Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory/authentication/TOC.yml

@@ -84,6 +84,8 @@
     href: concept-registration-mfa-sspr-combined.md
   - name: Resilient access controls
     href: concept-resilient-controls.md
+  - name: Web browser cookies
+    href: concept-authentication-web-browser-cookies.md
 - name: How-to guides
   items:
   - name: Manage authentication methods

articles/active-directory/authentication/concept-authentication-web-browser-cookies.md

@@ -0,0 +1,77 @@
+---
+title: Web browser cookies used in Azure Active Directory authentication
+description: Learn about Web browser cookies used in Azure Active Directory authentication.
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: overview
+ms.date: 12/06/2022
+
+ms.author: justinha
+author: custorod
+manager: amycolannino
+ms.reviewer: sahenry, michmcla
+
+ms.collection: M365-identity-device-management
+
+# Customer intent: As an Azure AD administrator, I want to understand which weh browser cookies are used for Azure AD.
+---
+# Web browser cookies used in Azure Active Directory authentication
+
+During authentication against Azure Active Directory (Azure AD) through a web browser, multiple cookies are involved in the process. Some of the cookies are common on all requests. Other cookies are used for specific authentication flows or specific client-side conditions.  
+
+Persistent session tokens are stored as persistent cookies on the web browser's cookie jar. Non-persistent session tokens are stored as session cookies on the web browser, and are destroyed when the browser session is closed. 
+
+|  Cookie Name | Type | Comments |
+|--|--|--|
+| ESTSAUTH | Common | Contains user's session information to facilitate SSO. Transient. |
+| ESTSAUTHPERSISTENT | Common | Contains user's session information to facilitate SSO. Persistent. |
+| ESTSAUTHLIGHT | Common  | Contains Session GUID Information. Lite session state cookie used exclusively by client-side JavaScript in order to facilitate OIDC sign-out. Security feature. |
+| SignInStateCookie | Common | Contains list of services accessed to facilitate sign-out. No user information. Security feature. |
+| CCState | Common | Contains session information state to be used between Azure AD and the [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md). |
+| buid | Common | Tracks browser related information. Used for service telemetry and protection mechanisms. |
+| fpc | Common | Tracks browser related information. Used for tracking requests and throttling. |
+| esctx | Common | Session context cookie information. For CSRF protection. Binds a request to a specific browser instance so the request can't be replayed outside the browser. No user information. |
+| ch | Common | ProofOfPossessionCookie. Stores the Proof of Possession cookie hash to the user agent. |
+| ESTSSC | Common | Legacy cookie containing session count information no longer used. |
+| ESTSSSOTILES | Common | Tracks session sign-out. When present and not expired, with value "ESTSSSOTILES=1", it will interrupt SSO, for specific SSO authentication model, and will present tiles for user account selection. |
+| AADSSOTILES | Common | Tracks session sign-out. Similar to ESTSSSOTILES but for other specific SSO authentication model. |
+| ESTSUSERLIST | Common | Tracks Browser SSO user's list. |
+| SSOCOOKIEPULLED | Common | Prevents looping on specific scenarios. No user information. |
+| cltm | Common | For telemetry purposes. Tracks AppVersion, ClientFlight and Network type. | 
+| brcap | Common | Client-side cookie (set by JavaScript) to validate client/web browser's touch capabilities. |
+| clrc | Common | Client-side cookie (set by JavaScript) to control local cached sessions on the client. |
+| CkTst | Common | Client-side cookie (set by JavaScript). No longer in active use. | 
+| wlidperf | Common | Client-side cookie (set by JavaScript) that tracks local time for performance purposes. |
+| x-ms-gateway-slice | Common | Azure AD Gateway cookie used for tracking and load balance purposes. |
+| stsservicecookie | Common | Azure AD Gateway cookie also used for tracking purposes. |
+| x-ms-refreshtokencredential | Specific | Available when [Primary Refresh Token (PRT)](../devices/concept-primary-refresh-token.md) is in use. |
+| estsStateTransient | Specific | Applicable to new session information model only. Transient. | 
+| estsStatePersistent | Specific | Same as estsStateTransient, but persistent. |
+| ESTSNCLOGIN | Specific | National Cloud Login related Cookie. | 
+| UsGovTraffic | Specific | US Gov Cloud Traffic Cookie. | 
+| ESTSWCTXFLOWTOKEN | Specific | Saves flowToken information when redirecting to ADFS. |
+| CcsNtv | Specific | To control when Azure AD Gateway will send requests to [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md). Native flows. | 
+| CcsWeb | Specific | To control when Azure AD Gateway will send requests to [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md). Web flows. | 
+| Ccs* | Specific | Cookies with prefix Ccs*, have the same purpose as the ones without prefix, but only apply when [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md) is in use. | 
+| threxp | Specific | Used for throttling control. | 
+| rrc | Specific | Cookie used to identify a recent B2B invitation redemption. | 
+| debug | Specific | Cookie used to track if user's browser session is enabled for DebugMode. |
+| MSFPC | Specific | This cookie is not specific to any ESTS flow, but is sometimes present. It applies to all Microsoft Sites (when accepted by users). Identifies unique web browsers visiting Microsoft sites. It's used for advertising, site analytics, and other operational purposes. |
+
+> [!NOTE] 
+> Cookies identified as client-side cookies are set locally on the client device by JavaScript, hence, will be marked with HttpOnly=false.  
+>
+> Cookie definitions and respective names are subject to change at any moment in time according to Azure AD service requirements.  
+
+## Next steps
+
+To learn more about self-service password reset concepts, see [How Azure AD self-service password reset works][concept-sspr].
+
+To learn more about multi-factor authentication concepts, see [How Azure AD Multi-Factor Authentication works][concept-mfa].
+
+<!-- INTERNAL LINKS -->
+[concept-sspr]: concept-sspr-howitworks.md
+[concept-mfa]: concept-mfa-howitworks.md
+

articles/active-directory/authentication/how-to-authentication-methods-manage.md

@@ -45,9 +45,9 @@ For each method, note whether or not it's enabled for the tenant. The following
 
 | Multifactor authentication policy | Authentication method policy |
 |-----------------------------------|------------------------------|
-| Call to phone                     | Voice calls                   |
-| Text message to phone             | SMS<br>Microsoft Authenticator      |
-| Notification through mobile app   | Microsoft Authenticator             |
+| Call to phone                     | Phone calls                  |
+| Text message to phone             | SMS                          |
+| Notification through mobile app   | Microsoft Authenticator      |
 | Verification code from mobile app or hardware token   | Third party software OATH tokens<br>Hardware OATH tokens (not yet available)<br>Microsoft Authenticator |
 
 ### Review the legacy SSPR policy

articles/active-directory/authentication/howto-authentication-passwordless-phone.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 09/15/2022
+ms.date: 12/06/2022
 
 
 ms.author: justinha
@@ -73,24 +73,28 @@ To enable the authentication method for passwordless phone sign-in, complete the
 1. Under **Microsoft Authenticator**, choose the following options:
    1. **Enable** - Yes or No
    1. **Target** - All users or Select users
-1. Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes ("Any" mode). To change the mode, for each row:
-   1. Browse to **...** > **Configure**.
-   1. For **Authentication mode** - choose **Any**, or **Passwordless**. Choosing **Push** prevents the use of the passwordless phone sign-in credential. 
+1. Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes ("Any" mode). To change the mode, for each row for **Authentication mode** - choose **Any**, or **Passwordless**. Choosing **Push** prevents the use of the passwordless phone sign-in credential. 
 1. To apply the new policy, click **Save**. 
 
    >[!NOTE]
-   >If you see an error when you try to save, the cause might be due to the number of users or groups being added. As a workaround, replace the users and groups you are trying to add with a single group, in the same operation, and then click **Save** again.
+   >If you see an error when you try to save, the cause might be due to the number of users or groups being added. As a workaround, replace the users and groups you are trying to add with a single group, in the same operation, and then select **Save** again.
 
 ## User registration 
 
-Users register themselves for the passwordless authentication method of Azure AD by using the following steps:
+Users register themselves for the passwordless authentication method of Azure AD. For users who already registered the Microsoft Authenticator app for [multi-factor authentication](./concept-mfa-howitworks.md), skip to the next section, [enable phone sign-in](#enable-phone-sign-in). To register the Microsoft Authenticator app, follow these steps:
 
 1. Browse to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo).
-1. Sign in, then click **Add method** > **Authenticator app** > **Add** to add Microsoft Authenticator.
+1. Sign in, then select **Add method** > **Authenticator app** > **Add** to add Microsoft Authenticator.
 1. Follow the instructions to install and configure the Microsoft Authenticator app on your device.
 1. Select **Done** to complete Microsoft Authenticator configuration.
-1. In **Microsoft Authenticator**, choose **Enable phone sign-in** from the drop-down menu for the account registered.
-1. Follow the instructions in the app to finish registering the account for passwordless phone sign-in.
+
+### Enable phone sign-in
+
+After users registered themselves for the Microsoft Authenticator app, they need to enable phone sign-in: 
+
+1. In **Microsoft Authenticator**, select the account registered.
+2. Select **Enable phone sign-in**.
+3. Follow the instructions in the app to finish registering the account for passwordless phone sign-in.
 
 An organization can direct its users to sign in with their phones, without using a password. For further assistance configuring Microsoft Authenticator and enabling phone sign-in, see [Sign in to your accounts using the Microsoft Authenticator app](https://support.microsoft.com/account-billing/sign-in-to-your-accounts-using-the-microsoft-authenticator-app-582bdc07-4566-4c97-a7aa-56058122714c).
 

articles/active-directory/authentication/overview-authentication.md

@@ -87,54 +87,6 @@ When you sign in with a passwordless method, credentials are provided by using m
 
 Azure AD provides ways to natively authenticate using passwordless methods to simplify the sign-in experience for users and reduce the risk of attacks.  
 
-## Web browser cookies
-
-When authenticating against Azure Active Directory through a web browser, multiple cookies are involved in the process. Some of the cookies are common on all requests, other cookies are specific to some particular scenarios, i.e., specific authentication flows and/or specific client-side conditions.  
-
-Persistent session tokens are stored as persistent cookies on the web browser's cookie jar, and non-persistent session tokens are stored as session cookies on the web browser and are destroyed when the browser session is closed. 
-
-|  Cookie Name | Type | Comments |
-|--|--|--|
-| ESTSAUTH | Common | Contains user's session information to facilitate SSO. Transient. |
-| ESTSAUTHPERSISTENT | Common | Contains user's session information to facilitate SSO. Persistent. |
-| ESTSAUTHLIGHT | Common  | Contains Session GUID Information. Lite session state cookie used exclusively by client-side JavaScript in order to facilitate OIDC sign-out. Security feature. |
-| SignInStateCookie | Common | Contains list of services accessed to facilitate sign-out. No user information. Security feature. |
-| CCState | Common | Contains session information state to be used between Azure AD and the [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md). |
-| buid | Common | Tracks browser related information. Used for service telemetry and protection mechanisms. |
-| fpc | Common | Tracks browser related information. Used for tracking requests and throttling. |
-| esctx | Common | Session context cookie information. For CSRF protection. Binds a request to a specific browser instance so the request can't be replayed outside the browser. No user information. |
-| ch | Common | ProofOfPossessionCookie. Stores the Proof of Possession cookie hash to the user agent. |
-| ESTSSC | Common | Legacy cookie containing session count information no longer used. |
-| ESTSSSOTILES | Common | Tracks session sign-out. When present and not expired, with value "ESTSSSOTILES=1", it will interrupt SSO, for specific SSO authentication model, and will present tiles for user account selection. |
-| AADSSOTILES | Common | Tracks session sign-out. Similar to ESTSSSOTILES but for other specific SSO authentication model. |
-| ESTSUSERLIST | Common | Tracks Browser SSO user's list. |
-| SSOCOOKIEPULLED | Common | Prevents looping on specific scenarios. No user information. |
-| cltm | Common | For telemetry purposes. Tracks AppVersion, ClientFlight and Network type. | 
-| brcap | Common | Client-side cookie (set by JavaScript) to validate client/web browser's touch capabilities. |
-| clrc | Common | Client-side cookie (set by JavaScript) to control local cached sessions on the client. |
-| CkTst | Common | Client-side cookie (set by JavaScript). No longer in active use. | 
-| wlidperf | Common | Client-side cookie (set by JavaScript) that tracks local time for performance purposes. |
-| x-ms-gateway-slice | Common | Azure AD Gateway cookie used for tracking and load balance purposes. |
-| stsservicecookie | Common | Azure AD Gateway cookie also used for tracking purposes. |
-| x-ms-refreshtokencredential | Specific | Available when [Primary Refresh Token (PRT)](../devices/concept-primary-refresh-token.md) is in use. |
-| estsStateTransient | Specific | Applicable to new session information model only. Transient. | 
-| estsStatePersistent | Specific | Same as estsStateTransient, but persistent. |
-| ESTSNCLOGIN | Specific | National Cloud Login related Cookie. | 
-| UsGovTraffic | Specific | US Gov Cloud Traffic Cookie. | 
-| ESTSWCTXFLOWTOKEN | Specific | Saves flowToken information when redirecting to ADFS. |
-| CcsNtv | Specific | To control when Azure AD Gateway will send requests to [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md). Native flows. | 
-| CcsWeb | Specific | To control when Azure AD Gateway will send requests to [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md). Web flows. | 
-| Ccs* | Specific | Cookies with prefix Ccs*, have the same purpose as the ones without prefix, but only apply when [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md) is in use. | 
-| threxp | Specific | Used for throttling control. | 
-| rrc | Specific | Cookie used to identify a recent B2B invitation redemption. | 
-| debug | Specific | Cookie used to track if user's browser session is enabled for DebugMode. |
-| MSFPC | Specific | This cookie is not specific to any ESTS flow, but is sometimes present. It applies to all Microsoft Sites (when accepted by users). Identifies unique web browsers visiting Microsoft sites. It's used for advertising, site analytics, and other operational purposes. |
-
-> [!NOTE] 
-> Cookies identified as client-side cookies are set locally on the client device by JavaScript, hence, will be marked with HttpOnly=false.  
->
-> Cookie definitions and respective names are subject to change at any moment in time according to Azure AD service requirements.  
-
 ## Next steps
 
 To get started, see the [tutorial for self-service password reset (SSPR)][tutorial-sspr] and [Azure AD Multi-Factor Authentication][tutorial-azure-mfa].

articles/active-directory/governance/entitlement-management-access-package-auto-assignment-policy.md

@@ -70,7 +70,42 @@ To create a policy for an access package, you need to start from the access pack
 
 ## Create an automatic assignment policy programmatically (Preview)
 
-You can also create a policy using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application in a catalog role or with the `EntitlementManagement.ReadWrite.All` permission, can call the [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-1.0&preserve-view=true) API.  In your [request payload](/graph/api/resources/accesspackageassignmentpolicy?view=graph-rest-1.0&preserve-view=true), include the `displayName`, `description`, `specificAllowedTargets`, [`automaticRequestSettings`](/graph/api/resources/accesspackageautomaticrequestsettings?view=graph-rest-1.0&preserve-view=true) and `accessPackage` properties of the policy.
+There are two ways to create an access package assignment policy for automatic assignment programmatically, through Microsoft Graph and through the PowerShell cmdlets for Microsoft Graph.
+
+### Creating an access package assignment policy through Graph
+
+You can create a policy using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application in a catalog role or with the `EntitlementManagement.ReadWrite.All` permission, can call the [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-1.0&preserve-view=true) API. In your [request payload](/graph/api/resources/accesspackageassignmentpolicy?view=graph-rest-1.0&preserve-view=true), include the `displayName`, `description`, `specificAllowedTargets`, [`automaticRequestSettings`](/graph/api/resources/accesspackageautomaticrequestsettings?view=graph-rest-1.0&preserve-view=true) and `accessPackage` properties of the policy.
+
+### Creating an access package assignment policy through PowerShell
+
+You can also create a policy in PowerShell with the cmdlets from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or later.
+
+This script below illustrates using the `v1.0` profile, to create a policy for automatic assignment to an access package.  See [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-v1.0&preserve-view=true) for more examples.
+
+```powershell
+Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
+Select-MgProfile -Name "v1.0"
+
+$apid = "cdd5f06b-752a-4c9f-97a6-82f4eda6c76d"
+
+$pparams = @{
+	DisplayName = "Sales department users"
+	Description = "All users from sales department"
+	AllowedTargetScope = "specificDirectoryUsers"
+	SpecificAllowedTargets = @( @{
+        "@odata.type" = "#microsoft.graph.attributeRuleMembers"
+        description = "All users from sales department"
+        membershipRule = '(user.department -eq "Sales")'
+	} )
+	AutomaticRequestSettings = @{
+        RequestAccessForAllowedTargets = $true
+	}
+    AccessPackage = @{
+      Id = $apid
+    }
+}
+New-MgEntitlementManagementAssignmentPolicy -BodyParameter $pparams
+```
 
 ## Next steps