Merge pull request #209496 from MicrosoftDocs/main

8/29 AM Publish

Author: huypub

articles/active-directory-b2c/partner-dynamics-365-fraud-protection.md

@@ -17,7 +17,7 @@ ms.subservice: B2C
 
 # Tutorial: Configure Microsoft Dynamics 365 Fraud Protection with Azure Active Directory B2C
 
-In this sample tutorial, learn how to integrate [Microsoft Dynamics 365 Fraud Protection](/dynamics365/fraud-protection) (DFP) with Azure Active Directory (AD) B2C.
+In this sample tutorial, learn how to integrate [Microsoft Dynamics 365 Fraud Protection](/dynamics365/fraud-protection/ap-overview) (DFP) with Azure Active Directory (AD) B2C.
 
 Microsoft DFP provides organizations with the capability to assess the risk of attempts to create fraudulent accounts and  log-ins. Microsoft DFP assessment can be used by the customer to block or challenge suspicious attempts to create new fake accounts or to compromise existing accounts.
 

articles/active-directory/authentication/howto-authentication-temporary-access-pass.md

@@ -113,7 +113,7 @@ c5dbd20a-8b8f-4791-a23f-488fcbde3b38 5/22/2022 11:19:17 PM False    True
 
 ```
 
-For more information, see [New-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/new-mguserauthenticationtemporaryaccesspassmethod&preserve-view=true) and [Get-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/get-mguserauthenticationtemporaryaccesspassmethod?view=graph-powershell-beta&preserve-view=true).
+For more information, see [New-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/new-mguserauthenticationtemporaryaccesspassmethod) and [Get-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/get-mguserauthenticationtemporaryaccesspassmethod?view=graph-powershell-beta&preserve-view=true).
 
 ## Use a Temporary Access Pass
 

articles/active-directory/cloud-sync/reference-cloud-sync-faq.yml

@@ -4,7 +4,7 @@ metadata:
   description: This document describes frequently asked questions for cloud sync.
   services: active-directory
   author: billmath
-  manager: karenhoran
+  manager: amycolannino
   ms.service: active-directory
   ms.workload: identity
   ms.topic: faq

articles/active-directory/conditional-access/TOC.yml

@@ -82,6 +82,8 @@
       href: howto-conditional-access-policy-location.md
     - name: Block access
       href: howto-conditional-access-policy-block-access.md
+    - name: Require MFA for Intune enrollment
+      href: /mem/intune/enrollment/multi-factor-authentication?toc=/azure/active-directory/conditional-access/TOC.json
   - name: Configure resilience defaults
     href: resilience-defaults.md
   - name: Configure report only mode

articles/active-directory/conditional-access/howto-conditional-access-policy-risk-user.md

@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
 
 Microsoft works with researchers, law enforcement, various security teams at Microsoft, and other trusted sources to find leaked username and password pairs. Organizations with Azure AD Premium P2 licenses can create Conditional Access policies incorporating [Azure AD Identity Protection user risk detections](../identity-protection/concept-identity-protection-risks.md). 
 
-There are two locations where this policy may be configured, Conditional Access and Identity Protection. Configuration using a Conditional Access policy is the preferred method providing more context including enhanced diagnostic data, report-only mode integration, Graph API support, and the ability to utilize other Conditional Access attributes in the policy.
+There are two locations where this policy may be configured, Conditional Access and Identity Protection. Configuration using a Conditional Access policy is the preferred method providing more context including enhanced diagnostic data, report-only mode integration, Graph API support, and the ability to utilize other Conditional Access attributes like sign-in frequency in the policy.
 
 ## Template deployment
 
@@ -41,21 +41,21 @@ Organizations can choose to deploy this policy using the steps outlined below or
 1. Under **Access controls** > **Grant**.
    1. Select **Grant access**, **Require password change**.
    1. Select **Select**.
+1. Under **Session**.
+   1. Select **Sign-in frequency**.
+   1. Ensure **Every time** is selected.
+   1. Select **Select**.
 1. Confirm your settings, and set **Enable policy** to **Report-only**.
 1. Select **Create** to create to enable your policy.
 
-After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.
 
 ## Next steps
 
-[Remediate risks and unblock users](../identity-protection/howto-identity-protection-remediate-unblock.md)
-
-[Conditional Access common policies](concept-conditional-access-policy-common.md)
-
-[Sign-in risk-based Conditional Access](howto-conditional-access-policy-risk.md)
-
-[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
-
-[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
-
-[What is Azure Active Directory Identity Protection?](../identity-protection/overview-identity-protection.md)
+- [Require reauthentication every time](../conditional-access/howto-conditional-access-session-lifetime.md#require-reauthentication-every-time)
+- [Remediate risks and unblock users](../identity-protection/howto-identity-protection-remediate-unblock.md)
+- [Conditional Access common policies](concept-conditional-access-policy-common.md)
+- [Sign-in risk-based Conditional Access](howto-conditional-access-policy-risk.md)
+- [Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
+- [Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
+- [What is Azure Active Directory Identity Protection?](../identity-protection/overview-identity-protection.md)

articles/active-directory/conditional-access/howto-conditional-access-policy-risk.md

@@ -21,9 +21,9 @@ Most users have a normal behavior that can be tracked, when they fall outside of
 
 A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Organizations with Azure AD Premium P2 licenses can create Conditional Access policies incorporating [Azure AD Identity Protection sign-in risk detections](../identity-protection/concept-identity-protection-risks.md#sign-in-risk). 
 
-There are two locations where this policy may be configured, Conditional Access and Identity Protection. Configuration using a Conditional Access policy is the preferred method providing more context including enhanced diagnostic data, report-only mode integration, Graph API support, and the ability to utilize other Conditional Access attributes in the policy.
+There are two locations where this policy may be configured, Conditional Access and Identity Protection. Configuration using a Conditional Access policy is the preferred method providing more context including enhanced diagnostic data, report-only mode integration, Graph API support, and the ability to utilize other Conditional Access attributes like sign-in frequency in the policy.
 
-The Sign-in risk-based policy protects users from registering MFA in risky sessions. If users aren't registered for MFA, their risky sign-ins will get blocked, and they see an AADSTS53004 error.
+The Sign-in risk-based policy protects users from registering MFA in risky sessions. If users aren't registered for MFA, their risky sign-ins are blocked, and they see an AADSTS53004 error.
 
 ## Template deployment
 
@@ -45,21 +45,21 @@ Organizations can choose to deploy this policy using the steps outlined below or
 1. Under **Access controls** > **Grant**.
    1. Select **Grant access**, **Require multifactor authentication**.
    1. Select **Select**.
+1. Under **Session**.
+   1. Select **Sign-in frequency**.
+   1. Ensure **Every time** is selected.
+   1. Select **Select**.
 1. Confirm your settings and set **Enable policy** to **Report-only**.
 1. Select **Create** to create to enable your policy.
 
-After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.
 
 ## Next steps
 
-[Remediate risks and unblock users](../identity-protection/howto-identity-protection-remediate-unblock.md)
-
-[Conditional Access common policies](concept-conditional-access-policy-common.md)
-
-[User risk-based Conditional Access](howto-conditional-access-policy-risk-user.md)
-
-[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
-
-[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
-
-[What is Azure Active Directory Identity Protection?](../identity-protection/overview-identity-protection.md)
+- [Require reauthentication every time](../conditional-access/howto-conditional-access-session-lifetime.md#require-reauthentication-every-time)
+- [Remediate risks and unblock users](../identity-protection/howto-identity-protection-remediate-unblock.md)
+- [Conditional Access common policies](concept-conditional-access-policy-common.md)
+- [User risk-based Conditional Access](howto-conditional-access-policy-risk-user.md)
+- [Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
+- [Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
+- [What is Azure Active Directory Identity Protection?](../identity-protection/overview-identity-protection.md)

articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md

@@ -11,7 +11,7 @@ ms.date: 08/22/2022
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: amycolannino
-ms.reviewer: jlu, calebb, ripull
+ms.reviewer: calebb, ripull, inbarc
 
 ms.collection: M365-identity-device-management
 ---
@@ -58,7 +58,7 @@ Sign-in frequency previously applied to only to the first factor authentication
 
 ### User sign-in frequency and device identities
 
-If you have Azure AD joined, hybrid Azure AD joined, or Azure AD registered devices, when a user unlocks their device or signs in interactively, this event will satisfy the sign-in frequency policy as well. In the following two examples user sign-in frequency is set to 1 hour:
+On Azure AD joined, hybrid Azure AD joined, or Azure AD registered devices, unlocking the device or signing in interactively will satisfy the sign-in frequency policy. In the following two examples user sign-in frequency is set to 1 hour:
 
 Example 1:
 
@@ -73,29 +73,23 @@ Example 2:
 - At 00:45, the user returns from their break and unlocks the device.
 - At 01:45, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator since the last sign-in happened at 00:45.
 
-### Require reauthentication every time (preview)
+### Require reauthentication every time
 
 There are scenarios where customers may want to require a fresh authentication, every time before a user performs specific actions. Sign-in frequency has a new option for **Every time** in addition to hours or days.
 
-The public preview supports the following scenarios:
+Supported scenarios:
 
 - Require user reauthentication during [Intune device enrollment](/mem/intune/fundamentals/deployment-guide-enrollment), regardless of their current MFA status.
 - Require user reauthentication for risky users with the [require password change](concept-conditional-access-grant.md#require-password-change) grant control.
 - Require user reauthentication for risky sign-ins with the [require multifactor authentication](concept-conditional-access-grant.md#require-multi-factor-authentication) grant control.
 
 When administrators select **Every time**, it will require full reauthentication when the session is evaluated.
 
-> [!NOTE]
-> An early preview version included the option to prompt for Secondary authentication methods only at reauthentication. This option is no longer supported and should not be used.
-
-> [!WARNING]
-> Using require reauthentication every time with the sign-in risk grant control set to **No risk** isn’t supported and will result in poor user experience.
-
 ## Persistence of browsing sessions
 
 A persistent browser session allows users to remain signed in after closing and reopening their browser window.
 
-The Azure AD default for browser session persistence allows users on personal devices to choose whether to persist the session by showing a “Stay signed in?” prompt after successful authentication. If browser persistence is configured in AD FS using the guidance in the article [AD FS Single Sign-On Settings](/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online), we'll comply with that policy and persist the Azure AD session as well. You can also configure whether users in your tenant see the “Stay signed in?” prompt by changing the appropriate setting in the company branding pane in Azure portal using the guidance in the article [Customize your Azure AD sign-in page](../fundamentals/customize-branding.md).
+The Azure AD default for browser session persistence allows users on personal devices to choose whether to persist the session by showing a “Stay signed in?” prompt after successful authentication. If browser persistence is configured in AD FS using the guidance in the article [AD FS single sign-on settings](/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online), we'll comply with that policy and persist the Azure AD session as well. You can also configure whether users in your tenant see the “Stay signed in?” prompt by changing the appropriate setting in the [company branding pane](../fundamentals/customize-branding.md).
 
 ## Configuring authentication session controls
 
@@ -123,13 +117,10 @@ To make sure that your policy works as expected, the recommended best practice i
 
 1. Under **Access controls** > **Session**.
    1. Select **Sign-in frequency**.
-   1. Enter the required value of days or hours in the first text box.
-   1. Select a value of **Hours** or **Days** from dropdown.
+      1. Choose **Periodic reauthentication** and enter a value of hours or days or select **Every time**.
 1. Save your policy.
 
-![Conditional Access policy configured for sign-in frequency](media/howto-conditional-access-session-lifetime/conditional-access-policy-session-sign-in-frequency.png)
-
-On Azure AD registered Windows devices, sign in to the device is considered a prompt. For example, if you've configured the sign-in frequency to 24 hours for Office apps, users on Azure AD registered Windows devices will satisfy the sign-in frequency policy by signing in to the device and will be not prompted again when opening Office apps.
+   > ![Conditional Access policy configured for sign-in frequency](media/howto-conditional-access-session-lifetime/conditional-access-policy-session-sign-in-frequency.png)
 
 ### Policy 2: Persistent browser session
 
@@ -144,13 +135,12 @@ On Azure AD registered Windows devices, sign in to the device is considered a pr
 
 1. Under **Access controls** > **Session**.
    1. Select **Persistent browser session**.
-   1. Select a value from dropdown.
-1. Save your policy.
 
-![Conditional Access policy configured for persistent browser](media/howto-conditional-access-session-lifetime/conditional-access-policy-session-persistent-browser.png)
+      > [!NOTE]
+      > Persistent Browser Session configuration in Azure AD Conditional Access overrides the “Stay signed in?” setting in the company branding pane in the Azure portal for the same user if you have configured both policies.
 
-> [!NOTE]
-> Persistent Browser Session configuration in Azure AD Conditional Access will overwrite the “Stay signed in?” setting in the company branding pane in the Azure portal for the same user if you have configured both policies.
+   1. Select a value from dropdown.
+1. Save your policy.
 
 ### Policy 3: Sign-in frequency control every time risky user
 
@@ -165,25 +155,24 @@ On Azure AD registered Windows devices, sign in to the device is considered a pr
 1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
 1. Under **Conditions** > **User risk**, set **Configure** to **Yes**. Under **Configure user risk levels needed for policy to be enforced** select **High**, then select **Done**.
 1. Under **Access controls** > **Grant**, select **Grant access**, **Require password change**, and select **Select**.
-1. Under **Session controls** > **Sign-in frequency**, select **Every time (preview)**.
+1. Under **Session controls** > **Sign-in frequency**, select **Every time**.
 1. Confirm your settings and set **Enable policy** to **Report-only**.
 1. Select **Create** to create to enable your policy.
 
 After administrators confirm your settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.
 
 ### Validation
 
-Use the What-If tool to simulate a sign-in from the user to the target application and other conditions based on how you configured your policy. The authentication session management controls show up in the result of the tool.
-
-![Conditional Access What If tool results](media/howto-conditional-access-session-lifetime/conditional-access-what-if-tool-result.png)
+Use the [What If tool](what-if-tool.md) to simulate a sign-in from the user to the target application and other conditions based on how you configured your policy. The authentication session management controls show up in the result of the tool.
 
 ## Prompt tolerance
 
-We factor for five minutes of clock skew, so that we don’t prompt users more often than once every five minutes. If the user has done MFA in the last 5 minutes, and they hit another Conditional Access policy that requires reauthentication, we won't prompt the user. Over-promoting users for reauthentication can impact their productivity and increase the risk of users approving MFA requests they didn’t initiate. We highly recommend using “Sign-in frequency – every time” only for specific business needs. 
+We factor for five minutes of clock skew, so that we don’t prompt users more often than once every five minutes. If the user has done MFA in the last 5 minutes, and they hit another Conditional Access policy that requires reauthentication, we won't prompt the user. Over-promoting users for reauthentication can impact their productivity and increase the risk of users approving MFA requests they didn’t initiate. Use “Sign-in frequency – every time” only for specific business needs. 
 
 ## Known issues
-- If you configure sign-in frequency for mobile devices, authentication after each sign-in frequency interval could be slow (it can take 30 seconds on average). Also, it could happen across various apps at the same time. 
-- In iOS devices, if an app configures certificates as the first authentication factor and the app has both Sign-in frequency and [Intune mobile application management](/mem/intune/apps/app-lifecycle) policies applied, the end-users will be blocked from signing in to the app when the policy is triggered.
+
+- If you configure sign-in frequency for mobile devices: Authentication after each sign-in frequency interval could be slow, it can take 30 seconds on average. Also, it could happen across various apps at the same time. 
+- On iOS devices: If an app configures certificates as the first authentication factor and the app has both Sign-in frequency and [Intune mobile application management policies](/mem/intune/apps/app-lifecycle) applied, end-users are blocked from signing in to the app when the policy triggers.
 
 ## Next steps
 

articles/active-directory/conditional-access/media/howto-conditional-access-session-lifetime/conditional-access-policy-session-sign-in-frequency.png

@@ -4,7 +4,7 @@ description: Planning for a successful access reviews campaign for a particular
 services: active-directory
 documentationCenter: ''
 author: markwahl-msft
-manager: karenhoran
+manager: amycolannino
 editor: 
 ms.service: active-directory
 ms.workload: identity