Merge pull request #223188 from MicrosoftDocs/main

1/06 AM Publish

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -1942,8 +1942,8 @@
     },
     {
       "source_path_from_root": "/articles/active-directory/active-directory-b2b-add-user-without-invite.md",
-      "redirect_url": "/azure/active-directory/b2b/add-user-without-invite",
-      "redirect_document_id": true
+      "redirect_url": "/azure/active-directory/external-identities/redemption-experience",
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/active-directory/active-directory-b2b-allow-deny-list.md",
@@ -3908,8 +3908,8 @@
     },
     {
       "source_path_from_root": "/articles/active-directory/b2b/add-user-without-invite.md",
-      "redirect_url": "/azure/active-directory/external-identities/add-user-without-invite",
-      "redirect_document_id": true
+      "redirect_url": "/azure/active-directory/external-identities/redemption-experience",
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/active-directory/b2b/allow-deny-list.md",
@@ -4089,7 +4089,7 @@
     {
       "source_path_from_root": "/articles/active-directory/b2b/redemption-experience.md",
       "redirect_url": "/azure/active-directory/external-identities/redemption-experience",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/active-directory/b2b/self-service-portal.md",

.openpublishing.redirection.json

@@ -1163,6 +1163,11 @@
             "redirect_url": "/azure",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/active-directory/external-identities/add-user-without-invite.md",
+            "redirect_url": "/azure/active-directory/external-identities/redemption-experience",
+            "redirect_document_id": true
+    	 },
         {
             "source_path_from_root": "/articles/active-directory-b2c/active-directory-b2c-landing-custom.md",
             "redirect_url": "/azure/active-directory-b2c",

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/05/2023
+ms.date: 01/06/2023
 ms.author: justinha
 author: mjsantani
 ms.collection: M365-identity-device-management
@@ -85,7 +85,7 @@ To create the registry key that overrides push notifications:
    Value = TRUE
 1. Restart the NPS Service. 
 
-If you're using Remote Desktop Gateway, the user account must be configured for phone verification, or Microsoft Authenticator push notifications. If neither option is configured, the user won't be able to meet the Azure AD MFA challenge, and Remote Desktop Gateway sign-in will fail. In this case, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE. 
+If you're using Remote Desktop Gateway and the user is registered for OTP code along with Microsoft Authenticator push notifications, the user won't be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail. In this case, you can set OVERRIDE_NUMBER_MATCHING_WITH_TOP = FALSE to fall back to push notifications with Microsoft Authenticator.
 
 ### Apple Watch supported for Microsoft Authenticator
 
@@ -323,7 +323,7 @@ They'll see a prompt to supply a verification code. They must select their accou
 
 ### Can I opt out of number matching?
 
-Yes, currently you can disable number matching. We highly recommend that you enable number matching for all users in your tenant to protect yourself from MFA fatigue attacks. Microsoft will enable number matching for all tenants starting February 27, 2023. After protection is enabled by default, users can't opt out of number matching in Microsoft Authenticator push notifications. 
+Yes, currently you can disable number matching. We highly recommend that you enable number matching for all users in your tenant to protect yourself from MFA fatigue attacks. To protect the ecosystem and mitigate these threats, Microsoft will enable number matching for all tenants starting February 27, 2023. After protection is enabled by default, users can't opt out of number matching in Microsoft Authenticator push notifications. 
 
 ### Does number matching only apply if Microsoft Authenticator is set as the default authentication method?
 

articles/active-directory/conditional-access/howto-conditional-access-policy-risk-user.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 08/22/2022
+ms.date: 01/06/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -39,7 +39,7 @@ Organizations can choose to deploy this policy using the steps outlined below or
    1. Under **Configure user risk levels needed for policy to be enforced**, select **High**.
    1. Select **Done**.
 1. Under **Access controls** > **Grant**.
-   1. Select **Grant access**, **Require password change**.
+   1. Select **Grant access**, **Require multifactor authentication** and **Require password change**.
    1. Select **Select**.
 1. Under **Session**.
    1. Select **Sign-in frequency**.

articles/active-directory/develop/workload-identity-federation-create-trust-gcp.md

@@ -2,15 +2,15 @@
 title: Access Azure resources from Google Cloud without credentials
 description: Access Azure AD protected resources from a service running in Google Cloud without using secrets or certificates.  Use workload identity federation to set up a trust relationship between an app in Azure AD and an identity in Google Cloud. The workload running in Google Cloud can get an access token from Microsoft identity platform and access Azure AD protected resources.
 services: active-directory
-author: rwike77
+author: OwenRichards1
 manager: CelesteDG
 
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
 ms.workload: identity
-ms.date: 08/07/2022
-ms.author: ryanwi
+ms.date: 01/06/2023
+ms.author: owenrichards
 ms.custom: aaddev
 ms.reviewer: udayh
 #Customer intent: As an application developer, I want to create a trust relationship with a Google Cloud identity so my service in Google Cloud can access Azure AD protected resources without managing secrets.
@@ -206,32 +206,32 @@ class ClientAssertionCredential implements TokenCredential {
 
         // Get the ID token from Google.
         return getGoogleIDToken() // calling this directly just for clarity, 
-                               // this should be a callback
-        // pass this as a client assertion to the confidential client app
-        .then((clientAssertion:any)=> {
-            var msalApp: any;
-            msalApp = new msal.ConfidentialClientApplication({
-                auth: {
-                    clientId: this.clientID,
-                    authority: this.aadAuthority + this.tenantID,
-                    clientAssertion: clientAssertion,
-                }
+
+            let aadAudience = "api://AzureADTokenExchange"
+            const jwt = axios({
+            url: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=" 
+            + aadAudience,
+            method: "GET",
+            headers: {
+                "Metadata-Flavor": "Google"
+                    }}).then(response => {
+                        console.log("AXIOS RESPONSE");
+                        return response.data;
+                    });
+                return jwt;
+            .then(function(aadToken) {
+                // return in form expected by TokenCredential.getToken
+                let returnToken = {
+                    token: aadToken.accessToken,
+                    expiresOnTimestamp: aadToken.expiresOn.getTime(),
+                };
+                return (returnToken);
+            })
+            .catch(function(error) {
+                // error stuff
             });
-            return msalApp.acquireTokenByClientCredential({ scopes })
-        })
-        .then(function(aadToken) {
-            // return in form expected by TokenCredential.getToken
-            let returnToken = {
-                token: aadToken.accessToken,
-                expiresOnTimestamp: aadToken.expiresOn.getTime(),
-            };
-            return (returnToken);
-        })
-        .catch(function(error) {
-            // error stuff
-        });
+        }
     }
-}
 export default ClientAssertionCredential;
 ```
 

articles/active-directory/external-identities/add-user-without-invite.md

@@ -130,3 +130,4 @@ Check out the invitation API reference in [https://developer.microsoft.com/graph
 - [What is Azure AD B2B collaboration?](what-is-b2b.md)
 - [Add and invite guest users](add-users-administrator.md)
 - [The elements of the B2B collaboration invitation email](invitation-email-elements.md)
+

articles/active-directory/external-identities/customize-invitation-api.md

@@ -98,5 +98,4 @@ When a B2B user signs into a resource tenant to collaborate, a sign-in log is ge
 See the following articles on Azure AD B2B collaboration:
 
 - [What is Azure AD B2B collaboration?](what-is-b2b.md)
-- [Add B2B collaboration guest users without an invitation](add-user-without-invite.md)
 - [Adding a B2B collaboration user to a role](./add-users-administrator.md)

articles/active-directory/external-identities/external-collaboration-settings-configure.md

@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 
 # The elements of the B2B collaboration invitation email - Azure Active Directory
 
-Invitation emails are a critical component to bring partners on board as B2B collaboration users in Azure AD. It’s [not required that you send an email to invite someone using B2B collaboration](add-user-without-invite.md), but it gives the user all the information they need to decide if they accept your invite or not. It also gives them a link they can always refer to in the future when they need to return to your resources.
+Invitation emails are a critical component to bring partners on board as B2B collaboration users in Azure AD. It’s [not required that you send an email to invite someone using B2B collaboration](redemption-experience.md#redemption-through-a-direct-link), but it gives the user all the information they need to decide if they accept your invite or not. It also gives them a link they can always refer to in the future when they need to return to your resources.
 
 ![Screenshot showing the B2B invitation email](media/invitation-email-elements/invitation-email.png)
 
@@ -100,4 +100,3 @@ See the following articles on Azure AD B2B collaboration:
 - [How do Azure Active Directory admins add B2B collaboration users?](add-users-administrator.md)
 - [How do information workers add B2B collaboration users?](add-users-information-worker.md)
 - [B2B collaboration invitation redemption](redemption-experience.md)
-- [Add B2B collaboration users without an invitation](add-user-without-invite.md)

articles/active-directory/external-identities/invitation-email-elements.md

@@ -111,8 +111,6 @@
       href: add-users-information-worker.md
     - name: Invite internal users to B2B
       href: invite-internal-users.md
-    - name: Add B2B users without an invitation
-      href: add-user-without-invite.md
     - name: Customize invitations using API
       href: customize-invitation-api.md
   - name: Add self-service sign-up for guest users