
Commit a7f9dcb

Merge pull request #229638 from Justinha/combined
edits from Tim
2 parents b0806de + 91f2070 commit a7f9dcb


3 files changed

+22
-18
lines changed


articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -6,19 +6,19 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: conceptual
9-
ms.date: 01/29/2023
9+
ms.date: 03/06/2023
1010

1111
ms.author: justinha
12-
author: sajiang
12+
author: justinha
1313
manager: amycolannino
14-
ms.reviewer: sajiang
14+
ms.reviewer: tilarso
1515

1616
ms.collection: M365-identity-device-management
1717
---
1818
# Combined password policy and check for weak passwords in Azure Active Directory
1919

2020
Beginning in October 2021, Azure Active Directory (Azure AD) validation for compliance with password policies also includes a check for [known weak passwords](concept-password-ban-bad.md) and their variants.
21-
As the combined check for password policy and banned passwords gets rolled out to tenants, Azure AD and Office 365 admin center users may see differences when they create, change, or reset their passwords. This topic explains details about the password policy criteria checked by Azure AD.
21+
This topic explains details about the password policy criteria checked by Azure AD.
2222

2323
## Azure AD password policies
2424

@@ -34,12 +34,12 @@ The following Azure AD password policy requirements apply for all passwords that
3434
| Characters not allowed | Unicode characters |
3535
| Password length |Passwords require<br>- A minimum of eight characters<br>- A maximum of 256 characters</li> |
3636
| Password complexity |Passwords require three out of four of the following categories:<br>- Uppercase characters<br>- Lowercase characters<br>- Numbers <br>- Symbols<br> Note: Password complexity check isn't required for Education tenants. |
37-
| Password not recently used | When a user changes or resets their password, the new password can't be the same as the current or recently used passwords. |
37+
| Password not recently used | When a user changes their password, the new password can't be the same as the current or recently used passwords. |
3838
| Password isn't banned by [Azure AD Password Protection](concept-password-ban-bad.md) | The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization. |
3939

4040
## Password expiration policies
4141

42-
Password expiration policies are unchanged but they're included in this topic for completeness. A *global administrator* or *user administrator* can use the [Microsoft Azure AD Module for Windows PowerShell](/powershell/module/Azuread/) to set user passwords not to expire.
42+
Password expiration policies are unchanged but they're included in this topic for completeness. A *Global Administrator* or *User Administrator* can use the [Microsoft Azure AD Module for Windows PowerShell](/powershell/module/Azuread/) to set user passwords not to expire.
4343

4444
> [!NOTE]
4545
> By default, only passwords for user accounts that aren't synchronized through Azure AD Connect can be configured to not expire. For more information about directory synchronization, see [Connect AD with Azure AD](../hybrid/how-to-connect-password-hash-synchronization.md#password-expiration-policy).
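Review bot: the rewrite of the "Password not recently used" row silently drops "or resets", so the row now says nothing about whether the history check applies when a password is reset rather than changed; if the check does not run on resets, state that explicitly, otherwise keep "changes or resets their password". Two smaller points in the same hunk: the unchanged "Password length" row still ends with a stray `</li>` that has no matching `<li>` and should be deleted, and the first paragraph under the H1 now consists of a single sentence ("This topic explains details about...") that could be merged into the preceding paragraph.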

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

Lines changed: 16 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: conceptual
9-
ms.date: 01/29/2023
9+
ms.date: 03/06/2023
1010

1111
ms.author: justinha
1212
author: justinha
@@ -66,7 +66,7 @@ Combined registration supports the authentication methods and actions in the fol
6666
> [!NOTE]
6767
> <b>Alternate phone</b> can only be registered in *manage mode* on the [Security info](https://mysignins.microsoft.com/security-info) page and requires Voice calls to be enabled in the Authentication methods policy. <br />
6868
> <b>Office phone</b> can only be registered in *Interrupt mode* if the users *Business phone* property has been set. Office phone can be added by users in *Managed mode from the [Security info](https://mysignins.microsoft.com/security-info)* without this requirement. <br />
69-
> <b>App passwords</b> are available only to users who have been enforced for per-user MFA. App passwords are not available to users who are enabled for Azure AD Multi-Factor Authentication by a Conditional Access policy. <br />
69+
> <b>App passwords</b> are available only to users who have been enforced for per-user MFA. App passwords aren't available to users who are enabled for Azure AD Multi-Factor Authentication by a Conditional Access policy. <br />
7070
> <b>FIDO2 security keys</b>, can only be added in *manage mode only* on the [Security info](https://mysignins.microsoft.com/security-info) page.
7171
7272
Users can set one of the following options as the default multifactor authentication method.
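Review bot: the only change in this hunk is "are not" to "aren't", but the surrounding NOTE lines it touches carry several visible defects worth fixing in the same pass: "<b>FIDO2 security keys</b>, can only be added in *manage mode only*" has a stray comma after the bold span and says "only" twice; "if the users *Business phone* property" needs the possessive "user's"; and "*Managed mode from the [Security info](...)*" wraps the link in italics inconsistently with "*manage mode*" elsewhere in the block.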
@@ -77,9 +77,9 @@ Users can set one of the following options as the default multifactor authentica
7777
- Text message
7878

7979
>[!NOTE]
80-
>Virtual phone numbers are not supported for Voice calls or SMS messages.
80+
>Virtual phone numbers aren't supported for Voice calls or SMS messages.
8181
82-
Third party authenticator apps do not provide push notification. As we continue to add more authentication methods to Azure AD, those methods become available in combined registration.
82+
Third party authenticator apps don't provide push notification. As we continue to add more authentication methods to Azure AD, those methods become available in combined registration.
8383

8484
## Combined registration modes
8585

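Review bot: "Third party authenticator apps don't provide push notification" should read "Third-party authenticator apps don't provide push notifications" (hyphenated compound adjective, plural noun), since this line is being edited anyway.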
@@ -98,28 +98,32 @@ Combined registration adheres to both multifactor authentication and SSPR polici
9898

9999
The following are sample scenarios where users might be prompted to register or refresh their security info:
100100

101-
- *Multifactor Authentication registration enforced through Identity Protection:* Users are asked to register during sign-in. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).
102-
- *Multifactor Authentication registration enforced through per-user multifactor authentication:* Users are asked to register during sign-in. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).
103-
- *Multifactor Authentication registration enforced through Conditional Access or other policies:* Users are asked to register when they use a resource that requires multifactor authentication. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).
101+
- *Multifactor authentication registration enforced through Identity Protection:* Users are asked to register during sign-in. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).
102+
- *Multifactor authentication registration enforced through per-user multifactor authentication:* Users are asked to register during sign-in. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).
103+
- *Multifactor authentication registration enforced through Conditional Access or other policies:* Users are asked to register when they use a resource that requires multifactor authentication. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).
104104
- *SSPR registration enforced:* Users are asked to register during sign-in. They register only SSPR methods.
105105
- *SSPR refresh enforced:* Users are required to review their security info at an interval set by the admin. Users are shown their info and can confirm the current info or make changes if needed.
106106

107-
When registration is enforced, users are shown the minimum number of methods needed to be compliant with both multifactor authentication and SSPR policies, from most to least secure. Users going through combined registration where both MFA and SSPR registration is enforced and the SSPR policy requires two methods will first be required to register an MFA method as the first method and can select another MFA or SSPR specific method as the second registered method (e.g. email, security questions etc.)
107+
When registration is enforced, users are shown the minimum number of methods needed to be compliant with both multifactor authentication and SSPR policies, from most to least secure. Users going through combined registration where both MFA and SSPR registration are enforced and the SSPR policy requires two methods will first be required to register an MFA method as the first method and can select another MFA or SSPR specific method as the second registered method (e.g. email, security questions etc.)
108108

109109
Consider the following example scenario:
110110

111-
- A user is enabled for SSPR. The SSPR policy requires two methods to reset and has enabled Authenticator app, email, and phone.
111+
- A user is enabled for SSPR. The SSPR policy requires two methods to reset and has enabled Microsoft Authenticator app, email, and phone.
112112
- When the user chooses to register, two methods are required:
113-
- The user is shown Authenticator app and phone by default.
113+
- The user is shown Microsoft Authenticator app and phone by default.
114114
- The user can choose to register email instead of Authenticator app or phone.
115115

116+
When they set up Microsoft Authenticator, the user can click **I want to setup a different method** to register other authentication methods. The list of available methods is determined by the Authentication methods policy for the tenant. 
117+
118+
:::image type="content" border="true" source="media/concept-registration-mfa-sspr-combined/choose.png" alt-text="Screenshot of how to choose another method when you set up Microsoft Authenticator.":::
119+
116120
The following flowchart describes which methods are shown to a user when interrupted to register during sign-in:
117121

118122
![Combined security info flowchart](media/concept-registration-mfa-sspr-combined/combined-security-info-flow-chart.png)
119123

120124
If you have both multifactor authentication and SSPR enabled, we recommend that you enforce multifactor authentication registration.
121125

122-
If the SSPR policy requires users to review their security info at regular intervals, users are interrupted during sign-in and shown all their registered methods. They can confirm the current info if it's up to date, or they can make changes if they need to. Users must perform multi-factor authentication when accessing this page.
126+
If the SSPR policy requires users to review their security info at regular intervals, users are interrupted during sign-in and shown all their registered methods. They can confirm the current info if it's up to date, or they can make changes if they need to. Users must perform multifactor authentication to access this page.
123127

124128
### Manage mode
125129

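Review bot: the new paragraph says users can click **I want to setup a different method**; "setup" is a noun, so unless that is the exact UI string the bold label should read "set up". The same hunk renames "Authenticator app" to "Microsoft Authenticator app" on two bullet lines but leaves the unchanged bullet "The user can choose to register email instead of Authenticator app or phone" with the old name, so the list is now inconsistent. The long paragraph starting "When registration is enforced" still ends without a full stop after "(e.g. email, security questions etc.)".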
@@ -135,7 +139,7 @@ A user has not set up all required security info and goes to the Azure portal. A
135139

136140
### Set up security info from My Account
137141

138-
An admin has not enforced registration.
142+
An admin hasn't enforced registration.
139143

140144
A user who hasn't yet set up all required security info goes to [https://myaccount.microsoft.com](https://myaccount.microsoft.com). The user selects **Security info** in the left pane. From there, the user chooses to add a method, selects any of the methods available, and follows the steps to set up that method. When finished, the user sees the method that was set up on the Security info page.
141145

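Review bot: "An admin has not enforced registration" becomes "hasn't" here, but the hunk header shows the Manage mode section still opening with "A user has not set up all required security info"; apply the contraction consistently or leave both as is.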