Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory/authentication/howto-authentication-passwordless-phone.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 07/15/2022
+ms.date: 07/19/2022
 
 
 ms.author: justinha
@@ -24,21 +24,38 @@ Microsoft Authenticator can be used to sign in to any Azure AD account without u
 
 This authentication technology can be used on any device platform, including mobile. This technology can also be used with any app or website that integrates with Microsoft Authentication Libraries.
 
-:::image type="content" border="false" source="./media/howto-authentication-passwordless-phone/phone-sign-in-microsoft-authenticator-app.png" alt-text="Screenshot that shows an example of a browser sign-in asking for the user to approve the sign-in.":::
+:::image type="content" border="false" source="./media/howto-authentication-passwordless-phone/phone-sign-in-microsoft-authenticator-app-next.png" alt-text="Screenshot that shows an example of a browser sign-in asking for the user to approve the sign-in.":::
 
 People who enabled phone sign-in from Microsoft Authenticator see a message that asks them to tap a number in their app. No username or password is asked for. To complete the sign-in process in the app, a user must next take the following actions:
 
 1. Enter the number they see on the login screen into Microsoft Authenticator dialog.
 1. Choose **Approve**.
 1. Provide their PIN or biometric.
 
+## Multiple accounts on iOS (preview)
+
+You can enable passwordless phone sign-in for multiple accounts in Microsoft Authenticator on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same iOS device. 
+
+Previously, admins might not require passwordless sign-in for users with multiple accounts because it requires them to carry more devices for sign-in. By removing the limitation of one user sign-in from a device, admins can more confidently encourage users to register passwordless phone sign-in and use it as their default sign-in method.
+
+The Azure AD accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-in from one device.
+
+>[!NOTE]
+>Multiple accounts on iOS is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). 
+
 ## Prerequisites
 
 To use passwordless phone sign-in with Microsoft Authenticator, the following prerequisites must be met:
 
 - Recommended: Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help the Authenticator app to prevent unauthorized access to accounts and stop fraudulent transactions. The Authenticator app automatically generates codes when set up to do push notifications so a user has a backup sign-in method even if their device doesn't have connectivity. 
 - Latest version of Microsoft Authenticator installed on devices running iOS 12.0 or greater, or Android 6.0 or greater.
-- The device that runs Microsoft Authenticator must be registered to an individual user. We're actively working to enable multiple accounts on Android. 
+- For Android, the device that runs Microsoft Authenticator must be registered to an individual user. We're actively working to enable multiple accounts on Android. 
+- For iOS, the device must be registered with each tenant where it's used to sign in. For example, the following device must be registered with Contoso and Wingtiptoys to allow all accounts to sign in:
+  - [email protected]
+  - [email protected] and bsandhu@wingtiptoys
+- For iOS, we recommend enabling the option in Microsoft Authenticator to allow Microsoft to gather usage data. It's not enabled by default. To enable it in Microsoft Authenticator, go to **Settings** > **Usage Data**.
+  
+  :::image type="content" border="true" source="./media/howto-authentication-passwordless-phone/telemetry.png" alt-text="Screenshot of Usage Data in Microsoft Authenticator.":::
 
 To use passwordless authentication in Azure AD, first enable the combined registration experience, then enable users for the passwordless method.
 
@@ -128,19 +145,11 @@ An end user can be enabled for multifactor authentication (MFA) through an on-pr
 
 If the user attempts to upgrade multiple installations (5+) of Microsoft Authenticator with the passwordless phone sign-in credential, this change might result in an error.
 
-### Device registration
-
-Before you can create this new strong credential, there are prerequisites. One prerequisite is that the device on which Microsoft Authenticator is installed must be registered within the Azure AD tenant to an individual user.
-
-Currently, a device can only be enabled for passwordless sign-in in a single tenant. This limit means that only one work or school account in Microsoft Authenticator can be enabled for phone sign-in.
-
-> [!NOTE]
-> Device registration is not the same as device management or mobile device management (MDM). Device registration only associates a device ID and a user ID together, in the Azure AD directory.
 
 ## Next steps
 
 To learn about Azure AD authentication and passwordless methods, see the following articles:
 
 - [Learn how passwordless authentication works](concept-authentication-passwordless.md)
 - [Learn about device registration](../devices/overview.md)
-- [Learn about Azure AD Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md)
+- [Learn about Azure AD Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md)

articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md

@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
 
 Accounts that are assigned administrative rights are targeted by attackers. Requiring multi-factor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.
 
-Microsoft recommends you require MFA on the following roles at a minimum:
+Microsoft recommends you require MFA on the following roles at a minimum, based on [identity score recommendations](../fundamentals/identity-secure-score.md):
 
 - Global administrator
 - Application administrator

articles/active-directory/fundamentals/road-to-the-cloud-introduction.md

@@ -14,7 +14,7 @@ ms.custom: references_regions
 
 # Introduction
 
-This content provides guidance to move:
+Some organizations set goals to remove AD, and their on-premises IT footprint. Others take advantage of some cloud-based capabilities to reduce the AD footprint, but not to completely remove their on-premises environments. This content provides guidance to move:
 
  * **From** - Active Directory (AD) and other non-cloud based services, either hosted on-premises or Infrastructure-as-a-Service (IaaS), that provide identity management (IDM), identity and access management (IAM) and device management.
 
@@ -23,7 +23,7 @@ This content provides guidance to move:
 >[!NOTE]
 > In this content, when we refer to AD, we are referring to Windows Server Active Directory Domain Services.
 
-Some organizations set goals to remove AD, and their on-premises IT footprint. Others set goals to take advantage of some cloud-based capabilities, but not to completely remove their on-premises or IaaS environments. Transformation must be aligned with and achieve business objectives including increased productivity, reduced costs and complexity, and improved security posture. To better understand the costs vs. value of moving to the cloud, see [Forrester TEI for Microsoft Azure Active Directory](https://www.microsoft.com/security/business/forrester-tei-study) and other TEI reports and [Cloud economics](https://azure.microsoft.com/overview/cloud-economics/).
+Transformation must be aligned with and achieve business objectives including increased productivity, reduced costs and complexity, and improved security posture. To better understand the costs vs. value of moving to the cloud, see [Forrester TEI for Microsoft Azure Active Directory](https://www.microsoft.com/security/business/forrester-tei-study) and other TEI reports and [Cloud economics](https://azure.microsoft.com/overview/cloud-economics/).
 
 ## Next steps
 

articles/active-directory/governance/TOC.yml

@@ -56,7 +56,7 @@
     - name: Manage users excluded from Conditional Access
       href: conditional-access-exclusion.md
     - name: Review recommendations for group access reviews
-      hreg: peer-outlier-access-reviews.md
+      href: review-recommendations-group-access-reviews.md
   - name:  Review and remove users from external organizations
     href: access-reviews-external-users.md
 - name: How-to guides

articles/active-directory/governance/review-recommendations-group-access-reviews.md

@@ -1,5 +1,5 @@
 ---
-title: Review access with review recommendations - Azure AD
+title: Review recommendations for Access reviews - Azure AD
 description: Learn how to review access of group members with review recommendations in Azure Active Directory access reviews.
 services: active-directory
 author: ajburnle
@@ -16,7 +16,7 @@ ms.reviewer: mwahl
 ms.collection: M365-identity-device-management
 ---
 
-# Review recommendations for group access reviews 
+# Review recommendations for Access reviews 
 
 Decision makers who review users' access and perform access reviews can use system based recommendations to help them decide whether to continue their access or deny their access to resources. For more information about how to use review recommendations, see [Enable decision helpers](create-access-review.md#next-settings).
 

articles/aks/web-app-routing.md

@@ -20,12 +20,10 @@ The Web Application Routing solution makes it easy to access applications that a
 
 ## Web Application Routing solution overview
 
-The add-on deploys four components: an [nginx ingress controller][nginx], [Secrets Store CSI Driver][csi-driver], [Open Service Mesh (OSM)][osm], and [External-DNS][external-dns] controller.
+The add-on deploys two components: an [nginx ingress controller][nginx], and [External-DNS][external-dns] controller.
 
 - **Nginx ingress Controller**: The ingress controller exposed to the internet.
 - **External-DNS controller**: Watches for Kubernetes Ingress resources and creates DNS A records in the cluster-specific DNS zone.
-- **CSI driver**: Connector used to communicate with keyvault to retrieve SSL certificates for ingress controller.
-- **OSM**: A lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
 
 ## Prerequisites
 
@@ -48,23 +46,31 @@ az extension update --name aks-preview
 
 ### Install the `osm` CLI
 
-Since Web Application Routing uses OSM internally to secure intranet communication, we need to set up the `osm` CLI. This command-line tool contains everything needed to install and configure Open Service Mesh. The binary is available on the [OSM GitHub releases page][osm-release].
+Since Web Application Routing uses OSM internally to secure intranet communication, we need to set up the `osm` CLI. This command-line tool contains everything needed to configure and manage Open Service Mesh. The latest binaries are available on the [OSM GitHub releases page][osm-release].
 
-## Deploy Web Application Routing with the Azure CLI
+### Import certificate to Azure Keyvault
 
-The Web Application Routing routing add-on can be enabled with the Azure CLI when deploying an AKS cluster. To do so, use the [az aks create][az-aks-create] command with the `--enable-addons` argument.
+```bash
+openssl pkcs12 -export -in aks-ingress-tls.crt -inkey aks-ingress-tls.key -out aks-ingress-tls.pfx
+# skip Password prompt
+```
 
 ```azurecli
-az aks create --resource-group myResourceGroup --name myAKSCluster --enable-addons web_application_routing 
+az keyvault certificate import --vault-name <MY_KEYVAULT> -n <KEYVAULT-CERTIFICATE-NAME> -f aks-ingress-tls.pfx
 ```
 
-> [!TIP]
-> If you want to enable multiple add-ons, provide them as a comma-separated list. For example, to enable Web Application Routing routing and monitoring, use the format `--enable-addons web_application_routing,monitoring`.
+## Deploy Web Application Routing with the Azure CLI
+
+The Web Application Routing routing add-on can be enabled with the Azure CLI when deploying an AKS cluster. To do so, use the [az aks create][az-aks-create] command with the `--enable-addons` argument. However, since Web Application routing depends on the OSM addon to secure intranet communication and the Azure Keyvault Secret Provider to retrieve certificates, we must enable them at the same time.
+
+```azurecli
+az aks create --resource-group myResourceGroup --name myAKSCluster --enable-addons azure-keyvault-secrets-provider,open-service-mesh,web_application_routing --generate-ssh-keys
+```
 
 You can also enable Web Application Routing on an existing AKS cluster using the [az aks enable-addons][az-aks-enable-addons] command. To enable Web Application  Routing on an existing cluster, add the `--addons` parameter and specify *web_application_routing* as shown in the following example:
 
 ```azurecli
-az aks enable-addons --resource-group myResourceGroup --name myAKSCluster --addons web_application_routing 
+az aks enable-addons --resource-group myResourceGroup --name myAKSCluster --addons azure-keyvault-secrets-provider,open-service-mesh,web_application_routing
 ```
 
 ## Connect to your AKS cluster
@@ -109,16 +115,10 @@ Copy the identity's object ID:
 
 ### Grant access to Azure Key Vault
 
-Obtain the vault URI for your Azure Key Vault:
-
-```azurecli
-az keyvault show --resource-group myResourceGroup --name myapp-contoso
-```
-
 Grant `GET` permissions for Web Application Routing to retrieve certificates from Azure Key Vault:
 
 ```azurecli
-az keyvault set-policy --name myapp-contoso --object-id <WEB_APP_ROUTING_MSI_OBJECT_ID>  --secret-permissions get --certificate-permissions get
+az keyvault set-policy --name myapp-contoso --object-id <WEB_APP_ROUTING_MSI_OBJECT_ID> --secret-permissions get --certificate-permissions get
 ```
 
 ## Use Web Application Routing
@@ -128,12 +128,16 @@ The Web Application Routing solution may only be triggered on service resources
 ```yaml
 annotations:
   kubernetes.azure.com/ingress-host: myapp.contoso.com
-  kubernetes.azure.com/tls-cert-keyvault-uri: myapp-contoso.vault.azure.net/certificates/keyvault-certificate-name/keyvault-certificate-name-revision
+  kubernetes.azure.com/tls-cert-keyvault-uri: https://<MY-KEYVAULT>.vault.azure.net/certificates/<KEYVAULT-CERTIFICATE-NAME>/<KEYVAULT-CERTIFICATE-REVISION>
 ```
 
-These annotations in the service manifest would direct Web Application Routing to create an ingress servicing `myapp.contoso.com` connected to the keyvault `myapp-contoso` and will retrieve the `keyvault-certificate-name` with `keyvault-certificate-name-revision`
+These annotations in the service manifest would direct Web Application Routing to create an ingress servicing `myapp.contoso.com` connected to the keyvault `<MY-KEYVAULT>` and will retrieve the `<KEYVAULT-CERTIFICATE-NAME>` with `<KEYVAULT-CERTIFICATE-REVISION>`. To obtain the certificate URI within your keyvault run: 
+
+```azurecli
+az keyvault certificate show --vault-name <MY_KEYVAULT> --name <KEYVAULT-CERTIFICATE-NAME> -o jsonc | jq .id
+```
 
-Create a file named **samples-web-app-routing.yaml** and copy in the following YAML. On line 29-31, update `<MY_HOSTNAME>` with your DNS host name and `<MY_KEYVAULT_URI>` with the full certficicate vault URI.
+Create a file named **samples-web-app-routing.yaml** and copy in the following YAML. On line 29-31, update `<MY_HOSTNAME>` with your DNS host name and `<MY_KEYVAULT_CERTIFICATE_URI>` with the ID returned from keyvault.
 
 ```yaml
 apiVersion: apps/v1
@@ -165,7 +169,7 @@ metadata:
   name: aks-helloworld
   annotations:
     kubernetes.azure.com/ingress-host: <MY_HOSTNAME>
-    kubernetes.azure.com/tls-cert-keyvault-uri: <MY_KEYVAULT_URI>
+    kubernetes.azure.com/tls-cert-keyvault-uri: <MY_KEYVAULT_CERTIFICATE_URI>
 spec:
   type: ClusterIP
   ports:
@@ -190,10 +194,15 @@ service/aks-helloworld created
 ## Verify the managed ingress was created
 
 ```bash
-$ kubectl get ingress -n hello-web-app-routing
+kubectl get ingress -n hello-web-app-routing
+
+NAME             CLASS                                HOSTS               ADDRESS       PORTS     AGE
+aks-helloworld   webapprouting.kubernetes.azure.com   myapp.contoso.com   20.51.92.19   80, 443   4m
 ```
 
-Open a web browser to *<MY_HOSTNAME>*, for example *myapp.contoso.com* and verify you see the demo application. The application may take a few minutes to appear.
+## Configure external DNS to point to cluster
+
+Now that Web Application Routing is configured within our cluster and we have the external IP address, we can configure our DNS servers to reflect this. As soon as the DNS updates have propagated, open a web browser to *<MY_HOSTNAME>*, for example *myapp.contoso.com* and verify you see the demo application. The application may take a few minutes to appear.
 
 ## Remove Web Application Routing
 
@@ -206,7 +215,7 @@ kubectl delete namespace hello-web-app-routing
 The Web Application Routing add-on can be removed using the Azure CLI. To do so run the following command, substituting your AKS cluster and resource group name.
 
 ```azurecli
-az aks disable-addons --addons web_application_routing  --name myAKSCluster --resource-group myResourceGroup --no-wait
+az aks disable-addons --addons azure-keyvault-secrets-provider,open-service-mesh,web_application_routing --name myAKSCluster --resource-group myResourceGroup 
 ```
 
 When the Web Application Routing add-on is disabled, some Kubernetes resources may remain in the cluster. These resources include *configMaps* and *secrets*, and are created in the *app-routing-system* namespace. To maintain a clean cluster, you may want to remove these resources.