Merge pull request #98727 from MicrosoftDocs/master

12/11 PM Publish

Author: huypub

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

@@ -105,7 +105,7 @@ This flowchart describes which methods are shown to a user when interrupted to r
 
 If you have both Multi-Factor Authentication and SSPR enabled, we recommend that you enforce Multi-Factor Authentication registration.
 
-If the SSPR policy requires users to review their security info at regular intervals, users are interrupted during sign-in and shown all their registered methods. They can confirm the current info if it's up-to-date, or they can make changes if they need to.
+If the SSPR policy requires users to review their security info at regular intervals, users are interrupted during sign-in and shown all their registered methods. They can confirm the current info if it's up-to-date, or they can make changes if they need to. Users must perform multi-factor authentication when accessing this page.
 
 ### Manage mode
 

articles/active-directory/authentication/howto-mfa-nps-extension-errors.md

@@ -93,6 +93,10 @@ If you encounter one of these errors, we recommend that you [contact support](#c
 
 If your users are [Having trouble with two-step verification](../user-help/multi-factor-authentication-end-user-troubleshoot.md), help them self-diagnose problems.
 
+### Health check script
+
+The [Azure MFA NPS Extension health check script](https://gallery.technet.microsoft.com/Azure-MFA-NPS-Extension-648de6bb) is available on the TechNet Gallery to perform a basic health check when troubleshooting the NPS extension. Run the script and choose option 3.
+
 ### Contact Microsoft support
 
 If you need additional help, contact a support professional through [Azure Multi-Factor Authentication Server support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, the ID of the user who saw the error, and debug logs.

articles/active-directory/authentication/howto-mfa-reporting.md

@@ -131,6 +131,16 @@ Identify users who have not registered for MFA using the PowerShell that follows
 
 ```Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName```
 
+Identify users and output methods registered. 
+
+```PowerShell
+Get-MsolUser -All | Select-Object @{N='UserPrincipalName';E={$_.UserPrincipalName}},
+
+@{N='MFA Status';E={if ($_.StrongAuthenticationRequirements.State){$_.StrongAuthenticationRequirements.State} else {"Disabled"}}},
+
+@{N='MFA Methods';E={$_.StrongAuthenticationMethods.methodtype}} | Export-Csv -Path c:\MFA_Report.csv -NoTypeInformation
+```
+
 ## Possible results in activity reports
 
 The following table may be used to troubleshoot multi-factor authentication using the downloaded version of the multi-factor authentication activity report. They will not appear directly in the Azure portal.

articles/active-directory/authentication/howto-mfaserver-deploy.md

@@ -120,6 +120,9 @@ Now that you have downloaded the server you can install and configure it. Be sur
 
 5. Back on the page that you downloaded the server from, click the **Generate Activation Credentials** button. Copy this information into the Azure MFA Server in the boxes provided and click **Activate**.
 
+> [!NOTE]
+> Only global administrators are able to generate activation credentials in the Azure portal.
+
 ## Send users an email
 
 To ease rollout, allow MFA Server to communicate with your users. MFA Server can send an email to inform them that they have been enrolled for two-step verification.

articles/active-directory/authentication/multi-factor-authentication-faq.md

@@ -23,10 +23,13 @@ This FAQ answers common questions about Azure Multi-Factor Authentication and us
 
 > [!IMPORTANT]
 > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
+> 
+> Consumption-based licensing is no longer available to new customers effective September 1, 2018.
+> Effective September 1, 2018 new auth providers may no longer be created. Existing auth providers may continue to be used and updated. Multi-factor authentication will continue to be an available feature in Azure AD Premium licenses.
+
 > [!NOTE]
 > The information shared below regarding the Azure Multi-Factor Authentication Server is only applicable for users who already have the MFA server running.
 
-
 **Q: How does Azure Multi-Factor Authentication Server handle user data?**
 
 With Multi-Factor Authentication Server, user data is stored only on the on-premises servers. No persistent user data is stored in the cloud. When the user performs two-step verification, Multi-Factor Authentication Server sends data to the Azure Multi-Factor Authentication cloud service for authentication. Communication between Multi-Factor Authentication Server and the Multi-Factor Authentication cloud service uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) over port 443 outbound.

articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md

@@ -46,6 +46,10 @@ The following steps will help create a Conditional Access policy to require devi
 1. Confirm your settings and set **Enable policy** to **On**.
 1. Select **Create** to create to enable your policy.
 
+### Known behavior
+
+On Windows 7, iOS, Android, macOS, and some third-party web browsers Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser the user is prompted to select the certificate. The end user must select this certificate before they can continue to use the browser.
+
 ## Next steps
 
 [Conditional Access common policies](concept-conditional-access-policy-common.md)

articles/active-directory/conditional-access/require-managed-devices.md

@@ -89,8 +89,9 @@ For a device that is marked as compliant, you can assume that:
 - Your company information is protected by helping to control the way your workforce accesses and shares it
 - The device and its apps are compliant with company security requirements
 
-> [!NOTE]
-> If you configure a policy to require compliant devices users may be prompted on Mac, iOS, and Android to select a device certificate during policy evaluation. This is a known behavior.
+### Known behavior
+
+On Windows 7, iOS, Android, macOS, and some third-party web browsers Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser the user is prompted to select the certificate. The end user must select this certificate before they can continue to use the browser.
 
 ## Next steps
 

articles/active-directory/conditional-access/technical-reference.md

@@ -233,6 +233,7 @@ This setting applies to the following client apps:
 - The approved client apps support the Intune mobile application management feature.
 - The **Require approved client app** requirement:
    - Only supports the iOS and Android for [device platform condition](#device-platform-condition).
+- Conditional Access cannot consider Microsoft Edge in InPrivate mode an approved client app.
 
 ## App protection policy requirement 
 

articles/active-directory/fundamentals/active-directory-groups-membership-azure-portal.md

@@ -26,7 +26,7 @@ This article helps you to add and remove a group from another group using Azure
 You can add an existing Security group to another existing Security group (also known as nested groups), creating a member group (subgroup) and a parent group. The member group inherits the attributes and properties of the parent group, saving you configuration time.
 
 >[!Important]
->We don't currently support:<ul><li>Adding groups to a group synced with on-premises Active Directory.</li><li>Adding Security groups to Office 365 groups.</li><li>Adding Office 365 groups to Security groups or other Office 365 groups.</li><li>Assigning apps to nested groups.</li><li>Applying licenses to nested groups.</li></ul>
+>We don't currently support:<ul><li>Adding groups to a group synced with on-premises Active Directory.</li><li>Adding Security groups to Office 365 groups.</li><li>Adding Office 365 groups to Security groups or other Office 365 groups.</li><li>Assigning apps to nested groups.</li><li>Applying licenses to nested groups.</li><li>Adding distribution groups in nesting scenarios.</li></ul>
 
 ### To add a group as a member of another group
 
@@ -45,16 +45,12 @@ You can add an existing Security group to another existing Security group (also
 
     The **MDM policy - West** group is now a member of the **MDM policy - All org** group, inheriting all the properties and configuration of the MDM policy - All org group.
 
-    ![Create a group membership by adding group to another group](media/active-directory-groups-membership-azure-portal/add-group-membership.png)
+    ![Create a group membership by adding group to another group](media/active-directory-groups-membership-azure-portal/group-add-group-membership.png)
 
 5. Review the **MDM policy - West - Group memberships** page to see the group and member relationship.
 
-    ![MDM policy - West - Group memberships page showing the parent group](media/active-directory-groups-membership-azure-portal/group-membership-blade.png)
-
 6. For a more detailed view of the group and member relationship, select the group name (**MDM policy - All org**) and take a look at the **MDM policy - West** page details.
 
-    ![Group membership page showing both the member and the group details](media/active-directory-groups-membership-azure-portal/group-membership-review.png)
-
 ## Remove a group from another group
 You can remove an existing Security group from another Security group. However, removing the group also removes any inherited attributes and properties for its members.
 
@@ -63,13 +59,10 @@ You can remove an existing Security group from another Security group. However,
 
 2. On the **MDM policy - West overview** page, select **Group memberships**.
 
-    ![MDM policy - West overview page](media/active-directory-groups-membership-azure-portal/group-membership-overview.png)
-
 3. Select the **MDM policy - All org** group from the **MDM policy - West - Group memberships** page, and then select **Remove** from the **MDM policy - West** page details.
 
     ![Group membership page showing both the member and the group details](media/active-directory-groups-membership-azure-portal/group-membership-remove.png)
 
-
 ## Additional information
 These articles provide additional information on Azure Active Directory.
 

articles/active-directory/fundamentals/concept-fundamentals-security-defaults.md

@@ -57,7 +57,7 @@ We tend to think that administrator accounts are the only accounts that need ext
 
 After these attackers gain access, they can request access to privileged information on behalf of the original account holder. They can even download the entire directory to perform a phishing attack on your whole organization. 
 
-One common method to improve protection for all users is to require a stronger form of account verification, such as Multi-Factor Authentication, for everyone. After users finish Multi-Factor Authentication registration, they'll be prompted for additional authentication whenever necessary.
+One common method to improve protection for all users is to require a stronger form of account verification, such as Multi-Factor Authentication, for everyone. After users complete Multi-Factor Authentication registration, they'll be prompted for additional authentication whenever necessary.
 
 ### Blocking legacy authentication
 
@@ -94,14 +94,14 @@ The following additional considerations are related to deployment of security de
 
 Mail clients use older authentication protocols (like IMAP, SMTP, and POP3) to make authentication requests. These protocols don't support Multi-Factor Authentication. Most of the account compromises that Microsoft sees are from attacks against older protocols that are trying to bypass Multi-Factor Authentication. 
 
-To ensure that Multi-Factor Authentication is required for signing in to an administrative account and that attackers can't bypass it, security defaults block all authentication requests made to administrator accounts from older protocols.
+To ensure that Multi-Factor Authentication is required for signing in to an administrative account and attackers can't bypass it, security defaults block all authentication requests made to administrator accounts from older protocols.
 
 > [!WARNING]
 > Before you enable this setting, make sure your administrators aren't using older authentication protocols. For more information, see [How to move away from legacy authentication](concept-fundamentals-block-legacy-authentication.md).
 
 ### Conditional Access
 
-You can use Conditional Access to configure policies that provide the same behavior enabled by security defaults. If you're using Conditional Access and have Conditional Access policies enabled in your environment, security defaults won't be available to you. If you have a license that provides Conditional Access but don't have any Conditional Access policies enabled in your environment, you are welcome to use security defaults until you enable Conditional Access policies.
+You can use Conditional Access to configure policies similar to security defaults, but with more granularity. If you're using Conditional Access and have Conditional Access policies enabled in your environment, security defaults won't be available to you. If you have a license that provides Conditional Access but don't have any Conditional Access policies enabled in your environment, you are welcome to use security defaults until you enable Conditional Access policies. More information about Azure AD licensing can be found on the [Azure AD pricing page](https://azure.microsoft.com/pricing/details/active-directory/).
 
 ![Warning message that you can have security defaults or Conditional Access not both](./media/concept-fundamentals-security-defaults/security-defaults-conditional-access.png)