connect cloud provisioning agent
42+
href: how-to-install.md
43+
- name: Cloud provisioning configuration
44+
href: how-to-configure.md
45+
- name: Plan and design
46+
items:
47+
- name: Topologies and scenarios for Azure AD Connect cloud provisioning
48+
href: plan-cloud-provisioning-topologies.md
49+
50+
51+
- name: Manage
52+
items:
53+
- name: Agent automatic upgrade
54+
href: how-to-automatic-upgrade.md
55+
- name: Develop
56+
items:
57+
- name: Transformations
58+
href: how-to-transformation.md
59+
- name: Azure AD synchronization API
60+
href: https://docs.microsoft.com/graph/api/resources/synchronization-overview
61+
62+
- name: Troubleshoot
63+
items:
64+
- name: Troubleshoot cloud provisioning
65+
href: how-to-troubleshoot.md
66+
- name: Duplicate attributes
67+
href: https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync
68+
69+
- name: Reference
70+
items:
71+
- name: Azure AD Connect cloud provisioning agent version history
72+
href: /azure/active-directory/manage-apps/provisioning-agent-release-version-history?context=azure/active-directory/cloud-provisioning/context/cp-context
73+
- name: Azure AD Connect cloud provisioning FAQ
74+
href: reference-cloud-provisioning-faq.md
75+
- name: Attributes that are synchronized
76+
href: /azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized?context=azure/active-directory/cloud-provisioning/context/cp-context
77+
- name: Basic Active Directory and Azure AD environment
78+
href: tutorial-basic-ad-azure.md
79+
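Review bot: The href on line 27 ("What is password hash sync?") uses the context query `context=azure/active-directory/cloud-provisioning/context/cloud-provisioning-context`, while the Reference entries on lines 72 and 76 use `.../context/cp-context` for the same hub; only one of those context files is the intended one, and a link to a non-existent context silently falls back to the article's default TOC and breadcrumb, so please check which file exists and use it in all three places. Smaller points: the runs of blank lines at 19-24, 32-34 and 49-50 should be collapsed; entry titles mix sentence case ("Install the Azure AD Connect cloud provisioning agent") with title case ("Installation Prerequisites", "Writing Expressions for Attribute Mappings in Azure Active Directory"); and lines 60 and 67 use absolute `https://docs.microsoft.com/...` URLs where the rest of the file uses root-relative `/azure/...` paths, so prefer the root-relative form for consistency.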
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
- name: Azure
2+
tocHref: /azure/
3+
topicHref: /azure/index
4+
items:
5+
- name: Active Directory
6+
tocHref: /azure/active-directory/manage-apps/
7+
topicHref: /azure/active-directory/index
8+
items:
9+
- name: Cloud provisioning
10+
tocHref: /azure/active-directory/manage-apps/
11+
topicHref: /azure/active-directory/cloud-provisioning/index
12+
13+
- name: Azure
14+
tocHref: /azure/
15+
topicHref: /azure/index
16+
items:
17+
- name: Active Directory
18+
tocHref: /azure/active-directory/hybrid/
19+
topicHref: /azure/active-directory/index
20+
items:
21+
- name: Cloud provisioning
22+
tocHref: /azure/active-directory/hybrid/
23+
topicHref: /azure/active-directory/cloud-provisioning/index
24+
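Review bot: Both "Cloud provisioning" leaf nodes (lines 9-11 and 21-23) reuse their parent's `tocHref` (`/azure/active-directory/manage-apps/` and `/azure/active-directory/hybrid/`) rather than a path under `/azure/active-directory/cloud-provisioning/`, so the leaf matches exactly the same pages as its parent. That looks deliberate, given that the new TOC pulls hybrid and manage-apps articles into the cloud-provisioning context, but it is not obvious to the next maintainer; a one-line comment above each block saying the breadcrumb is for articles rendered under that context would avoid it being "fixed" later. Also worth confirming that articles living in the cloud-provisioning folder itself get a trail, since no entry here matches that path, and the file ends with a trailing blank line (line 24).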
