Commit a3131f8

Merge branch 'main' into cm-linkfix-20220211-0
2 parents e08e910 + 01af866 commit a3131f8

1,185 files changed: +8905 / -5162 lines changed


.openpublishing.redirection.azure-monitor.json

Lines changed: 5 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -10,6 +10,11 @@
1010
"redirect_url": "/azure/azure-monitor/app/performance-counters",
1111
"redirect_document_id": true
1212
},
13+
{
14+
"source_path_from_root": "/articles/application-insights/cloudservices.md",
15+
"redirect_url": "/azure/azure-monitor/app/azure-web-apps-net",
16+
"redirect_document_id": false
17+
},
1318
{
1419
"source_path_from_root": "/articles/azure-monitor/insights/service-bus-insights.md",
1520
"redirect_url": "/azure/service-bus-messaging/service-bus-insights",
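Review bot: the new entry redirects `/articles/application-insights/cloudservices.md` (Cloud Services monitoring) to `/azure/azure-monitor/app/azure-web-apps-net`, which is an App Service page, with `redirect_document_id` set to `false`. That is the right flag for a redirect to a different document, but because it crosses products, confirm the target actually covers the Cloud Services scenario or links to its replacement; otherwise readers following old bookmarks land on unrelated guidance with no indication the original content was retired.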

.openpublishing.redirection.json

Lines changed: 325 additions & 315 deletions
Large diffs are not rendered by default.

articles/active-directory-b2c/deploy-custom-policies-devops.md

Lines changed: 1 addition & 1 deletion
@@ -77,7 +77,7 @@ try {
7777
$FileExists = Test-Path -Path $filePath -PathType Leaf
7878
7979
if ($FileExists) {
80-
$policycontent = Get-Content $filePath
80+
$policycontent = Get-Content $filePath -Encoding UTF8
8181
8282
# Optional: Change the content of the policy. For example, replace the tenant-name with your tenant name.
8383
# $policycontent = $policycontent.Replace("your-tenant.onmicrosoft.com", "contoso.onmicrosoft.com")
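Review bot: adding `-Encoding UTF8` on the `Get-Content` line fixes a real defect, because Windows PowerShell 5.1 otherwise reads the file in the system ANSI code page and silently corrupts non-ASCII characters in the policy XML before it is uploaded. Two follow-ups: `Get-Content` without `-Raw` returns an array of lines, so if `$policycontent` is later sent as one XML body, `Get-Content $filePath -Raw -Encoding UTF8` preserves the file as a single string with its original line endings; and a short note that PowerShell 7 already defaults to UTF-8 would tell readers the parameter only matters on 5.1.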

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

Lines changed: 5 additions & 3 deletions
@@ -6,12 +6,12 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 02/09/2022
9+
ms.date: 02/15/2022
1010

1111
ms.author: justinha
1212
author: vimrang
1313
manager: daveba
14-
ms.reviewer: tommma
14+
ms.reviewer: vimrang
1515

1616
ms.collection: M365-identity-device-management
1717
ms.custom: has-adal-ref
@@ -49,7 +49,9 @@ Let's cover each step:
4949

5050
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-alt.png" alt-text="Screenshot of the Sign-in if FIDO2 is also enabled.":::
5151

52-
1. After the user clicks the link, the client is redirected to the certauth endpoint [http://certauth.login.microsoftonline.com](http://certauth.login.microsoftonline.com). The endpoint performs mutual authentication and requests the client certificate as part of the TLS handshake. You will see an entry for this request in the Sign-in logs. There is a [known issue](#known-issues) where User ID is displayed instead of Username.
52+
1. After the user clicks the link, the client is redirected to the certauth endpoint, which is [http://certauth.login.microsoftonline.com](http://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](/azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [http://certauth.login.microsoftonline.us](http://certauth.login.microsoftonline.us). For the correct endpoint for other environments, see the specific Microsoft cloud docs.
53+
54+
The endpoint performs mutual authentication and requests the client certificate as part of the TLS handshake. You will see an entry for this request in the Sign-in logs. There is a [known issue](#known-issues) where User ID is displayed instead of Username.
5355

5456
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the Sign-in log in Azure AD." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png":::
5557

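Review bot: both certauth links on the `52+` line use `http://` (`http://certauth.login.microsoftonline.com` and `http://certauth.login.microsoftonline.us`), yet the next paragraph explains that this endpoint requests the client certificate during the TLS handshake. The scheme should be `https://` in both the link text and the target; a plain-HTTP link to a mutual-TLS endpoint is misleading in a security deep dive. Separately, the Azure Government link `/azure-government/compare-azure-government-global-azure.md#guidance-for-developers` mixes an absolute path with a `.md` extension; check that it resolves, since absolute docs links normally omit the extension and in-repo links normally use a relative path such as `../../azure-government/compare-azure-government-global-azure.md`.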
articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

Lines changed: 2 additions & 2 deletions
@@ -96,7 +96,7 @@ The following are sample scenarios where users might be prompted to register or
9696
- *SSPR registration enforced:* Users are asked to register during sign-in. They register only SSPR methods.
9797
- *SSPR refresh enforced:* Users are required to review their security info at an interval set by the admin. Users are shown their info and can confirm the current info or make changes if needed.
9898

99-
When registration is enforced, users are shown the minimum number of methods needed to be compliant with both Multi-Factor Authentication and SSPR policies, from most to least secure.
99+
When registration is enforced, users are shown the minimum number of methods needed to be compliant with both Multi-Factor Authentication and SSPR policies, from most to least secure. Users going through combined registration where both MFA and SSPR registration is enforced and the SSPR policy requires two methods will first be required to register an MFA method as the first method and can select another MFA or SSPR specific method as the second registered method (e.g. email, security questions etc.)
100100

101101
Consider the following example scenario:
102102

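Review bot: the sentence appended on the `99+` line is a single run-on with a subject-verb mismatch ("both MFA and SSPR registration is enforced") and an informal "(e.g. email, security questions etc.)" aside. Suggest splitting it: "When both MFA and SSPR registration are enforced and the SSPR policy requires two methods, users must register an MFA method first. The second method can be another MFA method or an SSPR-only method, such as email or security questions."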
@@ -158,4 +158,4 @@ To get started, see the tutorials to [enable self-service password reset](tutori
158158

159159
Learn how to [enable combined registration in your tenant](howto-registration-mfa-sspr-combined.md) or [force users to re-register authentication methods](howto-mfa-userdevicesettings.md#manage-user-authentication-options).
160160

161-
You can also review the [available methods for Azure AD Multi-Factor Authentication and SSPR](concept-authentication-methods.md).
161+
You can also review the [available methods for Azure AD Multi-Factor Authentication and SSPR](concept-authentication-methods.md).

articles/active-directory/authentication/concept-sspr-howitworks.md

Lines changed: 2 additions & 3 deletions
@@ -32,7 +32,6 @@ A user can reset or change their password using the [SSPR portal](https://aka.ms
3232
* Is the user account valid?
3333
* What organization does the user belong to?
3434
* Where is the user's password managed?
35-
* Is the user licensed to use the feature?
3635

3736
When a user selects the **Can't access your account** link from an application or page, or goes directly to [https://aka.ms/sspr](https://passwordreset.microsoftonline.com), the language used in the SSPR portal is based on the following options:
3837

@@ -42,8 +41,8 @@ When a user selects the **Can't access your account** link from an application o
4241

4342
After the SSPR portal is displayed in the required language, the user is prompted to enter a user ID and pass a captcha. Azure AD now verifies that the user is able to use SSPR by doing the following checks:
4443

45-
* Checks that the user has SSPR enabled and is assigned an Azure AD license.
46-
* If the user isn't enabled for SSPR or doesn't have a license assigned, the user is asked to contact their administrator to reset their password.
44+
* Checks that the user has SSPR enabled.
45+
* If the user isn't enabled for SSPR, the user is asked to contact their administrator to reset their password.
4746
* Checks that the user has the right authentication methods defined on their account in accordance with administrator policy.
4847
* If the policy requires only one method, check that the user has the appropriate data defined for at least one of the authentication methods enabled by the administrator policy.
4948
* If the authentication methods aren't configured, the user is advised to contact their administrator to reset their password.
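Review bot: the removed `45-`/`46-` lines and the rewritten `44+`/`45+` lines drop the licensing check from the flow without saying why. If Azure AD no longer blocks unlicensed users at this step, that is a behavior change worth one sentence or a link to the licensing requirements; if licensing is still enforced and was removed only because it is covered elsewhere, the bullets should keep a pointer, because an admin troubleshooting a "contact your administrator" result will otherwise rule out licensing too early. The earlier hunk removing "Is the user licensed to use the feature?" is consistent with this one, so whichever answer applies, both should stay in sync.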

articles/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md

Lines changed: 3 additions & 3 deletions
@@ -53,11 +53,11 @@ The following table lists all audit events generated by combined registration:
5353

5454
## Disable combined registration
5555

56-
When a user registers a phone number and/or mobile app in the new combined experience, our service stamps a set of flags (StrongAuthenticationMethods) for those methods on that user. This functionality allows the user to perform Multi-Factor Authentication with those methods whenever Multi-Factor Authentication is required.
56+
When a user registers a phone number and/or mobile app in the combined registration experience, our service stamps a set of flags (StrongAuthenticationMethods) for those methods on that user. This functionality allows the user to perform Multi-Factor Authentication with those methods whenever Multi-Factor Authentication is required.
5757

58-
If an admin enables the preview, users register through the new experience, and then the admin disables the preview, users might unknowingly be registered for Multi-Factor Authentication also.
58+
If an admin enables combined registration, users register through the combined registration experience, and then the admin disables combined registration, users might unknowingly be registered for Multi-Factor Authentication also.
5959

60-
If a user who has completed combined registration goes to the current self-service password reset (SSPR) registration page at [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup), the user will be prompted to perform Multi-Factor Authentication before they can access that page. This step is expected from a technical standpoint, but it's new for users who were previously registered for SSPR only. Though this extra step does improve the user's security posture by providing another level of security, admins might want to roll back their users so that they're no longer able to perform Multi-Factor Authentication.
60+
If a user who has completed combined registration goes to the legacy self-service password reset (SSPR) registration page at [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup), the user will be prompted to perform Multi-Factor Authentication before they can access that page. This step is expected from a technical standpoint, but it's new for users who were previously registered for SSPR only. Though this extra step does improve the user's security posture by providing another level of security, admins might want to roll back their users so that they're no longer able to perform Multi-Factor Authentication.
6161

6262
### How to roll back users
6363

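Review bot: the terminology change on the `56+`, `58+` and `60+` lines (dropping "new"/"preview", and "current" to "legacy") is correct now that combined registration is no longer a preview, but "our service stamps a set of flags" on `56+` is first-person product voice; "Azure AD sets a set of flags (StrongAuthenticationMethods)" reads better in a how-to. Also consider naming the trade-off on `60+` more directly: rolling users back removes their registered MFA methods, so the sentence should make clear this weakens their protection rather than just "rolls back" a registration.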
articles/active-directory/conditional-access/block-legacy-authentication.md

Lines changed: 11 additions & 15 deletions
@@ -4,7 +4,7 @@ description: Learn how to improve your security posture by blocking legacy authe
44
ms.service: active-directory
55
ms.subservice: conditional-access
66
ms.topic: how-to
7-
ms.date: 11/12/2021
7+
ms.date: 02/14/2022
88
ms.author: joflore
99
author: MicrosoftGuyJFlo
1010
manager: karenhoran
@@ -13,7 +13,7 @@ ms.collection: M365-identity-device-management
1313
---
1414
# How to: Block legacy authentication to Azure AD with Conditional Access
1515

16-
To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols including legacy authentication. However, legacy authentication does not support multifactor authentication (MFA). MFA is in many environments a common requirement to address identity theft.
16+
To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols including legacy authentication. However, legacy authentication doesn't support multifactor authentication (MFA). MFA is in many environments a common requirement to address identity theft.
1717

1818
> [!NOTE]
1919
> Effective October 1, 2022, we will begin to permanently disable Basic Authentication for Exchange Online in all Microsoft 365 tenants regardless of usage, except for SMTP Authentication.
@@ -31,13 +31,13 @@ Alex Weinert, Director of Identity Security at Microsoft, in his March 12, 2020
3131
3232
If your environment is ready to block legacy authentication to improve your tenant's protection, you can accomplish this goal with Conditional Access. This article explains how you can configure Conditional Access policies that block legacy authentication for all workloads within your tenant.
3333

34-
While rolling out legacy authentication blocking protection, we recommend a phased approach, rather than disabling it for all users all at once. Customers may choose to first begin disabling basic authentication on a per-protocol basis, by leveraging Exchange Online authentication policies, then (optionally) also blocking legacy authentication via Conditional Access policies when ready.
34+
While rolling out legacy authentication blocking protection, we recommend a phased approach, rather than disabling it for all users all at once. Customers may choose to first begin disabling basic authentication on a per-protocol basis, by applying Exchange Online authentication policies, then (optionally) also blocking legacy authentication via Conditional Access policies when ready.
3535

3636
Customers without licenses that include Conditional Access can make use of [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) to block legacy authentication.
3737

3838
## Prerequisites
3939

40-
This article assumes that you are familiar with the [basic concepts](overview.md) of Azure AD Conditional Access.
40+
This article assumes that you're familiar with the [basic concepts](overview.md) of Azure AD Conditional Access.
4141

4242
> [!NOTE]
4343
> Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
@@ -51,11 +51,11 @@ Azure AD supports several of the most widely used authentication and authorizati
5151

5252
For more information about modern authentication support in Office, see [How modern authentication works for Office client apps](/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016).
5353

54-
Single factor authentication (for example, username and password) is not enough these days. Passwords are bad as they are easy to guess and we (humans) are bad at choosing good passwords. Passwords are also vulnerable to various attacks, like phishing and password spray. One of the easiest things you can do to protect against password threats is to implement multifactor authentication (MFA). With MFA, even if an attacker gets in possession of a user's password, the password alone is not sufficient to successfully authenticate and access the data.
54+
Single factor authentication (for example, username and password) isn't enough these days. Passwords are bad as they're easy to guess and we (humans) are bad at choosing good passwords. Passwords are also vulnerable to various attacks, like phishing and password spray. One of the easiest things you can do to protect against password threats is to implement multifactor authentication (MFA). With MFA, even if an attacker gets in possession of a user's password, the password alone isn't sufficient to successfully authenticate and access the data.
5555

5656
How can you prevent apps using legacy authentication from accessing your tenant's resources? The recommendation is to just block them with a Conditional Access policy. If necessary, you allow only certain users and specific network locations to use apps that are based on legacy authentication.
5757

58-
Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (for example, the sign-in risk level, location of the request, and so on) to determine access.
58+
Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access isn't intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (for example, the sign-in risk level, location of the request, and so on) to determine access.
5959

6060
## Implementation
6161

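Review bot: the `58+` line ("Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access isn't intended as a first line defense for scenarios like denial-of-service (DoS) attacks...") repeats the `[!NOTE]` block in the prerequisites hunk above (lines `42`-`43`) almost word for word. Since this hunk is already touching the sentence for contractions, drop one of the two copies rather than maintaining both.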
@@ -86,13 +86,13 @@ For more information about these authentication protocols and services, see [Sig
8686
Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory. Azure AD sign-in logs can be used to understand if you're using legacy authentication.
8787

8888
1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-ins**.
89-
1. Add the Client App column if it is not shown by clicking on **Columns** > **Client App**.
89+
1. Add the Client App column if it isn't shown by clicking on **Columns** > **Client App**.
9090
1. **Add filters** > **Client App** > select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box.
91-
1. If you have activated the [new sign-in activity reports preview](../reports-monitoring/concept-all-sign-ins.md), repeat the above steps also on the **User sign-ins (non-interactive)** tab.
91+
1. If you've activated the [new sign-in activity reports preview](../reports-monitoring/concept-all-sign-ins.md), repeat the above steps also on the **User sign-ins (non-interactive)** tab.
9292

9393
Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you more details. The **Client App** field under the **Basic Info** tab will indicate which legacy authentication protocol was used.
9494

95-
These logs will indicate which users are still depending on legacy authentication and which applications are using legacy protocols to make authentication requests. For users that do not appear in these logs and are confirmed to not be using legacy authentication, implement a Conditional Access policy for these users only.
95+
These logs will indicate which users are still depending on legacy authentication and which applications are using legacy protocols to make authentication requests. For users that don't appear in these logs and are confirmed to not be using legacy authentication, implement a Conditional Access policy for these users only.
9696

9797
## Block legacy authentication
9898

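Review bot: the `91+` line still calls the non-interactive sign-in report the "new sign-in activity reports preview". If that report is no longer in preview as of this update, drop "preview" and "activated" and simply tell readers to repeat the steps on the **User sign-ins (non-interactive)** tab; non-interactive sign-ins are where most legacy-protocol traffic from mail clients shows up, so the step should not read as optional.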
@@ -109,7 +109,7 @@ The easiest way to block legacy authentication across your entire organization i
109109

110110
### Indirectly blocking legacy authentication
111111

112-
Even if your organization isn't ready to block legacy authentication across the entire organization, you should ensure that sign-ins using legacy authentication aren't bypassing policies that require grant controls such as requiring multifactor authentication or compliant/hybrid Azure AD joined devices. During authentication, legacy authentication clients do not support sending MFA, device compliance, or join state information to Azure AD. Therefore, apply policies with grant controls to all client applications so that legacy authentication based sign-ins that cannot satisfy the grant controls are blocked. With the general availability of the client apps condition in August 2020, newly created Conditional Access policies apply to all client apps by default.
112+
Even if your organization isn't ready to block legacy authentication across the entire organization, you should ensure that sign-ins using legacy authentication aren't bypassing policies that require grant controls such as requiring multifactor authentication or compliant/hybrid Azure AD joined devices. During authentication, legacy authentication clients don't support sending MFA, device compliance, or join state information to Azure AD. Therefore, apply policies with grant controls to all client applications so that legacy authentication based sign-ins that can’t satisfy the grant controls are blocked. With the general availability of the client apps condition in August 2020, newly created Conditional Access policies apply to all client apps by default.
113113

114114
![Client apps condition default configuration](./media/block-legacy-authentication/client-apps-condition-configured-no.png)
115115

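Review bot: the `112+` line introduces a curly apostrophe in "can’t" while every other contraction added in this commit ("isn't", "don't", "you're") uses a straight `'`. Use the straight apostrophe so the text is consistent and so searches for "can't" match.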
@@ -123,13 +123,9 @@ Configuring a policy for **Other clients** blocks the entire organization from c
123123

124124
You can select all available grant controls for the **Other clients** condition; however, the end-user experience is always the same - blocked access.
125125

126-
### SharePoint Online
127-
128-
To block user access via legacy authentication to SharePoint Online, organizations must disable legacy authentication on SharePoint using the `Set-SPOTenant` PowerShell command and setting the `-LegacyAuthProtocolsEnabled` parameter to `$false`. More information about setting this parameter can be found in the SharePoint PowerShell reference document regarding [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant)
129-
130126
## Next steps
131127

132128
- [Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
133-
- If you are not familiar with configuring Conditional Access policies yet, see [require MFA for specific apps with Azure Active Directory Conditional Access](../authentication/tutorial-enable-azure-mfa.md) for an example.
129+
- If you aren't familiar with configuring Conditional Access policies yet, see [require MFA for specific apps with Azure Active Directory Conditional Access](../authentication/tutorial-enable-azure-mfa.md) for an example.
134130
- For more information about modern authentication support, see [How modern authentication works for Office client apps](/office365/enterprise/modern-auth-for-office-2013-and-2016)
135131
- [How to set up a multifunction device or application to send email using Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365)
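Review bot: removing the `126-` to `129-` lines deletes the only guidance in this article for blocking legacy authentication to SharePoint Online (`Set-SPOTenant -LegacyAuthProtocolsEnabled $false`), and nothing in the remaining Next steps points to a replacement. If the section was removed because the **Other clients** Conditional Access policy described above now covers SharePoint Online, say so in one sentence; otherwise keep a pointer to the [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant) reference so admins do not assume SharePoint is covered when it is not. Also, the Next steps link to the modern authentication article uses `/office365/enterprise/modern-auth-for-office-2013-and-2016` while the same article is linked earlier in this file as `/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016`; for a link-fix branch the two should match.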
