Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into PIM

Author: barclayn

.openpublishing.redirection.managed-grafana.json

@@ -0,0 +1,9 @@
+{
+    "redirections": [
+        {
+            "source_path_from_root": "/articles/managed-grafana/how-to-sync-teams-with-aad-groups.md",
+            "redirect_url": "/azure/managed-grafana/how-to-sync-teams-with-azure-ad-groups",
+            "redirect_document_id": false
+        }
+    ]
+}

articles/active-directory/authentication/how-to-authentication-find-coverage-gaps.md

@@ -58,3 +58,7 @@ After your admins are enforced for multifactor authentication and have been usin
 - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview)
 
 You can read more about these authentication methods and their security considerations in [Azure AD authentication methods](concept-authentication-methods.md).
+
+## Next steps
+
+[Enable passwordless sign-in with Microsoft Authenticator](howto-authentication-passwordless-phone.md)

articles/active-directory/authentication/how-to-authentication-methods-manage.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 03/22/2023
+ms.date: 09/13/2023
 
 ms.author: justinha
 author: justinha
@@ -70,7 +70,10 @@ Record which users are in scope for SSPR (either all users, one specific group,
 
 ### Authentication methods policy
 
-To check settings in the Authentication methods policy, sign in as an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator) and go to **Azure Active Directory** > **Security** > **Authentication methods** > **Policies**. A new tenant has all methods **Off** by default, which makes migration easier because legacy policy settings don't need to be merged with existing settings. 
+To check settings in the Authentication methods policy, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator) and browse to **Protection** > **Authentication methods** > **Policies**. A new tenant has all methods **Off** by default, which makes migration easier because legacy policy settings don't need to be merged with existing settings. 
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** >
 
 :::image type="content"  source="media/concept-authentication-methods-manage/authentication-methods-policy.png" alt-text="Screenshot that shows the authentication methods." lightbox="media/concept-authentication-methods-manage/authentication-methods-policy.png":::
 

articles/active-directory/authentication/how-to-authentication-sms-supported-apps.md

@@ -25,7 +25,7 @@ SMS-based authentication is available to Microsoft apps integrated with the Micr
 | Microsoft One Note | ● |   |
 | Microsoft Teams | ● | ● |
 | Company portal | ● | ● |
-| My Apps Portal | ● |Not available|
+| My Apps portal | ● |Not available|
 | Microsoft Forms | ● |Not available|
 | Microsoft Edge | ● |   |
 | Microsoft Power BI | ● |   |
@@ -36,17 +36,17 @@ SMS-based authentication is available to Microsoft apps integrated with the Micr
 
 *_SMS sign-in isn't available for office applications, such as Word, Excel, etc., when accessed directly on the web, but is available when accessed through the [Office 365 web app](https://www.office.com)_
 
-The above mentioned Microsoft apps support SMS sign-in is because they use the Microsoft Identity login (`https://login.microsoftonline.com/`), which allows user to enter phone number and SMS code.
+The above mentioned Microsoft apps support SMS sign-in is because they use the Microsoft Identity login (`https://login.microsoftonline.com/`), which allows users to enter phone number and SMS code.
 
 ## Unsupported Microsoft apps
 
 Microsoft 365 desktop (Windows or Mac) apps and Microsoft 365 web apps (except MS One Note) that are accessed directly on the web don't support SMS sign-in. These apps use the Microsoft Office login (`https://office.live.com/start/*`) that requires a password to sign in.
-For the same reason, Microsoft Office mobile apps (except Microsoft Teams, Company Portal, and Microsoft Azure) don't support SMS sign-in.
+For the same reason, Microsoft Office mobile apps (except Microsoft Teams, Company portal, and Microsoft Azure) don't support SMS sign-in.
 
 | Unsupported Microsoft apps| Examples |
 | --- | --- |
 | Native desktop Microsoft apps | Microsoft Teams, O365 apps, Word, Excel, etc.|
-| Native mobile Microsoft apps (except Microsoft Teams, Company Portal, and Microsoft Azure) | Outlook, Edge, Power BI, Stream, SharePoint, Power Apps, Word, etc.|
+| Native mobile Microsoft apps (except Microsoft Teams, Company portal, and Microsoft Azure) | Outlook, Edge, Power BI, Stream, SharePoint, Power Apps, Word, etc.|
 | Microsoft 365 web apps (accessed directly on web) | [Outlook](https://outlook.live.com/owa/), [Word](https://office.live.com/start/Word.aspx), [Excel](https://office.live.com/start/Excel.aspx), [PowerPoint](https://office.live.com/start/PowerPoint.aspx)|  
 
 ## Support for Non-Microsoft apps 

articles/active-directory/authentication/how-to-certificate-based-authentication.md

@@ -5,7 +5,7 @@ description: Topic that shows how to configure Azure AD certificate-based authen
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 02/09/2023
+ms.date: 09/13/2023
 
 ms.author: justinha
 author: justinha
@@ -53,16 +53,16 @@ Optionally, you can also configure authentication bindings to map certificates t
 
 ## Step 1: Configure the certification authorities
 
-You can configure CAs by using the Azure portal or PowerShell.
+You can configure CAs by using the Microsoft Entra admin center or PowerShell.
 
-### Configure certification authorities using the Azure portal
+### Configure certification authorities using the Microsoft Entra admin center
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
-To enable the certificate-based authentication and configure user bindings in the Azure portal, complete the following steps:
+To enable the certificate-based authentication and configure user bindings in the Microsoft Entra admin center, complete the following steps:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
-1. Click **Azure Active Directory** > **Security**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Certifacte-based authentication**.
 
    :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/certificate-authorities.png" alt-text="Screenshot of certification authorities.":::
 
@@ -144,11 +144,10 @@ For more information, see [Understanding the certificate revocation process](./c
 >[!IMPORTANT]
 >A user is considered capable for **MFA** when the user is in scope for **Certificate-based authentication** in the Authentication methods policy. This policy requirement means a user can't use proof up as part of their authentication to register other available methods. If the users do not have access to certificates they will be locked out and not be able to register other methods for MFA. So the admin needs to enable users who have a valid certificate into the CBA scope. Do not use all users for CBA target and use groups of users who have valid certificates available. For more information, see [Azure AD MFA](concept-mfa-howitworks.md).
 
-To enable the certificate-based authentication in the Azure portal, complete the following steps:
+To enable the certificate-based authentication in the Microsoft Entra admin center, complete the following steps:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Authentication Policy Administrator.
-1. Select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.
-1. Under **Manage**, select **Authentication methods** > **Certificate-based Authentication**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Certificate-based Authentication**.
 1. Under **Enable and Target**, click **Enable**.
 1. Click **All users**, or click **Add groups** to select specific groups.
 
@@ -164,11 +163,10 @@ Once certificate-based authentication is enabled on the tenant, all users in the
 
 The authentication binding policy helps determine the strength of authentication to either a single factor or multi factor. An admin can change the default value from single-factor to multifactor and configure custom policy rules by mapping to issuer Subject or policy OID fields in the certificate.
 
-To enable Azure AD CBA and configure user bindings in the Azure portal, complete the following steps:
+To enable Azure AD CBA and configure user bindings in the Microsoft Entra admin center, complete the following steps:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Authentication Policy Administrator.
-1. Select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.
-1. Click **Authentication methods** > **Policies**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Policies**.
 1. Under **Manage**, select **Authentication methods** > **Certificate-based Authentication**.
 
    :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/policy.png" alt-text="Screenshot of Authentication policy.":::

articles/active-directory/authentication/how-to-mfa-additional-context.md

@@ -4,7 +4,7 @@ description: Learn how to use additional context in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/29/2023
+ms.date: 09/13/2023
 ms.author: justinha
 author: mjsantani
 ms.collection: M365-identity-device-management
@@ -17,7 +17,7 @@ This topic covers how to improve the security of user sign-in by adding the appl
 
 ## Prerequisites
 
-- Your organization needs to enable Microsoft Authenticator passwordless and push notifications for some users or groups by using the new Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API. 
+- Your organization needs to enable Microsoft Authenticator passwordless and push notifications for some users or groups by using the new Authentication methods policy. You can edit the Authentication methods policy by using the Microsoft Entra admin center or Microsoft Graph API. 
 
   >[!NOTE]
   >The policy schema for Microsoft Graph APIs has been improved. The older policy schema is now deprecated. Make sure you use the new schema to help prevent errors.
@@ -165,7 +165,7 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
 #### Example of how to enable application name and geographic location for separate groups
 
 In **featureSettings**, change **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** from **default** to **enabled.** 
-Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure portal.
+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Microsoft Entra admin center.
 
 You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**. 
 
@@ -222,7 +222,7 @@ GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationM
 #### Example of how to disable application name and only enable geographic location 
 
 In **featureSettings**, change the state of **displayAppInformationRequiredState** to **default** or **disabled** and **displayLocationInformationRequiredState** to **enabled.** 
-Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure portal.
+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Microsoft Entra admin center.
 
 You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**. 
 
@@ -273,9 +273,9 @@ Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
 #### Example of how to exclude a group from application name and geographic location 
 
 In **featureSettings**, change the states of **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** from **default** to **enabled.** 
-Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure portal.
+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Microsoft Entra admin center.
 
-In addition, for each of the features, you'll change the id of the excludeTarget to the ObjectID of the group from the Azure portal. This change excludes that group from seeing application name or geographic location.
+In addition, for each of the features, you'll change the id of the excludeTarget to the ObjectID of the group from the Microsoft Entra admin center. This change excludes that group from seeing application name or geographic location.
 
 You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**. 
 
@@ -408,11 +408,12 @@ To turn off additional context, you'll need to PATCH **displayAppInformationRequ
 }
 ```
 
-## Enable additional context in the portal
+## Enable additional context in the Microsoft Entra admin center
 
-To enable application name or geographic location in the Azure portal, complete the following steps:
+To enable application name or geographic location in the Microsoft Entra admin center, complete the following steps:
 
-1. In the Azure portal, click **Security** > **Authentication methods** > **Microsoft Authenticator**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Microsoft Authenticator**.
 1. On the **Basics** tab, click **Yes** and **All users** to enable the policy for everyone, and change **Authentication mode** to **Any**. 
 
    Only users who are enabled for Microsoft Authenticator here can be included in the policy to show the application name or geographic location of the sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see application name or geographic location.