Merge pull request #182925 from MicrosoftDocs/master

12/15 AM Publish

Author: huypub

articles/active-directory/authentication/concept-mfa-licensing.md

@@ -39,20 +39,26 @@ The following table details the different ways to get Azure AD Multi-Factor Auth
 
 The following table provides a list of the features that are available in the various versions of Azure AD Multi-Factor Authentication. Plan out your needs for securing user authentication, then determine which approach meets those requirements. For example, although Azure AD Free provides security defaults that provide Azure AD Multi-Factor Authentication, only the mobile authenticator app can be used for the authentication prompt, not a phone call or SMS. This approach may be a limitation if you can't ensure the mobile authentication app is installed on a user's personal device. See [Azure AD Free tier](#azure-ad-free-tier) later in this topic for more details. 
 
-| Feature | Azure AD Free - Security defaults (enabled for all users) | Azure AD Free - Global Administrators only | Office 365 | Azure AD Premium P1 or P2 |
-| --- |:---:|:---:|:---:|:---:|
-| Protect Azure AD tenant admin accounts with MFA | ● | ● (*Azure AD Global Administrator* accounts only) | ● | ● |
-| Mobile app as a second factor | ● | ● | ● | ● |
-| Phone call as a second factor | | ● | ● | ● |
-| SMS as a second factor | | ● | ● | ● |
-| Admin control over verification methods | | ● | ● | ● |
-| Fraud alert | | | | ● |
-| MFA Reports | | | | ● |
-| Custom greetings for phone calls | | | | ● |
-| Custom caller ID for phone calls | | | | ● |
-| Trusted IPs | | | | ● |
-| Remember MFA for trusted devices | | ● | ● | ● |
-| MFA for on-premises applications | | | | ● |
+| Feature | Azure AD Free - Security defaults (enabled for all users) | Azure AD Free - Global Administrators only | Office 365 | Azure AD Premium P1 | Azure AD Premium P2 | 
+| --- |:---:|:---:|:---:|:---:|:---:|
+| Protect Azure AD tenant admin accounts with MFA | ● | ● (*Azure AD Global Administrator* accounts only) | ● | ● | ● |
+| Mobile app as a second factor | ● | ● | ● | ● | ● |
+| Phone call as a second factor | | ● | ● | ● | ● |
+| SMS as a second factor | | ● | ● | ● | ● |
+| Admin control over verification methods | | ● | ● | ● | ● |
+| Fraud alert | | | | ● | ● |
+| MFA Reports | | | | ● | ● |
+| Custom greetings for phone calls | | | | ● | ● |
+| Custom caller ID for phone calls | | | | ● | ● |
+| Trusted IPs | | | | ● | ● |
+| Remember MFA for trusted devices | | ● | ● | ● | ● |
+| MFA for on-premises applications | | | | ● | ● |
+| Conditional access | | | | ● | ● |
+| Risk-based conditional access | | | | | ● |
+| Identity Protection (Risky sign-ins, risky users) | | | | | ● |
+| Access Reviews | | | | | ● |
+| Entitlements Management | | | | | ● |
+| Privileged Identity Management (PIM), just-in-time access | | | | | ● |
 
 ## Compare multi-factor authentication policies
 

articles/active-directory/develop/msal-authentication-flows.md

@@ -80,7 +80,7 @@ The [OAuth 2 client credentials flow](v2-oauth2-client-creds-grant-flow.md) allo
 The client credentials grant flow permits a web service (a confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. In this scenario, the client is typically a middle-tier web service, a daemon service, or a website. For a higher level of assurance, the Microsoft identity platform also allows the calling service to use a certificate (instead of a shared secret) as a credential.
 
 > [!NOTE]
-> The confidential client flow isn't available on mobile platforms like UWP, Xamarin.iOS, and Xamarin.Android because they support only public client applications. Public client applications don't know how to prove the application's identity to the identity provider. A secure connection can be achieved on web app or web API back-ends by deploying a certificate.
+> The confidential client flow isn't available on mobile platforms like UWP, iOS, and Android because they support only public client applications. Public client applications don't know how to prove the application's identity to the identity provider. A secure connection can be achieved on web app or web API back-ends by deploying a certificate.
 
 ### Application secrets
 

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -261,7 +261,7 @@ The AADLoginForWindows extension must install successfully in order for the VM t
    | `curl -H @{"Metadata"="true"} "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01"` | Valid access token issued by Azure Active Directory for the managed identity that is assigned to this VM |
 
    > [!NOTE]
-   > The access token can be decoded using a tool like [calebb.net](http://calebb.net/). Verify the `appid` in the access token matches the managed identity assigned to the VM.
+   > The access token can be decoded using a tool like [calebb.net](http://calebb.net/). Verify the `oid` in the access token matches the managed identity assigned to the VM.
 
 1. Ensure the required endpoints are accessible from the VM using PowerShell:
 

articles/active-directory/fundamentals/concept-fundamentals-security-defaults.md

@@ -81,7 +81,7 @@ We tend to think that administrator accounts are the only accounts that need ext
 
 After these attackers gain access, they can request access to privileged information for the original account holder. They can even download the entire directory to do a phishing attack on your whole organization. 
 
-One common method to improve protection for all users is to require a stronger form of account verification, such as Multi-Factor Authentication, for everyone. After users complete Multi-Factor Authentication registration, they'll be prompted for another authentication whenever necessary. Users will be prompted primarily when they authenticate using a new device or application, or when doing critical roles and tasks. This functionality protects all applications registered with Azure AD including SaaS applications.
+One common method to improve protection for all users is to require a stronger form of account verification, such as Multi-Factor Authentication, for everyone. After users complete Multi-Factor Authentication registration, they'll be prompted for another authentication whenever necessary. Users will be prompted primarily when they authenticate using a new device from a new location, or when doing critical roles and tasks. This functionality protects all applications registered with Azure AD including SaaS applications.
 
 ### Blocking legacy authentication
 

articles/active-directory/hybrid/tshoot-connect-connectivity.md

@@ -48,7 +48,7 @@ Of these URLs, the following table is the absolute bare minimum to be able to co
 | mscrl.microsoft.com |HTTP/80 |Used to download CRL lists. |
 | \*.verisign.com |HTTP/80 |Used to download CRL lists. |
 | \*.entrust.net |HTTP/80 |Used to download CRL lists for MFA. |
-| \*.windows.net |HTTPS/443 |Used to sign in to Azure AD. |
+| \*.asazure.windows.net (Analysis Services)</br>\*.core.windows.net (Azure Storage)</br>\*.database.windows.net (SQL Server) </br>\*.graph.windows.net (Azure AD Graph)</br>\*.kusto.windows.net (Azure Data Explorer/Kusto)</br>\*.search.windows.net (search)</br>\*.servicebus.windows.net (Azure Service Bus)</br>|HTTPS/443|Used for the various Azure services|
 | secure.aadcdn.microsoftonline-p.com |HTTPS/443 |Used for MFA. |
 | \*.microsoftonline.com |HTTPS/443 |Used to configure your Azure AD directory and import/export data. |
 | \*.crl3.digicert.com |HTTP/80 |Used to verify certificates. |

articles/active-directory/manage-apps/f5-big-ip-kerberos-advanced.md

@@ -32,7 +32,9 @@ To learn about all of the benefits, see the article on [F5 BIG-IP and Azure AD i
 
 For this scenario, you will configure a critical line of business (LOB) application for **Kerberos authentication**, also known as **Integrated Windows Authentication (IWA)**.
 
-To integrate the application directly with Azure AD, it’d need to support some form of federation-based protocol such as Security Assertion Markup Language (SAML), or better. But as modernizing the application introduces risk of potential downtime, there are other options. While using Kerberos Constrained Delegation (KCD) for SSO, you can use [Azure AD Application Proxy](../app-proxy/application-proxy.md) to access the application remotely. In this arrangement, you can achieve the protocol transitioning required to bridge the legacy application to the modern identity control plane. Another approach is to use an F5 BIG-IP Application Delivery Controller (ADC). This enables overlay of the application with Azure AD pre-authentication and KCD SSO, and significantly improves the overall Zero Trust posture of the application.
+To integrate the application directly with Azure AD, it’d need to support some form of federation-based protocol such as Security Assertion Markup Language (SAML), or better. But as modernizing the application introduces risk of potential downtime, there are other options. While using Kerberos Constrained Delegation (KCD) for SSO, you can use [Azure AD Application Proxy](../app-proxy/application-proxy.md) to access the application remotely. 
+
+In this arrangement, you can achieve the protocol transitioning required to bridge the legacy application to the modern identity control plane. Another approach is to use an F5 BIG-IP Application Delivery Controller (ADC). This enables overlay of the application with Azure AD pre-authentication and KCD SSO, and significantly improves the overall Zero Trust posture of the application.
 
 ## Scenario architecture
 

articles/active-directory/manage-apps/toc.yml

@@ -158,19 +158,19 @@
         href: datawiza-with-azure-ad.md 
       - name: F5
         items:
-        - name: F5 BIG-IP and Azure AD integration
+        - name: Integrate F5 BIG-IP with Azure Active Directory
           href: f5-aad-integration.md
-        - name: F5 BIG-IP VE deployment in Azure IaaS
+        - name: Deploy F5 BIG-IP Virtual Edition VM in Azure
           href: f5-bigip-deployment-guide.md
-        - name: F5 BIG-IP with Azure AD for passwordless VPN
+        - name: Configure F5 BIG-IP SSL-VPN solution in Azure AD
           href: f5-aad-password-less-vpn.md
-        - name: F5 BIG-IP with Azure AD for forms-based authentication SSO
+        - name: Configure F5 BIG-IP Access Policy Manager for form-based SSO
           href: f5-big-ip-forms-advanced.md
-        - name: F5 BIG-IP with Azure AD SSO for header based authentication
+        - name: Configure F5 BIG-IP Access Policy Manager for header-based SSO
           href: f5-big-ip-header-advanced.md
-        - name: Protect on-premises applications with F5 BIG-IP and Azure AD B2C
+        - name: Extend Azure Active Directory B2C to protect on-premises applications using F5 BIG-IPC
           href: https://docs.microsoft.com/azure/active-directory-b2c/partner-f5
-        - name: F5 BIG-IP for SSO to header-based and LDAP applications          
+        - name: Configure F5 BIG-IP Easy Button for Header-based and LDAP SSO        
           href: f5-big-ip-ldap-header-easybutton.md
         - name: Configure F5 BIG-IP Access Policy Manager for Kerberos authentication    
           href: f5-big-ip-kerberos-advanced.md

articles/active-directory/reports-monitoring/concept-all-sign-ins.md

@@ -64,7 +64,7 @@ The sign-in log provides answers to questions like:
 
 ## What Azure AD license do you need?
 
-Your tenant must have an Azure AD Premium license associated with it to see sign-in activities. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in the logs after you upgrade to a premium license with no data activities before the upgrade.
+The sign-in activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you also can access the sign-in activity report through the Microsoft Graph API. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade.
 
 
 

articles/active-directory/reports-monitoring/overview-reports.md

@@ -31,33 +31,6 @@ Azure Active Directory (Azure AD) reports provide a comprehensive view of activi
 - Detect potential risks affecting the health of your environment
 - Troubleshoot issues preventing your users from getting their work done  
 
-The reporting architecture relies on two main pillars:
-
-- [Security reports](#security-reports)
-- [Activity reports](#activity-reports)
-
-![Reporting](./media/overview-reports/01.png)
-
-
-## Security reports
-
-Security reports help you to protect your organization's identities. There are two types of security reports:
-
-- **Users flagged for risk** - From the [users flagged for risk security report](../identity-protection/overview-identity-protection.md), you get an overview of user accounts that might have been compromised.
-
-- **Risky sign-ins** - With the [risky sign-in security report](../identity-protection/overview-identity-protection.md), you get an indicator for sign-in attempts that might have been performed by someone who is not the legitimate owner of a user account. 
-
-### What Azure AD license do you need to access a security report?  
-
-All editions of Azure AD provide you with users flagged for risk and risky sign-ins reports. However, the level of report granularity varies between the editions: 
-
-- In the **Azure Active Directory Free and Basic editions**, you get a list of users flagged for risk and risky sign-ins. 
-
-- The **Azure Active Directory Premium 1** edition extends this model by also enabling you to examine some of the underlying risk detections that have been detected for each report. 
-
-- The **Azure Active Directory Premium 2** edition provides you with the most detailed information about the underlying risk detections and it also enables you to configure security policies that automatically respond to configured risk levels.
-
-
 ## Activity reports
 
 Activity reports help you understand the behavior of users in your organization. There are two types of activity reports in Azure AD:
@@ -70,9 +43,6 @@ Activity reports help you understand the behavior of users in your organization.
 
 > [!VIDEO https://www.youtube.com/embed/ACVpH6C_NL8]
 
-
-
-
 ### Audit logs report 
 
 The [audit logs report](concept-audit-logs.md) provides you with records of system activities for compliance. This data enables you to address common scenarios such as:
@@ -108,4 +78,4 @@ In addition to the user interface, Azure AD also provides you with [programmatic
 
 - [Risky sign-ins report](../identity-protection/overview-identity-protection.md)
 - [Audit logs report](concept-audit-logs.md)
-- [Sign-ins logs report](concept-sign-ins.md)
+- [Sign-ins logs report](concept-sign-ins.md)