MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 17 additions & 2 deletions b/‎.openpublishing.redirection.json
Lines changed: 17 additions & 2 deletions
diff --git a/‎articles/active-directory-b2c/active-directory-b2c-reference-customize-ui-custom.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/active-directory-b2c-reference-customize-ui-custom.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/authentication/TOC.yml
Lines changed: 6 additions & 0 deletions b/‎articles/active-directory/authentication/TOC.yml
Lines changed: 6 additions & 0 deletions
diff --git a/‎articles/active-directory/authentication/concept-authentication-passwordless.md
Lines changed: 9 additions & 6 deletions b/‎articles/active-directory/authentication/concept-authentication-passwordless.md
Lines changed: 9 additions & 6 deletions
diff --git a/‎articles/active-directory/authentication/concept-mfa-get-started.md
Lines changed: 65 additions & 0 deletions b/‎articles/active-directory/authentication/concept-mfa-get-started.md
Lines changed: 65 additions & 0 deletions
diff --git a/‎articles/active-directory/authentication/concept-mfa-licensing.md
Lines changed: 25 additions & 26 deletions b/‎articles/active-directory/authentication/concept-mfa-licensing.md
Lines changed: 25 additions & 26 deletions
@@ -19196,9 +19196,14 @@
     },
     {
       "source_path": "articles/active-directory/active-directory-passwords.md",
-      "redirect_url": "active-directory-passwords-update-your-own-password",
+      "redirect_url": "/azure/active-directory/user-help/active-directory-passwords-update-your-own-password",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/active-directory/user-help/user-help-reset-password.md",
+      "redirect_url": "/azure/active-directory/user-help/active-directory-passwords-update-your-own-password",
+      "redirect_document_id": false      
+    },
     {
       "source_path": "articles/active-directory/active-directory-protocols-oauth-code.md",
       "redirect_url": "/azure/active-directory/develop/active-directory-protocols-oauth-code",
@@ -41935,7 +41940,12 @@
     },
     {
       "source_path": "articles/iot-central/howto-use-device-groups-pnp.md",
-      "redirect_url": "/azure/iot-central/core/howto-use-device-groups-pnp/",
+      "redirect_url": "/azure/iot-central/core/tutorial-use-device-groups-pnp/",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/core/howto-use-device-groups-pnp.md",
+      "redirect_url": "/azure/iot-central/core/tutorial-use-device-groups-pnp/",
       "redirect_document_id": true
     },
     {
@@ -43297,6 +43307,11 @@
       "source_path": "articles/terraform/terraform-vm-msi.md",
       "redirect_url": "/azure/terraform/terraform-vm-managed-identities-for-azure-resources",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/active-directory/develop/msal-acquire-token-interactively.md",
+      "redirect_url": "/azure/active-directory/develop/msal-acquire-cache-tokens",
+      "redirect_document_id": true
     }
   ]
 }
@@ -39,7 +39,7 @@ You can provide as many content pages as you like by crafting HTML5/CSS files as
 > [!NOTE]
 > For security reasons, the use of JavaScript is currently blocked for customization. 
 
-In each of your HTML5/CSS templates, you provide an *anchor* element, which corresponds to the required `<div id=”api”>` element in the HTML or the content page as illustrate hereafter. Azure AD B2C requires that all content pages have this specific div.
+In each of your HTML5/CSS templates, you provide an *anchor* element, which corresponds to the required `<div id="api">` element in the HTML or the content page as illustrate hereafter. Azure AD B2C requires that all content pages have this specific div.
 
 ```
 <!DOCTYPE html>
 
@@ -43,6 +43,8 @@
     items:
     - name: How MFA works
       href: concept-mfa-howitworks.md
+    - name: Enable MFA
+      href: concept-mfa-get-started.md
     - name: License your users
       href: concept-mfa-licensing.md
     - name: Manage an Auth Provider
@@ -135,6 +137,10 @@
         href: howto-authentication-passwordless-deployment.md
       - name: Passwordless security keys
         href: howto-authentication-passwordless-security-key.md
+      - name: Passwordless Windows 10
+        href: howto-authentication-passwordless-security-key-windows.md
+      - name: Passwordless on-premises
+        href: howto-authentication-passwordless-security-key-on-premises.md
       - name: Passwordless phone sign-in
         href: howto-authentication-passwordless-phone.md
       - name: Windows Hello for Business
 
@@ -25,15 +25,15 @@ Multi-factor authentication (MFA) is a great way to secure your organization, bu
 
 Each organization has different needs when it comes to authentication. Microsoft offers three passwordless authentication options:
 
-- Windows Hello for Business 
-- Microsoft Authenticator app 
+- Windows Hello for Business
+- Microsoft Authenticator app
 - FIDO2 security keys
 
 ![Authentication: Security versus convenience](./media/concept-authentication-passwordless/passwordless-convenience-security.png)
 
-## Windows Hello for Business 
+## Windows Hello for Business
 
-Windows Hello for Business is ideal for information workers who have their own designated Windows PC. The biometric and PIN  are directly tied to the user's PC, which prevents access from anyone other than the owner. With PKI integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a simple and convenient method for seamlessly accessing corporate resources on-premises and in the cloud.
+Windows Hello for Business is ideal for information workers who have their own designated Windows PC. The biometric and PIN are directly tied to the user's PC, which prevents access from anyone other than the owner. With PKI integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a simple and convenient method for seamlessly accessing corporate resources on-premises and in the cloud.
 
 The Windows Hello for Business [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-planning-guide) can be used to help you make decisions on the type of Windows Hello for Business deployment and the options you'll need to consider.
 
@@ -49,7 +49,7 @@ It turns any iOS or Android phone into a strong, passwordless credential by allo
 
 FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. It allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.
 
-For public preview, employees can use external security keys to sign in to their Azure Active Directory Joined Windows 10 machines (running version 1809 or higher) and get single-sign on to their cloud resources. They can also sign in to supported browsers.
+For public preview, employees can use security keys to sign in to their Azure AD or hybrid Azure AD joined Windows 10 devices and get single-sign on to their cloud and on-premises resources. They can also sign in to supported browsers.
 
 ![Sign in to Microsoft Edge with a security key](./media/concept-authentication-passwordless/concept-web-sign-in-security-key.png)
 
@@ -75,6 +75,9 @@ The following providers offer FIDO2 security keys of different form factors that
 | eWBM | [https://www.ewbm.com/page/sub1_5](https://www.ewbm.com/page/sub1_5) |
 | AuthenTrend | [https://authentrend.com/about-us/#pg-35-3](https://authentrend.com/about-us/#pg-35-3) |
 
+> [!NOTE]
+> If you purchase and plan to use NFC based security keys you will need a supported NFC reader.
+
 If you are a vendor and want to get your device on this list, contact [[email protected]](mailto:[email protected]).
 
 FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren’t willing or able to use their phone as a second factor.
@@ -86,7 +89,7 @@ FIDO2 security keys are a great option for enterprises who are very security sen
 - End users can register and manage these passwordless authentication methods in their account portal
 - End users can sign in with these passwordless authentication methods
    - Microsoft Authenticator App: Will work in scenarios where Azure AD authentication is used, including across all browsers, during Windows 10 Out Of Box (OOBE) setup, and with integrated mobile apps on any operating system.
-   - Security keys: Will work on lock screen for Windows 10 version 1809 or higher and the web in supported browsers like Microsoft Edge.
+   - Security keys: Will work on lock screen for Windows 10 and the web in supported browsers like Microsoft Edge.
 
 ## Next steps
 
 
@@ -0,0 +1,65 @@
+---
+title: Enable Multi-Factor Authentication for your organization - Azure Active Directory
+description: Enable Azure MFA for your organization based on your license
+
+services: multi-factor-authentication
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 10/29/2019
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
+ms.reviewer: michmcla
+
+ms.collection: M365-identity-device-management
+---
+# Enable Multi-Factor Authentication for your organization
+
+There are multiple ways to enable Azure Multi-Factor Authentication (MFA) for your Azure Active Directory (AD) users based on the licenses that your organization owns. 
+
+![Investigate signals and enforce MFA if needed](./media/concept-mfa-get-started/verify-signals-and-perform-mfa-if-required.png)
+
+Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.
+
+So how does your organization turn on multi-factor authentication even for free, before becoming a statistic?
+
+## Free option
+
+Customers who are utilizing the free benefits of Azure AD can use [security defaults](../conditional-access/concept-conditional-access-security-defaults.md) to enable multi-factor authentication in their environment.
+
+## Office 365
+
+For customers with Office 365, there are two options:
+
+- [Security defaults](../conditional-access/concept-conditional-access-security-defaults.md) can be enabled through Azure AD to protect all of your users with Azure Multi-Factor Authentication.
+- If your organization requires more granularity in providing multi-factor authentication, your Office licenses include [per-user MFA](../authentication/howto-mfa-userstates.md) capabilities. Per-user MFA is enabled and enforced on each user individually by administrators.
+
+## Azure AD Premium P1
+
+For customers with Azure AD Premium P1 or similar licenses that include this functionality such as Enterprise Mobility + Security E3, Microsoft 365 F1, or Microsoft 365 E3: 
+
+The recommendation is to use [Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md) for the best user experience.
+
+## Azure AD Premium P2
+
+For customers with Azure AD Premium P2 or similar licenses that include this functionality such as Enterprise Mobility + Security E5 or Microsoft 365 E5: 
+
+The recommendation is to use [Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md) along with [Identity Protection](../identity-protection/overview-v2.md) risk policies for the best user experience and enforcement flexibility.
+
+## Authentication methods
+
+|   | Security defaults | All other methods |
+| --- | --- | --- |
+| Notification through mobile app | X | X |
+| Verification code from mobile app or hardware token |   | X |
+| Text message to phone |   | X |
+| Call to phone |   | X |
+| App passwords |   | X** |
+
+** App passwords are only available in per-user MFA with legacy authentication scenarios only if enabled by administrators.
+
+## Next steps
+
+[Azure AD pricing page](https://azure.microsoft.com/pricing/details/active-directory/)
@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 06/03/2018
+ms.date: 10/29/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -24,16 +24,17 @@ When it comes to protecting your accounts, two-step verification should be stand
 
 ## Available versions of Azure Multi-Factor Authentication
 
-The following table describes the differences between three versions of multi-factor authentication:
+The following table describes the differences between versions of multi-factor authentication:
 
 | Version | Description |
 | --- | --- |
-| Multi-Factor Authentication for Office 365 <br> Microsoft 365 Business | This version is managed from the Office 365 or Microsoft 365 portal. Administrators can [secure Office 365 resources with two-step verification](https://support.office.com/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6). This version is part of an Office 365 or Microsoft 365 Business subscription. |
+| Free option | Customers who are utilizing the free benefits of Azure AD can use [security defaults](../conditional-access/concept-conditional-access-security-defaults.md) to enable multi-factor authentication in their environment. |
+| Multi-Factor Authentication for Office 365 | This version is managed from the Office 365 or Microsoft 365 portal. Administrators can [secure Office 365 resources with two-step verification](https://support.office.com/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6). This version is part of an Office 365 subscription. |
 | Multi-Factor Authentication for Azure AD Administrators | Users assigned the Azure AD Global Administrator role in Azure AD tenants can enable two-step verification at no additional cost. |
-| Azure Multi-Factor Authentication | Often referred to as the "full" version, Azure Multi-Factor Authentication offers the richest set of capabilities. It provides additional configuration options via the [Azure portal](https://portal.azure.com), advanced reporting, and support for a range of on-premises and cloud applications. Azure Multi-Factor Authentication is a feature of [Azure Active Directory Premium](https://www.microsoft.com/cloud-platform/azure-active-directory-features). |
+| Azure Multi-Factor Authentication | Often referred to as the "full" version, Azure Multi-Factor Authentication offers the richest set of capabilities. It provides additional configuration options via the [Azure portal](https://portal.azure.com), advanced reporting, and support for a range of on-premises and cloud applications. Azure Multi-Factor Authentication is a feature of [Azure Active Directory Premium](https://www.microsoft.com/cloud-platform/azure-active-directory-features) and [Microsoft 365 Business](https://www.microsoft.com/microsoft-365/business). |
 
 > [!NOTE]
-> New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1st, 2018. Multi-factor authentication will continue to be available as a feature in Azure AD Premium licenses.
+> New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1st, 2018. Multi-factor authentication will continue to be available as a feature in Azure AD Premium or Microsoft 365 Business licenses.
 
 ## Feature comparison of versions
 
@@ -43,24 +44,24 @@ The following table provides a list of the features that are available in the va
 > This comparison table discusses the features that are part of each version of Multi-Factor Authentication. If you have the full Azure Multi-Factor Authentication service, some features may not be available depending on whether you use [MFA in the cloud or MFA on-premises](concept-mfa-whichversion.md).
 >
 
-| Feature | Multi-Factor Authentication for Office 365 | Multi-Factor Authentication for Azure AD Administrators | Azure Multi-Factor Authentication |
-| --- |:---:|:---:|:---:|
-| Protect Azure AD admin accounts with MFA |● |● (Azure AD Global Administrator accounts only) |● |
-| Mobile app as a second factor |● |● |● |
-| Phone call as a second factor |● |● |● |
-| SMS as a second factor |● |● |● |
-| App passwords for clients that don't support MFA |● |● |● |
-| Admin control over verification methods |● |● |● |
-| Protect non-admin accounts with MFA |● | |● |
-| PIN mode | | |● |
-| Fraud alert | | |● |
-| MFA Reports | | |● |
-| One-Time Bypass | | |● |
-| Custom greetings for phone calls | | |● |
-| Custom caller ID for phone calls | | |● |
-| Trusted IPs | | |● |
-| Remember MFA for trusted devices |● |● |● |
-| MFA for on-premises applications | | |● |
+| Feature | Multi-Factor Authentication for Office 365 | Multi-Factor Authentication for Azure AD Administrators | Azure Multi-Factor Authentication | Security defaults | 
+| --- |:---:|:---:|:---:|:---:|
+| Protect Azure AD admin accounts with MFA |● |● (Azure AD Global Administrator accounts only) |● |● |
+| Mobile app as a second factor |● |● |● |● |
+| Phone call as a second factor |● |● |● |   |
+| SMS as a second factor |● |● |● |   |
+| App passwords for clients that don't support MFA |● |● |● |   |
+| Admin control over verification methods |● |● |● |   |
+| Protect non-admin accounts with MFA |● | |● |● |
+| PIN mode | | |● |   |
+| Fraud alert | | |● |   |
+| MFA Reports | | |● |   |
+| One-Time Bypass | | |● |   |
+| Custom greetings for phone calls | | |● |   |
+| Custom caller ID for phone calls | | |● |   |
+| Trusted IPs | | |● |   |
+| Remember MFA for trusted devices |● |● |● |   |
+| MFA for on-premises applications | | |● |   |
 
 > [!IMPORTANT]
 > Starting in March of 2019 the phone call options will not be available to MFA and SSPR users in free/trial Azure AD tenants. SMS messages are not impacted by this change. Phone call will continue to be available to users in paid Azure AD tenants. This change only impacts free/trial Azure AD tenants.
@@ -98,10 +99,8 @@ When using an Azure Multi-Factor Authentication Provider, there are two usage mo
    > Today, the Azure MFA service received 3,105 two-step verification requests. Your Azure subscription is billed for 310.5 authentication packs.
    >
 
-It's important to note that you can have licenses, but still get billed for consumption-based configuration. If you set up a per-authentication Azure MFA Provider, you are billed for every two-step verification request, even those done by users who have licenses. If you set up a per-user Azure MFA Provider on a domain that isn't linked to your Azure AD tenant, you are billed per enabled user even if your users have licenses on Azure AD.
+It's important to note that you can have licenses, but still get billed for consumption-based configuration. If you set up a per-authentication Azure MFA Provider, you are billed for every two-step verification request, even those requests done by users who have licenses. If you set up a per-user Azure MFA Provider on a domain that isn't linked to your Azure AD tenant, you are billed per enabled user even if your users have licenses on Azure AD.
 
 ## Next steps
 
 - For more pricing details, see [Azure MFA Pricing](https://azure.microsoft.com/pricing/details/multi-factor-authentication/).
-
-- Choose whether to deploy Azure MFA [in the cloud or on-premises](concept-mfa-whichversion.md)