Merge pull request #111227 from iainfoulds/azuread-mfaconcepts

[AzureAD] Concepts and how-to updates

Author: American-Dipper

.openpublishing.redirection.json

@@ -38336,6 +38336,11 @@
       "redirect_url": "/azure/active-directory/authentication/howto-password-ban-bad-configure",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/active-directory/authentication/multi-factor-authentication-security-best-practices.md",
+      "redirect_url": "/azure/active-directory/authentication/howto-mfa-getstarted",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/active-directory/active-directory-passwords-reset-register.md",
       "redirect_url": "/azure/active-directory/user-help/active-directory-passwords-reset-register",

articles/active-directory/authentication/TOC.yml

@@ -42,17 +42,13 @@
     items:
     - name: How MFA works
       href: concept-mfa-howitworks.md
-    - name: License your users
-      href: concept-mfa-licensing.md
-    - name: Manage an Auth Provider
-      href: concept-mfa-authprovider.md
-    - name: Security guidance
-      href: multi-factor-authentication-security-best-practices.md
     - name: Data residency
       href: concept-mfa-data-residency.md
+    - name: Licenses
+      href: concept-mfa-licensing.md
     - name: MFA for Office 365
       href: https://docs.microsoft.com/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
-    - name: MFA FAQ
+    - name: FAQ
       href: multi-factor-authentication-faq.md
   - name: Azure AD password protection
     items:
@@ -72,16 +68,18 @@
       href: howto-sspr-authenticationdata.md
     - name: SSPR for Windows clients
       href: howto-sspr-windows.md
-  - name: Cloud-based MFA
+  - name: Azure Multi-Factor Authentication
     items:
     - name: Deployment guide
       href: howto-mfa-getstarted.md
-    - name: Per user MFA
-      href: howto-mfa-userstates.md
-    - name: User and device settings
-      href: howto-mfa-userdevicesettings.md
     - name: Configure settings
       href: howto-mfa-mfasettings.md
+    - name: Configure users
+      href: howto-mfa-userdevicesettings.md
+    - name: Enable per-user MFA
+      href: howto-mfa-userstates.md
+    - name: Configure authentication providers
+      href: concept-mfa-authprovider.md
     - name: Directory Federation
       items:
       - name: Windows Server 2016 AD FS Adapter

articles/active-directory/authentication/concept-mfa-authprovider.md

@@ -17,13 +17,13 @@ ms.collection: M365-identity-device-management
 ---
 # When to use an Azure Multi-Factor Authentication Provider
 
+> [!IMPORTANT]
+> Effective September 1st, 2018 new auth providers may no longer be created. Existing auth providers may continue to be used and updated, but migration is no longer possible. Multi-factor authentication will continue to be available as a feature in Azure AD Premium licenses.
+
 Two-step verification is available by default for global administrators who have Azure Active Directory, and Office 365 users. However, if you wish to take advantage of [advanced features](howto-mfa-mfasettings.md) then you should purchase the full version of Azure Multi-Factor Authentication (MFA).
 
 An Azure Multi-Factor Auth Provider is used to take advantage of features provided by Azure Multi-Factor Authentication for users who **do not have licenses**.
 
-> [!NOTE]
-> Effective September 1st, 2018 new auth providers may no longer be created. Existing auth providers may continue to be used and updated, but migration is no longer possible. Multi-factor authentication will continue to be available as a feature in Azure AD Premium licenses.
-
 ## Caveats related to the Azure MFA SDK
 
 Note the SDK has been deprecated and will only continue to work until November 14, 2018. After that time, calls to the SDK will fail.

articles/active-directory/authentication/concept-mfa-data-residency.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 12/16/2019
+ms.date: 04/13/2020
 
 ms.author: iainfou
 author: iainfoulds

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

@@ -136,7 +136,7 @@ A user who has previously set up at least one method that can be used for Multi-
 
 ## Next steps
 
-[Force users to re-register authentication methods](howto-mfa-userdevicesettings.md#manage-authentication-methods)
+[Force users to re-register authentication methods](howto-mfa-userdevicesettings.md#manage-user-authentication-options)
 
 [Enable combined registration in your tenant](howto-registration-mfa-sspr-combined.md)
 

articles/active-directory/authentication/howto-mfa-userdevicesettings.md

@@ -1,12 +1,12 @@
 ---
-title: Manage users and devices Azure MFA - Azure Active Directory
-description: How can administrators change user settings such as forcing the users to do the proof-up process again.
+title: Manage user settings for Azure Multi-Factor Authentication - Azure Active Directory
+description: Learn how you can configure Azure Active Directory user settings for Azure Multi-Factor Authentication
 
 services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 11/21/2019
+ms.date: 04/13/2020
 
 ms.author: iainfou
 author: iainfoulds
@@ -15,44 +15,40 @@ ms.reviewer: michmcla
 
 ms.collection: M365-identity-device-management
 ---
-# Manage user settings with Azure Multi-Factor Authentication in the cloud
+# Manage user settings for Azure Multi-Factor Authentication
 
-As an administrator, you can manage the following user and device settings:
+To help manage the users of Azure Multi-Factor Authentication, you can require users to reset their password, re-register for MFA, or revoke existing MFA sessions. For users that have defined app passwords, you can also choose to delete these passwords, causing legacy authentication to fail in those applications. These actions may be necessary if you need to provide assistance to a user, or want to reset their security status.
 
-* Require users to provide contact methods again
-* Delete app passwords
-* Require MFA on all trusted devices
+## Manage user authentication options
 
-## Manage authentication methods
-
-As an administrator assigned the Authentication Administrator role you can require users to reset their password, re-register for MFA, or revoke existing MFA sessions from their user object.
-
-![Manage authentication methods from the Azure portal](./media/howto-mfa-userdevicesettings/manage-authentication-methods-in-azure.png)
+If you're assigned the *Authentication Administrator* role you can require users to reset their password, re-register for MFA, or revoke existing MFA sessions from their user object. To manage user settings, complete the following steps:
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 1. On the left, select **Azure Active Directory** > **Users** > **All users**.
-1. Choose the user you wish to perform an action on and select **Authentication methods**.
-   - **Reset Password** will reset the user's password and assign a temporary password that must be changed on the next sign in.
-   - **Require Re-register MFA** will make it so that when the user signs in next time, they will be requested to setup a new MFA authentication method.
-   - **Revoke MFA Sessions** clears the user's remembered MFA sessions and requires them to perform MFA the next time it is required by the policy on the device.
+1. Choose the user you wish to perform an action on and select **Authentication methods**. At the top of the window, then choose one of the following options for the user:
+   - **Reset Password** resets the user's password and assigns a temporary password that must be changed on the next sign-in.
+   - **Require Re-register MFA** makes it so that when the user signs in next time, they're requested to set up a new MFA authentication method.
+   - **Revoke MFA Sessions** clears the user's remembered MFA sessions and requires them to perform MFA the next time it's required by the policy on the device.
+
+   ![Manage authentication methods from the Azure portal](./media/howto-mfa-userdevicesettings/manage-authentication-methods-in-azure.png)
 
 ## Delete users existing app passwords
 
-This setting deletes all of the app passwords that a user has created. Non-browser apps that were associated with these app passwords stop working until a new app password is created. Global administrator permissions are required to perform this action.
+If needed, you can delete all of the app passwords that a user has created. Non-browser apps that were associated with these app passwords stop working until a new app password is created. *Global administrator* permissions are required to perform this action.
 
-### How to delete users existing app passwords
+To delete a user's app passwords, complete the following steps:
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
-2. On the left, select **Azure Active Directory** > **Users** > **All users**.
-3. On the right, select **Multi-Factor Authentication** on the toolbar. The multi-factor authentication page opens.
-4. Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right.
-5. Select **Manage user settings**.
-6. Check the box for **Delete all existing app passwords generated by the selected users**.
+1. On the left-hand side, select **Azure Active Directory** > **Users** > **All users**.
+1. Select **Multi-Factor Authentication**. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full Azure portal window and menu location:
+    [![](media/howto-mfa-userstates/selectmfa-cropped.png "Select Multi-Factor Authentication from the Users window in Azure AD")](media/howto-mfa-userstates/selectmfa.png#lightbox)
+1. Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right.
+1. Select **Manage user settings**, then check the box for **Delete all existing app passwords generated by the selected users**, as shown in the following example:
    ![Delete all existing app passwords](./media/howto-mfa-userdevicesettings/deleteapppasswords.png)
-7. Click **save**.
-8. Click **close**.
+1. Select **save**, then **close**.
 
 ## Next steps
 
-- Get more information about how to [Configure Azure Multi-Factor Authentication settings](howto-mfa-mfasettings.md)
-- If your users need help, point them towards the [User guide for two-step verification](../user-help/multi-factor-authentication-end-user.md)
+This article helped configure individual user settings. To configure Azure Multi-Factor Authentication service settings, see [Configure Azure Multi-Factor Authentication settings](howto-mfa-mfasettings.md)
+
+If your users need help, see the [User guide for Azure Multi-Factor Authentication](../user-help/multi-factor-authentication-end-user.md).