Merge pull request #179844 from MicrosoftDocs/master

Merge master to live, 4 AM

Author: ttorble

.openpublishing.redirection.defender-for-cloud.json

@@ -1,5 +1,15 @@
 {
     "redirections": [
+        {
+            "source_path_from_root": "/articles/security-center/release-notes.md",
+            "redirect_url": "/azure/defender-for-cloud/release-notes",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/security-center/release-notes-archive.md",
+            "redirect_url": "/azure/defender-for-cloud/release-notes-archive",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security-center/azure-defender.md",
             "redirect_url": "/azure/defender-for-cloud/defender-for-cloud-introduction",
@@ -35,6 +45,11 @@
             "redirect_url": "/azure/defender-for-cloud/just-in-time-access-overview",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/security-center/apply-security-baseline.md",
+            "redirect_url": "/azure/defender-for-cloud/apply-security-baseline",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security-center/security-center-adaptive-application.md",
             "redirect_url": "/azure/defender-for-cloud/adaptive-application-controls",
@@ -105,11 +120,21 @@
             "redirect_url": "/azure/defender-for-cloud/threat-intelligence-reports",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/security-center/threat-intelligence-reports.md",
+            "redirect_url": "/azure/defender-for-cloud/threat-intelligence-reports",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security-center/security-center-data-security.md",
             "redirect_url": "/azure/defender-for-cloud/data-security",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/security-center/data-security.md",
+            "redirect_url": "/azure/defender-for-cloud/data-security",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security-center/security-center-remediate-recommendations.md",
             "redirect_url": "/azure/defender-for-cloud/implement-security-recommendations",
@@ -120,11 +145,21 @@
             "redirect_url": "/azure/defender-for-cloud/permissions",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/security-center/tenant-wide-permissions-management.md",
+            "redirect_url": "/azure/defender-for-cloud/tenant-wide-permissions-management",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security-center/security-center-cross-tenant-management.md",
             "redirect_url": "/azure/defender-for-cloud/cross-tenant-management",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/security-center/cross-tenant-management.md",
+            "redirect_url": "/azure/defender-for-cloud/cross-tenant-management",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security-center/security-center-management-groups.md",
             "redirect_url": "/azure/defender-for-cloud/management-groups-roles",
@@ -140,6 +175,11 @@
             "redirect_url": "/azure/defender-for-cloud/troubleshooting-guide",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/security-center/troubleshooting-guide.md",
+            "redirect_url": "/azure/defender-for-cloud/troubleshooting-guide",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security-center/security-center-endpoint-protection.md",
             "redirect_url": "/azure/defender-for-cloud/endpoint-protection-recommendations-technical",
@@ -195,6 +235,11 @@
             "redirect_url": "/azure/defender-for-cloud/enable-data-collection",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/security-center/features-paas.md",
+            "redirect_url": "/azure/defender-for-cloud/features-paas",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security-center/security-center-alerts-overview.md",
             "redirect_url": "/azure/defender-for-cloud/alerts-overview",
@@ -205,6 +250,21 @@
             "redirect_url": "/azure/defender-for-cloud/alert-validation",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/security-center/alert-validation.md",
+            "redirect_url": "/azure/defender-for-cloud/alert-validation",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/security-center/incidents.md",
+            "redirect_url": "/azure/defender-for-cloud/incidents",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/security-center/implement-security-recommendations.md",
+            "redirect_url": "/azure/defender-for-cloud/implement-security-recommendations",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security-center/security-center-provide-security-contact-details.md",
             "redirect_url": "/azure/defender-for-cloud/configure-email-notifications",
@@ -235,6 +295,11 @@
             "redirect_url": "/azure/defender-for-cloud/alerts-overview",
             "redirect_document_id": true
         },
+        {
+            "source_path_from_root": "/articles/security-center/alerts-schemas.md",
+            "redirect_url": "/azure/defender-for-cloud/alerts-schemas",
+            "redirect_document_id": true
+        },
         {
             "source_path_from_root": "/articles/security-center/alerts-reference.md",
             "redirect_url": "/azure/defender-for-cloud/alerts-reference",
@@ -410,11 +475,6 @@
             "redirect_url": "/azure/defender-for-cloud/harden-docker-hosts",
             "redirect_document_id": true
         },
-        {
-            "source_path_from_root": "/articles/security-center/implement-security-recommendations.md",
-            "redirect_url": "/azure/defender-for-cloud/implement-security-recommendations",
-            "redirect_document_id": true
-        },
         {
             "source_path_from_root": "/articles/security-center/index.yml",
             "redirect_url": "/azure/defender-for-cloud/index",
@@ -485,6 +545,16 @@
             "redirect_url": "/azure/defender-for-cloud/quickstart-onboard-aws",
             "redirect_document_id": true
         },
+        {
+            "source_path_from_root": "/articles/security-center/auto-deploy-vulnerability-assessment.md",
+            "redirect_url": "/azure/defender-for-cloud/auto-deploy-vulnerability-assessment",
+            "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/security-center/security-policy-concept.md",
+            "redirect_url": "/azure/defender-for-cloud/security-policy-concept",
+            "redirect_document_id": true
+        },
         {
             "source_path_from_root": "/articles/security-center/quickstart-onboard-gcp.md",
             "redirect_url": "/azure/defender-for-cloud/quickstart-onboard-gcp",
@@ -515,6 +585,11 @@
             "redirect_url": "/azure/defender-for-cloud/secure-score-security-controls",
             "redirect_document_id": true
         },
+        {
+            "source_path_from_root": "/articles/security-center/secure-score-access-and-track.md",
+            "redirect_url": "/azure/defender-for-cloud/secure-score-access-and-track",
+            "redirect_document_id": true
+        },
         {
             "source_path_from_root": "/articles/security-center/security-center-planning-and-operations-guide.md",
             "redirect_url": "/azure/defender-for-cloud/security-center-planning-and-operations-guide",
@@ -530,11 +605,31 @@
             "redirect_url": "/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds",
             "redirect_document_id": true
         },
+        {
+            "source_path_from_root": "/articles/security-center/tutorial-protect-resources.md",
+            "redirect_url": "/azure/defender-for-cloud/tutorial-protect-resources",
+            "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/security-center/tutorial-security-incident.md",
+            "redirect_url": "/azure/defender-for-cloud/tutorial-security-incident",
+            "redirect_document_id": true
+        },
         {
             "source_path_from_root": "/articles/security-center/tutorial-security-policy.md",
             "redirect_url": "/azure/defender-for-cloud/tutorial-security-policy",
             "redirect_document_id": true
         },
+        {
+            "source_path_from_root": "/articles/security-center/update-regulatory-compliance-packages.md",
+            "redirect_url": "/azure/defender-for-cloud/update-regulatory-compliance-packages",
+            "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/security-center/windows-admin-center-integration.md",
+            "redirect_url": "/azure/defender-for-cloud/windows-admin-center-integration",
+            "redirect_document_id": true
+        },
         {
             "source_path_from_root": "/articles/security-center/workflow-automation.md",
             "redirect_url": "/azure/defender-for-cloud/workflow-automation",

articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 08/12/2021
+ms.date: 11/12/2021
 
 ms.author: justinha
 author: justinha
@@ -16,7 +16,7 @@ ms.collection: M365-identity-device-management
 ---
 # Optimize reauthentication prompts and understand session lifetime for Azure AD Multi-Factor Authentication
 
-Azure Active Directory (Azure AD) has multiple settings that determine how often users need to reauthenticate. This reauthentication could be with a first factor such as password, FIDO, or passwordless Microsoft Authenticator, or to perform multi-factor authentication (MFA). You can configure these reauthentication settings as needed for your own environment and the user experience you want.
+Azure Active Directory (Azure AD) has multiple settings that determine how often users need to reauthenticate. This reauthentication could be with a first factor such as password, FIDO, or passwordless Microsoft Authenticator, or to perform multifactor authentication (MFA). You can configure these reauthentication settings as needed for your own environment and the user experience you want.
 
 The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt.
 
@@ -96,15 +96,19 @@ This setting allows configuration of lifetime for token issued by Azure Active D
 
 ## Review your tenant configuration  
 
-Now that you understand how different settings works and the recommended configuration, it's time to check your tenants configuration and make changes accordingly:
+Now that you understand how different settings works and the recommended configuration, it's time to check your tenants. You can start by looking at the sign-in logs to understand which session lifetime policies were applied during sign-in.
+
+Under each sign-in log, go to the **Authentication Details** tab and explore **Session Lifetime Policies Applied**. For more information, see [Authentication details](../reports-monitoring/concept-sign-ins.md#authentication-details).
+
+![Screenshot of authentication details.](./media/concepts-azure-multi-factor-authentication-prompts-session-lifetime/details.png)
 
 To configure or review the *Remain signed-in* option, complete the following steps:
 
 1. In the Azure AD portal, search for and select *Azure Active Directory*.
 1. Select **Company Branding**, then for each locale, choose **Show option to remain signed in**.
 1. Choose *Yes*, then select **Save**.
 
-To remember Multi-factor authentication settings on trusted devices, complete the following steps:
+To remember multifactor authentication settings on trusted devices, complete the following steps:
 
 1. In the Azure AD portal, search for and select *Azure Active Directory*.
 1. Select **Security**, then **MFA**.

articles/active-directory/authentication/howto-authentication-use-email-signin.md

@@ -27,7 +27,9 @@ Some organizations haven't moved to hybrid authentication for the following reas
 * Changing the Azure AD UPN creates a mismatch between on-premises and Azure AD environments that could cause problems with certain applications and services.
 * Due to business or compliance reasons, the organization doesn't want to use the on-premises UPN to sign in to Azure AD.
 
-To help with the move to hybrid authentication, you can configure Azure AD to let users sign in with their email as an alternate login ID. For example, if *Contoso* rebranded to *Fabrikam*, rather than continuing to sign in with the legacy `[email protected]` UPN, email as an alternate login ID can be used. To access an application or service, users would sign in to Azure AD using their non-UPN email, such as `[email protected]`.
+To help with the move to hybrid authentication, you can configure Azure AD to let users sign in with their email as an alternate login ID. For example, if *Contoso* rebranded to *Fabrikam*, rather than continuing to sign in with the legacy `[email protected]` UPN, email as an alternate login ID can be used. To access an application or service, users would sign in to Azure AD using their non-UPN email, such as `[email protected]`.
+
+![Diagram of email as an alternate login ID.](media/howto-authentication-use-email-signin/email-alternate-login-id.png)
 
 This article shows you how to enable and use email as an alternate login ID.
 
@@ -36,7 +38,7 @@ This article shows you how to enable and use email as an alternate login ID.
 Here's what you need to know about email as an alternate login ID:
 
 * The feature is available in Azure AD Free edition and higher.
-* The feature enables sign-in with verified domain *ProxyAddresses* for cloud-authenticated Azure AD users.
+* The feature enables sign-in with *ProxyAddresses*, in addition to UPN, for cloud-authenticated Azure AD users. More on how this applies to Azure AD B2B scenarios in the [B2B](#b2b-guest-user-sign-in-with-an-email-address) section.
 * When a user signs in with a non-UPN email, the `unique_name` and `preferred_username` claims (if present) in the [ID token](../develop/id-tokens.md) will return the non-UPN email.
 * The feature supports managed authentication with Password Hash Sync (PHS) or Pass-Through Authentication (PTA).
 * There are two options for configuring the feature:
@@ -54,8 +56,7 @@ In the current preview state, the following limitations apply to email as an alt
 
 * **Unsupported flows** - Some flows are currently not compatible with non-UPN emails, such as the following:
     * Identity Protection doesn't match non-UPN emails with *Leaked Credentials* risk detection. This risk detection uses the UPN to match credentials that have been leaked. For more information, see [Azure AD Identity Protection risk detection and remediation][identity-protection].
-    * B2B invites sent to a non-UPN email are not fully supported. After accepting an invite sent to a non-UPN email, sign-in with the non-UPN email may not work for the guest user on the resource tenant endpoint.
-    * When a user is signed-in with a non-UPN email, they cannot change their password. Azure AD self-service password reset (SSPR) should work as expected. During SSPR, the user may see their UPN if they verify their identity via alternate email.
+    * When a user is signed-in with a non-UPN email, they cannot change their password. Azure AD self-service password reset (SSPR) should work as expected. During SSPR, the user may see their UPN if they verify their identity using a non-UPN email.
 
 * **Unsupported scenarios** - The following scenarios are not supported. Sign-in with non-UPN email for:
     * [Hybrid Azure AD joined devices](../devices/concept-azure-ad-join-hybrid.md)
@@ -65,8 +66,6 @@ In the current preview state, the following limitations apply to email as an alt
     * Applications using legacy authentication such as POP3 and SMTP
     * Skype for Business
     * Microsoft Office on macOS
-    * Microsoft Teams on web
-    * OneDrive, when the sign-in flow does not involve Multi-Factor Authentication.
     * Microsoft 365 Admin Portal
 
 * **Unsupported apps** - Some third-party applications may not work as expected if they assume that the `unique_name` or `preferred_username` claims are immutable or will always match a specific user attribute, such as UPN.
@@ -121,6 +120,12 @@ One of the user attributes that's automatically synchronized by Azure AD Connect
 >
 > For more information, see [Add and verify a custom domain name in Azure AD][verify-domain].
 
+## B2B guest user sign-in with an email address
+
+![Diagram of email as an alternate login ID for B2B guest user sign-in.](media/howto-authentication-use-email-signin/email-alternate-login-id-b2b.png)
+
+Email as an alternate login ID applies to [Azure AD business-to-business (B2B) collaboration](../external-identities/what-is-b2b.md) under a "bring your own sign-in identifiers" model. When email as an alternate login ID is enabled in the home tenant, Azure AD users can perform guest sign in with non-UPN email on the resource tenanted endpoint. No action is required from the resource tenant to enable this functionality.
+
 ## Enable user sign-in with an email address
 
 > [!NOTE]
@@ -313,7 +318,7 @@ To test that users can sign in with email, go to [https://myprofile.microsoft.co
 
 ## Troubleshoot
 
-If users have trouble signing-in with their email address, review the following troubleshooting steps:
+If users have trouble signing in with their email address, review the following troubleshooting steps:
 
 1. Make sure it's been at least 1 hour since email as an alternate login ID was enabled. If the user was recently added to a group for staged rollout policy, make sure it's been at least 24 hours since they were added to the group.
 1. If using HRD policy, confirm that the Azure AD *HomeRealmDiscoveryPolicy* has the *AlternateIdLogin* definition property set to *"Enabled": true* and the *IsOrganizationDefault* property set to *True*:

articles/active-directory/authentication/media/concepts-azure-multi-factor-authentication-prompts-session-lifetime/details.png

@@ -185,6 +185,11 @@ sections:
         answer: |
           For information about what licenses your organization needs to use Azure AD B2B, see [External Identities pricing](external-identities-pricing.md).
 
+      - question: |
+          Can B2B collaboration users sign in with their non-UPN email address?
+        answer: |
+          Yes. For more information about email as an alternate login ID for B2B collaboration, see [B2B guest user sign-in with an email address](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-use-email-signin#b2b-guest-user-sign-in-with-an-email-address).
+
 additionalContent: |
 
   ## Next steps

articles/active-directory/authentication/media/howto-authentication-use-email-signin/email-alternate-login-id-b2b.png

@@ -299,7 +299,7 @@ If your Azure Active Directory is connected to on-premises Active Directory, the
 
 #### Establish integrated monitoring
 
-The [Microsoft Defender for Cloud](../../security-center/security-center-introduction.md):
+The [Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md):
 
 * Provides integrated security monitoring and policy management across your Azure subscriptions
 * Helps detect threats that may otherwise go unnoticed