# Plan and deploy on-premises Azure Active Directory Password Protection
19
19
20
-
Users often create passwords that use common local words such as a school, sports team, or famous person. These passwords are easy to guess, and weak against dictionary-based attacks. To enforce strong passwords in your organization, Azure Active Directory (Azure AD) Password Protection provides a global and custom banned password list. A password change request fails if there's a match in these banned password list.
20
+
Users often create passwords that use common local words such as a school, sports team, or famous person. These passwords are easy to guess, and weak against dictionary-based attacks. To enforce strong passwords in your organization, Azure Active Directory (Azure AD) Password Protection provides a global and custom banned password list. A password change request fails if there's a match in this banned password list.
21
21
22
22
To protect your on-premises Active Directory Domain Services (AD DS) environment, you can install and configure Azure AD Password Protection to work with your on-prem DC. This article shows you how to install and register the Azure AD Password Protection proxy service and Azure AD Password Protection DC agent in your on-premises environment.
23
23
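Review bot: the grammar fix at line 20 ("these banned password list" to "this banned password list") should also be applied to the operations article touched later in this commit, whose unchanged context still reads "A password change request fails if there's a match in these banned password list"; otherwise the two articles carry the same sentence in two states.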
@@ -243,7 +243,7 @@ To install the Azure AD Password Protection proxy service, complete the followin
243
243
>
244
244
> You may also see MFA required if Azure Device Registration (which is used under the covers by Azure AD Password Protection) has been configured to globally require MFA. To workaround this requirement you may use a different account that supports MFA with one of the previous two authentication modes, or you may also temporarily relax the Azure Device Registration MFA requirement.
245
245
>
246
-
> To make this change, search for and select then select **Devices > Device Settings** in the Microsoft Entra admin center. Set **Require Multi-Factor Auth to join devices** to *No*. Be sure to reconfigure this setting back to *Yes* once registration is complete.
246
+
> To make this change, select **Identity** in the [Microsoft Entra admin center](https://entra.microsoft.com), then select **Devices** > **Device Settings**. Set **Require Multi-Factor Auth to join devices** to *No*. Be sure to reconfigure this setting back to *Yes* once registration is complete.
247
247
>
248
248
> We recommend that MFA requirements be bypassed for test purposes only.
249
249
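Review bot: the removed line at 246 had a garbled instruction ("search for and select then select"), so the rewrite is an improvement, but the unchanged line 244 still uses "workaround" as a verb; it should read "To work around this requirement". Since this entire note block (lines 243 to 249) is repeated verbatim in the hunk at 296 of the same file, consider moving it into a single shared include so that the next wording fix lands in one place.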
@@ -296,7 +296,7 @@ To install the Azure AD Password Protection proxy service, complete the followin
296
296
>
297
297
> You may also see MFA required if Azure Device Registration (which is used under the covers by Azure AD Password Protection) has been configured to globally require MFA. To workaround this requirement you may use a different account that supports MFA with one of the previous two authentication modes, or you may also temporarily relax the Azure Device Registration MFA requirement.
298
298
>
299
-
> To make this change, search for and select **Devices > Device Settings** in the Microsoft Entra admin center. Set **Require Multi-Factor Auth to join devices** to *No*. Be sure to reconfigure this setting back to *Yes* once registration is complete.
299
+
> To make this change, select **Identity** in the [Microsoft Entra admin center](https://entra.microsoft.com), then select **Devices** > **Device Settings**. Set **Require Multi-Factor Auth to join devices** to *No*. Be sure to reconfigure this setting back to *Yes* once registration is complete.
300
300
>
301
301
> We recommend that MFA requirements be bypassed for test purposes only.
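Review bot: same comments as for the hunk at 243: this block is a verbatim duplicate, including the "To workaround this requirement" wording at line 297, and would benefit from being factored into one include. The instruction to set "Require Multi-Factor Auth to join devices" to No relaxes device registration for the whole tenant while it is in effect, so the closing reminder at line 299 to set it back to Yes is the most important sentence in the block; consider moving it before the navigation steps rather than after them.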
articles/active-directory/authentication/howto-password-ban-bad-on-premises-faq.yml
7 additions & 6 deletions
@@ -33,7 +33,7 @@ sections:
33
33
34
34
On-premises Azure AD Password Protection is supported in both Azure Global and Azure Government clouds.
35
35
36
-
The Azure portal does allow modification of the on-premises-specific "Password protection for Windows Server Active Directory" configuration even in non-supported clouds; such changes will be persisted but otherwise will never take effect. Registration of on-premises proxy agents or forests is unsupported in non-supported clouds, and any such registration attempts will always fail.
36
+
The Microsoft Entra admin center does allow modification of the on-premises-specific "Password protection for Windows Server Active Directory" configuration even in non-supported clouds; such changes will be persisted but otherwise will never take effect. Registration of on-premises proxy agents or forests is unsupported in non-supported clouds, and any such registration attempts will always fail.
37
37
38
38
### How can I apply Azure AD Password Protection benefits to a subset of my on-premises users?
39
39
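Review bot: line 36 says that changes made in non-supported clouds "will be persisted but otherwise will never take effect", which means an administrator in such a cloud sees a saved policy while no on-premises enforcement happens; consider adding a short callout making that explicit, since nothing in the admin center surfaces it. Minor: "will be persisted" could become "are persisted" to match the present-tense style of the surrounding answers.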
@@ -79,7 +79,7 @@ sections:
79
79
80
80
### How can I modify the contents of the policy at the Active Directory level?
81
81
82
-
Not supported. The policy can only be administered using the Azure portal. Also see previous question.
82
+
Not supported. The policy can only be administered using the Microsoft Entra admin center. Also see previous question.
83
83
84
84
### Why is DFSR required for sysvol replication?
85
85
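Review bot: "Also see previous question." at line 82 is a positional cross-reference inside a YAML FAQ whose entries can be reordered; link the intended question by its anchor instead, or drop the pointer. The rename from "Azure portal" to "Microsoft Entra admin center" is consistent with the rest of the commit.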
@@ -142,7 +142,7 @@ sections:
142
142
143
143
### Why is custom smart lockout not working even after the agents are installed in my on-premises Active Directory environment?
144
144
145
-
Custom smart lockout is only supported in Azure AD. Changes to the custom smart lockout settings in the Azure portal have no effect on the on-premises Active Directory environment, even with the agents installed.
145
+
Custom smart lockout is only supported in Azure AD. Changes to the custom smart lockout settings in the Microsoft Entra admin center have no effect on the on-premises Active Directory environment, even with the agents installed.
146
146
147
147
### Is a System Center Operations Manager management pack available for Azure AD Password Protection?
148
148
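Review bot: line 145 tells readers that custom smart lockout changes have no effect on the on-premises environment even with the agents installed, but not what does govern on-premises lockout; a sentence pointing them to where on-premises account lockout is configured would keep them from concluding that there is none.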
@@ -192,8 +192,9 @@ sections:
192
192
net.exe user ContosoUser /add <password>
193
193
```
194
194
195
-
1. Open a web browser (you may need to use a separate device instead of your domain controller), sign in to the [Azure portal](https://portal.azure.com), and browse to Azure Active Directory > Security > Authentication methods > Password protection.
196
-
1. Modify the Azure AD Password Protection policy as needed for the testing you want to perform. For example, you may decide to configure either Enforced or Audit Mode, or you may decide to modify the list of banned terms in your custom banned passwords list.
195
+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).
196
+
1. Browse to Protection > Authentication methods > Password protection.
197
+
1. Modify the Azure AD Password Protection policy as needed for the testing you want to perform. For example, you may decide to configure either Enforced or Audit Mode, or you may decide to modify the list of banned terms in your custom banned passwords list.
197
198
1. Synchronize the new policy by stopping and restarting the DC agent service.
198
199
199
200
This step can be accomplished in various ways. One way would be to use the Service Management administrative console, by right-clicking on the Azure AD Password Protection DC Agent service and choosing "Restart". Another way may be performed from the command prompt window like so:
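Review bot: the removed step at old line 195 carried the caveat "you may need to use a separate device instead of your domain controller", and the new sign-in step at 195 drops it; keep that caveat, because the rest of this procedure is run directly on a domain controller and the old text deliberately steered readers away from browsing the admin center from a DC. The context at 192 also shows the test password passed in clear text to `net.exe user ContosoUser /add <password>`, so the steps should say to use a throwaway value and to remove the test account when testing is finished.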
@@ -290,7 +291,7 @@ sections:
290
291
FullName:
291
292
```
292
293
293
-
1. Continue testing various passwords of your choice and checking the results in the event viewer using the procedures outlined in the previous steps. If you need to change the policy in the Azure portal, don't forget to synchronize the new policy down to the DC agent as described earlier.
294
+
1. Continue testing various passwords of your choice and checking the results in the event viewer using the procedures outlined in the previous steps. If you need to change the policy in the Microsoft Entra admin center, don't forget to synchronize the new policy down to the DC agent as described earlier.
294
295
295
296
We've covered procedures that enable you to do controlled testing of Azure AD Password Protection's password validation behavior. Resetting user passwords from the command line directly on a domain controller may seem an odd means of doing such testing, but as described previously it is designed to produce repeatable results. As you are testing various passwords, keep the [password evaluation algorithm](concept-password-ban-bad.md#how-are-passwords-evaluated) in mind as it may help to explain results that you did not expect.
Users often create passwords that use common local words such as a school, sports team, or famous person. These passwords are easy to guess, and weak against dictionary-based attacks. To enforce strong passwords in your organization, Azure Active Directory (Azure AD) Password Protection provides a global and custom banned password list. A password change request fails if there's a match in these banned password list.
21
21
22
-
To protect your on-premises Active Directory Domain Services (AD DS) environment, you can install and configure Azure AD Password Protection to work with your on-prem DC. This article shows you how to enable Azure AD Password Protection for your on-premises environment.
22
+
To protect your on-premises Active Directory Domain Services (AD DS) environment, you can install and configure Azure AD Password Protection to work with your on-premises DC. This article shows you how to enable Azure AD Password Protection for your on-premises environment.
23
23
24
24
For more information on how Azure AD Password Protection works in an on-premises environment, see [How to enforce Azure AD Password Protection for Windows Server Active Directory](concept-password-ban-bad-on-premises.md).
25
25
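Review bot: this hunk only changes "on-prem" to "on-premises" at line 22 while the unchanged line 20 directly above still contains "a match in these banned password list", the same error this commit fixes in the plan-and-deploy article; apply the "this banned password list" fix here as well.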
@@ -31,15 +31,16 @@ This article shows you how to enable Azure AD Password Protection for your on-pr
1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Password protection**.
34
+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).
35
+
1. Browse to **Protection** > **Authentication methods** > **Password protection**.
35
36
1. Set the option for **Enable password protection on Windows Server Active Directory** to *Yes*.
36
37
37
38
When this setting is set to *No*, all deployed Azure AD Password Protection DC agents go into a quiescent mode where all passwords are accepted as-is. No validation activities are performed, and audit events aren't generated.
38
39
39
40
1. It's recommended to initially set the **Mode** to *Audit*. After you're comfortable with the feature and the impact on users in your organization, you can switch the **Mode** to *Enforced*. For more information, see the following section on [modes of operation](#modes-of-operation).
40
41
1. When ready, select **Save**.
41
42
42
-
[](media/howto-password-ban-bad-on-premises-operations/enable-configure-custom-banned-passwords.png#lightbox)
43
+
[](media/howto-password-ban-bad-on-premises-operations/enable-configure-custom-banned-passwords.png#lightbox)
43
44
44
45
## Modes of operation
45
46
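Review bot: the new step at 35, "1. Browse to **Protection** > **Authentication methods** > **Password protection**.", bolds the breadcrumb, whereas the equivalent step added to howto-password-ban-bad-on-premises-faq.yml in this same commit ("Browse to Protection > Authentication methods > Password protection.") does not; pick one style for the whole change. The paragraph at 37 about quiescent mode is worth keeping immediately under the toggle, since with the option set to No every password is accepted and no audit events are generated, which readers should not confuse with Audit mode.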
@@ -70,4 +71,4 @@ Affected end users may need to work with their IT staff to understand the new re
70
71
71
72
To customize the banned password list for your organization, see [Configure the Azure AD Password Protection custom banned password list](tutorial-configure-custom-password-protection.md).
72
73
73
-
To monitor on-prem events, see [Monitoring on-prem Azure AD Password Protection](howto-password-ban-bad-on-premises-monitor.md).
74
+
To monitor on-premises events, see [Monitoring on-premises Azure AD Password Protection](howto-password-ban-bad-on-premises-monitor.md).
articles/active-directory/authentication/howto-password-smart-lockout.md
4 additions & 4 deletions
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: authentication
8
8
ms.topic: how-to
9
-
ms.date: 01/29/2023
9
+
ms.date: 09/23/2023
10
10
11
11
ms.author: justinha
12
12
author: justinha
@@ -66,8 +66,8 @@ Based on your organizational requirements, you can customize the Azure AD smart
66
66
67
67
To check or modify the smart lockout values for your organization, complete the following steps:
68
68
69
-
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).
70
-
1.Search for and select *Azure Active Directory*, then select **Security** > **Authentication methods** > **Password protection**.
69
+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).
70
+
1.Browse to **Protection** > **Authentication methods** > **Password protection**.
71
71
1. Set the **Lockout threshold**, based on how many failed sign-ins are allowed on an account before its first lockout.
72
72
73
73
The default is 10 for Azure Public tenants and 3 for Azure US Government tenants.
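Review bot: the added line 70, "1.Browse to **Protection** > ...", carries over the missing space after "1." from the removed line ("1.Search for and select"), so it will not render as a numbered list item; change it to "1. Browse to". The sign-in link change from https://entra.microsoft.com/#home to https://entra.microsoft.com matches the other files in this commit.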
@@ -79,7 +79,7 @@ To check or modify the smart lockout values for your organization, complete the
79
79
> [!NOTE]
80
80
> If the first sign-in after a lockout period has expired also fails, the account locks out again. If an account locks repeatedly, the lockout duration increases.
81
81
82
-

82
+
