Updates to MFA article

Author: rolyon

articles/active-directory/privileged-identity-management/TOC.yml

@@ -11,6 +11,8 @@
     href: pim-roles.md
   - name: Secure privileged access
     href: ../users-groups-roles/directory-admin-roles-secure.md?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json
+  - name: MFA and PIM
+    href: pim-how-to-require-mfa.md
   - name: Overview dashboards
     href: pim-resource-roles-overview-dashboards.md
   - name: Email notifications
@@ -44,8 +46,6 @@
       href: pim-how-to-add-role-to-user.md
     - name: Configure role settings
       href: pim-how-to-change-default-settings.md
-    - name: Require MFA
-      href: pim-how-to-require-mfa.md
     - name: Configure alerts
       href: pim-how-to-configure-security-alerts.md
     - name: Approve requests

articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md

@@ -77,7 +77,7 @@ Use the **Multi-Factor Authentication** switch to specify whether to require use
   * Skype for Business administrator  
   * User account administrator  
 
-For more information about using MFA with PIM, see [Require multi-factor authentication for Azure AD directory roles in PIM](pim-how-to-require-mfa.md).
+For more information, see [Multi-factor authentication (MFA) and PIM](pim-how-to-require-mfa.md).
 
 ## Require approval
 
@@ -105,5 +105,4 @@ If you want to require approval to activate a role, follow these steps.
 ## Next steps
 
 - [Assign Azure AD directory roles in PIM](pim-how-to-add-role-to-user.md)
-- [Require multi-factor authentication for Azure AD directory roles in PIM](pim-how-to-require-mfa.md)
 - [Configure security alerts for Azure AD directory roles in PIM](pim-how-to-configure-security-alerts.md)

articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md

@@ -62,4 +62,3 @@ This alert triggers if a user goes a certain amount of time without activating a
 ## Next steps
 
 - [Configure Azure AD directory role settings in PIM](pim-how-to-change-default-settings.md)
-- [Require multi-factor authentication for Azure AD directory roles in PIM](pim-how-to-require-mfa.md)

articles/active-directory/privileged-identity-management/pim-how-to-require-mfa.md

@@ -1,6 +1,6 @@
 ---
-title: Require multi-factor authentication for Azure AD directory roles in PIM | Microsoft Docs
-description: Learn how to require multi-factor authentication (MFA) for Azure AD directory roles in Azure AD Privileged Identity Management (PIM).
+title: Multi-factor authentication (MFA) and PIM - Azure | Microsoft Docs
+description: Learn how Azure AD Privileged Identity Management (PIM) validates multi-factor authentication (MFA).
 services: active-directory
 documentationcenter: ''
 author: rolyon
@@ -11,36 +11,28 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.component: pim
-ms.date: 06/06/2017
+ms.date: 08/31/2018
 ms.author: rolyon
 ms.custom: pim
 ---
-# Require multi-factor authentication for Azure AD directory roles in PIM
-We recommend that you require multi-factor authentication (MFA) for all of your administrators. This reduces the risk of an attack due to a compromised password.
+# Multi-factor authentication (MFA) and PIM
 
-You can require that users complete an MFA challenge when they sign in. The blog post [MFA for Office 365 and MFA for Azure](https://blogs.technet.microsoft.com/ad/2014/02/11/mfa-for-office-365-and-mfa-for-azure/) compares what is included in Office and Azure subscriptions, with the features contained in the Microsoft Azure Multi-Factor Authentication offering.
+We recommend that you require multi-factor authentication (MFA) for all your administrators. This reduces the risk of an attack due to a compromised password.
 
-You can also require that users complete an MFA challenge when they activate a role in Azure AD PIM. This way, if the user didn't complete an MFA challenge when they signed in, they will be prompted to do so by PIM.
-
-## Requiring MFA in Azure AD Privileged Identity Management
-When you manage identities in PIM as a privileged role administrator, you may see alerts that recommend MFA for privileged accounts. Click the security alert in the PIM dashboard, and a new blade will open with a list of the administrator accounts that should require MFA.  You can require MFA by selecting multiple roles and then clicking the **Fix** button, or you can click the ellipses next to individual roles and then click the **Fix** button.
+You can require that users complete an MFA challenge when they sign in. You can also require that users complete an MFA challenge when they activate a role in Azure AD Privileged Identity Management (PIM). This way, if the user didn't complete an MFA challenge when they signed in, they will be prompted to do so by PIM.
 
 > [!IMPORTANT]
-> Right now, Azure MFA only works with work or school accounts, not Microsoft accounts (usually a personal account that's used to sign in to Microsoft services like Skype, Xbox, Outlook.com, etc.). Because of this, anyone using a Microsoft account can't be an eligible admin because they can't use MFA to activate their roles. If these users need to continue managing workloads using a Microsoft account, elevate them to permanent administrators for now.
-> 
-> 
+> Right now, Azure MFA only works with work or school accounts, not Microsoft accounts (usually a personal account that's used to sign in to Microsoft services like Skype, Xbox, Outlook.com, etc.). Because of this, anyone using a Microsoft account can't be an eligible administrator because they can't use MFA to activate their roles. If these users need to continue managing workloads using a Microsoft account, elevate them to permanent administrators for now.
 
-Additionally, you can change the MFA requirement for a specific role by clicking on it in the Roles section of the PIM dashboard. Then, click on **Settings** in the role blade and then selecting **Enable** under multi-factor authentication.
+## How PIM validates MFA
 
-## How Azure AD PIM validates MFA
 There are two options for validating MFA when a user activates a role.
 
-The simplest option is to rely on Azure MFA for users who are activating a privileged role. To do this, first check that those users are licensed, if necessary, and have registered for Azure MFA. More information on how to do this is in [Getting started with Azure Multi-Factor Authentication in the cloud](../authentication/howto-mfa-getstarted.md). It is recommended, but not required, that you configure Azure AD to enforce MFA for these users when they sign in. This is because the MFA checks will be made by Azure AD PIM itself.
+The simplest option is to rely on Azure MFA for users who are activating a privileged role. To do this, first check that those users are licensed, if necessary, and have registered for Azure MFA. For more information about how to deploy Azure MFA, see [Deploy cloud-based Azure Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md). It is recommended, but not required, that you configure Azure AD to enforce MFA for these users when they sign in. This is because the MFA checks will be made by PIM itself.
 
-Alternatively, if users authenticate on-premises you can have your identity provider be responsible for MFA. For example, if you have configured AD Federation Services to require smartcard-based authentication before accessing Azure AD, [Securing cloud resources with Azure Multi-Factor Authentication and AD FS](../authentication/howto-mfa-adfs.md) includes instructions for configuring AD FS to send claims to Azure AD. When a user tries to activate a role, Azure AD PIM will accept that MFA has already been validated for the user once it receives the appropriate claims.
+Alternatively, if users authenticate on-premises you can have your identity provider be responsible for MFA. For example, if you have configured AD Federation Services to require smartcard-based authentication before accessing Azure AD, [Securing cloud resources with Azure Multi-Factor Authentication and AD FS](../authentication/howto-mfa-adfs.md) includes instructions for configuring AD FS to send claims to Azure AD. When a user tries to activate a role, PIM will accept that MFA has already been validated for the user once it receives the appropriate claims.
 
-<!--Every topic should have next steps and links to the next logical set of content to keep the customer engaged-->
 ## Next steps
 
 - [Configure Azure AD directory role settings in PIM](pim-how-to-change-default-settings.md)
-- [Configure security alerts for Azure AD directory roles in PIM](pim-how-to-configure-security-alerts.md)
+- [Configure Azure resource role settings in PIM](pim-resource-roles-configure-role-settings.md)

articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md

@@ -85,6 +85,8 @@ You can require eligible members of a role to run MFA before they can activate.
 
 To require an eligible member to run MFA before activation, check the **Require Multi-Factor Authentication on activation** box.
 
+For more information, see [Multi-factor authentication (MFA) and PIM](pim-how-to-require-mfa.md).
+
 ## Activation maximum duration
 
 Use the **Activation maximum duration** slider to set the maximum time, in hours, that a role stays active before it expires. This value can be between 1 and 24 hours.