Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into sanUpdates2

Author: roygara

.openpublishing.redirection.active-directory.json

@@ -1,5 +1,15 @@
 {
   "redirections": [
+    {
+      "source_path_from_root": "/articles/active-directory/authentication/concept-certificate-based-authentication-mobile.md",
+      "redirect_url": "/azure/active-directory/authentication/concept-certificate-based-authentication-mobile-ios",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/authentication/troubleshoot-certificate-based-authentication.md",
+      "redirect_url": "/azure/active-directory/authentication/certificate-based-authentication-faq",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/manage-apps/my-apps-deployment-plan.md",
       "redirect_url": "/azure/active-directory/manage-apps/myapps-overview",

articles/active-directory/authentication/TOC.yml

@@ -190,24 +190,26 @@
     href: howto-password-smart-lockout.md
   - name: Certificate-based authentication
     items:
-    - name: Azure AD CBA (Preview)
+    - name: Azure AD CBA
       items:
       - name: Overview
         href: concept-certificate-based-authentication.md
       - name: How Azure AD CBA works
         href: concept-certificate-based-authentication-technical-deep-dive.md
-      - name: Limitations
-        href: concept-certificate-based-authentication-limitations.md
       - name: Configure Azure AD CBA
         href: how-to-certificate-based-authentication.md
       - name: Windows SmartCard logon
         href: concept-certificate-based-authentication-smartcard.md
-      - name: Mobile devices
-        href: concept-certificate-based-authentication-mobile.md
+      - name: iOS devices
+        href: concept-certificate-based-authentication-mobile-ios.md
+      - name: Android devices
+        href: concept-certificate-based-authentication-mobile-android.md
+      - name: Certificate user IDs
+        href: concept-certificate-based-authentication-certificateuserids.md
+      - name: Migrate federated users
+        href: concept-certificate-based-authentication-migration.md
       - name: FAQ
         href: certificate-based-authentication-faq.yml
-      - name: Troubleshoot
-        href: troubleshoot-certificate-based-authentication.md
     - name: Federated CBA with Azure AD
       items:
       - name: Configure CBA with federation

articles/active-directory/authentication/active-directory-certificate-based-authentication-android.md

@@ -1,12 +1,12 @@
 ---
-title: Android certificate-based authentication - Azure Active Directory
+title: Android certificate-based authentication with federation - Azure Active Directory
 description: Learn about the supported scenarios and the requirements for configuring certificate-based authentication in solutions with Android devices
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 02/16/2022
+ms.date: 09/30/2022
 
 ms.author: justinha
 author: justinha
@@ -15,7 +15,7 @@ ms.reviewer: annaba
 
 ms.collection: M365-identity-device-management
 ---
-# Azure Active Directory certificate-based authentication on Android
+# Azure Active Directory certificate-based authentication with federation on Android
 
 Android devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory using a client certificate on their device when connecting to:
 
@@ -46,26 +46,28 @@ The device OS version must be Android 5.0 (Lollipop) and above.
 
 A federation server must be configured.
 
-For Azure Active Directory to revoke a client certificate, the ADFS token must have the following claims:
+For Azure Active Directory to revoke a client certificate, the AD FS token must have the following claims:
 
 * `http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>`
   (The serial number of the client certificate)
 * `http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>`
   (The string for the issuer of the client certificate)
 
-Azure Active Directory adds these claims to the refresh token if they are available in the ADFS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
+Azure Active Directory adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
 
-As a best practice, you should update your organization's ADFS error pages with the following information:
+As a best practice, you should update your organization's AD FS error pages with the following information:
 
 * The requirement for installing the Microsoft Authenticator on Android.
 * Instructions on how to get a user certificate.
 
 For more information, see [Customizing the AD FS Sign-in Pages](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn280950(v=ws.11)).
 
-Some Office apps (with modern authentication enabled) send '*prompt=login*' to Azure AD in their request. By default, Azure AD translates '*prompt=login*' in the request to ADFS as '*wauth=usernamepassworduri*' (asks ADFS to do U/P Auth) and '*wfresh=0*' (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.
+Office apps with modern authentication enabled send '*prompt=login*' to Azure AD in their request. By default, Azure AD translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.
 You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) cmdlet to perform this task:
 
-`Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled`
+```powershell
+Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled
+```
 
 ## Exchange ActiveSync clients support
 

articles/active-directory/authentication/active-directory-certificate-based-authentication-ios.md

@@ -1,20 +1,20 @@
 ---
-title: Certificate-based authentication on iOS - Azure Active Directory
+title: Certificate-based authentication with federation on iOS - Azure Active Directory
 description: Learn about the supported scenarios and the requirements for configuring certificate-based authentication for Azure Active Directory in solutions with iOS devices
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 05/04/2022
+ms.date: 09/30/2022
 
 ms.author: justinha
 author: justinha
 manager: amycolannino
 
 ms.collection: M365-identity-device-management
 ---
-# Azure Active Directory certificate-based authentication on iOS
+# Azure Active Directory certificate-based authentication with federation on iOS
 
 To improve security, iOS devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory (Azure AD) using a client certificate on their device when connecting to the following applications or services:
 
@@ -46,21 +46,21 @@ To use CBA with iOS, the following requirements and considerations apply:
 
 * The device OS version must be iOS 9 or above.
 * Microsoft Authenticator is required for Office applications on iOS.
-* An identity preference must be created in the macOS Keychain that include the authentication URL of the ADFS server. For more information, see [Create an identity preference in Keychain Access on Mac](https://support.apple.com/guide/keychain-access/create-an-identity-preference-kyca6343b6c9/mac).
+* An identity preference must be created in the macOS Keychain that includes the authentication URL of the AD FS server. For more information, see [Create an identity preference in Keychain Access on Mac](https://support.apple.com/guide/keychain-access/create-an-identity-preference-kyca6343b6c9/mac).
 
-The following Active Directory Federation Services (ADFS) requirements and considerations apply:
+The following Active Directory Federation Services (AD FS) requirements and considerations apply:
 
-* The ADFS server must be enabled for certificate authentication and use federated authentication.
+* The AD FS server must be enabled for certificate authentication and use federated authentication.
 * The certificate needs to have to use Enhanced Key Usage (EKU) and contain the UPN of the user in the *Subject Alternative Name (NT Principal Name)*.
 
-## Configure ADFS
+## Configure AD FS
 
-For Azure AD to revoke a client certificate, the ADFS token must have the following claims. Azure AD adds these claims to the refresh token if they're available in the ADFS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation:
+For Azure AD to revoke a client certificate, the AD FS token must have the following claims. Azure AD adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation:
 
 * `http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>` - add the serial number of your client certificate
 * `http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>` - add the string for the issuer of your client certificate
 
-As a best practice, you also should update your organization's ADFS error pages with the following information:
+As a best practice, you also should update your organization's AD FS error pages with the following information:
 
 * The requirement for installing the Microsoft Authenticator on iOS.
 * Instructions on how to get a user certificate.
@@ -69,7 +69,7 @@ For more information, see [Customizing the AD FS sign in page](/previous-version
 
 ## Use modern authentication with Office apps
 
-Some Office apps with modern authentication enabled send `prompt=login` to Azure AD in their request. By default, Azure AD translates `prompt=login` in the request to ADFS as `wauth=usernamepassworduri` (asks ADFS to do U/P Auth) and `wfresh=0` (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, modify the default Azure AD behavior.
+Some Office apps with modern authentication enabled send `prompt=login` to Azure AD in their request. By default, Azure AD translates `prompt=login` in the request to AD FS as `wauth=usernamepassworduri` (asks AD FS to do U/P Auth) and `wfresh=0` (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, modify the default Azure AD behavior.
 
 To update the default behavior, set the '*PromptLoginBehavior*' in your federated domain settings to *Disabled*. You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) cmdlet to perform this task, as shown in the following example: