Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into mpio

Author: roygara

.openpublishing.redirection.active-directory.json

@@ -1,5 +1,10 @@
 {
   "redirections": [
+    {
+      "source_path_from_root": "/articles/active-directory/authentication/how-to-mfa-microsoft-managed.md",
+      "redirect_url": "/azure/active-directory/authentication/concept-authentication-default-enablement",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/authentication/concept-certificate-based-authentication-mobile.md",
       "redirect_url": "/azure/active-directory/authentication/concept-certificate-based-authentication-mobile-ios",

.openpublishing.redirection.json

@@ -45,6 +45,16 @@
             "redirect_url": "/azure/storage/blobs/storage-quickstart-blobs-python",
             "redirect_document_id": false
         },
+        {
+            "source_path": "articles/pytorch-enterprise/pte-overview.md",
+            "redirect_url": "https://aka.ms/PTELandingPage",
+            "redirect_document_id": false
+        },
+        {
+            "source_path": "articles/pytorch-enterprise/support-boundaries.md",
+            "redirect_url": "https://aka.ms/PTELandingPage",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/storage/blobs/storage-quickstart-blobs-xamarin.md",
             "redirect_url": "/azure/storage/blobs/storage-quickstart-blobs-dotnet",
@@ -9563,6 +9573,11 @@
             "redirect_url": "/azure/azure-toolkit-for-intelliJ",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-vmware/enable-public-internet-access.md",
+            "redirect_url": "/azure/azure-vmware/enable-public-ip-nsx-edge",
+            "redirect_document_id": false
+          },
         {
             "source_path_from_root": "/articles/azure-vmware/concepts-monitor-protection.md",
             "redirect_url": "/azure/azure-vmware/integrate-azure-native-services",
@@ -9620,7 +9635,7 @@
         },
         {
             "source_path_from_root": "/articles/azure-vmware/public-ip-usage.md",
-            "redirect_url": "/azure/azure-vmware/enable-public-internet-access",
+            "redirect_url": "/azure/azure-vmware/enable-public-ip-nsx-edge",
             "redirect_document_id": false
         },
         {

articles/active-directory-b2c/threat-management.md

@@ -55,7 +55,7 @@ The smart lockout feature uses many factors to determine when an account should
 - Passwords such as 12456! and 1234567! (or newAccount1234 and newaccount1234) are so similar that the algorithm interprets them as human error and counts them as a single try.
 - Larger variations in pattern, such as 12456! and ABCD2!, are counted as separate tries.
 
-When testing the smart lockout feature, use a distinctive pattern for each password you enter. Consider using password generation web apps, such as `https://password-generator.net/`.
+When testing the smart lockout feature, use a distinctive pattern for each password you enter. Consider using password generation web apps, such as `https://password-gen.com/`.
 
 When the smart lockout threshold is reached, you'll see the following message while the account is locked: **Your account is temporarily locked to prevent unauthorized use. Try again later**. The error messages can be [localized](localization-string-ids.md#sign-up-or-sign-in-error-messages).
 

articles/active-directory/authentication/TOC.yml

@@ -56,6 +56,8 @@
     items:
     - name: How MFA works
       href: concept-mfa-howitworks.md
+    - name: Default enablement 
+      href: concept-authentication-default-enablement.md
     - name: Prompts and session lifetime
       href: concepts-azure-multi-factor-authentication-prompts-session-lifetime.md
     - name: Data residency
@@ -174,8 +176,6 @@
     href: how-to-mfa-number-match.md
   - name: Use additional context 
     href: how-to-mfa-additional-context.md
-  - name: Use Microsoft managed settings 
-    href: how-to-mfa-microsoft-managed.md
   - name: Use a Temporary Access Pass
     href: howto-authentication-temporary-access-pass.md
   - name: Use SMS-based authentication

articles/active-directory/authentication/concept-authentication-default-enablement.md

@@ -0,0 +1,67 @@
+---
+title: Protecting authentication methods in Azure Active Directory
+description: Learn about authentication features that may be enabled by default in Azure Active Directory
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 10/19/2022
+
+ms.author: justinha
+author: mjsantani
+manager: amycolannino
+
+ms.collection: M365-identity-device-management
+
+# Customer intent: As an identity administrator, I want to encourage users to understand how default protection can improve our security posture.
+---
+# Protecting authentication methods in Azure Active Directory
+
+Azure Active Directory (Azure AD) adds and improves security features to better protect customers against increasing attacks. As new attack vectors become known, Azure AD may respond by enabling protection by default to help customers stay ahead of emerging security threats. 
+
+For example, in response to increasing MFA fatigue attacks, Microsoft recommended ways for customers to [defend users](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677). One recommendation to prevent users from accidental multifactor authentication (MFA) approvals is to enable [number matching](how-to-mfa-number-match.md). As a result, default behavior for number matching will be explicitly **Enabled** for all Microsoft Authenticator users.  
+
+There are two ways for protection of a security feature to be enabled by default: 
+
+- After a security feature is released, customers can use the Azure portal or Graph API to test and roll out the change on their own schedule. To help defend against new attack vectors, Azure AD may enable protection of a security feature by default for all tenants on a certain date, and there won't be an option to disable protection. Microsoft schedules default protection far in advance to give customers time to prepare for the change. Customers can't opt out if Microsoft schedules protection by default. 
+- Protection can be **Microsoft managed**, which means Azure AD can enable or disable protection based upon the current landscape of security threats. Customers can choose whether to allow Microsoft to manage the protection. They can change from **Microsoft managed** to explicitly make the protection **Enabled** or **Disabled** at any time. 
+
+>[!NOTE]
+>Only a critical security feature will have protection enabled by default.  
+
+## Default protection enabled by Azure AD
+
+Number matching is a good example of protection for an authentication method that is currently optional for push notifications in Microsoft Authenticator in all tenants. Customers could choose to enable number matching for push notifications in Microsoft Authenticator for users and groups, or they could leave it disabled. Number matching is already the default behavior for passwordless notifications in Microsoft Authenticator, and users can't opt out.
+
+As MFA fatigue attacks rise, number matching becomes more critical to sign-in security. As a result, Microsoft will change the default behavior for push notifications in Microsoft Authenticator. 
+
+>[!NOTE]
+>Number matching will begin to be enabled for all users of Microsoft Authenticator starting February 27, 2023.
+
+<!---Add link to Mayur Blog post here--->
+
+## Microsoft managed settings
+
+In addition to configuring Authentication methods policy settings to be either **Enabled** or **Disabled**, IT admins can configure some settings in the Authentication methods policy to be **Microsoft managed**. A setting that is configured as **Microsoft managed** allows Azure AD to enable or disable the setting. 
+
+The option to let Azure AD manage the setting is a convenient way for an organization to allow Microsoft to enable or disable a feature by default. Organizations can more easily improve their security posture by trusting Microsoft to manage when a feature should be enabled by default. By configuring a setting as **Microsoft managed** (named *default* in Graph APIs), IT admins can trust Microsoft to enable a security feature they haven't explicitly disabled. 
+
+For example, an admin can enable [location and application name](how-to-mfa-number-match.md) in push notifications to give users more context when they approve MFA requests with Microsoft Authenticator. The additional context can also be explicitly disabled, or set as **Microsoft managed**. Today, the **Microsoft managed** configuration for location and application name is **Disabled**, which effectively disables the option for any environment where an admin chooses to let Azure AD manage the setting. 
+
+As the security threat landscape changes over time, Microsoft may change the **Microsoft managed** configuration for location and application name to **Enabled**. For customers who want to rely upon Microsoft to improve their security posture, setting security features to **Microsoft managed** is an easy way stay ahead of security threats. They can trust Microsoft to determine the best way to configure security settings based on the current threat landscape.  
+
+The following table lists each setting that can be set to Microsoft managed and whether that setting is enabled or disabled by default. 
+
+| Setting                                                                                         | Configuration |
+|-------------------------------------------------------------------------------------------------|---------------|
+| [Registration campaign](how-to-mfa-registration-campaign.md)                                    | Disabled      |
+| [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)           | Disabled      |
+| [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)   | Disabled      |
+
+As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). 
+
+## Next steps
+
+[Authentication methods in Azure Active Directory - Microsoft Authenticator](concept-authentication-authenticator-app.md)
+

articles/active-directory/authentication/how-to-mfa-additional-context.md

@@ -1,5 +1,5 @@
 ---
-title: Use additional context in Microsoft Authenticator notifications (Preview) - Azure Active Directory
+title: Use additional context in Microsoft Authenticator notifications - Azure Active Directory
 description: Learn how to use additional context in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
@@ -11,7 +11,7 @@ ms.collection: M365-identity-device-management
 
 # Customer intent: As an identity administrator, I want to encourage users to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.
 ---
-# How to use additional context in Microsoft Authenticator notifications (Preview) - Authentication methods policy
+# How to use additional context in Microsoft Authenticator notifications - Authentication methods policy
 
 This topic covers how to improve the security of user sign-in by adding the application name and geographic location of the sign-in to Microsoft Authenticator passwordless and push notifications.  
 
@@ -47,7 +47,7 @@ You can enable and disable application name and geographic location separately.
 Identify your single target group for each of the features. Then use the following API endpoint to change the displayAppInformationRequiredState or displayLocationInformationRequiredState properties under featureSettings to **enabled** and include or exclude the groups you want:
 
 ```http
-https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
 ```
 
 #### MicrosoftAuthenticatorAuthenticationMethodConfiguration properties
@@ -121,7 +121,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
 //Change the Query to PATCH and Run query
 
 {
-    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
     "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
     "id": "MicrosoftAuthenticator",
     "state": "enabled",
@@ -149,7 +149,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
             }
         }
     },
-    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "[email protected]": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
     "includeTargets": [
         {
             "targetType": "group",
@@ -173,7 +173,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
 
 ```json
 {
-    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
     "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
     "id": "MicrosoftAuthenticator",
     "state": "enabled",
@@ -201,7 +201,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
             }
         }
     },
-    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "[email protected]": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
     "includeTargets": [
         {
             "targetType": "group",
@@ -216,7 +216,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
 To verify, run GET again and verify the ObjectID:
 
 ```http
-GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
 ```
 
 #### Example of how to disable application name and only enable geographic location 
@@ -230,7 +230,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
 
 ```json
 {
-    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
     "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
     "id": "MicrosoftAuthenticator",
     "state": "enabled",
@@ -258,7 +258,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
             }
         }
     },
-    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "[email protected]": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
     "includeTargets": [
         {
             "targetType": "group",
@@ -283,7 +283,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
 
 ```json
 {
-    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
     "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
     "id": "MicrosoftAuthenticator",
     "state": "enabled",
@@ -311,7 +311,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
             }
         }
     },
-    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "[email protected]": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
     "includeTargets": [
         {
             "targetType": "group",
@@ -333,7 +333,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
 
 ```json
 {
-    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
     "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
     "id": "MicrosoftAuthenticator",
     "state": "enabled",
@@ -350,7 +350,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
             }
         }
     },
-    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "[email protected]": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
     "includeTargets": [
         {
             "targetType": "group",
@@ -368,7 +368,7 @@ To turn off additional context, you'll need to PATCH **displayAppInformationRequ
 
 ```json
 {
-    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
     "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
     "id": "MicrosoftAuthenticator",
     "state": "enabled",
@@ -396,7 +396,7 @@ To turn off additional context, you'll need to PATCH **displayAppInformationRequ
             }
         }
     },
-    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "[email protected]": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
     "includeTargets": [
         {
             "targetType": "group",