Merge pull request #190117 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: ttorble

articles/active-directory-b2c/supported-azure-ad-features.md

@@ -26,6 +26,7 @@ An Azure AD B2C tenant is different than an Azure Active Directory tenant, which
 | [Conditional Access](../active-directory/conditional-access/overview.md) | Fully supported for administrative and user accounts. | A subset of Azure AD Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user) Lean how to configure Azure AD B2C [conditional access](conditional-access-user-flow.md).|
 | [Premium P1](https://azure.microsoft.com/pricing/details/active-directory) | Fully supported for Azure AD premium P1 features. For example, [Password Protection](../active-directory/authentication/concept-password-ban-bad.md), [Hybrid Identities](../active-directory/hybrid/whatis-hybrid-identity.md),  [Conditional Access](../active-directory/roles/permissions-reference.md#), [Dynamic groups](../active-directory/enterprise-users/groups-create-rule.md), and more. | Azure AD B2C uses [Azure AD B2C Premium P1 license](https://azure.microsoft.com/pricing/details/active-directory/external-identities/), which is different from Azure AD premium P1. A subset of Azure AD Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user). Learn how to configure Azure AD B2C [Conditional Access](conditional-access-user-flow.md).|
 | [Premium P2](https://azure.microsoft.com/pricing/details/active-directory/) | Fully supported for Azure AD premium P2 features. For example, [Identity Protection](../active-directory/identity-protection/overview-identity-protection.md), and [Identity Governance](../active-directory/governance/identity-governance-overview.md).  | Azure AD B2C uses [Azure AD B2C Premium P2 license](https://azure.microsoft.com/pricing/details/active-directory/external-identities/), which is different from Azure AD premium P2. A subset of Azure AD Identity Protection features is supported with [consumer accounts](user-overview.md#consumer-user). Learn how to [Investigate risk with Identity Protection](identity-protection-investigate-risk.md) and configure Azure AD B2C [Conditional Access](conditional-access-user-flow.md). |
+|[Data retention policy](../active-directory/reports-monitoring/reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data)|Data retention period for both audit and sign in logs depend on your subscription. Learn more about [How long Azure AD store reporting data](../active-directory/reports-monitoring/reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data).|Sign in and  audit logs are only retained for **seven (7) days**. If you require a longer retention period, use the [Azure monitor](azure-monitor.md).|
 
 > [!NOTE]
 > **Other Azure resources in your tenant:** <br>In an Azure AD B2C tenant, you can't provision other Azure resources such as virtual machines, Azure web apps, or Azure functions. You must create these resources in your Azure AD tenant.

articles/active-directory-b2c/user-flow-custom-attributes.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/08/2021
+ms.date: 03/01/2022
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -89,7 +89,7 @@ Extension attributes can only be registered on an application object, even thoug
 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
 1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**.
 1. Select **App registrations**, and then select **All applications**.
-1. Select the `b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.` application.
+1. Select the **b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.** application.
 1. Copy the following identifiers to your clipboard and save them:
     * **Application ID**. Example: `11111111-1111-1111-1111-111111111111`.
     * **Object ID**. Example: `22222222-2222-2222-2222-222222222222`.
@@ -179,11 +179,10 @@ The following example demonstrates the use of a custom attribute in Azure AD B2C
 
 ## Using custom attribute with MS Graph API
 
-Microsoft Graph API supports creating and updating a user with extension attributes. Extension attributes in the Graph API are named by using the convention `extension_ApplicationClientID_attributename`, where the `ApplicationClientID` is the **Application (client) ID** of the `b2c-extensions-app` application. Note that the **Application (client) ID** as it's represented in the extension attribute name includes no hyphens. For example:
+[Microsoft Graph API][ms-graph-api] supports creating and updating a user with extension attributes. Extension attributes in the Microsoft Graph API are named by using the convention `extension_ApplicationClientID_attributename`, where the `ApplicationClientID` is the **Application (client) ID** of the `b2c-extensions-app` [application](#azure-ad-b2c-extensions-app). Note that the **Application (client) ID** as it's represented in the extension attribute name includes no hyphens. For example, the Microsoft Graph API identifies an extension attribute `loyaltyId` in Azure AD B2C as `extension_831374b3bd5041bfaa54263ec9e050fc_loyaltyId`. 
 
-```json
-"extension_831374b3bd5041bfaa54263ec9e050fc_loyaltyId": "212342" 
-``` 
+Learn how to [interact with resources in your Azure AD B2C tenant](microsoft-graph-operations.md#user-management) using Microsoft Graph API. 
+ 
 
 ## Remove extension attribute
 
@@ -194,11 +193,11 @@ Unlike built-in attributes, extension/custom attributes can be removed. The exte
 
 ::: zone pivot="b2c-user-flow"
 
-Use the following steps to remove extension/custom attribute from a user flow:
+Use the following steps to remove extension/custom attribute from a user flow in your:
 
 1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.
 2. Make sure you're using the directory that contains your Azure AD B2C tenant:
-    1.  Select the **Directories + subscriptions** icon in the portal toolbar.
+    1. Select the **Directories + subscriptions** icon in the portal toolbar.
     1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the Directory name list, and then select **Switch**
 1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
 1. Select **User attributes**, and then select the attribute you want to delete.
@@ -218,3 +217,8 @@ To remove a custom attribute, use [MS Graph API](microsoft-graph-operations.md),
 ## Next steps
 
 Follow the guidance for how to [add claims and customize user input using custom policies](configure-user-input.md). This sample uses a built-in claim 'city'. To use a custom attribute, replace 'city' with your own custom attributes.
+
+
+<!-- LINKS -->
+[ms-graph]: /graph/
+[ms-graph-api]: /graph/api/overview

articles/active-directory/authentication/TOC.yml

@@ -302,6 +302,8 @@
     href: /answers/topics/azure-active-directory.html
   - name: Pricing
     href: https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing
+  - name: Feature availability
+    href: feature-availability.md
   - name: Service updates
     href: ../fundamentals/whats-new.md
   - name: Stack Overflow

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -49,7 +49,7 @@ Let's cover each step:
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-alt.png" alt-text="Screenshot of the Sign-in if FIDO2 is also enabled.":::
 
-1. After the user clicks the link, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](/azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us). For the correct endpoint for other environments, see the specific Microsoft cloud docs. 
+1. After the user clicks the link, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](/azure/azure-government/compare-azure-government-global-azure#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us). For the correct endpoint for other environments, see the specific Microsoft cloud docs. 
 
    The endpoint performs mutual authentication and requests the client certificate as part of the TLS handshake. You will see an entry for this request in the Sign-in logs. There is a [known issue](#known-issues) where User ID is displayed instead of Username.
 
@@ -236,4 +236,3 @@ For the next test scenario, configure the authentication policy where the Issuer
 - [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
 - [FAQ](certificate-based-authentication-faq.yml)
 - [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)
-

articles/active-directory/authentication/feature-availability.md

@@ -0,0 +1,122 @@
+---
+title: Azure AD feature availability in Azure Government
+description: Learn which Azure AD features are available in Azure Government. 
+
+services: multi-factor-authentication
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 02/28/2022
+
+ms.author: justinha
+author: justinha
+manager: daveba
+ms.reviewer: michmcla
+ms.collection: M365-identity-device-management
+---
+
+# Cloud feature availability
+
+<!---Jeremy said there are additional features that don't fit nicely in this list that we need to add later--->
+
+This following table lists Azure AD feature availability in Azure Government.
+
+
+|Service     | Feature | Availability |
+|:------|---------|:------------:|
+|**Authentication, single sign-on, and MFA**|||
+||Cloud authentication (Pass-through authentication, password hash synchronization) | &#x2705; |
+|| Federated authentication (Active Directory Federation Services or federation with other identity providers) | &#x2705; |
+|| Single sign-on (SSO) unlimited | &#x2705; | 
+|| Multifactor authentication (MFA) | Hardware OATH tokens are not available. Instead, use Conditional Access policies with named locations to establish when multifactor authentication should and should not be required based off the user's current IP address. Microsoft Authenticator only shows GUID and not UPN for compliance reasons. | 
+|| Passwordless (Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations) | &#x2705; | 
+|| Service-level agreement | &#x2705; | 
+|**Applications access**|||
+|| SaaS apps with modern authentication (Azure AD application gallery apps, SAML, and OAUTH 2.0) | &#x2705; | 
+|| Group assignment to applications | &#x2705; | 
+|| Cloud app discovery (Microsoft Cloud App Security) | &#x2705; | 
+|| Application Proxy for on-premises, header-based, and Integrated Windows Authentication | &#x2705; | 
+|| Secure hybrid access partnerships (Kerberos, NTLM, LDAP, RDP, and SSH authentication) | &#x2705; | 
+|**Authorization and Conditional Access**|||
+|| Role-based access control (RBAC) | &#x2705; | 
+|| Conditional Access  | &#x2705; | 
+|| SharePoint limited access | &#x2705; | 
+|| Session lifetime management | &#x2705; | 
+|| Identity Protection (vulnerabilities and risky accounts) | See [Identity protection](#identity-protection) below. | 
+|| Identity Protection (risk events investigation, SIEM connectivity) | See [Identity protection](#identity-protection) below. | 
+|**Administration and hybrid identity**|||
+|| User and group management | &#x2705; | 
+|| Advanced group management (Dynamic groups, naming policies, expiration, default classification) | &#x2705; | 
+|| Directory synchronization—Azure AD Connect (sync and cloud sync) | &#x2705; | 
+|| Azure AD Connect Health reporting | &#x2705; | 
+|| Delegated administration—built-in roles  | &#x2705; | 
+|| Global password protection and management – cloud-only users | &#x2705; | 
+|| Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory | &#x2705; | 
+|| Microsoft Identity Manager user client access license (CAL) | &#x2705; | 
+|**End-user self-service**|||
+|| Application launch portal (My Apps) | &#x2705; | 
+|| User application collections in My Apps | &#x2705; |
+|| Self-service account management portal (My Account) | &#x2705; |
+|| Self-service password change for cloud users | &#x2705; |
+|| Self-service password reset/change/unlock with on-premises write-back | &#x2705; |
+|| Self-service sign-in activity search and reporting | &#x2705; |
+|| Self-service group management (My Groups) | &#x2705; |
+|| Self-service entitlement management (My Access) | &#x2705; |
+|**Identity governance**|||
+|| Automated user provisioning to apps | &#x2705; |
+|| Automated group provisioning to apps | &#x2705; |
+|| HR-driven provisioning | Partial. See [HR-provisioning apps](#hr-provisioning-apps). |
+|| Terms of use attestation | &#x2705; |
+|| Access certifications and reviews | &#x2705; |
+|| Entitlement management | &#x2705; |
+|| Privileged Identity Management (PIM), just-in-time access |  &#x2705; |
+|**Event logging and reporting**|||
+|| Basic security and usage reports | &#x2705; |
+|| Advanced security and usage reports | &#x2705; |
+|| Identity Protection: vulnerabilities and risky accounts | &#x2705; |
+|| Identity Protection: risk events investigation, SIEM connectivity | &#x2705; |
+|**Frontline workers**|||
+|| SMS sign-in | Feature not available. |
+|| Shared device sign-out | Enterprise state roaming for Windows 10 devices is not available. |
+|| Delegated user management portal (My Staff) | Feature not available. |
+
+
+## Identity protection
+
+| Risk Detection | Availability |
+|----------------|:--------------------:|
+|Leaked credentials (MACE) | &#x2705; |
+|Azure AD threat intelligence | Feature not available. |
+|Anonymous IP address | &#x2705; | 
+|Atypical travel | &#x2705; |
+|Anomalous Token | Feature not available. |
+|Token Issuer Anomaly| Feature not available. |
+|Malware linked IP address | &#x2705; |
+|Suspicious browser | &#x2705; |
+|Unfamiliar sign-in properties | &#x2705; |
+|Admin confirmed user compromised | &#x2705; |
+|Malicious IP address | &#x2705; |
+|Suspicious inbox manipulation rules | &#x2705; |
+|Password spray | &#x2705; |
+|Impossible travel | &#x2705; |
+|New country | &#x2705; |
+|Activity from anonymous IP address | &#x2705; |
+|Suspicious inbox forwarding | &#x2705; |
+|Azure AD threat intelligence | Feature not available. |
+|Additional risk detected | &#x2705; |
+
+
+## HR-provisioning apps
+
+| HR-provisioning app | Availability |
+|----------------|:--------------------:|
+|Workday to Azure AD User Provisioning | &#x2705; |
+|Workday Writeback | &#x2705; |
+|SuccessFactors to Azure AD User Provisioning | &#x2705; | 
+|SuccessFactors to Writeback | &#x2705; |
+|Provisioning agent configuration and registration with Gov cloud tenant| Works with special undocumented command-line invocation:<br> AADConnectProvisioningAgent.Installer.exe ENVIRONMENTNAME=AzureUSGovernment |
+
+
+
+
+

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/23/2022
+ms.date: 02/28/2022
 ms.author: justinha
 author: mjsantani
 ms.collection: M365-identity-device-management
@@ -50,9 +50,6 @@ When a user responds to an MFA push notification using Microsoft Authenticator,
 
 During self-service password reset, Microsoft Authenticator notification will show a number that the user will need to type in their Authenticator app notification. This number will only be seen to users who have been enabled for number matching.
 
->[!NOTE]
->Number matching for admin roles during SSPR is pending and unavailable for a couple days.
-
 ### Combined registration
 
 When a user is goes through combined registration to set up Microsoft Authenticator, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification. 

articles/active-directory/authentication/how-to-mfa-registration-campaign.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/11/2022
+ms.date: 02/28/2022
 
 ms.author: justinha
 author: mjsantani
@@ -253,39 +253,57 @@ The nudge will not appear on mobile devices that run Android or iOS.
 
 ## Frequently asked questions
 
-**Will this feature be available for MFA Server?** 
-No. This feature will be available only for users using Azure MFA. 
+**Is registration campaign available for MFA Server?** 
+
+No. This feature is available only for users using Azure MFA. 
+
+**Can users be nudged within an application?** 
+
+Nudge is available only on browsers and not on applications.
 
 **How long will the campaign run for?** 
+
 You can use the APIs to enable the campaign for as long as you like. Whenever you want to be done running the campaign, simply use the APIs to disable the campaign.  
 
 **Can each group of users have a different snooze duration?** 
+
 No. The snooze duration for the prompt is a tenant-wide setting and applies to all groups in scope. 
 
 **Can users be nudged to set up passwordless phone sign-in?** 
+
 The feature aims to empower admins to get users set up with MFA using the Authenticator app and not passwordless phone sign-in.  
 
 **Will a user who has a 3rd party authenticator app setup see the nudge?** 
+
 If this user doesn’t have the Microsoft Authenticator app set up for push notifications and are enabled for it by policy, yes, the user will see the nudge. 
 
-**Will a user who has a Microsoft Authenticator app setup only for TOTP codes see the nudge?** Yes. If the Microsoft Authenticator app is not set up for push notifications and the user is enabled for it by policy, yes, the user will see the nudge.
+**Will a user who has a Microsoft Authenticator app setup only for TOTP codes see the nudge?** 
+
+Yes. If the Microsoft Authenticator app is not set up for push notifications and the user is enabled for it by policy, yes, the user will see the nudge.
 
 **If a user just went through MFA registration, will they be nudged in the same sign-in session?** 
+
 No. To provide a good user experience, users will not be nudged to set up the Authenticator in the same session that they registered other authentication methods.  
 
 **Can I nudge my users to register another authentication method?** 
+
 No. The feature, for now, aims to nudge users to set up the Microsoft Authenticator app only. 
 
 **Is there a way for me to hide the snooze option and force my users to setup the Authenticator app?**  
+
 There is no way to hide the snooze option on the nudge. You can set the snoozeDuration to 0, which will ensure that users will see the nudge during each MFA attempt.  
 
 **Will I be able to nudge my users if I am not using Azure MFA?** 
+
 No. The nudge will only work for users who are doing MFA using the Azure MFA service. 
 
 **Will Guest/B2B users in my tenant be nudged?** 
+
 Yes. If they have been scoped for the nudge using the policy. 
 
-**What if the user closes the browser?** It's the same as snoozing.
+**What if the user closes the browser?** 
+
+It's the same as snoozing.
 
 
 ## Next steps