Merge pull request #180131 from MicrosoftDocs/master

11/16 PM Publish

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -10,6 +10,11 @@
           "redirect_url": "/azure/active-directory/manage-apps/what-is-application-management",
           "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/active-directory/authentication/how-to-nudge-authenticator-app.md",
+            "redirect_url": "/azure/active-directory/authentication/how-to-mfa-registration-campaign",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/active-directory/develop/active-directory-v2-limitations.md",
             "redirect_url": "/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison",
@@ -1670,6 +1675,26 @@
             "redirect_url": "/azure/active-directory/authentication/tutorial-enable-azure-mfa",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/active-directory/conditional-access/require-managed-devices.md",
+            "redirect_url": "/azure/active-directory/conditional-access/concept-conditional-access-grant",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/conditional-access/untrusted-networks.md",
+            "redirect_url": "/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa",
+            "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/conditional-access/app-based-conditional-access.md",
+            "redirect_url": "/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/conditional-access/app-protection-based-conditional-access.md",
+            "redirect_url": "/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection",
+            "redirect_document_id": true
+        },
         {
             "source_path_from_root": "/articles/active-directory/authentication/quickstart-sspr.md",
             "redirect_url": "/azure/active-directory/authentication/tutorial-enable-sspr",
@@ -9888,7 +9913,7 @@
         {
             "source_path_from_root": "/articles/active-directory/active-directory-saas-workplacebyfacebook-provisioning-tutorial.md",
             "redirect_url": "/azure/active-directory/saas-apps/workplace-by-facebook-provisioning-tutorial",
-            "redirect_document_id": true
+            "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/active-directory/active-directory-saas-workplacebyfacebook-tutorial.md",

articles/active-directory/app-provisioning/functions-for-customizing-application-data.md

@@ -7,7 +7,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
 ms.topic: reference
-ms.date: 10/27/2021
+ms.date: 11/16/2021
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -33,7 +33,7 @@ The syntax for Expressions for Attribute Mappings is reminiscent of Visual Basic
 
 ## List of Functions
 
-[Append](#append)      [AppRoleAssignmentsComplex](#approleassignmentscomplex)      [BitAnd](#bitand)      [CBool](#cbool)      [CDate](#cdate)      [Coalesce](#coalesce)      [ConvertToBase64](#converttobase64)      [ConvertToUTF8Hex](#converttoutf8hex)      [Count](#count)      [CStr](#cstr)      [DateAdd](#dateadd)      [DateDiff](#datediff)      [DateFromNum](#datefromnum)  [FormatDateTime](#formatdatetime)      [Guid](#guid)      [IgnoreFlowIfNullOrEmpty](#ignoreflowifnullorempty)     [IIF](#iif)     [InStr](#instr)      [IsNull](#isnull)      [IsNullOrEmpty](#isnullorempty)      [IsPresent](#ispresent)      [IsString](#isstring)      [Item](#item)      [Join](#join)      [Left](#left)      [Mid](#mid)      [NormalizeDiacritics](#normalizediacritics)       [Not](#not)      [Now](#now)      [NumFromDate](#numfromdate)      [PCase](#pcase)      [RandomString](#randomstring)      [RemoveDuplicates](#removeduplicates)      [Replace](#replace)      [SelectUniqueValue](#selectuniquevalue)     [SingleAppRoleAssignment](#singleapproleassignment)     [Split](#split)    [StripSpaces](#stripspaces)      [Switch](#switch)     [ToLower](#tolower)     [ToUpper](#toupper)     [Word](#word)
+[Append](#append)      [AppRoleAssignmentsComplex](#approleassignmentscomplex)      [BitAnd](#bitand)      [CBool](#cbool)      [CDate](#cdate)      [Coalesce](#coalesce)      [ConvertToBase64](#converttobase64)      [ConvertToUTF8Hex](#converttoutf8hex)      [Count](#count)      [CStr](#cstr)      [DateAdd](#dateadd)      [DateDiff](#datediff)      [DateFromNum](#datefromnum)  [FormatDateTime](#formatdatetime)      [Guid](#guid)      [IgnoreFlowIfNullOrEmpty](#ignoreflowifnullorempty)     [IIF](#iif)     [InStr](#instr)      [IsNull](#isnull)      [IsNullOrEmpty](#isnullorempty)      [IsPresent](#ispresent)      [IsString](#isstring)      [Item](#item)      [Join](#join)      [Left](#left)      [Mid](#mid)      [NormalizeDiacritics](#normalizediacritics)       [Not](#not)      [Now](#now)      [NumFromDate](#numfromdate)      [PCase](#pcase)      [RandomString](#randomstring)      [Redact](#redact)      [RemoveDuplicates](#removeduplicates)      [Replace](#replace)      [SelectUniqueValue](#selectuniquevalue)     [SingleAppRoleAssignment](#singleapproleassignment)     [Split](#split)    [StripSpaces](#stripspaces)      [Switch](#switch)     [ToLower](#tolower)     [ToUpper](#toupper)     [Word](#word)
 
 ---
 ### Append
@@ -811,7 +811,32 @@ Generates a random string with 6 characters. The string contains 3 numbers and 3
 Generates a random string with 10 characters. The string contains at least 2 numbers, 2 special characters, 2 capital letters, 1 lower case letter and excludes the characters "?" and "," (1@!2BaRg53).
 
 ---
+### Redact
+**Function:** 
+Redact()
+
+**Description:** 
+The Redact function replaces the attribute value with the string literal "[Redact]" in the provisioning logs. 
+
+**Parameters:** 
+
+| Name | Required/ Repeating | Type | Notes |
+| --- | --- | --- | --- |
+| **attribute/value** |Required |String|Specify the attribute or constant / string to redact from the logs.|
+
+**Example 1:** Redact an attribute:
+`Redact([userPrincipalName])`
+Removes the userPrincipalName from the provisioning logs.
 
+**Example 2:** Redact a string:
+`Redact("StringToBeRedacted")`
+Removes a constant string from the provisioning logs.
+
+**Example 3:** Redact a random string:
+`Redact(RandomString(6,3,0,0,3))`
+Removes the random string from the provisioning logs.
+
+---
 ### RemoveDuplicates
 **Function:** 
 RemoveDuplicates(attribute)

articles/active-directory/authentication/TOC.yml

@@ -162,8 +162,12 @@
       href: howto-password-ban-bad-on-premises-faq.yml
     - name: Agent version history
       href: howto-password-ban-bad-on-premises-agent-versions.md
-  - name: Nudge Microsoft Authenticator setup (Preview)
-    href: how-to-nudge-authenticator-app.md
+  - name: Run a registration campaign
+    href: how-to-mfa-registration-campaign.md
+  - name: Use number matching (Preview)
+    href: how-to-mfa-number-match.md
+  - name: Use additional context (Preview)
+    href: how-to-mfa-additional-context.md
   - name: Use Microsoft managed settings 
     href: how-to-mfa-microsoft-managed.md
   - name: Use a Temporary Access Pass (Preview)

articles/active-directory/authentication/how-to-mfa-additional-context.md

@@ -0,0 +1,196 @@
+---
+title: Use additional context in multifactor authentication (MFA) notifications (Preview) - Azure Active Directory
+description: Learn how to use additional context in MFA notifications
+services: active-directory
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 11/16/2021
+
+ms.author: justinha
+author: mjsantani
+manager: daveba
+
+ms.collection: M365-identity-device-management
+
+# Customer intent: As an identity administrator, I want to encourage users to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.
+---
+# How to use additional context in multifactor authentication (MFA) notifications (Preview) - Authentication Methods Policy
+
+This topic covers how to improve the security of user sign-in by adding application location based on IP address in Microsoft Authenticator push notifications.  
+
+## Prerequisites
+
+Your organization will need to enable Microsoft Authenticator push notifications for some users or groups using the new Authentication Methods Policy API. 
+
+>[!NOTE]
+>Additional context can be targeted to only a single group, which can be dynamic or nested. On-premises synchronized security groups and cloud-only security groups are supported for the Authentication Method Policy.
+
+## Passwordless phone sign-in and multifactor authentication 
+
+When a user receives a Passwordless phone sign-in or MFA push notification in the Microsoft Authenticator app, they'll see the name of the application that requests the approval and the app location based on its IP address.
+
+![Screenshot of additional context in the MFA push notification.](media/howto-authentication-passwordless-phone/location.png)
+
+The additional context can be combined with [number matching](how-to-mfa-number-match.md) to further improve sign-in security. 
+
+![Screenshot of additional context with number matching in the MFA push notification.](media/howto-authentication-passwordless-phone/location-with-number-match.png)
+
+### Policy schema changes 
+
+Identify a single target group for the schema configuration. Then use the following API endpoint to change the displayAppInformationRequiredState property to **enabled**:
+
+https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+
+
+#### MicrosoftAuthenticatorAuthenticationMethodConfiguration properties
+
+**PROPERTIES**
+
+| Property | Type | Description |
+|---------|------|-------------|
+| id | String | The authentication method policy identifier. |
+| state | authenticationMethodState | Possible values are: **enabled**<br>**disabled** |
+ 
+**RELATIONSHIPS**
+
+| Relationship | Type | Description |
+|--------------|------|-------------|
+| includeTargets | [microsoftAuthenticatorAuthenticationMethodTarget](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget.md?view=graph-rest-beta) |
+| collection | A collection of users or groups who are enabled to use the authentication method. |
+ 
+#### MicrosoftAuthenticator includeTarget properties
+ 
+**PROPERTIES**
+
+| Property | Type | Description |
+|----------|------|-------------|
+| authenticationMode | String | Possible values are:<br>**any**: Both passwordless phone sign-in and traditional second factor notifications are allowed.<br>**deviceBasedPush**: Only passwordless phone sign-in notifications are allowed.<br>**push**: Only traditional second factor push notifications are allowed. |
+| id | String | Object ID of an Azure AD user or group. |
+| targetType | authenticationMethodTargetType | Possible values are: **user**, **group**.<br>You can only set one group or user for additional context. |
+| displayAppInformationRequiredState | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |
+
+>[!NOTE]
+>Additional context can only be enabled for a single group.
+
+#### Example of how to enable additional context for all users
+
+Change the **displayAppInformationRequiredState** from **default** to **enabled**. 
+
+The value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we'll use **any**, but if you do not want to allow passwordless, use **push**.
+
+You need to PATCH the entire includeTarget to prevent overwriting any previous configuration. In that case, do a GET first, update only the relevant fields, and then PATCH. The following example only shows the update to the **displayAppInformationRequiredState**. 
+
+```json
+//Retrieve your existing policy via a GET. 
+//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.
+//Change the Query to PATCH and Run query
+ 
+{
+    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
+    "id": "MicrosoftAuthenticator",
+    "state": "enabled",
+    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "includeTargets": [
+        {
+            "targetType": "group",
+            "id": "all_users",
+            "authenticationMode": "any",
+            "displayAppInformationRequiredState": "enabled",
+            "numberMatchingRequiredState": "enabled"
+        }
+    ]
+}
+ 
+```
+ 
+To confirm this update has applied, run the GET request below using the endpoint below.
+GET - https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+ 
+ 
+#### Example of how to enable additional context for a single group
+ 
+Change the **displayAppInformationRequiredState** value from **default** to **enabled.** 
+Change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.
+
+You need to PATCH the entire includeTarget to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The example below only shows the update to the **displayAppInformationRequiredState**. 
+
+```json
+//Copy paste the below in the Request body section as shown below.
+//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.
+//Change query to PATCH and run query
+
+{
+    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
+    "id": "MicrosoftAuthenticator",
+    "state": "enabled",
+    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "includeTargets": [
+        {
+            "targetType": "group",
+            "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a”,
+            "authenticationMode": "any",
+            "displayAppInformationRequiredState": "enabled",
+            "numberMatchingRequiredState": "enabled"
+        }
+    ]
+}
+```
+ 
+To verify, RUN GET again and verify the ObjectID
+GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+ 
+
+#### Example of error when enabling additional context for multiple groups
+
+The PATCH request will fail with 400 Bad Request and the error will contain the following message: 
+
+`Persistance of policy failed with error: You cannot enable multiple targets for feature 'Require Display App Information'. Choose only one of the following includeTargets to enable: aede0efe-c1b4-40dc-8ae7-2c402f23e312,aede0efe-c1b4-40dc-8ae7-2c402f23e317.`
+
+### Test the end-user experience
+Add the test user account to the Microsoft Authenticator app. The account **doesn't** need to be enabled for phone sign-in. 
+
+See the end-user experience of an Authenticator MFA push notification with additional context by signing into aka.ms/MFAsetup. 
+
+### Turn off additional context
+
+To turn off additional context, you'll need to PATCH remove **displayAppInformationRequiredState** from **enabled** to **disabled**/**default**.
+
+```json
+{
+    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
+    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
+    "id": "MicrosoftAuthenticator",
+    "state": "enabled",
+    "[email protected]": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+    "includeTargets": [
+        {
+            "targetType": "group",
+            "id": "all_users",
+            "authenticationMode": "any",
+            "displayAppInformationRequiredState": "enabled",
+            "numberMatchingRequiredState": "default"
+        }
+    ]
+}
+```
+
+## Enable additional context in the portal
+
+To enable additional context in the Azure AD portal, complete the following steps:
+
+1. In the Azure AD portal, click **Security** > **Authentication methods** > **Microsoft Authenticator**.
+1. Select the target users, click the three dots on the right, and click **Configure**.
+   
+   ![Screenshot of how to configure number match.](media/howto-authentication-passwordless-phone/configure.png)
+
+1. Select the **Authentication mode**, and then for **Show additional context in notifications (Preview)**, click **Enable**, and then click **Done**.
+
+   ![Screenshot of enabling additional context.](media/howto-authentication-passwordless-phone/enable-additional-context.png)
+
+## Next steps
+
+[Authentication methods in Azure Active Directory - Microsoft Authenticator app](concept-authentication-authenticator-app.md)
+