
Commit 9ab9605

Merge pull request #188495 from MicrosoftDocs/main
2/14 AM Publish
2 parents 8cc02c5 + 60e7762 commit 9ab9605

75 files changed

+563
-389
lines changed

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

Lines changed: 2 additions & 2 deletions
@@ -96,7 +96,7 @@ The following are sample scenarios where users might be prompted to register or
9696
- *SSPR registration enforced:* Users are asked to register during sign-in. They register only SSPR methods.
9797
- *SSPR refresh enforced:* Users are required to review their security info at an interval set by the admin. Users are shown their info and can confirm the current info or make changes if needed.
9898

99-
When registration is enforced, users are shown the minimum number of methods needed to be compliant with both Multi-Factor Authentication and SSPR policies, from most to least secure.
99+
When registration is enforced, users are shown the minimum number of methods needed to be compliant with both Multi-Factor Authentication and SSPR policies, from most to least secure. Users going through combined registration where both MFA and SSPR registration is enforced and the SSPR policy requires two methods will first be required to register an MFA method as the first method and can select another MFA or SSPR specific method as the second registered method (e.g. email, security questions etc.)
100100

101101
Consider the following example scenario:
102102

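Review bot: The sentence added to the paragraph at new line 99 has a subject-verb mismatch ("both MFA and SSPR registration is enforced") and stops after the closing parenthesis with no period. Suggest "are enforced" and splitting it in two: one sentence saying an MFA method must be registered first when the SSPR policy requires two methods, and a second listing what can be picked as the second method, ending "(for example, email or security questions)."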
@@ -158,4 +158,4 @@ To get started, see the tutorials to [enable self-service password reset](tutori
158158

159159
Learn how to [enable combined registration in your tenant](howto-registration-mfa-sspr-combined.md) or [force users to re-register authentication methods](howto-mfa-userdevicesettings.md#manage-user-authentication-options).
160160

161-
You can also review the [available methods for Azure AD Multi-Factor Authentication and SSPR](concept-authentication-methods.md).
161+
You can also review the [available methods for Azure AD Multi-Factor Authentication and SSPR](concept-authentication-methods.md).

articles/active-directory/authentication/concept-sspr-howitworks.md

Lines changed: 2 additions & 3 deletions
@@ -32,7 +32,6 @@ A user can reset or change their password using the [SSPR portal](https://aka.ms
3232
* Is the user account valid?
3333
* What organization does the user belong to?
3434
* Where is the user's password managed?
35-
* Is the user licensed to use the feature?
3635

3736
When a user selects the **Can't access your account** link from an application or page, or goes directly to [https://aka.ms/sspr](https://passwordreset.microsoftonline.com), the language used in the SSPR portal is based on the following options:
3837

@@ -42,8 +41,8 @@ When a user selects the **Can't access your account** link from an application o
4241

4342
After the SSPR portal is displayed in the required language, the user is prompted to enter a user ID and pass a captcha. Azure AD now verifies that the user is able to use SSPR by doing the following checks:
4443

45-
* Checks that the user has SSPR enabled and is assigned an Azure AD license.
46-
* If the user isn't enabled for SSPR or doesn't have a license assigned, the user is asked to contact their administrator to reset their password.
44+
* Checks that the user has SSPR enabled.
45+
* If the user isn't enabled for SSPR, the user is asked to contact their administrator to reset their password.
4746
* Checks that the user has the right authentication methods defined on their account in accordance with administrator policy.
4847
* If the policy requires only one method, check that the user has the appropriate data defined for at least one of the authentication methods enabled by the administrator policy.
4948
* If the authentication methods aren't configured, the user is advised to contact their administrator to reset their password.
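Review bot: With the license wording removed from the first check at new lines 44-45, and the "Is the user licensed to use the feature?" bullet dropped in the hunk above, this section no longer says what a user without a license sees at this step. If a license is still a prerequisite for SSPR, link to where that is documented; if it is not, state that in the change description so the removal can be verified rather than assumed.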

articles/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md

Lines changed: 3 additions & 3 deletions
@@ -53,11 +53,11 @@ The following table lists all audit events generated by combined registration:
5353

5454
## Disable combined registration
5555

56-
When a user registers a phone number and/or mobile app in the new combined experience, our service stamps a set of flags (StrongAuthenticationMethods) for those methods on that user. This functionality allows the user to perform Multi-Factor Authentication with those methods whenever Multi-Factor Authentication is required.
56+
When a user registers a phone number and/or mobile app in the combined registration experience, our service stamps a set of flags (StrongAuthenticationMethods) for those methods on that user. This functionality allows the user to perform Multi-Factor Authentication with those methods whenever Multi-Factor Authentication is required.
5757

58-
If an admin enables the preview, users register through the new experience, and then the admin disables the preview, users might unknowingly be registered for Multi-Factor Authentication also.
58+
If an admin enables combined registration, users register through the combined registration experience, and then the admin disables combined registration, users might unknowingly be registered for Multi-Factor Authentication also.
5959

60-
If a user who has completed combined registration goes to the current self-service password reset (SSPR) registration page at [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup), the user will be prompted to perform Multi-Factor Authentication before they can access that page. This step is expected from a technical standpoint, but it's new for users who were previously registered for SSPR only. Though this extra step does improve the user's security posture by providing another level of security, admins might want to roll back their users so that they're no longer able to perform Multi-Factor Authentication.
60+
If a user who has completed combined registration goes to the legacy self-service password reset (SSPR) registration page at [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup), the user will be prompted to perform Multi-Factor Authentication before they can access that page. This step is expected from a technical standpoint, but it's new for users who were previously registered for SSPR only. Though this extra step does improve the user's security posture by providing another level of security, admins might want to roll back their users so that they're no longer able to perform Multi-Factor Authentication.
6161

6262
### How to roll back users
6363

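Review bot: New line 58 repeats "combined registration" three times in one sentence and still ends on a trailing "also". Suggest "If an admin enables combined registration, users register through it, and the admin then disables it, those users might unknowingly be registered for Multi-Factor Authentication as well." New line 60 also renames the page at https://aka.ms/ssprsetup from "current" to "legacy"; check that the rest of the article uses the same term for that page.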
articles/active-directory/conditional-access/service-dependencies.md

Lines changed: 5 additions & 4 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: conceptual
9-
ms.date: 09/21/2020
9+
ms.date: 02/14/2022
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
2020

2121
With Conditional Access policies, you can specify access requirements to websites and services. For example, your access requirements can include requiring multi-factor authentication (MFA) or [managed devices](require-managed-devices.md).
2222

23-
When you access a site or service directly, the impact of a related policy is typically easy to assess. For example, if you have a policy that requires multi-factor authentication (MFA) for SharePoint Online configured, MFA is enforced for each sign-in to the SharePoint web portal. However, it is not always straight-forward to assess the impact of a policy because there are cloud apps with dependencies to other cloud apps. For example, Microsoft Teams can provide access to resources in SharePoint Online. So, when you access Microsoft Teams in our current scenario, you are also subject to the SharePoint MFA policy.
23+
When you access a site or service directly, the impact of a related policy is typically easy to assess. For example, if you have a policy that requires multi-factor authentication (MFA) for SharePoint Online configured, MFA is enforced for each sign-in to the SharePoint web portal. However, it isn't always straight-forward to assess the impact of a policy because there are cloud apps with dependencies to other cloud apps. For example, Microsoft Teams can provide access to resources in SharePoint Online. So, when you access Microsoft Teams in our current scenario, you're also subject to the SharePoint MFA policy.
2424

2525
> [!TIP]
2626
> Using the [Office 365](concept-conditional-access-cloud-apps.md#office-365) app will target all Office apps to avoid issues with service dependencies in the Office stack.
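Review bot: New line 23 is edited only to add contractions but keeps "straight-forward". Since the line is already changing, correct it to "straightforward" in the same edit.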
@@ -38,9 +38,9 @@ The diagram below illustrates MS Teams service dependencies. Solid arrows indica
3838

3939
As a best practice, you should set common policies across related apps and services whenever possible. Having a consistent security posture provides you with the best user experience. For example, setting a common policy across Exchange Online, SharePoint Online, Microsoft Teams, and Skype for business significantly reduces unexpected prompts that may arise from different policies being applied to downstream services.
4040

41-
A great way to accomplish this with applications in the Office stack is to use the [Office 365 app](concept-conditional-access-cloud-apps.md#office-365) instead of targeting individual applications.
41+
A great way to accomplish a common policy with applications in the Office stack is to use the [Office 365 app](concept-conditional-access-cloud-apps.md#office-365) instead of targeting individual applications.
4242

43-
The below table lists additional service dependencies, where the client apps must satisfy
43+
The below table lists some more service dependencies, where the client apps must satisfy. This list isn't exhaustive.
4444

4545
| Client apps | Downstream service | Enforcement |
4646
| :-- | :-- | --- |
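Review bot: New line 43 closes the clause "where the client apps must satisfy" with a period, so "satisfy" has no object and the sentence does not say what the client apps must satisfy. Complete the clause (the removed line had the same open ending) before adding "This list isn't exhaustive." Also prefer "The following table" over "The below table".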
@@ -52,6 +52,7 @@ The below table lists additional service dependencies, where the client apps mus
5252
| | Microsoft Stream | Late-bound |
5353
| | SharePoint | Early-bound |
5454
| | Skype for Business Online | Early-bound |
55+
| | Microsoft Whiteboard | Late-bound |
5556
| Office Portal | Exchange | Late-bound |
5657
| | SharePoint | Late-bound |
5758
| Outlook groups | Exchange | Early-bound |
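Review bot: The "Microsoft Whiteboard" row at new line 55 is appended after "Skype for Business Online", while the rows above it in the same group run Microsoft Stream, SharePoint, Skype for Business Online. If the group is meant to be ordered by downstream service name, place the new row next to Microsoft Stream. The client app that owns this group is outside the hunk, so confirm the row lands under the intended client and that "Late-bound" is the intended enforcement for it.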

articles/active-directory/devices/concept-azure-ad-join-hybrid.md

Lines changed: 2 additions & 2 deletions
@@ -27,15 +27,15 @@ Hybrid Azure AD joined devices require network line of sight to your on-premises
2727
| **Primary audience** | Suitable for hybrid organizations with existing on-premises AD infrastructure |
2828
| | Applicable to all users in an organization |
2929
| **Device ownership** | Organization |
30-
| **Operating Systems** | Windows 10, 8.1 and 7 |
30+
| **Operating Systems** | Windows 10 and above, 8.1 and 7 |
3131
| | Windows Server 2008/R2, 2012/R2, 2016 and 2019 |
3232
| **Provisioning** | Windows 10, Windows Server 2016/2019 |
3333
| | Domain join by IT and autojoin via Azure AD Connect or ADFS config |
3434
| | Domain join by Windows Autopilot and autojoin via Azure AD Connect or ADFS config |
3535
| | Windows 8.1, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 - Require MSI |
3636
| **Device sign in options** | Organizational accounts using: |
3737
| | Password |
38-
| | Windows Hello for Business for Win10 |
38+
| | Windows Hello for Business for Win10 and above |
3939
| **Device management** | [Group Policy](/mem/configmgr/comanage/faq#my-environment-has-too-many-group-policy-objects-and-legacy-authenticated-apps--do-i-have-to-use-hybrid-azure-ad-) |
4040
| | [Configuration Manager standalone or co-management with Microsoft Intune](/mem/configmgr/comanage/overview) |
4141
| **Key capabilities** | SSO to both cloud and on-premises resources |
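Review bot: The "and above" wording is added at new lines 30 and 38, but the Provisioning row at line 32 still reads "Windows 10, Windows Server 2016/2019", so the table now disagrees with itself about which client versions are covered. Update line 32 in the same change, and consider rewording line 30 to "Windows 10 or newer, Windows 8.1, and Windows 7" so "and above" is not read as applying to 8.1 and 7.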

articles/active-directory/external-identities/external-identities-overview.md

Lines changed: 1 addition & 1 deletion
@@ -114,7 +114,7 @@ When you're considering B2B collaboration with a specific external Azure AD orga
114114

115115
Azure AD B2C is a separate consumer-based directory that you manage in the Azure portal through the Azure AD B2C service. Each Azure AD B2C tenant is separate and distinct from other Azure Active Directory and Azure AD B2C tenants. The Azure AD B2C portal experience is similar to Azure AD, but there are key differences, such as the ability to customize your user journeys using the Identity Experience Framework.
116116

117-
For details about configuring and managing Azure AD B2C, see the [Azure AD B2B documentation](../../active-directory-b2c/index.yml).
117+
For details about configuring and managing Azure AD B2C, see the [Azure AD B2C documentation](../../active-directory-b2c/index.yml).
118118

119119
## Related Azure AD technologies
120120

articles/active-directory/saas-apps/workday-inbound-tutorial.md

Lines changed: 2 additions & 2 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: 'Tutorial: Configure Workday for automatic user provisioning with Azure Active Directory | Microsoft Docs'
2+
title: 'Tutorial: Configure Workday for automatic user provisioning with on-premises Active Directory | Microsoft Docs'
33
description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Workday.
44
services: active-directory
55
author: cmmdesai
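Review bot: The title at new line 2 now says provisioning "with on-premises Active Directory", but the description on line 3 is unchanged and still says "configure Azure Active Directory to automatically provision and de-provision user accounts to Workday". Title and description now describe different targets and directions; update the description in the same change so the metadata is consistent.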
@@ -1071,4 +1071,4 @@ With respect to data retention, the Azure AD provisioning service does not gener
10711071
* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
10721072
* [Learn how to configure single sign-on between Workday and Azure Active Directory](workday-tutorial.md)
10731073
* [Learn how to configure Workday Writeback](workday-writeback-tutorial.md)
1074-
* [Learn how to use Microsoft Graph APIs to manage provisioning configurations](/graph/api/resources/synchronization-overview)
1074+
* [Learn how to use Microsoft Graph APIs to manage provisioning configurations](/graph/api/resources/synchronization-overview)

articles/aks/api-server-authorized-ip-ranges.md

Lines changed: 3 additions & 0 deletions
@@ -155,6 +155,9 @@ Add another IP address to the approved ranges with the following command.
155155
```bash
156156
# Retrieve your IP address
157157
CURRENT_IP=$(dig +short "myip.opendns.com" "@resolver1.opendns.com")
158+
````
159+
160+
```azurelci
158161
# Add to AKS approved list
159162
az aks update -g $RG -n $AKSNAME --api-server-authorized-ip-ranges $CURRENT_IP/32
160163
```
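Review bot: The fence added at new line 158 closes the three-backtick "```bash" block with four backticks, and the fence opened at new line 160 is tagged "azurelci", which looks like a typo for "azurecli" (the tag used in certificate-rotation.md in this same commit). As written the bash block is not closed by a matching fence and the second block has an unrecognized language tag. Use three backticks at line 158 and "azurecli" at line 160. Since $CURRENT_IP is set in the first block and used in the second, a short sentence between the two blocks saying they run in the same shell session would help.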

articles/aks/certificate-rotation.md

Lines changed: 2 additions & 2 deletions
@@ -41,12 +41,12 @@ curl https://{apiserver-fqdn} -k -v 2>&1 |grep expire
4141
```
4242
4343
* Check expiration date of certificate on VMAS agent node
44-
```console
44+
```azurecli
4545
az vm run-command invoke -g MC_rg_myAKSCluster_region -n vm-name --command-id RunShellScript --query 'value[0].message' -otsv --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate"
4646
```
4747

4848
* Check expiration date of certificate on one VMSS agent node
49-
```console
49+
```azurecli
5050
az vmss run-command invoke -g MC_rg_myAKSCluster_region -n vmss-name --instance-id 0 --command-id RunShellScript --query 'value[0].message' -otsv --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate"
5151
```
5252

articles/aks/ingress-tls.md

Lines changed: 1 addition & 1 deletion
@@ -247,7 +247,7 @@ Note that this sample is for a Bash shell.
247247

248248
### [Azure CLI](#tab/azure-cli)
249249

250-
```bash
250+
```azurecli
251251
# Public IP address of your ingress controller
252252
IP="MY_EXTERNAL_IP"
253253

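Review bot: The fence at new line 250 is retagged from bash to azurecli, but the hunk header context says "Note that this sample is for a Bash shell." and the first statement in the block is a shell variable assignment (IP="MY_EXTERNAL_IP"), not an az command. In api-server-authorized-ip-ranges.md this same commit splits the shell-only lines into a bash block and the az command into an azurecli block; apply the same treatment here or keep the bash tag so the two articles are consistent.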