Merge pull request #219786 from MicrosoftGuyJFlo/CATemplatesRefresh1222

[Azure AD] Conditional Access - Templates December 22 refresh

Author: v-stsavell

articles/active-directory/conditional-access/concept-conditional-access-policy-common.md

@@ -1,12 +1,12 @@
 ---
-title: Common Conditional Access policies - Azure Active Directory
-description: Commonly used Conditional Access policies for organizations
+title: Conditional Access templates - Azure Active Directory
+description: Deploy commonly used Conditional Access policies with templates
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 08/22/2022
+ms.date: 11/29/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -15,57 +15,63 @@ ms.reviewer: calebb, lhuangnorth
 
 ms.collection: M365-identity-device-management
 ---
-# Common Conditional Access policies
+# Conditional Access templates (Preview)
 
-[Security defaults](../fundamentals/concept-fundamentals-security-defaults.md) are great for some but many organizations need more flexibility than they offer. Many organizations need to exclude specific accounts like their emergency access or break-glass administration accounts from Conditional Access policies. The policies referenced in this article can be customized based on organizational needs. Organizations can [use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)
-
-## Conditional Access templates (Preview)
-
-Conditional Access templates are designed to provide a convenient method to deploy new policies aligned with Microsoft recommendations. These templates are designed to provide maximum protection aligned with commonly used policies across various customer types and locations.
+Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. These templates are designed to provide maximum protection aligned with commonly used policies across various customer types and locations.
 
 :::image type="content" source="media/concept-conditional-access-policy-common/conditional-access-policies-azure-ad-listing.png" alt-text="Conditional Access policies and templates in the Azure portal." lightbox="media/concept-conditional-access-policy-common/conditional-access-policies-azure-ad-listing.png":::
 
-The 14 policy templates are split into policies that would be assigned to user identities or devices. Find the templates in the **Azure portal** > **Azure Active Directory** > **Security** > **Conditional Access** > **Create new policy from template**.
+There are 14 Conditional Access policy templates, filtered by six different scenarios: 
 
-Organizations not comfortable allowing Microsoft to create these policies can create them manually by copying the settings from **View policy summary** or use the linked articles to create policies themselves. 
+- Secure foundation
+- Zero Trust
+- Remote work
+- Protect administrators
+- Emerging threats
+- All 
+
+Find the templates in the **Azure portal** > **Azure Active Directory** > **Security** > **Conditional Access** > **New policy from template (Preview)**. Select **Show more** to see all policy templates in each scenario.
 
 :::image type="content" source="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png" alt-text="Create a Conditional Access policy from a preconfigured template in the Azure portal." lightbox="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png":::
 
 > [!IMPORTANT]
-> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md) open the policy and modify the excluded users and groups to include them. 
+> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md), you will be able to modify the policy once they are created. Simply navigate to **Azure portal** > **Azure Active Directory** > **Security** > **Conditional Access** > **Policies**, select the policy to open the editor and modify the excluded users and groups to select accounts you want to exclude.
 > 
 > By default, each policy is created in [report-only mode](concept-conditional-access-report-only.md), we recommended organizations test and monitor usage, to ensure intended result, before turning each policy on.
 
-- Identities
-   - [Require multi-factor authentication for admins](howto-conditional-access-policy-admin-mfa.md)\*
-   - [Securing security info registration](howto-conditional-access-policy-registration.md)
-   - [Block legacy authentication](howto-conditional-access-policy-block-legacy.md)\*
-   - [Require multi-factor authentication for all users](howto-conditional-access-policy-all-users-mfa.md)\*
-   - [Require multi-factor authentication for guest access](howto-policy-guest-mfa.md)
-   - [Require multi-factor authentication for Azure management](howto-conditional-access-policy-azure-management.md)\*
-   - [Require multi-factor authentication for risky sign-in](howto-conditional-access-policy-risk.md) **Requires Azure AD Premium P2**
-   - [Require password change for high-risk users](howto-conditional-access-policy-risk-user.md) **Requires Azure AD Premium P2**
-- Devices
-   - [Require compliant or hybrid Azure AD joined device or multifactor authentication for all users](howto-conditional-access-policy-compliant-device.md)
-   - [Block access for unknown or unsupported device platform](howto-policy-unknown-unsupported-device.md)
-   - [No persistent browser session](howto-policy-persistent-browser-session.md)
-   - [Require approved client apps or app protection](howto-policy-approved-app-or-app-protection.md)
-   - [Require compliant or Hybrid Azure AD joined device for administrators](howto-conditional-access-policy-compliant-device-admin.md)
-   - [Use application enforced restrictions for unmanaged devices](howto-policy-app-enforced-restriction.md)
+Organizations can select individual policy templates and:
 
-> \* These four policies when configured together, provide similar functionality enabled by [security defaults](../fundamentals/concept-fundamentals-security-defaults.md).
+- View a summary of the policy settings.
+- Edit, to customize based on organizational needs.
+- Export the JSON definition for use in programmatic workflows.
+   - These JSON definitions can be edited and then imported on the main Conditional Access policies page using the **Import policy file** option.
 
-### Other policies
+## Conditional Access template policies
+
+- [Block legacy authentication](howto-conditional-access-policy-block-legacy.md)\*
+- [Require multifactor authentication for admins](howto-conditional-access-policy-admin-mfa.md)\*
+- [Require multifactor authentication for all users](howto-conditional-access-policy-all-users-mfa.md)\*
+- [Require multifactor authentication for Azure management](howto-conditional-access-policy-azure-management.md)\*
+
+> \* These four policies when configured together, provide similar functionality enabled by [security defaults](../fundamentals/concept-fundamentals-security-defaults.md).
 
-* [Block access by location](howto-conditional-access-policy-location.md)
-* [Block access except specific apps](howto-conditional-access-policy-block-access.md)
+- [Block access for unknown or unsupported device platform](howto-policy-unknown-unsupported-device.md)
+- [No persistent browser session](howto-policy-persistent-browser-session.md)
+- [Require approved client apps or app protection](howto-policy-approved-app-or-app-protection.md)
+- [Require compliant or hybrid Azure AD joined device or multifactor authentication for all users](howto-conditional-access-policy-compliant-device.md)
+- [Require compliant or Hybrid Azure AD joined device for administrators](howto-conditional-access-policy-compliant-device-admin.md)
+- [Require multi-factor authentication for risky sign-in](howto-conditional-access-policy-risk.md) **Requires Azure AD Premium P2**
+- [Require multifactor authentication for guest access](howto-policy-guest-mfa.md)
+- [Require password change for high-risk users](howto-conditional-access-policy-risk-user.md) **Requires Azure AD Premium P2**
+- [Securing security info registration](howto-conditional-access-policy-registration.md)
+- [Use application enforced restrictions for unmanaged devices](howto-policy-app-enforced-restriction.md)
 
-## Emergency access accounts
+## Other common policies
 
-More information about emergency access accounts and why they're important can be found in the following articles: 
+- [Block access by location](howto-conditional-access-policy-location.md)
+- [Block access except specific apps](howto-conditional-access-policy-block-access.md)
 
-* [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md)
-* [Create a resilient access control management strategy with Azure Active Directory](../authentication/concept-resilient-controls.md)
+[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)]
 
 ## Next steps
 

articles/active-directory/conditional-access/media/concept-conditional-access-policy-common/conditional-access-policies-azure-ad-listing.png

@@ -129,7 +129,7 @@ If you already have risk policies enabled in Identity Protection, we highly reco
 
 ### Migrating to Conditional Access
 
-1.	**Create an equivalent** [user risk-based](#user-risk-policy-in-conditional-access) and [sign-in risk-based ](#sign-in-risk-policy-in-conditional-access) policy in Conditional Access in report-only mode. You can create a policy with the steps above or using [Conditional Access templates](../conditional-access/concept-conditional-access-policy-common.md#common-conditional-access-policies) based on Microsoft's recommendations and your organizational requirements.
+1.	**Create an equivalent** [user risk-based](#user-risk-policy-in-conditional-access) and [sign-in risk-based ](#sign-in-risk-policy-in-conditional-access) policy in Conditional Access in report-only mode. You can create a policy with the steps above or using [Conditional Access templates](../conditional-access/concept-conditional-access-policy-common.md) based on Microsoft's recommendations and your organizational requirements.
     1. Ensure that the new Conditional Access risk policy works as expected by testing it in [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md).
 1.	**Enable** the new Conditional Access risk policy. You can choose to have both policies running side-by-side to confirm the new policies are working as expected before turning off the Identity Protection risk policies.
     1. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**. 

articles/active-directory/conditional-access/media/concept-conditional-access-policy-common/create-policy-from-template-identity.png

@@ -2,12 +2,12 @@
 author: joflore
 ms.service: active-directory
 ms.topic: include
-ms.date: 09/27/2022
+ms.date: 11/29/2022
 ms.author: joflore
 ---
 ## User exclusions
 
-Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:
+Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policies:
 
 - **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant to take steps to recover access.
    - More information can be found in the article, [Manage emergency access accounts in Azure AD](../articles/active-directory/roles/security-emergency-access.md).