
Commit 88595e1

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into CAConceptual
2 parents e136c2e + 10b3b08 commit 88595e1

33 files changed, +515 / -373 lines

articles/active-directory/conditional-access/howto-conditional-access-adoption-kit.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
1919

2020
In a mobile-first, cloud-first world, users can access your organization's resources from anywhere using different kinds of devices and apps. As a result, just focusing on who can access a resource is no longer enough. You can control who has access and identify where the user is and what device is being used and much more.
2121

22-
To provide this control, **Azure Active Directory (AD) Conditional Access** allows you to specify the conditions any user must meet for access to an application, such as Multi-Factor Authentication (MFA). Using Conditional Access policies controls how authorized users (users that have been granted access to a cloud app) access cloud apps under specific conditions. Refer to [What is Conditional Access in Azure Active Directory](overview.md#conditional-access-policies) for more information.
22+
To provide this control, **Azure Active Directory (AD) Conditional Access** allows you to specify the conditions any user must meet for access to an application, such as Multi-Factor Authentication (MFA). Using Conditional Access policies controls how authorized users (users that have been granted access to a cloud app) access cloud apps under specific conditions. Refer to [What is Conditional Access in Azure Active Directory](overview.md) for more information.
2323

2424
## Key benefits
2525

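Review bot: the retargeted link on line 22 (from `overview.md#conditional-access-policies` to `overview.md`) is the right call, since the `## Conditional Access policies` heading it pointed at is removed from overview.md in this same merge and the anchor would otherwise dangle; while this line is being touched, the parenthetical in `**Azure Active Directory (AD) Conditional Access**` should read `Azure Active Directory (Azure AD)`, which is the abbreviation the overview article itself uses, so the two articles introduce the term the same way.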
Binary file not shown.
Lines changed: 52 additions & 47 deletions
Original file line number | Diff line number | Diff line change
@@ -1,83 +1,82 @@
11
---
2-
title: What is Conditional Access in Azure Active Directory? | Microsoft Docs
3-
description: Learn how Conditional Access in Azure Active Directory helps you to implement automated access decisions that are not only based on who tries to access a resource but also how a resource is accessed.
2+
title: What is Conditional Access in Azure Active Directory?
3+
description: Learn how Conditional Access is at the heart of the new identity driven control plane.
44

55
services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: overview
9-
ms.date: 02/14/2019
9+
ms.date: 09/17/2019
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
1313
manager: daveba
1414
ms.reviewer: calebb
1515

16-
#Customer intent: As an IT admin, I want to understand Conditional Access well enough so that I can control how users are accessing my resources.
1716
ms.collection: M365-identity-device-management
1817
---
1918
# What is Conditional Access?
2019

21-
Security is a top concern for organizations using the cloud. A key aspect of cloud security is identity and access when it comes to managing your cloud resources. In a mobile-first, cloud-first world, users can access your organization's resources using a variety of devices and apps from anywhere. As a result of this, just focusing on who can access a resource is not sufficient anymore. To master the balance between security and productivity, you also need to factor how a resource is accessed into an access control decision. With Azure Active Directory (Azure AD) Conditional Access, you can address this requirement. Conditional Access is a capability of Azure Active Directory. With Conditional Access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions.
20+
The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can utilize these identity signals as part of their access control decisions.
2221

23-
Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (for example, the sign-in risk level, location of the request, and so on) to determine access.
22+
Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane.
2423

25-
![Control](./media/overview/81.png)
24+
![Conceptual Conditional signal plus decision to get enforcement](./media/overview/conditional-access-signal-decision-enforcement.png)
2625

27-
This article provides you with a conceptual overview of Conditional Access in Azure AD.
26+
Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.
2827

29-
## Common scenarios
30-
31-
In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, apps, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and third-party SaaS apps, you are faced with two opposing goals:
28+
Administrators are faced with two primary goals:
3229

3330
- Empower users to be productive wherever and whenever
34-
- Protect the corporate assets at any time
35-
36-
By using Conditional Access policies, you can apply the right access controls under the required conditions. Azure AD Conditional Access provides you with added security when needed and stays out of your user’s way when it isn’t.
37-
38-
Following are some common access concerns that Conditional Access can help you with:
39-
40-
- **[Sign-in risk](conditions.md#sign-in-risk)**: Azure AD Identity Protection detects sign-in risks. How do you restrict access if a detected sign-in risk indicates a bad actor? What if you would like to get stronger evidence that a sign-in was performed by the legitimate user? What if your doubts are strong enough to even block specific users from accessing an app?
41-
- **[Network location](location-condition.md)**: Azure AD is accessible from anywhere. What if an access attempt is performed from a network location that is not under the control of your IT department? A username and password combination might be good enough as proof of identity for access attempts from your corporate network. What if you demand a stronger proof of identity for access attempts that are initiated from other unexpected countries or regions of the world? What if you even want to block access attempts from certain locations?
42-
- **[Device management](conditions.md#device-platforms)**: In Azure AD, users can access cloud apps from a broad range of devices including mobile and also personal devices. What if you demand that access attempts should only be performed with devices that are managed by your IT department? What if you even want to block certain device types from accessing cloud apps in your environment?
43-
- **[Client application](conditions.md#client-apps)**: Today, you can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. What if an access attempt is performed using a client app type that causes known issues? What if you require a device that is managed by your IT department for certain app types?
44-
45-
These questions and the related answers represent common access scenarios for Azure AD Conditional Access.
46-
Conditional Access is a capability of Azure Active Directory that enables you to handle access scenarios using a policy-based approach.
47-
48-
> [!VIDEO https://www.youtube.com/embed/eLAYBwjCGoA]
49-
50-
## Conditional Access policies
31+
- Protect the organization's assets
5132

52-
A Conditional Access policy is a definition of an access scenario using the following pattern:
33+
By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your user’s way when not needed.
5334

54-
![Control](./media/overview/10.png)
35+
![Conceptual Conditional Access process flow](./media/overview/conditional-access-overview-how-it-works.png)
5536

37+
Conditional Access policies are enforced after the first-factor authentication has been completed. Conditional Access is not intended as an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but can use signals from these events to determine access.
5638

57-
**When this happens** defines the reason for triggering your policy. This reason is characterized by a group of conditions that have been satisfied. In Azure AD Conditional Access, the two assignment conditions play a special role:
39+
## Common signals
5840

59-
- **[Users](conditions.md#users-and-groups)**: The users performing an access attempt (**Who**).
60-
- **[Cloud apps](conditions.md#cloud-apps-and-actions)**: The targets of an access attempt (**What**).
41+
Common signals that Conditional Access can take in to account when making a policy decision include the following signals:
6142

62-
These two conditions are mandatory in a Conditional Access policy. In addition to the two mandatory conditions, you can also include additional conditions that describe how the access attempt is performed. Common examples are using mobile devices or locations that are outside your corporate network. For more information, see [Conditions in Azure Active Directory Conditional Access](conditions.md).
43+
- User or group membership
44+
- Policies can be targeted to specific users and groups giving administrators fine-grained control over access.
45+
- IP Location information
46+
- Organizations can create trusted IP address ranges that can be used when making policy decisions.
47+
- Administrators can specify entire countries IP ranges to block or allow traffic from.
48+
- Device
49+
- Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies.
50+
- Application
51+
- Users attempting to access specific applications can trigger different Conditional Access policies.
52+
- Real-time and calculated risk detection
53+
- Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to perform password changes or multi-factor authentication to reduce their risk level or be blocked from access until an administrator takes manual action.
54+
- Microsoft Cloud App Security (MCAS)
55+
- Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities performed within your cloud environment.
6356

64-
The combination of conditions with your access controls represents a Conditional Access policy.
57+
## Common decisions
6558

66-
![Control](./media/overview/51.png)
59+
- Block access
60+
- Most restrictive decision
61+
- Grant access
62+
- Least restrictive decision, can still require one or more of the following options:
63+
- Require multi-factor authentication
64+
- Require device to be marked as compliant
65+
- Require Hybrid Azure AD joined device
66+
- Require approved client app
67+
- Require app protection policy (preview)
6768

68-
With Azure AD Conditional Access, you can control how authorized users can access your cloud apps. The objective of a Conditional Access policy is to enforce additional access controls on an access attempt to a cloud app based on how an access attempt is performed.
69+
## Commonly applied policies
6970

70-
A policy-based approach to protect access to your cloud apps enables you to start drafting the policy requirements for your environment using the structure outlined in this article without worrying about the technical implementation.
71+
Many organizations have common access concerns that Conditional Access policies can help with such as:
7172

72-
## Azure AD Conditional Access and federated authentication
73-
74-
Conditional Access policies work seamlessly with [federated authentication](../../security/fundamentals/choose-ad-authn.md#federated-authentication). This support includes all supported conditions and controls and visibility into how policy is applied to active user sign-ins using [Azure AD reporting](../reports-monitoring/concept-sign-ins.md).
75-
76-
*Federated authentication with Azure AD* means that a trusted authentication service handles user authentication to Azure AD. A trusted authentication service is, for example, Active Directory Federation Services (AD FS), or any other federation service. In this configuration, primary user authentication is performed at the service and then Azure AD is used to sign into individual applications. Azure AD Conditional Access is applied before access is granted to the application the user is accessing.
77-
78-
When the configured Conditional Access policy requires multi-factor authentication, Azure AD defaults to using Azure MFA. If you use the federation service for MFA, you can configure Azure AD to redirect to the federation service when MFA is needed by setting `-SupportsMFA` to `$true` in [PowerShell](https://docs.microsoft.com/powershell/module/msonline/set-msoldomainfederationsettings). This setting works for federated authentication services that support the MFA challenge request issued by Azure AD using `wauth= http://schemas.microsoft.com/claims/multipleauthn`.
79-
80-
After the user has signed in to the federated authentication service, Azure AD handles other policy requirements such as device compliance or an approved application.
73+
- Requiring multi-factor authentication for users with administrative roles
74+
- Requiring multi-factor authentication for Azure management tasks
75+
- Blocking sign-ins for users attempting to use legacy authentication protocols
76+
- Requiring trusted locations for Azure Multi-Factor Authentication registration
77+
- Blocking or granting access from specific locations
78+
- Blocking risky sign-in behaviors
79+
- Requiring organization-managed devices for specific applications
8180

8281
## License requirements
8382

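Review bot: the deleted `## Azure AD Conditional Access and federated authentication` section (old lines 72 to 80) carried operational guidance that is not relocated anywhere in this hunk: that Azure AD defaults to Azure MFA when a policy requires multi-factor authentication, that setting `-SupportsMFA` to `$true` with `Set-MsolDomainFederationSettings` redirects the MFA challenge to the federation service, and that the challenge is signalled to the federation service with `wauth=http://schemas.microsoft.com/claims/multipleauthn`. An administrator running AD FS now gets no pointer to that setting from the overview, so either keep a one-paragraph summary with the PowerShell reference or move the text to a how-to article and link it from the new `## Commonly applied policies` list. Smaller fixes in the added text: line 41 `take in to account` should be `take into account`; line 47 `entire countries IP ranges` should be `IP ranges for entire countries`; line 49 says users `can be used when enforcing Conditional Access policies`, but the signal is the device platform or device state, not the user, so reword to `Device platform or device state can be used as a signal when enforcing Conditional Access policies`; and the new description on line 3 (`at the heart of the new identity driven control plane`) tells a reader less about what the article covers than the sentence it replaces, which named the concrete point that decisions depend on how a resource is accessed, not only on who is accessing it.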
@@ -88,3 +87,9 @@ Customers with [Microsoft 365 Business licenses](https://docs.microsoft.com/offi
8887
## Next steps
8988

9089
To learn how to implement Conditional Access in your environment, see [Plan your Conditional Access deployment in Azure Active Directory](plan-conditional-access.md).
90+
91+
[Learn about Identity Protection](../identity-protection/overview-v2.md)
92+
93+
[Learn about Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security)
94+
95+
[Learn about Microsoft Intune](https://docs.microsoft.com/intune/index)
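Review bot: the three links added on lines 91 to 95 are bare lines with no lead-in sentence or list markers, while the existing line 89 is a complete sentence and every other enumeration in this article uses `-` bullets; render them as a bullet list (`- [Learn about Identity Protection](../identity-protection/overview-v2.md)` and so on) so they read as follow-on steps rather than three stray one-line paragraphs.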

articles/aks/upgrade-cluster.md

Lines changed: 4 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -43,6 +43,10 @@ Name ResourceGroup MasterVersion NodePoolVersion Upgrades
4343
------- ---------------- --------------- ----------------- ---------------
4444
default myResourceGroup 1.12.8 1.12.8 1.13.9, 1.13.10
4545
```
46+
If no upgrade is available, you will get:
47+
```console
48+
ERROR: Table output unavailable. Use the --query option to specify an appropriate query. Use --debug for more info.
49+
```
4650

4751
## Upgrade an AKS cluster
4852

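Review bot: the added note on lines 46 to 49 shows the `ERROR: Table output unavailable` message without saying what it means, so a reader is likely to take it for a failure of the preceding command; the message is what the Azure CLI prints when table output is requested and the result is empty (which is why it suggests `--query`), not an error from the cluster or the service. Say so in the sentence, for example `If no upgrade is available, the command returns an empty result and the table formatter reports:`, and add a blank line between the closing code fence on line 45 and the new sentence on line 46 to match the spacing used around the other code blocks in this file.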
0 commit comments