Commit 92928bf

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into users/chcomley/swa-blazor-1995786
2 parents 0ff5afd + f97c70b commit 92928bf

456 files changed

+8719
-4101
lines changed


articles/active-directory-b2c/partner-gallery.md

Lines changed: 2 additions & 2 deletions
@@ -102,13 +102,13 @@ Microsoft partners with the following ISVs for Web Application Firewall (WAF).
102102
| ![Screenshot of Azure WAF logo](./media/partner-gallery/azure-web-application-firewall-logo.png) | [Azure WAF](./partner-azure-web-application-firewall.md) provides centralized protection of your web applications from common exploits and vulnerabilities. |
103103
![Screenshot of Cloudflare logo](./media/partner-gallery/cloudflare-logo.png) | [Cloudflare](./partner-cloudflare.md) is a WAF provider that helps organizations protect against malicious attacks that aim to exploit vulnerabilities such as SQLi, and XSS. |
104104

105-
## Identity verification tools
105+
## Developer tools
106106

107107
Microsoft partners with the following ISVs for tools that can help with implementation of your authentication solution.
108108

109109
| ISV partner | Description and integration walkthroughs |
110110
|:-------------------------|:--------------|
111-
| ![Screenshot of a grit ief editor logo.](./media/partner-gallery/grit-logo.png) | [Grit Visual Identity Experience Framework Editor](./partner-grit-editor.md) is a tool that saves time during authentication deployment. It supports multiple languages without the need to write code. It also has a no code debugger for user journeys.|
111+
| ![Screenshot of a grit ief editor logo.](./media/partner-gallery/grit-logo.png) | [Grit Visual Identity Experience Framework Editor](./partner-grit-editor.md) provides a low code/no code experience for developers to create sophisticated authentication user journeys. The tool comes with integrated debugger and templates for the most used scenarios.|
112112

113113
## Additional information
114114
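Review bot: In the added Grit row (new line 111), "low code/no code experience" should be hyphenated as "low-code/no-code experience", and "comes with integrated debugger" is missing an article ("comes with an integrated debugger"). Renaming the heading on line 105 from "Identity verification tools" to "Developer tools" also changes the generated anchor, so check for inbound links to `#identity-verification-tools` before merging.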

articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md

Lines changed: 3 additions & 2 deletions
@@ -134,8 +134,9 @@ To map the pattern supported by certificateUserIds, administrators must use expr
134134
You can use the following expression for mapping to SKI and SHA1-PUKEY:
135135

136136
```
137-
(Contains([alternativeSecurityId],"x509:\<SKI>")>0,[alternativeSecurityId],Error("No altSecurityIdentities SKI match found."))
138-
& IIF(Contains([alternativeSecurityId],"x509:\<SHA1-PUKEY>")>0,[alternativeSecurityId],Error("No altSecurityIdentities SHA1-PUKEY match found."))
137+
IF(IsPresent([alternativeSecurityId]),
138+
Where($item,[alternativeSecurityId],BitOr(InStr($item, "x509:<SKI>"),InStr($item, "x509:<SHA1-PUKEY>"))>0),[alternativeSecurityId]
139+
)
139140
```
140141

141142
## Look up certificateUserIds using Microsoft Graph queries
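Review bot: The added line 137 opens with `IF(` while the removed line 138 used `IIF(`; unless `IF` is a supported function in this expression language the rule will not parse, so this should probably read `IIF(IsPresent([alternativeSecurityId]),`. The new expression also drops both `Error("No altSecurityIdentities ... match found.")` branches, so an object with no SKI or SHA1-PUKEY value now produces an empty result silently instead of a visible error; if that is intended, say so in the sentence above the code block so administrators know a missing mapping no longer surfaces during sync.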

articles/active-directory/authentication/howto-sspr-windows.md

Lines changed: 12 additions & 13 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 03/18/2022
9+
ms.date: 10/13/2022
1010

1111
ms.author: justinha
1212
author: justinha
@@ -17,9 +17,9 @@ ms.collection: M365-identity-device-management
1717
---
1818
# Enable Azure Active Directory self-service password reset at the Windows sign-in screen
1919

20-
Self-service password reset (SSPR) gives users in Azure Active Directory (Azure AD) the ability to change or reset their password, with no administrator or help desk involvement. Typically, users open a web browser on another device to access the [SSPR portal](https://aka.ms/sspr). To improve the experience on computers that run Windows 7, 8, 8.1, and 10, you can enable users to reset their password at the Windows sign-in screen.
20+
Self-service password reset (SSPR) gives users in Azure Active Directory (Azure AD) the ability to change or reset their password, with no administrator or help desk involvement. Typically, users open a web browser on another device to access the [SSPR portal](https://aka.ms/sspr). To improve the experience on computers that run Windows 7, 8, 8.1, 10, and 11 you can enable users to reset their password at the Windows sign-in screen.
2121

22-
![Example Windows 7 and 10 login screens with SSPR link shown](./media/howto-sspr-windows/windows-reset-password.png)
22+
![Example Windows login screens with SSPR link shown](./media/howto-sspr-windows/windows-reset-password.png)
2323

2424
> [!IMPORTANT]
2525
> This tutorial shows an administrator how to enable SSPR for Windows devices in an enterprise.
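Review bot: The added line 20 needs a comma after the version list, "Windows 7, 8, 8.1, 10, and 11, you can enable users ...". As written the introductory clause runs straight into the main clause.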
@@ -37,7 +37,6 @@ The following limitations apply to using SSPR from the Windows sign-in screen:
3737
- Hybrid Azure AD joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials. This means that devices must either be on the organization's internal network or on a VPN with network access to an on-premises domain controller.
3838
- If using an image, prior to running sysprep ensure that the web cache is cleared for the built-in Administrator prior to performing the CopyProfile step. More information about this step can be found in the support article [Performance poor when using custom default user profile](https://support.microsoft.com/help/4056823/performance-issue-with-custom-default-user-profile).
3939
- The following settings are known to interfere with the ability to use and reset passwords on Windows 10 devices:
40-
- If Ctrl+Alt+Del is required by policy in Windows 10, **Reset password** won't work.
4140
- If lock screen notifications are turned off, **Reset password** won't work.
4241
- *HideFastUserSwitching* is set to enabled or 1
4342
- *DontDisplayLastUserName* is set to enabled or 1
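Review bot: The parent bullet on context line 39 still scopes this list to "Windows 10 devices", although the rest of the commit retitles the sections to "Windows 11 and 10"; update it so the remaining limitations clearly apply to both. The deleted Ctrl+Alt+Del item (old line 40) concerns a policy that administrators enable deliberately, so confirm the limitation is gone on every supported build, or keep the item and state the version from which it no longer applies.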
@@ -55,11 +54,11 @@ The following limitations apply to using SSPR from the Windows sign-in screen:
5554
> These limitations also apply to Windows Hello for Business PIN reset from the device lock screen.
5655
>
5756
58-
## Windows 10 password reset
57+
## Windows 11 and 10 password reset
5958

60-
To configure a Windows 10 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.
59+
To configure a Windows 11 or 10 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.
6160

62-
### Windows 10 prerequisites
61+
### Windows 11 and 10 prerequisites
6362

6463
- An administrator [must enable Azure AD self-service password reset from the Azure portal](tutorial-enable-sspr.md).
6564
- Users must register for SSPR before using this feature at [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup)
@@ -71,17 +70,17 @@ To configure a Windows 10 device for SSPR at the sign-in screen, review the foll
7170
- Azure AD joined
7271
- Hybrid Azure AD joined
7372

74-
### Enable for Windows 10 using Microsoft Endpoint Manager
73+
### Enable for Windows 11 and 10 using Microsoft Endpoint Manager
7574

7675
Deploying the configuration change to enable SSPR from the login screen using Microsoft Endpoint Manager is the most flexible method. Microsoft Endpoint Manager allows you to deploy the configuration change to a specific group of machines you define. This method requires Microsoft Endpoint Manager enrollment of the device.
7776

7877
#### Create a device configuration policy in Microsoft Endpoint Manager
7978

8079
1. Sign in to the [Azure portal](https://portal.azure.com) and select **Endpoint Manager**.
8180
1. Create a new device configuration profile by going to **Device configuration** > **Profiles**, then select **+ Create Profile**
82-
- For **Platform** choose *Windows 10 and later*
81+
- For **Platform** choose *Windows 11 and later*
8382
- For **Profile type**, choose *Custom*
84-
1. Select **Create**, then provide a meaningful name for the profile, such as *Windows 10 sign-in screen SSPR*
83+
1. Select **Create**, then provide a meaningful name for the profile, such as *Windows 11 sign-in screen SSPR*
8584

8685
Optionally, provide a meaningful description of the profile, then select **Next**.
8786
1. Under *Configuration settings*, select **Add** and provide the following OMA-URI setting to enable the reset password link:
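Review bot: On added line 81, "For **Platform** choose *Windows 11 and later*" changes the name of a portal option, not just descriptive text; the value has to match the platform entry the administrator actually sees, and a profile scoped to "Windows 11 and later" contradicts the section title "Enable for Windows 11 and 10". This looks like an over-broad find and replace; keep the previous value (*Windows 10 and later*) unless the portal label itself has changed. The example profile name on added line 83, "Windows 11 sign-in screen SSPR", has the same problem in milder form because it suggests the profile excludes Windows 10.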
@@ -99,7 +98,7 @@ Deploying the configuration change to enable SSPR from the login screen using Mi
9998
1. Configure applicability rules as desired for your environment, such as to *Assign profile if OS edition is Windows 10 Enterprise*, then select **Next**.
10099
1. Review your profile, then select **Create**.
101100

102-
### Enable for Windows 10 using the Registry
101+
### Enable for Windows 11 and 10 using the Registry
103102

104103
To enable SSPR at the sign-in screen using a registry key, complete the following steps:
105104

@@ -112,13 +111,13 @@ To enable SSPR at the sign-in screen using a registry key, complete the followin
112111
"AllowPasswordReset"=dword:00000001
113112
```
114113
115-
### Troubleshooting Windows 10 password reset
114+
### Troubleshooting Windows 11 and 10 password reset
116115
117116
If you have problems with using SSPR from the Windows sign-in screen, the Azure AD audit log includes information about the IP address and *ClientType* where the password reset occurred, as shown in the following example output:
118117
119118
![Example Windows 7 password reset in the Azure AD Audit log](media/howto-sspr-windows/windows-7-sspr-azure-ad-audit-log.png)
120119
121-
When users reset their password from the sign-in screen of a Windows 10 device, a low-privilege temporary account called `defaultuser1` is created. This account is used to keep the password reset process secure.
120+
When users reset their password from the sign-in screen of a Windows 11 or 10 device, a low-privilege temporary account called `defaultuser1` is created. This account is used to keep the password reset process secure.
122121
123122
The account itself has a randomly generated password, which is validated against an organizations password policy, doesn't show up for device sign-in, and is automatically removed after the user resets their password. Multiple `defaultuser` profiles may exist but can be safely ignored.
124123
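Review bot: Under the retitled "Troubleshooting Windows 11 and 10 password reset" heading, the unchanged image line (new line 118) still embeds the Windows 7 screenshot, `windows-7-sspr-azure-ad-audit-log.png` with alt text "Example Windows 7 password reset in the Azure AD Audit log"; replace the image or reword the alt text so it matches the section. While this paragraph is being edited, new line 122 needs an apostrophe in "an organizations password policy", and the text names the account `defaultuser1` but then refers to "`defaultuser` profiles"; use one form so administrators reviewing local accounts know which names to expect.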

articles/active-directory/conditional-access/concept-condition-filters-for-devices.md

Lines changed: 1 addition & 1 deletion
@@ -112,7 +112,7 @@ The following device attributes can be used with the filter for devices conditio
112112
| --- | --- | --- | --- |
113113
| deviceId | Equals, NotEquals, In, NotIn | A valid deviceId that is a GUID | (device.deviceid -eq "498c4de7-1aee-4ded-8d5d-000000000000") |
114114
| displayName | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | (device.displayName -contains "ABC") |
115-
| deviceOwnership | Equals, NotEquals | Supported values are "Personal" for bring your own devices and "Company" for corprate owned devices | (device.deviceOwnership -eq "Company") |
115+
| deviceOwnership | Equals, NotEquals | Supported values are "Personal" for bring your own devices and "Company" for corporate owned devices | (device.deviceOwnership -eq "Company") |
116116
| isCompliant | Equals, NotEquals | Supported values are "True" for compliant devices and "False" for non compliant devices | (device.isCompliant -eq "True") |
117117
| manufacturer | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | (device.manufacturer -startsWith "Microsoft") |
118118
| mdmAppId | Equals, NotEquals, In, NotIn | A valid MDM application ID | (device.mdmAppId -in ["0000000a-0000-0000-c000-000000000000"] |
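Review bot: The mdmAppId example on context line 118 is missing its closing parenthesis: `(device.mdmAppId -in ["0000000a-0000-0000-c000-000000000000"]` should end with `])`. Readers copy these filter rules verbatim into Conditional Access policies, so fix it in the same change as the "corporate" typo on line 115. On line 116, "non compliant" should also be written "noncompliant" or "non-compliant".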
