Merge pull request #230797 from MicrosoftDocs/main

Publish to live, Wednesday 4 AM PST, 3/15

Author: ttorble

articles/active-directory-domain-services/migrate-from-classic-vnet.md

@@ -179,9 +179,9 @@ Before you begin the migration process, complete the following initial checks an
     | Service tag | AzureActiveDirectoryDomainServices | *                  | Any           | WinRM   | 5986        | TCP       | Allow  | Yes       | Management of your domain |
     | Service tag | CorpNetSaw                         | *                  | Any           | RDP   | 3389        | TCP       | Allow  | Optional  | Debugging for support |
 
-    Make a note of this target resource group, target virtual network, and target virtual network subnet. These resource names are used during the migration process.
+    Make a note of the target resource group, target virtual network, and target virtual network subnet. These resource names are used during the migration process.
 
-    Please note that the **CorpNetSaw** service tag isn't available by using Azure portal, and the network security group rule for **CorpNetSaw** has to be added by using PowerShell (powershell-create-instance.md#create-a-network-security-group).
+    Note that the **CorpNetSaw** service tag isn't available by using Azure portal, and the network security group rule for **CorpNetSaw** has to be added by using [PowerShell](powershell-create-instance.md#create-a-network-security-group).
 
 1. Check the managed domain health in the Azure portal. If you have any alerts for the managed domain, resolve them before you start the migration process.
 1. Optionally, if you plan to move other resources to the Resource Manager deployment model and virtual network, confirm that those resources can be migrated. For more information, see [Platform-supported migration of IaaS resources from Classic to Resource Manager][migrate-iaas].

articles/active-directory-domain-services/network-considerations.md

@@ -9,8 +9,9 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 01/29/2023
+ms.date: 03/14/2023
 ms.author: justinha
+ms.reviewer: xyuan
 
 ---
 # Virtual network design considerations and configuration options for Azure Active Directory Domain Services
@@ -110,10 +111,13 @@ The following sections cover network security groups and Inbound and Outbound po
 
 The following network security group Inbound rules are required for the managed domain to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet for your managed domain.
 
-| Inbound port number | Protocol | Source                             | Destination | Action | Required | Purpose |
-|:-----------:|:--------:|:----------------------------------:|:-----------:|:------:|:--------:|:--------|
-| 5986        | TCP      | AzureActiveDirectoryDomainServices | Any         | Allow  | Yes      | Management of your domain. |
-| 3389        | TCP      | CorpNetSaw                         | Any         | Allow  | Optional      | Debugging for support. |
+| Source      | Source service tag                 | Source port ranges |  Destination  | Service | Destination port ranges | Protocol | Action | Required | Purpose |
+|:-----------:|:----------------------------------:|:------------------:|:-------------:|:-------:|:-----------------------:|:--------:|:------:|:--------:|:--------|
+| Service tag | AzureActiveDirectoryDomainServices | *                  | Any           | WinRM   | 5986            | TCP | Allow | Yes | Management of your domain. |
+| Service tag | CorpNetSaw                         | *                  | Any           | RDP     | 3389            | TCP | Allow | Optional | Debugging for support |
+
+
+Note that the **CorpNetSaw** service tag isn't available by using Azure portal, and the network security group rule for **CorpNetSaw** has to be added by using [PowerShell](powershell-create-instance.md#create-a-network-security-group).
 
 Azure AD DS also relies on the Default Security rules AllowVnetInBound and AllowAzureLoadBalancerInBound.
 

articles/active-directory-domain-services/tutorial-configure-ldaps.md

@@ -8,8 +8,9 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 01/29/2023
+ms.date: 03/14/2023
 ms.author: justinha
+ms.reviewer: xyuan
 
 #Customer intent: As an identity administrator, I want to secure access to an Azure Active Directory Domain Services managed domain using secure lightweight directory access protocol (LDAPS)
 ---
@@ -236,11 +237,13 @@ Let's create a rule to allow inbound secure LDAP access over TCP port 636 from a
 
     | Setting                           | Value        |
     |-----------------------------------|--------------|
-    | Source                            | IP Addresses |
-    | Source IP addresses / CIDR ranges | A valid IP address or range for your environment |
+    | Source                            | Service tag  |
+    | Source service tag                | AzureActiveDirectoryDomainServices  |
+    | Source IP addresses/CIDR ranges   | A valid IP address or range for your environment |
     | Source port ranges                | *            |
     | Destination                       | Any          |
     | Destination port ranges           | 636          |
+    | Service                           | WinRM        |
     | Protocol                          | TCP          |
     | Action                            | Allow        |
     | Priority                          | 401          |

articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md

@@ -379,7 +379,7 @@ The SuccessFactors connector supports expansion of the position object. To expan
 | positionNameDE | $.employmentNav.results[0].jobInfoNav.results[0].positionNav.externalName_de_DE |
 
 ### Provisioning users in the Onboarding module
-Inbound user provisioning from SAP SuccessFactors to on-premises Active Directory and Azure AD now supports advance provisioning of pre-hires present in the SAP SuccessFactors Onboarding 2.0 module. Upon encountering a new hire profile with future start date, the Azure AD provisioning service queries SAP SuccessFactors to get new hires with one of the following status codes: `active`, `inactive`, `active_external`. The status code `active_external` corresponds to pre-hires present in the SAP SuccessFactors Onboarding 2.0 module. For a description of these status codes, refer to [SAP support note 2736579](https://launchpad.support.sap.com/#/notes/0002736579).
+Inbound user provisioning from SAP SuccessFactors to on-premises Active Directory and Azure AD now supports advance provisioning of pre-hires present in the SAP SuccessFactors Onboarding 2.0 module. Upon encountering a new hire profile with future start date, the Azure AD provisioning service queries SAP SuccessFactors to get new hires with one of the following status codes: `active`, `inactive`, `active_external_suite`. The status code `active_external_suite` corresponds to pre-hires present in the SAP SuccessFactors Onboarding 2.0 module. For a description of these status codes, refer to [SAP support note 2736579](https://launchpad.support.sap.com/#/notes/0002736579).
 
 The default behavior of the provisioning service is to process pre-hires in the Onboarding module. 
 
@@ -388,7 +388,12 @@ If you want to exclude processing of pre-hires in the Onboarding module, update
 1. Under show advanced options, edit the SuccessFactors attribute list to add a new attribute called `userStatus`.
 1. Set the JSONPath API expression for this attribute as: `$.employmentNav.results[0].userNav.status`
 1. Save the schema to return back to the attribute mapping blade. 
-1. Edit the Source Object scope to apply a scoping filter `userStatus NOT EQUALS active_external`
+1. Edit the Source Object scope to apply a scoping filter `userStatus NOT EQUALS 
+
+
+
+
+`
 1. Save the mapping and validate that the scoping filter works using provisioning on demand. 
 
 ### Enabling OData API Audit logs in SuccessFactors

articles/active-directory/authentication/TOC.yml

@@ -108,7 +108,7 @@
             href: howto-authentication-passwordless-faqs.md
           - name: Troubleshoot hybrid
             href: howto-authentication-passwordless-troubleshoot.md
-      - name: Passwordless phone sign-in
+      - name: Microsoft Authenticator
         items:
         - name: Manage
           href: howto-authentication-passwordless-phone.md
@@ -118,6 +118,8 @@
           href: how-to-mfa-number-match.md
         - name: Use additional context 
           href: how-to-mfa-additional-context.md
+        - name: Use Authenticator Lite 
+          href: how-to-mfa-authenticator-lite.md
         - name: Use Microsoft managed settings 
           href: how-to-mfa-microsoft-managed.md
       - name: Windows Hello for Business

articles/active-directory/authentication/concept-authentication-default-enablement.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/24/2023
+ms.date: 03/12/2023
 
 ms.author: justinha
 author: mjsantani
@@ -39,8 +39,6 @@ As MFA fatigue attacks rise, number matching becomes more critical to sign-in se
 >[!NOTE]
 >Number matching will begin to be enabled for all users of Microsoft Authenticator starting May 08, 2023.
 
-<!---Add link to Mayur Blog post here--->
-
 ## Microsoft managed settings
 
 In addition to configuring Authentication methods policy settings to be either **Enabled** or **Disabled**, IT admins can configure some settings in the Authentication methods policy to be **Microsoft managed**. A setting that is configured as **Microsoft managed** allows Azure AD to enable or disable the setting. 
@@ -59,6 +57,7 @@ The following table lists each setting that can be set to Microsoft managed and
 | [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)           | Disabled      |
 | [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)   | Disabled      |
 | [System-preferred MFA](concept-system-preferred-multifactor-authentication.md)                  | Disabled      |
+| [Authenticator Lite](how-to-mfa-authenticator-lite.md)                                          | Disabled      |  
 
 As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). 
 

articles/active-directory/authentication/concept-authentication-methods.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 09/17/2022
+ms.date: 03/13/2023
 
 ms.author: justinha
 author: justinha
@@ -38,7 +38,8 @@ The following table outlines the security considerations for the available authe
 | Authentication method          | Security | Usability | Availability |
 |--------------------------------|:--------:|:---------:|:------------:|
 | Windows Hello for Business     | High     | High      | High         |
-| Microsoft Authenticator app    | High     | High      | High         |
+| Microsoft Authenticator        | High     | High      | High         |
+| Authenticator Lite             | High     | High      | High         |
 | FIDO2 security key             | High     | High      | High         |
 | Certificate-based authentication (preview)| High | High | High       |
 | OATH hardware tokens (preview) | Medium   | Medium    | High         |
@@ -63,10 +64,11 @@ The following table outlines when an authentication method can be used during a
 
 | Method                         | Primary authentication | Secondary authentication  |
 |--------------------------------|:----------------------:|:-------------------------:|
-| Windows Hello for Business     | Yes                    | MFA\*                      |
-| Microsoft Authenticator app    | Yes                    | MFA and SSPR              |
+| Windows Hello for Business     | Yes                    | MFA\*                     |
+| Microsoft Authenticator        | Yes                    | MFA and SSPR              |
+| Authenticator Lite             | No                     | MFA                       |
 | FIDO2 security key             | Yes                    | MFA                       |
-| Certificate-based authentication (preview) | Yes        | No              |
+| Certificate-based authentication | Yes                  | No                        |
 | OATH hardware tokens (preview) | No                     | MFA and SSPR              |
 | OATH software tokens           | No                     | MFA and SSPR              |
 | SMS                            | Yes                    | MFA and SSPR              |

articles/active-directory/authentication/concept-mfa-howitworks.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/29/2023
+ms.date: 03/13/2023
 
 ms.author: justinha
 author: justinha
@@ -44,7 +44,8 @@ When users sign in to an application or service and receive an MFA prompt, they
 
 The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:
 
-* Microsoft Authenticator app
+* Microsoft Authenticator 
+* Authenticator Lite (in Outlook)
 * Windows Hello for Business
 * FIDO2 security key
 * OATH hardware token (preview)