Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Learn Build Service GitHub App

articles/active-directory/authentication/certificate-based-authentication-faq.yml

@@ -135,7 +135,7 @@ sections:
       - question: |
           CertificateUserIds update fails with value already there. How can an admin query all the user objects with the same value?
         answer: |
-          Tenant admins can run MS Graph queries to find all the users with a given certificateUserId value. More information can be found at [CertificateUserIds graph queries](concept-certificate-based-authentication-certificateuserids.md#look-up-certificateuserids-using-microsoft-graph-queries)
+          Tenant admins can run MS Graph queries to find all the users with a given certificateUserId value. More information can be found at [CertificateUserIds graph queries](concept-certificate-based-authentication-certificateuserids.md#update-certificateuserids-using-microsoft-graph-queries)
           
           GET all user objects that have the value '[email protected]' value in certificateUserIds:
 

articles/active-directory/authentication/concept-authentication-default-enablement.md

@@ -56,7 +56,7 @@ The following table lists each setting that can be set to Microsoft managed and
 | [Registration campaign](how-to-mfa-registration-campaign.md)                                    | Beginning in July, 2023, enabled for SMS and voice call users with free and trial subscriptions.      |
 | [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)           | Disabled      |
 | [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)   | Disabled      |
-| [System-preferred MFA](concept-system-preferred-multifactor-authentication.md)                  | Disabled      |
+| [System-preferred MFA](concept-system-preferred-multifactor-authentication.md)                  | Enabled       |
 | [Authenticator Lite](how-to-mfa-authenticator-lite.md)                                          | Enabled       |  
 
 As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). For example, see our blog post [It's Time to Hang Up on Phone Transports for Authentication](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752) for more information about the need to move away from using SMS and voice calls, which led to default enablement for the registration campaign to help users to set up Authenticator for modern authentication.

articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md

@@ -19,7 +19,7 @@ ms.custom: has-adal-ref
 
 # Certificate user IDs 
 
-Users in Azure AD can have a multivalued attribute named **certificateUserIds**. The attribute allows up to four values, and each value can be of 120-character length. It can store any value, and doesn't require email ID format. It can store non-routable User Principal Names (UPNs) like _bob@woodgrove_ or _bob@local_.
+Users in Azure AD can have a multivalued attribute named **certificateUserIds**. The attribute allows up to four values, and each value can be of 120-character length. It can store any value and doesn't require email ID format. It can store non-routable User Principal Names (UPNs) like _bob@woodgrove_ or _bob@local_.
 
 ## Supported patterns for certificate user IDs
 
@@ -35,11 +35,11 @@ The values stored in **certificateUserIds** should be in the format described in
 
 ## Roles to update certificateUserIds
 
-For cloud only users, only users with roles **Global Administrators**, **Privileged Authentication Administrator** can write into certificateUserIds.
-For sync'd users, AD users with role **Hybrid Identity Administrator** can write into the attribute.
+For cloud-only users, only users with roles **Global Administrators**, **Privileged Authentication Administrator** can write into certificateUserIds.
+For synched users, AD users with role **Hybrid Identity Administrator** can write into the attribute.
 
 >[!NOTE]
->Active Directory Administrators (including accounts with delegated administrative privilege over sync'd user accounts as well as administrative rights over the Azure >AD Connect Servers) can make changes that impact the certificateUserIds value in Azure AD for any sync'd accounts.
+>Active Directory Administrators (including accounts with delegated administrative privilege over synched user accounts as well as administrative rights over the Azure >AD Connect Servers) can make changes that impact the certificateUserIds value in Azure AD for any synched accounts.
  
 ## Update certificate user IDs in the Azure portal
 
@@ -66,7 +66,98 @@ Tenant admins can use the following steps Azure portal to update certificate use
 1. Enter the value and click **Save**. You can add up to four values, each of 120 characters.
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/save.png" alt-text="Screenshot of a value to enter for CertificateUserId.":::
- 
+
+## Update certificateUserIds using Microsoft Graph queries
+
+**Look up certificateUserIds**
+
+Authorized callers can run Microsoft Graph queries to find all the users with a given certificateUserId value. On the Microsoft Graph [user](/graph/api/resources/user) object, the collection of certificateUserIds is stored in the **authorizationInfo** property.
+
+To retrieve all user objects that have the value '[email protected]' in certificateUserIds:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/users?$filter=authorizationInfo/certificateUserIds/any(x:x eq '[email protected]')&$count=true
+ConsistencyLevel: eventual
+```
+
+You can also use the `not` and `startsWith` operators to match the filter condition. To filter against the certificateUserIds object, the request must include the `$count=true` query string and the **ConsistencyLevel** header set to `eventual`.
+
+**Update certificateUserIds**
+
+Run a PATCH request to update the certificateUserIds for a given user.
+
+#### Request body:
+
+```http
+PATCH https://graph.microsoft.com/v1.0/users/{id}
+Content-Type: application/json
+{
+    "authorizationInfo": {
+        "certificateUserIds": [
+            "X509:<PN>123456789098765@mil"
+        ]
+    }
+}
+```
+## Update certificateUserIds using PowerShell commands
+
+For the configuration, you can use the [Azure Active Directory PowerShell Version 2](/powershell/microsoftgraph/installation):
+
+1. Start Windows PowerShell with administrator privileges.
+1. Install and Import the Microsoft Graph PowerShell SDK
+
+   ```powershell
+       Install-Module Microsoft.Graph -Scope AllUsers
+       Import-Module Microsoft.Graph.Authentication
+       Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
+   ```
+1. Connect to the tenant and accept all
+
+   ```powershell
+      Connect-MGGraph -Scopes "Directory.ReadWrite.All", "User.ReadWrite.All" -TenantId <tenantId>
+   ```
+1. List CertificateUserIds attribute of a given user
+
+   ```powershell
+     $results = Invoke-MGGraphRequest -Method get -Uri 'https://graph.microsoft.com/v1.0/users/<userId>?$select=authorizationinfo' -OutputType PSObject -Headers @{'ConsistencyLevel' = 'eventual' }
+     #list certificateUserIds
+     $results.authorizationInfo
+   ```
+1. Create a variable with CertificateUserIds values
+   
+   ```powershell
+     #Create a new variable to prepare the change. Ensure that you list any existing values you want to keep as this operation will overwrite the existing value
+     $params = @{
+           authorizationInfo = @{
+                 certificateUserIds = @(
+                 "X509:<SKI>eec6b88788d2770a01e01775ce71f1125cd6ad0f", 
+                 "X509:<PN>[email protected]"
+                 )
+           }
+     }
+   ```
+1. Update CertificateUserIds attribute
+
+   ```powershell
+      $results = Invoke-MGGraphRequest -Method patch -Uri 'https://graph.microsoft.com/v1.0/users/<UserId>/?$select=authorizationinfo' -OutputType PSObject -Headers @{'ConsistencyLevel' = 'eventual' } -Body $params
+   ```
+
+**Update CertificateUserIds using user object**
+
+1. Get the user object
+
+   ```powershell
+     $userObjectId = "6b2d3bd3-b078-4f46-ac53-f862f35e10b6"
+     $user = get-mguser -UserId $userObjectId -Property AuthorizationInfo
+   ```
+
+1. Update the CertificateUserIds attribute of the user object
+
+   ```powershell
+      $user.AuthorizationInfo.certificateUserIds = @("X509:<SKI>eec6b88788d2770a01e01775ce71f1125cd6ad0f", "X509:<PN>[email protected]") 
+      Update-MgUser -UserId $userObjectId -AuthorizationInfo $user.AuthorizationInfo
+   ```
+   
 ## Update certificate user IDs using Azure AD Connect
 
 To update certificate user IDs for federated users, configure Azure AD Connect to sync userPrincipalName to certificateUserIds. 
@@ -101,7 +192,7 @@ To synchronize X509:\<PN>PrincipalNameValue, create an outbound synchronization
 
 ### Synchronize X509:\<RFC822>RFC822Name
 
-To synchronize X509:\<RFC822>RFC822Name, create an outbound synchronization rule, choose **Expression** in the flow type. Choose the target attribute as **certificateUserIds**, and in the source field, add the following expression. If your source attribute isn't userPrincipalName, you can change the expression accordingly.  
+To synchronize X509:\<RFC822>RFC822Name, create an outbound synchronization rule and choose **Expression** in the flow type. Choose the target attribute as **certificateUserIds**, and in the source field, add the following expression. If your source attribute isn't userPrincipalName, you can change the expression accordingly.  
 
 ```
 "X509:\<RFC822>"&[userPrincipalName]
@@ -150,7 +241,7 @@ alt-security-identity-add.
    |Option | Value |
    |-------|-------|
    |Name | Descriptive name of the rule, such as: Out to AAD - certificateUserIds |
-   |Connected System | Your Azure AD doamin |
+   |Connected System | Your Azure AD domain |
    |Connected System Object Type | user |
    |Metaverse Object Type | person |
    |Precedence | Choose a random high number not currently used |
@@ -169,39 +260,6 @@ IIF(IsPresent([alternativeSecurityId]),
 )
 ```
 
-## Look up certificateUserIds using Microsoft Graph queries
-
-Authorized callers can run Microsoft Graph queries to find all the users with a given certificateUserId value. On the Microsoft Graph [user](/graph/api/resources/user) object, the collection of certificateUserIds are stored in the **authorizationInfo** property.
-          
-To retrieve all user objects that have the value '[email protected]' in certificateUserIds:
-
-```msgraph-interactive
-GET https://graph.microsoft.com/v1.0/users?$filter=authorizationInfo/certificateUserIds/any(x:x eq '[email protected]')&$count=true
-ConsistencyLevel: eventual
-```
-
-You can also use the `not` and `startsWith` operators to match the filter condition. To filter against the certificateUserIds object, the request must include the `$count=true` query string and the **ConsistencyLevel** header set to `eventual`.
-            
-## Update certificateUserIds using Microsoft Graph queries
-
-Run a PATCH request to update the certificateUserIds for a given user.
-
-#### Request body:
-
-```http
-PATCH https://graph.microsoft.com/v1.0/users/{id}
-Content-Type: application/json
-
-{
-    "authorizationInfo": {
-        "certificateUserIds": [
-            "X509:<PN>123456789098765@mil"
-        ]
-    }
-}
-```
-
-
 ## Next steps
 
 - [Overview of Azure AD CBA](concept-certificate-based-authentication.md)

articles/active-directory/authentication/how-to-mfa-authenticator-lite.md

@@ -29,7 +29,7 @@ Users receive a notification in Outlook mobile to approve or deny sign-in, or th
 
 ## Prerequisites
 
-- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for some users or groups by using the modern Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API.
+- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for some users or groups by using the modern Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API. Organizations with an active MFA server or that have not started migration from per-user MFA are not eligible for this feature.
 
   >[!TIP]
   >We recommend that you also enable [system-preferred multifactor authentication (MFA)](concept-system-preferred-multifactor-authentication.md) when you enable Authenticator Lite. With system-preferred MFA enabled, users try to sign-in with Authenticator Lite before they try less secure telephony methods like SMS or voice call. 
@@ -56,7 +56,7 @@ To disable Authenticator Lite in the Azure portal, complete the following steps:
 
   2. On the Enable and Target tab, click Yes and All users to enable the Authenticator policy for everyone or add selected users and groups. Set the Authentication mode for these users/groups to Any or Push.
 
-  Only users who are enabled for Microsoft Authenticator here can be enabled to use Authenticator Lite for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook.
+  Only users who are enabled for Microsoft Authenticator here can be enabled to use Authenticator Lite for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application.
 
 <img width="1112" alt="Entra portal Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png">
 

articles/active-directory/external-identities/tenant-restrictions-v2.md

@@ -162,7 +162,7 @@ To configure tenant restrictions, you'll need the following:
 
 - Azure AD Premium P1 or P2
 - Account with a role of Global administrator or Security administrator
-- Windows devices running Windows 10, Windows 11, or Windows Server 2022 with the latest updates
+- Windows devices running Windows 10, Windows 11 with the latest updates
 
 ## Step 1: Configure default tenant restrictions V2
 
@@ -306,6 +306,13 @@ Suppose you use tenant restrictions to block access by default, but you want to
 
    :::image type="content" source="media/tenant-restrictions-v2/add-app-save.png" alt-text="Screenshot showing the selected application.":::
 
+> [!NOTE]
+   >
+   > Blocking MSA tenant will not block 
+   > - user-less traffic for devices. This includes traffic for Autopilot, Windows Update, and organizational telemetry.
+   > - B2B authentication of consumer accounts.
+   > - "Passthrough" authentication, used by many Azure apps and Office.com, where apps use Azure AD to sign in consumer users in a consumer context.
+
 ## Step 3: Enable tenant restrictions on Windows managed devices
 
 After you create a tenant restrictions V2 policy, you can enforce the policy on each Windows 10, Windows 11, and Windows Server 2022 device by adding your tenant ID and the policy ID to the device's **Tenant Restrictions** configuration. When tenant restrictions are enabled on a Windows device, corporate proxies aren't required for policy enforcement. Devices don't need to be Azure AD managed to enforce tenant restrictions V2; domain-joined devices that are managed with Group Policy are also supported.