Merge pull request #216640 from MicrosoftDocs/main

10/31 PM Publish

Author: huypub

articles/active-directory/reports-monitoring/recommendation-integrate-third-party-apps.md

@@ -2,60 +2,47 @@
 title: Azure Active Directory recommendation - Integrate third party apps with Azure AD | Microsoft Docs
 description: Learn why you should integrate third party apps with Azure AD
 services: active-directory
-documentationcenter: ''
-author: MarkusVi
+author: shlipsey3
 manager: amycolannino
-editor: ''
 
-ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e
 ms.service: active-directory
 ms.topic: reference
-ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 08/26/2022
-ms.author: markvi
+ms.date: 10/31/2022
+ms.author: sarahlipsey
 ms.reviewer: hafowler
 
 ms.collection: M365-identity-device-management
 ---
 
-# Azure AD recommendation: Integrate your third party apps 
+# Azure AD recommendation: Integrate third party apps 
 
-[Azure AD recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.
-
-This article covers the recommendation to integrate third party apps. 
+[Azure Active Directory (Azure AD) recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.
 
+This article covers the recommendation to integrate your third party apps with Azure AD. 
 
 ## Description
 
-As an Azure AD admin responsible for managing applications, you want to use the Azure AD security features with your third party apps. Integrating these apps into Azure AD enables:
-
-- You to use one unified method to manage access to your third party apps.
-- Your users to benefit from using single sign-on to access all your apps with a single password.
-
+As an Azure AD admin responsible for managing applications, you want to use the Azure AD security features with your third party apps. Integrating these apps into Azure AD enables you to use one unified method to manage access to your third party apps. Your users also benefit from using single sign-on to access all your apps with a single password.
 
-## Logic 
-
-If Azure AD determines that none of your users are using Azure AD to authenticate to your third party apps, this recommendation shows up.
+If Azure AD determines that none of your users are using Azure AD to authenticate to your third party apps, this recommendation shows up. 
 
 ## Value 
 
-Integrating third party apps with Azure AD allows you to use Azure AD's security features.
-The integration:
+Integrating third party apps with Azure AD allows you to utilize the core identity and access features provided by Azure AD. Manage access, single sign-on, and other properties. Add an extra security layer by using [Conditional Access](../conditional-access/overview.md) to control how your users can access your apps.
+
+Integrating third party apps with Azure AD:
 - Improves the productivity of your users.
 
 - Lowers your app management cost.
 
-You can then add an extra security layer by using conditional access to control how your users can access your apps.
-
 ## Action plan
 
 1. Review the configuration of your apps. 
-2. For each app that isn't integrated into Azure AD yet, verify whether an integration is possible.
+2. For each app that isn't integrated into Azure AD, verify whether an integration is possible.
 
 
 ## Next steps
 
-- [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md)
-- [Azure AD reports overview](overview-reports.md)
+- [Explore tutorials for integrating SaaS applications with Azure AD](../saas-apps/tutorial-list.md)

articles/active-directory/reports-monitoring/recommendation-mfa-from-known-devices.md

@@ -2,19 +2,14 @@
 title: Azure Active Directory recommendation - Minimize MFA prompts from known devices in Azure AD | Microsoft Docs
 description: Learn why you should minimize MFA prompts from known devices in Azure AD.
 services: active-directory
-documentationcenter: ''
-author: MarkusVi
+author: shlipsey3
 manager: amycolannino
-editor: ''
-
-ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e
 ms.service: active-directory
 ms.topic: reference
-ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 08/26/2022
-ms.author: markvi
+ms.date: 10/31/2022
+ms.author: sarahlipsey
 ms.reviewer: hafowler
 
 ms.collection: M365-identity-device-management
@@ -30,7 +25,7 @@ This article covers the recommendation to convert minimize multi-factor authenti
 
 ## Description
 
-As an admin, you want to maintain security for my company’s resources, but you also want your employees to easily access resources as needed.
+As an admin, you want to maintain security for your company’s resources, but you also want your employees to easily access resources as needed.
 
 MFA enables you to enhance the security posture of your tenant. While enabling MFA is a good practice, you should try to keep the number of MFA prompts your users have to go through at a minimum. One option you have to accomplish this goal is to **allow users to remember multi-factor authentication on devices they trust**.
 

articles/active-directory/reports-monitoring/recommendation-migrate-apps-from-adfs-to-azure-ad.md

@@ -2,19 +2,14 @@
 title: Azure Active Directory recommendation - Migrate apps from ADFS to Azure AD in Azure AD | Microsoft Docs
 description: Learn why you should migrate apps from ADFS to Azure AD in Azure AD
 services: active-directory
-documentationcenter: ''
-author: MarkusVi
+author: shlipsey3
 manager: amycolannino
-editor: ''
-
-ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e
 ms.service: active-directory
 ms.topic: reference
-ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 08/26/2022
-ms.author: markvi
+ms.date: 10/31/2022
+ms.author: sarahlipsey
 ms.reviewer: hafowler
 
 ms.collection: M365-identity-device-management
@@ -25,7 +20,7 @@ ms.collection: M365-identity-device-management
 [Azure AD recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.
 
 
-This article covers the recommendation to migrate apps from ADFS to Azure AD. 
+This article covers the recommendation to migrate apps from ADFS to Azure Active Directory (Azure AD). 
 
 
 ## Description

articles/active-directory/reports-monitoring/recommendation-migrate-to-authenticator.md

@@ -2,19 +2,14 @@
 title: Azure Active Directory recommendation - Migrate to Microsoft authenticator | Microsoft Docs
 description: Learn why you should migrate your users to the Microsoft authenticator app in Azure AD.
 services: active-directory
-documentationcenter: ''
-author: MarkusVi
+author: shlipsey3
 manager: amycolannino
-editor: ''
-
-ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e
 ms.service: active-directory
 ms.topic: reference
-ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 08/26/2022
-ms.author: markvi
+ms.date: 10/31/2022
+ms.author: sarahlipsey
 ms.reviewer: hafowler
 
 ms.collection: M365-identity-device-management

articles/active-directory/reports-monitoring/recommendation-turn-off-per-user-mfa.md

@@ -2,63 +2,54 @@
 title: Azure Active Directory recommendation - Turn off per user MFA in Azure AD | Microsoft Docs
 description: Learn why you should turn off per user MFA in Azure AD
 services: active-directory
-documentationcenter: ''
-author: MarkusVi
+author: shlipsey3
 manager: amycolannino
-editor: ''
 
-ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e
 ms.service: active-directory
 ms.topic: reference
-ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 08/26/2022
-ms.author: markvi
+ms.date: 10/31/2022
+ms.author: sarahlipsey
 ms.reviewer: hafowler
 
 ms.collection: M365-identity-device-management
 ---
 
-# Azure AD recommendation: Turn off per user MFA 
+# Azure AD recommendation: Convert per-user MFA to Conditional Access MFA
 
 [Azure AD recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.
 
-
-This article covers the recommendation to turn off per user MFA. 
-
+This article covers the recommendation to convert per-user Multi-factor authentication (MFA) accounts to Conditional Access (CA) MFA accounts. 
 
 ## Description
 
-As an admin, you want to maintain security for my company’s resources, but you also want your employees to easily access resources as needed.
-
-Multi-factor authentication (MFA) enables you to enhance the security posture of your tenant. In your tenant, you can enable MFA on a per-user basis. In this scenario, your users perform MFA each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on). 
-
-While enabling MFA is a good practice, you can reduce the number of times your users are prompted for MFA by converting per-user MFA to MFA based on conditional access.   
-
+As an admin, you want to maintain security for your company’s resources, but you also want your employees to easily access resources as needed. MFA enables you to enhance the security posture of your tenant.
 
-## Logic 
+In your tenant, you can enable MFA on a per-user basis. In this scenario, your users perform MFA each time they sign in, with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on. While enabling MFA is a good practice, converting per-user MFA to MFA based on [Conditional Access](../conditional-access/overview.md) can reduce the number of times your users are prompted for MFA.
 
-This recommendation shows up, if:
+This recommendation shows up if:
 
-- You have per-user MFA configured for at least 5% of your users
-- Conditional access policies are active for more than 1% of your users (indicating familiarity with CA policies).
+- You have per-user MFA configured for at least 5% of your users.
+- Conditional Access policies are active for more than 1% of your users (indicating familiarity with CA policies).
 
 ## Value 
 
-This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts. Ensure that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible.
+This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts. CA and MFA used together help ensure that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible.
 
 ## Action plan
 
-1. To get started, confirm that there's an existing conditional access policy with an MFA requirement. Ensure that you're covering all resources and users you would like to secure with MFA. Review your [conditional access policies](https://portal.azure.com/?Microsoft_AAD_IAM_enableAadvisorFeaturePreview=true&amp%3BMicrosoft_AAD_IAM_enableAadvisorFeature=true#blade/Microsoft_AAD_IAM/PoliciesTemplateBlade).
+1. Confirm that there's an existing CA policy with an MFA requirement. Ensure that you're covering all resources and users you would like to secure with MFA.
+    - Review your [Conditional Access policies](https://portal.azure.com/?Microsoft_AAD_IAM_enableAadvisorFeaturePreview=true&amp%3BMicrosoft_AAD_IAM_enableAadvisorFeature=true#blade/Microsoft_AAD_IAM/PoliciesTemplateBlade).
 
-2.	To require MFA using a conditional access policy, follow the steps in [Secure user sign-in events with Azure AD Multi-Factor Authentication](../authentication/tutorial-enable-azure-mfa.md).
+2.	Require MFA using a Conditional Access policy.
+    - [Secure user sign-in events with Azure AD Multi-Factor Authentication](../authentication/tutorial-enable-azure-mfa.md).
 
 3. Ensure that the per-user MFA configuration is turned off. 
 
- 
+After all users have been migrated to CA MFA accounts, the recommendation status automatically updates the next time the service runs. Continue to review your CA policies to improve the overall health of your tenant.
 
 ## Next steps
 
-- [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md)
-- [Azure AD reports overview](overview-reports.md)
+- [Learn about requiring MFA for all users using Conditional Access](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)
+- [View the MFA CA policy tutorial](../authentication/tutorial-enable-azure-mfa.md)

articles/active-directory/reports-monitoring/toc.yml

@@ -145,7 +145,7 @@
 
 - name: Recommendations
   items:
-    - name: Convert to conditional access MFA
+    - name: Convert to Conditional Access MFA
       href: recommendation-turn-off-per-user-mfa.md
     - name: Integrate your third party apps
       href: recommendation-integrate-third-party-apps.md

articles/active-directory/reports-monitoring/tutorial-access-api-with-certificates.md

@@ -2,44 +2,41 @@
 title: Tutorial for AD Reporting API with certificates | Microsoft Docs
 description: This tutorial explains how to use the Azure AD Reporting API with certificate credentials to get data from directories without user intervention. 
 services: active-directory
-documentationcenter: ''
-author: MarkusVi
+author: shlipsey3
 manager: amycolannino
-
-ms.assetid: 
 ms.service: active-directory
 ms.workload: identity
-ms.tgt_pltfrm: na
 ms.topic: tutorial
 ms.subservice: report-monitor
-ms.date: 08/26/2022
-ms.author: markvi
+ms.date: 10/31/2022
+ms.author: sarahlipsey
 ms.reviewer: dhanyahk 
-
-# Customer intent: As a developer, I want to learn how to access the Azure AD reporting API using certificates so that I can create an application that does not require user intervention to access reports.
 ms.collection: M365-identity-device-management
 ms.custom: has-adal-ref
+
+# Customer intent: As a developer, I want to learn how to access the Azure AD reporting API using certificates so that I can create an application that does not require user intervention to access reports.
+
 ---
 
 # Tutorial: Get data using the Azure Active Directory reporting API with certificates
 
-The [Azure Active Directory (Azure AD) reporting APIs](concept-reporting-api.md) provide you with programmatic access to the data through a set of REST-based APIs. You can call these APIs from a variety of programming languages and tools. If you want to access the Azure AD Reporting API without user intervention, you must configure your access to use certificates.
+The [Azure Active Directory (Azure AD) reporting APIs](concept-reporting-api.md) provide you with programmatic access to the data through a set of REST-based APIs. You can call these APIs from various programming languages and tools. If you want to access the Azure AD Reporting API without user intervention, you must configure your access to use certificates.
 
 In this tutorial, you learn how to use a test certificate to access the MS Graph API for reporting. We don't recommend using test certificates in a production environment. 
 
 ## Prerequisites
 
-1. To access sign-in data, make sure you have an Azure Active Directory tenant with a premium (P1/P2) license. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition. Note that if you did not have any activities data prior to the upgrade, it will take a couple of days for the data to show up in the reports after you upgrade to a premium license. 
+1. To access sign-in data, make sure you have an Azure AD tenant with a premium (P1/P2) license. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure AD edition. If you didn't have any activities data prior to the upgrade, it will take a couple of days for the data to show up in the reports after you upgrade to a premium license. 
 
-2. Create or switch to a user account in the **global administrator**, **security administrator**, **security reader** or **report reader** role for the tenant. 
+2. Create or switch to a user account in the **Global Administrator**, **Security Administrator**, **Security Reader** or **Report Reader** role for the tenant. 
 
 3. Complete the [prerequisites to access the Azure Active Directory reporting API](howto-configure-prerequisites-for-reporting-api.md). 
 
 4. Download and install [Azure AD PowerShell V2](https://github.com/Azure/azure-docs-powershell-azuread/blob/master/docs-conceptual/azureadps-2.0/install-adv2.md).
 
 5. Install [MSCloudIdUtils](https://www.powershellgallery.com/packages/MSCloudIdUtils/). This module provides several utility cmdlets including:
-    - The ADAL libraries needed for authentication
-    - Access tokens from user, application keys, and certificates using ADAL
+    - The Microsoft Authentication Library libraries needed for authentication
+    - Access tokens from user, application keys, and certificates using Microsoft Authentication Library
     - Graph API handling paged results
 
 6. If it's your first time using the module run **Install-MSCloudIdUtilsModule**, otherwise import it using the **Import-Module** PowerShell command. Your session should look similar to this screen:
@@ -60,13 +57,13 @@ In this tutorial, you learn how to use a test certificate to access the MS Graph
 
 ## Get data using the Azure Active Directory reporting API with certificates
 
-1. Navigate to the [Azure portal](https://portal.azure.com), select **Azure Active Directory**, then select **App registrations** and choose your application from the list. 
+1. Go to the [Azure portal](https://portal.azure.com) > **Azure Active Directory** > **App registrations** and choose your application from the list. 
 
-2. Select **Certificates & secrets** under **Manage** section on Application registration blade and select **Upload Certificate**.
+2. From the Application registration area, select **Certificates & secrets** under the **Manage** section, and then select **Upload Certificate**.
 
 3. Select the certificate file from the previous step and select **Add**. 
 
-4. Note the Application ID, and the thumbprint of the certificate you just registered with your application. To find the thumbprint, from your application page in the portal, go to **Certificates & secrets** under **Manage** section. The thumbprint will be under the **Certificates** list.
+4. Note the Application ID, and the thumbprint of the certificate you registered with your application. To find the thumbprint, from your application page in the portal, go to **Certificates & secrets** under **Manage** section. The thumbprint will be under the **Certificates** list.
 
 5. Open the application manifest in the inline manifest editor and verify the *keyCredentials* property is updated with your new certificate information as shown below - 
 
@@ -85,13 +82,13 @@ In this tutorial, you learn how to use a test certificate to access the MS Graph
 
    ![Screenshot shows a PowerShell window with a command that creates an access token.](./media/tutorial-access-api-with-certificates/getaccesstoken.png)
 
-7. Use the access token in your PowerShell script to query the Graph API. Use the **Invoke-MSCloudIdMSGraphQuery** cmdlet from the MSCloudIDUtils to enumerate the signins and directoryAudits endpoint. This cmdlet handles multi-paged results, and sends those results to the PowerShell pipeline.
+7. Use the access token in your PowerShell script to query the Graph API. Use the **Invoke-MSCloudIdMSGraphQuery** cmdlet from the MSCloudIDUtils to enumerate the `signins` and `directoryAudits` endpoint. This cmdlet handles multi-paged results, and sends those results to the PowerShell pipeline.
 
-8. Query the directoryAudits endpoint to retrieve the audit logs. 
+8. Query the `directoryAudits` endpoint to retrieve the audit logs. 
 
    ![Screenshot shows a PowerShell window with a command to query the directoryAudits endpoint using the access token from earlier in this procedure.](./media/tutorial-access-api-with-certificates/query-directoryAudits.png)
 
-9. Query the signins endpoint to retrieve the sign-in logs.
+9. Query the `signins` endpoint to retrieve the sign-in logs.
 
     ![Screenshot shows a PowerShell window with a command to query the signins endpoint using the access token from earlier in this procedure.](./media/tutorial-access-api-with-certificates/query-signins.png)