Commit 7a0365a

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into mrb_08_02_2023_rbac
2 parents 02f2bf9 + ab77091 commit 7a0365a

268 files changed

+4445
-2326
lines changed

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -117,7 +117,7 @@ For passwordless sign-in to work, users should disable legacy notification throu
117117
1. Follow the steps at [Enable passwordless phone sign-in authentication](../authentication/howto-authentication-passwordless-phone.md#enable-passwordless-phone-sign-in-authentication-methods)
118118

119119
>[!IMPORTANT]
120-
>In the above configuration under step 4, please choose **Passwordless** option. Change the mode for each groups added for PSI for **Authentication mode**, choose **Passwordless** for passwordless sign-in to work with CBA. If the admin configures "Any", the user can use either push or passwordless. If passwordless is preferred over push but still wants to allow push, admin can still choose "Any" but configure system preferred MFA or configure authentication strengths.
120+
>In the above configuration under step 4, please choose **Passwordless** option. Change the mode for each groups added for PSI for **Authentication mode**, choose **Passwordless** for passwordless sign-in to work with CBA. If the admin configures "Any", CBA + PSI will not work.
121121
122122
1. Select **Azure Active Directory** > **Security** > **Multifactor authentication** > **Additional cloud-based multifactor authentication settings**.
123123
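Review bot: The replacement sentence drops the previous guidance that an admin may keep "Any" and rely on system-preferred MFA or authentication strengths, and replaces it with a flat "CBA + PSI will not work"; those are contradictory statements about the same configuration, so confirm with the feature owner which one is correct before merging, and if the new statement stands, tell readers who followed the old guidance what they need to change. Two pre-existing grammar issues on the same line are worth fixing while it is being touched: "please choose **Passwordless** option" needs "the", and "Change the mode for each groups added for PSI" should read "each group"; PSI and CBA are also used in this hunk before being expanded.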

articles/active-directory/conditional-access/plan-conditional-access.md

Lines changed: 0 additions & 2 deletions
@@ -140,8 +140,6 @@ Access control: Block access <br>
140140

141141
Now when User B attempts to access the **PAYROLL APP** they're blocked.
142142

143-
![Diagram showing access token issuance](media/plan-conditional-access/CA-policy-token-issuance.png)
144-
145143
## Recommendations
146144

147145
Taking into account our learnings in the use of Conditional Access and supporting other customers, here are a few recommendations based on our learnings.
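Review bot: Removing the token-issuance diagram leaves the User B example with no illustration of the flow; if the image was removed because it was wrong rather than redundant, consider replacing it instead of deleting it, and in either case check that `media/plan-conditional-access/CA-policy-token-issuance.png` is deleted from the repo (or is still referenced elsewhere) so no orphaned asset remains. The unchanged context line "Taking into account our learnings ... here are a few recommendations based on our learnings" repeats "learnings" and could be tightened in the same pass.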

articles/active-directory/devices/concept-directory-join.md

Lines changed: 1 addition & 2 deletions
@@ -32,8 +32,7 @@ Any organization can deploy Azure AD joined devices no matter the size or indust
3232
| | Windows Autopilot |
3333
| **Device sign in options** | Organizational accounts using: |
3434
| | Password |
35-
| | Windows Hello for Business |
36-
| | FIDO2.0 security keys (preview) |
35+
| | [Passwordless](/azure/active-directory/authentication/concept-authentication-passwordless) options like [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-planning-guide) and FIDO2.0 security keys. |
3736
| **Device management** | Mobile Device Management (example: Microsoft Intune) |
3837
| | [Configuration Manager standalone or co-management with Microsoft Intune](/mem/configmgr/comanage/overview) |
3938
| **Key capabilities** | SSO to both cloud and on-premises resources |
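Review bot: The new row ends with a period while every other cell in this table ("Password", "Windows Autopilot", the Intune row) does not; drop the trailing period for consistency. "FIDO2.0" is not the name of the standard; the specification is "FIDO2", so "FIDO2 security keys" is the accurate form (the same spelling appears in the hybrid-join table edited in this commit and should be fixed there too).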

articles/active-directory/devices/concept-hybrid-join.md

Lines changed: 1 addition & 1 deletion
@@ -35,7 +35,7 @@ Hybrid Azure AD joined devices require network line of sight to your on-premises
3535
| | Windows 8.1, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 - Require MSI |
3636
| **Device sign in options** | Organizational accounts using: |
3737
| | Password |
38-
| | Windows Hello for Business for Windows 10 or newer |
38+
| | [Passwordless](/azure/active-directory/authentication/concept-authentication-passwordless) options like [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-planning-guide) and FIDO2.0 security keys. |
3939
| **Device management** | [Group Policy](/mem/configmgr/comanage/faq#my-environment-has-too-many-group-policy-objects-and-legacy-authenticated-apps--do-i-have-to-use-hybrid-azure-ad-) |
4040
| | [Configuration Manager standalone or co-management with Microsoft Intune](/mem/configmgr/comanage/overview) |
4141
| **Key capabilities** | SSO to both cloud and on-premises resources |
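Review bot: Dropping "for Windows 10 or newer" loses a qualifier that matters in this table: the context line two rows up lists Windows 8.1, Windows Server 2012 R2, Windows Server 2012 and Windows Server 2008 R2 as supported hybrid-join platforms, and the passwordless sign-in options in the new row are not available on those downlevel systems, which is exactly why the removed line carried the qualifier. Suggest keeping it, e.g. "| | [Passwordless](...) options like [Windows Hello for Business](...) and FIDO2 security keys (Windows 10 or newer) |", and drop the trailing period to match the other cells.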

articles/active-directory/devices/device-join-plan.md

Lines changed: 3 additions & 2 deletions
@@ -51,7 +51,7 @@ Consider Azure AD join if your goals align with the following criteria:
5151

5252
## Review your identity infrastructure
5353

54-
Azure AD join works in managed and federated environments. We think most organizations will deploy with managed domains. Managed domain scenarios don't require configuring and managing a federation server like Active Directory Federation Services (AD FS).
54+
Azure AD join works in managed and federated environments. We think most organizations will deploy managed domains. Managed domain scenarios don't require configuring and managing a federation server like Active Directory Federation Services (AD FS).
5555

5656
### Managed environment
5757

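Review bot: "deploy managed domains" changes the meaning of the sentence: the subject is deploying Azure AD join, and managed domains are the environment it is deployed into, which is what the removed "deploy with managed domains" conveyed. If the preposition was removed for style, "deploy using managed domains" or "deploy in managed-domain environments" keeps the original sense. "We think" is also informal for reference documentation; "Most organizations deploy in managed domains" reads better.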
@@ -189,7 +189,7 @@ Currently, Azure AD joined devices don't support RADIUS authentication for conne
189189
You can provision Azure AD joined devices using the following approaches:
190190

191191
- **Self-service in OOBE/Settings** - In the self-service mode, users go through the Azure AD join process either during Windows Out of Box Experience (OOBE) or from Windows Settings. For more information, see [Join your work device to your organization's network](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973).
192-
- **Windows Autopilot** - Windows Autopilot enables pre-configuration of devices for a smoother Azure AD join experience in OOBE. For more information, see the [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot).
192+
- **Windows Autopilot** - Windows Autopilot enables preconfiguration of devices for a smoother Azure AD join experience in OOBE. For more information, see the [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot).
193193
- **Bulk enrollment** - Bulk enrollment enables an administrator driven Azure AD join by using a bulk provisioning tool to configure devices. For more information, see [Bulk enrollment for Windows devices](/intune/windows-bulk-enroll).
194194

195195
Here’s a comparison of these three approaches
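Review bot: Only the hyphen in "preconfiguration" changes here, which is fine, but two pre-existing nits in the same list and the line that follows could be fixed in the same pass: "administrator driven" in the Bulk enrollment bullet should be hyphenated as "administrator-driven", and "Here's a comparison of these three approaches" is missing its terminating punctuation (a colon if a table follows).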
@@ -297,3 +297,4 @@ You can use this implementation to [require managed devices for cloud app access
297297

298298
- [Join a new Windows 10 device to Azure AD during a first run](device-join-out-of-box.md)
299299
- [Join your work device to your organization's network](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973)
300+
- [Planning a Windows Hello for Business Deployment](/windows/security/identity-protection/hello-for-business/hello-planning-guide)
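Review bot: The new Next-steps entry uses title case ("Planning a Windows Hello for Business Deployment") while the two existing entries in the list use sentence case ("Join a new Windows 10 device ...", "Join your work device ..."); "Planning a Windows Hello for Business deployment" matches the list. The same entry is added to how-to-hybrid-join.md in this commit and should be corrected there as well.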

articles/active-directory/devices/how-to-hybrid-join.md

Lines changed: 2 additions & 1 deletion
@@ -118,7 +118,7 @@ With Windows 10 1803 or newer, if instantaneous hybrid Azure AD join for a feder
118118

119119
## Other scenarios
120120

121-
Organizations can test hybrid Azure AD join on a subset of their environment before a full rollout. The steps to complete a targeted deployment can be found in the article [Hybrid Azure AD join targeted deployment](hybrid-join-control.md). Organizations should include a sample of users from varying roles and profiles in this pilot group. A targeted rollout will help identify any issues your plan may not have addressed before you enable for the entire organization.
121+
Organizations can test hybrid Azure AD join on a subset of their environment before a full rollout. The steps to complete a targeted deployment can be found in the article [Hybrid Azure AD join targeted deployment](hybrid-join-control.md). Organizations should include a sample of users from varying roles and profiles in this pilot group. A targeted rollout helps identify any issues your plan may not have addressed before you enable for the entire organization.
122122

123123
Some organizations may not be able to use Azure AD Connect to configure AD FS. The steps to configure the claims manually can be found in the article [Configure hybrid Azure Active Directory join manually](hybrid-join-manual.md).
124124

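Review bot: "before you enable for the entire organization" is missing its object; "before you enable it for the entire organization" or "before you roll out to the entire organization" completes the sentence. Since the line is already being touched, the passive "The steps to complete a targeted deployment can be found in the article [...]" can become "For the steps to complete a targeted deployment, see [...]", matching the "For more information, see" phrasing used elsewhere in this commit.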
@@ -145,3 +145,4 @@ If you experience issues with completing hybrid Azure AD join for domain-joined
145145
- [Downlevel device enablement](how-to-hybrid-join-downlevel.md)
146146
- [Hybrid Azure AD join verification](how-to-hybrid-join-verify.md)
147147
- [Use Conditional Access to require compliant or hybrid Azure AD joined device](../conditional-access/howto-conditional-access-policy-compliant-device.md)
148+
- [Planning a Windows Hello for Business Deployment](/windows/security/identity-protection/hello-for-business/hello-planning-guide)
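Review bot: Same capitalization point as the device-join-plan.md list: the existing entries here ("Downlevel device enablement", "Hybrid Azure AD join verification", "Use Conditional Access to require ...") are sentence case, so the new entry should read "Planning a Windows Hello for Business deployment".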

articles/active-directory/governance/deploy-access-reviews.md

Lines changed: 3 additions & 2 deletions
@@ -63,9 +63,10 @@ The following videos help you learn about access reviews:
6363

6464
### Licenses
6565

66-
You need a valid Azure AD Premium (P2) license for each person, other than Global administrators or User administrators, who will create or do access reviews. For more information, see [Access reviews license requirements](access-reviews-overview.md).
66+
[!INCLUDE [active-directory-p2-governance-license.md](../../../includes/active-directory-p2-governance-license.md)]
6767

68-
You might also need other Identity Governance features, such as [entitlement lifecycle management](entitlement-management-overview.md) or PIM. In that case, you might also need related licenses. For more information, see [Azure Active Directory pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
68+
>[!NOTE]
69+
>Creating a review on inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license.
6970
7071
## Plan the access reviews deployment project
7172

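Review bot: Two pieces of information from the removed paragraphs are not visibly carried by the replacement: that Global administrators and User administrators do not themselves consume a license, and that entitlement lifecycle management or PIM may need their own licenses (with the pricing link). Confirm that `includes/active-directory-p2-governance-license.md` covers both, or keep the second paragraph alongside the include. Also note the mixed product naming: the new NOTE says "Microsoft Entra ID Governance" while the surrounding page and the include filename still say Azure AD / P2; if the rename is being applied, apply it consistently, and tell readers how a "Microsoft Entra ID Governance license" relates to the P2 license the include describes.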
articles/active-directory/governance/entitlement-management-access-package-create.md

Lines changed: 5 additions & 3 deletions
@@ -36,7 +36,7 @@ All access packages must have at least one policy for users to be assigned to th
3636

3737
![Diagram of an example marketing catalog, including its resources and its access package.](./media/entitlement-management-access-package-create/access-package-create.png)
3838

39-
Here are the high-level steps to create an access package:
39+
Here are the high-level steps to create an access package with an initial policy:
4040

4141
1. In Identity Governance, start the process to create an access package.
4242

@@ -46,9 +46,9 @@ Here are the high-level steps to create an access package:
4646

4747
1. Specify an initial policy for users who can request access.
4848

49-
1. Specify approval settings.
49+
1. Specify approval settings and lifecycle settings in that policy.
5050

51-
1. Specify lifecycle settings.
51+
Then once the access package is created, you can [change the hidden setting](entitlement-management-access-package-edit.md#change-the-hidden-setting), [add or remove resource roles](entitlement-management-access-package-resources.md), and [add additional policies](entitlement-management-access-package-request-policy.md).
5252

5353
## Start the creation process
5454

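Review bot: "Then once the access package is created, you can ..." stacks two conjunctions; "After the access package is created, you can ..." reads more cleanly, and "add additional policies" can be "add more policies". Merging the approval and lifecycle steps into one item is fine, but the first sentence of the list ("Here are the high-level steps ...") now promises steps that end with a non-step paragraph, so a lead-in such as "After you create the access package, you can also:" would make the break between the procedure and the follow-on options explicit.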
@@ -135,6 +135,8 @@ On the **Review + create** tab, you can review your settings and check for any v
135135

136136
The new access package appears in the list of access packages.
137137

138+
1. If the access package is intended to be visible to everyone in scope of the policies, then leave the **Hidden** setting of the access package at **No**. Optionally, if you intend to only allow users with the direct link to request the access package, [edit the access package](entitlement-management-access-package-edit.md#change-the-hidden-setting) to change the **Hidden** setting to **Yes**. Then [copy the link to request the access package](entitlement-management-access-package-settings.md#share-link-to-request-an-access-package) and share it with users who need access.
139+
138140
## Create an access package programmatically
139141

140142
There are two ways to create an access package programmatically: through Microsoft Graph and through the PowerShell cmdlets for Microsoft Graph.
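Review bot: The added "1." item sits after the paragraph "The new access package appears in the list of access packages.", which closes the preceding numbered procedure; as a standalone list it renders as step 1 of a new list, which is confusing immediately after the "Review + create" step. Either fold it into the last step of the procedure or make it a plain paragraph ("After the access package is created, decide whether it should be hidden: ..."). Wording nit: "if you intend to only allow users with the direct link to request" reads better as "if you want only users with the direct link to be able to request".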

articles/active-directory/governance/entitlement-management-access-package-settings.md

Lines changed: 5 additions & 3 deletions
@@ -22,9 +22,9 @@ ms.collection: M365-identity-device-management
2222
---
2323
# Share link to request an access package in entitlement management
2424

25-
Most users in your directory can sign in to the My Access portal and automatically see a list of access packages they can request. However, for external business partner users that aren't yet in your directory, you'll need to send them a link that they can use to request an access package.
25+
Most users in your directory can sign in to the My Access portal and automatically see a list of access packages they are in scope of a policy and can request. In addition, users from outside of your directory that are in scope, can also see access packages they are in scope of a policy and can request. However, if you have sensitive access packages or external business partner users that aren't yet in your directory but aren't part of an existing connected organization, those access packages should be hidden. Even though the user can request a hidden access package, they won't see it in the My access portal if they don't have the link. Instead, you'll need to send them a link that they can use to request that access package.
2626

27-
As long as the catalog for the access package is [enabled for external users](entitlement-management-catalog-create.md) and you have a [policy for the external user's directory](entitlement-management-access-package-request-policy.md), the external user can use the My Access portal link to request the access package.
27+
In order for the external user from another directory to use the My Access portal link to request the access package, the catalog for the access package must be [enabled for external users](entitlement-management-catalog-create.md) and there must be a [policy for the external user's directory](entitlement-management-access-package-request-policy.md) in the access package.
2828

2929
## Share link to request an access package
3030

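Review bot: The rewritten first paragraph has a stray comma ("users from outside of your directory that are in scope, can also see") and the phrase "access packages they are in scope of a policy and can request" appears twice; "access packages for which they are in scope of a policy" fixes the grammar. The sentence beginning "However, if you have sensitive access packages or external business partner users ... those access packages should be hidden" mixes two conditions (sensitive packages; users not in a connected organization) with a single consequence, and "those" has no clear antecedent for the second condition; split it into one sentence per case. "My access portal" should be "My Access portal" as in the rest of the page.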
@@ -34,6 +34,8 @@ As long as the catalog for the access package is [enabled for external users](en
3434

3535
1. In the left menu, select **Access packages** and then open the access package.
3636

37+
1. On the Overview page, check the **Hidden** setting. If the **Hidden** setting is **Yes**, then even users who do not have the My Access portal link can browse and request the access package. If you do not wish to have them browse for the access package, then change the setting to **No**.
38+
3739
1. On the Overview page, copy the **My Access portal link**.
3840

3941
![Access package overview - My Access portal link](./media/entitlement-management-shared/my-access-portal-link.png)
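Review bot: The Yes/No logic in the new step is inverted relative to the rest of this commit. The step says that when **Hidden** is **Yes** "even users who do not have the My Access portal link can browse and request" and tells the reader to change it to **No** to stop browsing, but entitlement-management-access-package-create.md in this same commit states that **Hidden** = **No** leaves the package visible to everyone in scope and **Hidden** = **Yes** restricts it to users with the direct link, and the rewritten intro of this very file says a hidden package is not shown in the portal without the link. Swap the values: "If the **Hidden** setting is **No**, users in scope can browse to and request the access package without the link. If you want only users who have the link to request it, change the setting to **Yes**."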
@@ -42,7 +44,7 @@ As long as the catalog for the access package is [enabled for external users](en
4244

4345
`https://myaccess.microsoft.com/@<directory_hint>#/access-packages/<access_package_id>`
4446

45-
1. Email or send the link to your external business partner. They can share the link with their users to request the access package.
47+
1. Email or send the link to your external business partner. They can share the link with their users in their organization to request the access package.
4648

4749
## Next steps
4850

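Review bot: "share the link with their users in their organization" is redundant; "share the link with users in their organization" says the same thing.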
articles/active-directory/governance/entitlement-management-catalog-create.md

Lines changed: 1 addition & 1 deletion
@@ -49,7 +49,7 @@ To create a catalog:
4949

5050
1. If you want the access packages in this catalog to be available for users to request as soon as they're created, set **Enabled** to **Yes**.
5151

52-
1. If you want to allow users in selected external directories to be able to request access packages in this catalog, set **Enabled for external users** to **Yes**.
52+
1. If you want to allow users in external directories from connected organizations to be able to request access packages in this catalog, set **Enabled for external users** to **Yes**. The access packages must also have a policy allowing users from connected organizations to request. If the access packages in this catalog are intended only for users already in the directory, then set **Enabled for external users** to **No**.
5353

5454
![Screenshot that shows the New catalog pane.](./media/entitlement-management-shared/new-catalog.png)
5555

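Review bot: "The access packages must also have a policy allowing users from connected organizations to request" is missing its object ("to request them"), and since the policy requirement is the reason the catalog setting alone is not enough, link it to the request-policy article the way entitlement-management-access-package-settings.md does in this commit ([policy for the external user's directory](entitlement-management-access-package-request-policy.md)). "to allow users ... to be able to request" can drop "to be able".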