MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 34271 additions & 34271 deletions b/‎.openpublishing.redirection.json
Lines changed: 34271 additions & 34271 deletions
diff --git a/‎.openpublishing.redirection.virtual-desktop.json
Lines changed: 10 additions & 0 deletions b/‎.openpublishing.redirection.virtual-desktop.json
Lines changed: 10 additions & 0 deletions
diff --git a/‎articles/active-directory-domain-services/faqs.yml
Lines changed: 5 additions & 0 deletions b/‎articles/active-directory-domain-services/faqs.yml
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/authentication/how-to-mfa-additional-context.md
Lines changed: 6 additions & 383 deletions b/‎articles/active-directory/authentication/how-to-mfa-additional-context.md
Lines changed: 6 additions & 383 deletions
diff --git a/‎articles/active-directory/authentication/how-to-mfa-number-match.md
Lines changed: 6 additions & 253 deletions b/‎articles/active-directory/authentication/how-to-mfa-number-match.md
Lines changed: 6 additions & 253 deletions
@@ -19,6 +19,16 @@
             "source_path_from_root": "/articles/virtual-desktop/create-profile-container-adds.md",
             "redirect_url": "/azure/virtual-desktop/fslogix-profile-container-configure-azure-files-active-directory",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/virtual-desktop/shortpath.md",
+            "redirect_url": "/azure/virtual-desktop/rdp-shortpath",
+            "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/virtual-desktop/shortpath-public.md",
+            "redirect_url": "/azure/virtual-desktop/rdp-shortpath",
+            "redirect_document_id": false
         }
     ]
 }
@@ -164,6 +164,11 @@ sections:
           How are Windows Updates applied in Azure AD Domain Services?
         answer: |
           Domain controllers in a managed domain automatically apply required Windows updates. There's nothing for you to configure or administer here. Make sure you don't create network security group rules that block outbound traffic to Windows Updates. For your own VMs joined to the managed domain, you are responsible for configuring and applying any required OS and application updates.
+          
+      - question: |
+          Why do my domain controllers change names?
+        answer: |
+          It is possible that during the maintenance of domain controllers there is a change in their names. To avoid problems with this type of change, it is recommended to not use the names of the domain controllers hardcoded in applications and/or other domain resources, but the FQDN of the domain. This way, no matter what the names of the domain controllers are, you won't need to reconfigure anything after a name change.
 
   - name: Billing and availability
     questions:
 
@@ -14,7 +14,7 @@ manager: amycolannino
 ms.reviewer: annaba
 
 ms.collection: M365-identity-device-management
-ms.custom: has-adal-ref
+
 ---
 # Get started with certificate-based authentication in Azure Active Directory with federation
 
@@ -37,7 +37,7 @@ This topic:
 
 To configure CBA with federation, the following statements must be true:
 
-- CBA with federation is only supported for Federated environments for browser applications, native clients using modern authentication (ADAL), or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts. To configure Azure AD CBA without needing federation, see [How to configure Azure AD certificate-based authentication](how-to-certificate-based-authentication.md).
+- CBA with federation is only supported for Federated environments for browser applications, native clients using modern authentication, or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts. To configure Azure AD CBA without needing federation, see [How to configure Azure AD certificate-based authentication](how-to-certificate-based-authentication.md).
 - The root certificate authority and any intermediate certificate authorities must be configured in Azure Active Directory.
 - Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an internet-facing URL.
 - You must have at least one certificate authority configured in Azure Active Directory. You can find related steps in the [Configure the certificate authorities](#step-2-configure-the-certificate-authorities) section.
 
@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 09/01/2022
+ms.date: 09/09/2022
 ms.author: justinha
 author: mjsantani
 ms.collection: M365-identity-device-management
@@ -13,7 +13,7 @@ ms.collection: M365-identity-device-management
 ---
 # How to use number matching in multifactor authentication (MFA) notifications (Preview) - Authentication Methods Policy
 
-This topic covers how to enable number matching in Microsoft Authenticator push notifications to improve user sign-in security. Number matching can be enabled by using the Azure portal or Microsoft Graph API. 
+This topic covers how to enable number matching in Microsoft Authenticator push notifications to improve user sign-in security. The schema for the API to enable number match is currently being updated. **While the API is updated over the next two weeks, you should only use the Azure AD portal to enable number match.**   
 
 >[!NOTE]
 >Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator that will be enabled by default for all tenants a few months after general availability (GA).<br> 
@@ -25,6 +25,8 @@ Your organization will need to enable Authenticator (traditional second factor)
 
 ## Number matching
 
+<!---check below with Mayur. The bit about the policy came from the number match FAQ at the end.--->
+
 Number matching can be targeted to only a single group, which can be dynamic or nested. On-premises synchronized security groups and cloud-only security groups are supported for the Authentication Method Policy. 
 
 Number matching is available for the following scenarios. When enabled, all scenarios support number matching.
@@ -84,256 +86,7 @@ To create the registry key that overrides push notifications:
 
 ## Enable number matching 
 
-
->[!NOTE]
->In Graph Explorer, ensure you've consented to the **Policy.Read.All** and **Policy.ReadWrite.AuthenticationMethod** permissions. 
-
-Identify your single target group for the schema configuration. Then use the following API endpoint to change the numberMatchingRequiredState property under featureSettings to **enabled** and include or exclude groups:
-
-```http
-https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
-```
-
-
-### MicrosoftAuthenticatorAuthenticationMethodConfiguration properties
-
-**PROPERTIES**
-
-| Property | Type | Description |
-|---------|------|-------------|
-| id | String | The authentication method policy identifier. |
-| state | authenticationMethodState | Possible values are: **enabled**<br>**disabled** |
- 
-**RELATIONSHIPS**
-
-| Relationship | Type | Description |
-|--------------|------|-------------|
-| includeTargets | [microsoftAuthenticatorAuthenticationMethodTarget](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget?view=graph-rest-beta&preserve-view=true) collection | A collection of users or groups who are enabled to use the authentication method |
-| featureSettings | [microsoftAuthenticatorFeatureSettings](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget) collection | A collection of Microsoft Authenticator features. |
- 
-### MicrosoftAuthenticator includeTarget properties
- 
-**PROPERTIES**
-
-| Property | Type | Description |
-|----------|------|-------------|
-| authenticationMode | String | Possible values are:<br>**any**: Both passwordless phone sign-in and traditional second factor notifications are allowed.<br>**deviceBasedPush**: Only passwordless phone sign-in notifications are allowed.<br>**push**: Only traditional second factor push notifications are allowed. |
-| id | String | Object ID of an Azure AD user or group. |
-| targetType | authenticationMethodTargetType | Possible values are: **user**, **group**.|
-
-
-
-### MicrosoftAuthenticator featureSettings properties
- 
-**PROPERTIES**
-
-| Property | Type | Description |
-|----------|------|-------------|
-| numberMatchingRequiredState | authenticationMethodFeatureConfiguration | Require number matching for MFA notifications. Value is ignored for phone sign-in notifications. |
-| displayAppInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown application name in Microsoft Authenticator notification. |
-| displayLocationInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown geographic location context in Microsoft Authenticator notification. |
-
-### Authentication Method Feature Configuration properties
-
-**PROPERTIES**
-
-| Property | Type | Description |
-|----------|------|-------------|
-| excludeTarget | featureTarget | A single entity that is excluded from this feature. <br> Please note: You will be able to only exclude one group for number matching. |
-| includeTarget | featureTarget | A single entity that is included in this feature. <br> Please note: You will be able to only set one group for number matching. |
-| State | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |
-
-### Feature Target properties
-
-**PROPERTIES**
-
-| Property | Type | Description |
-|----------|------|-------------|
-| id | String | ID of the entity targeted. |
-| targetType | featureTargetType | The kind of entity targeted, such as group, role, or administrative unit. The possible values are: ‘group’, 'administrativeUnit’, ‘role’, unknownFutureValue’. |
-
->[!NOTE]
->Number matching can be enabled only for a single group. 
-
-### Example of how to enable number matching for all users
-
-In **featureSettings**, you will need to change the **numberMatchingRequiredState** from **default** to **enabled**. 
-
-Note that the value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we will use **any**, but if you do not want to allow passwordless, use **push**. 
-
->[!NOTE]
->For passwordless users, enabling or disabling number matching has no impact because it's already part of the passwordless experience. 
-
-You might need to patch the entire schema to prevent overwriting any previous configuration. In that case, do a GET first, update only the relevant fields, and then PATCH. The following example only shows the update to the **numberMatchingRequiredState** under **featureSettings**. 
-
-Only users who are enabled for Microsoft Authenticator under Microsoft Authenticator’s **includeTargets** will see the number match requirement. Users who aren't enabled for Microsoft Authenticator won't see the feature.
-
-```json
-//Retrieve your existing policy via a GET. 
-//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.
-//Change the Query to PATCH and Run query
- 
-{
-    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
-    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
-    "id": "MicrosoftAuthenticator",
-    "state": "enabled",
-    "featureSettings": {
-        "numberMatchingRequiredState": {
-            "state": "enabled",
-            "includeTarget": {
-                "targetType": "group",
-                "id": "all_users"
-            },
-            "excludeTarget": {
-                "targetType": "group",
-                "id": "00000000-0000-0000-0000-000000000000"
-            }
-      }
-    },
-    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
-    "includeTargets": [
-        {
-            "targetType": "group",
-            "id": "all_users",
-            "isRegistrationRequired": false,
-            "authenticationMode": "any",        
-        }
-    ]
-}
- 
-```
- 
-To confirm this has applied, please run the GET request below using the endpoint below.
-
-```http
-GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
-```
- 
-### Example of how to enable number matching for a single group
- 
-In **featureSettings**, you will need to change the **numberMatchingRequiredState** value from **default** to **enabled.** 
-Inside the **includeTarget**, you will need to change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.
-
-You need to PATCH the entire configuration to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The example below only shows the update to the **numberMatchingRequiredState**. 
-
-Only users who are enabled for Microsoft Authenticator under Microsoft Authenticator’s **includeTargets** will see the number match requirement. Users who aren't enabled for Microsoft Authenticator won't see the feature.
-
-```json
-{
-    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
-    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
-    "id": "MicrosoftAuthenticator",
-    "state": "enabled",
-    "featureSettings": {
-        "numberMatchingRequiredState": {
-            "state": "enabled",
-            "includeTarget": {
-                "targetType": "group",
-                "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a"
-            },
-            "excludeTarget": {
-                "targetType": "group",
-                "id": "00000000-0000-0000-0000-000000000000"
-            }
-        }
-    },
-    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
-    "includeTargets": [
-        {
-            "targetType": "group",
-            "id": "all_users",
-            "isRegistrationRequired": false,
-            "authenticationMode": "any"
-        }
-    ]
-}
-```
- 
-To verify, RUN GET again and verify the ObjectID
-
-```http
-GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
-```
- 
-### Example of removing the excluded group from number matching
-
-In **featureSettings**, you will need to change the **numberMatchingRequiredState** value from **default** to **enabled.** 
-You need to change the **id** of the **excludeTarget** to `00000000-0000-0000-0000-000000000000`.
-
-You need to PATCH the entire configuration to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The example below only shows the update to the **numberMatchingRequiredState**. 
-
-Only users who are enabled for Microsoft Authenticator under Microsoft Authenticator’s **includeTargets** will be excluded from the number match requirement. Users who aren't enabled for Microsoft Authenticator won't see the feature.
-
-```json
-{
-    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
-    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
-    "id": "MicrosoftAuthenticator",
-    "state": "enabled",
-    "featureSettings": {
-        "numberMatchingRequiredState": {
-            "state": "enabled",
-            "includeTarget": {
-                "targetType": "group",
-                "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a"
-            },
-            "excludeTarget": {
-                "targetType": "group",
-                "id": " 00000000-0000-0000-0000-000000000000"
-            }
-        }
-    },
-    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
-    "includeTargets": [
-        {
-            "targetType": "group",
-            "id": "all_users",
-            "isRegistrationRequired": false,
-            "authenticationMode": "any"
-        }
-    ]
-}
-```
-
-## Turn off number matching
-
-To turn number matching off, you will need to PATCH remove **numberMatchingRequiredState** from **enabled** to **disabled**/**default**.
-
-```json
-{
-    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
-    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
-    "id": "MicrosoftAuthenticator",
-    "state": "enabled",
-    "featureSettings": {
-        "numberMatchingRequiredState": {
-            "state": "default",
-            "includeTarget": {
-                "targetType": "group",
-                "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a"
-            },
-            "excludeTarget": {
-                "targetType": "group",
-                "id": " 00000000-0000-0000-0000-000000000000"
-            }
-        }
-    },
-    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
-    "includeTargets": [
-        {
-            "targetType": "group",
-            "id": "all_users",
-            "isRegistrationRequired": false,
-            "authenticationMode": "any"
-        }
-    ]
-}
-```
-
-## Enable number matching in the portal
-
-To enable number matching in the Azure AD portal, complete the following steps:
+To enable number matching, complete the following steps:
 
 1. In the Azure AD portal, click **Security** > **Authentication methods** > **Microsoft Authenticator**.
 1. On the **Basics** tab, click **Yes** and **All users** to enable the policy for everyone, and change **Authentication mode** to **Push**. 
@@ -348,4 +101,4 @@ To enable number matching in the Azure AD portal, complete the following steps:
 
 ## Next steps
 
-[Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md)
+[Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md)
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,16 @@`
`19`	`19`	`"source_path_from_root": "/articles/virtual-desktop/create-profile-container-adds.md",`
`20`	`20`	`"redirect_url": "/azure/virtual-desktop/fslogix-profile-container-configure-azure-files-active-directory",`
`21`	`21`	`"redirect_document_id": true`
	`22`	`+ },`
	`23`	`+ {`
	`24`	`+ "source_path_from_root": "/articles/virtual-desktop/shortpath.md",`
	`25`	`+ "redirect_url": "/azure/virtual-desktop/rdp-shortpath",`
	`26`	`+ "redirect_document_id": true`
	`27`	`+ },`
	`28`	`+ {`
	`29`	`+ "source_path_from_root": "/articles/virtual-desktop/shortpath-public.md",`
	`30`	`+ "redirect_url": "/azure/virtual-desktop/rdp-shortpath",`
	`31`	`+ "redirect_document_id": false`
`22`	`32`	`}`
`23`	`33`	`]`
`24`	`34`	`}`