Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory/authentication/howto-authentication-passwordless-phone.md

@@ -43,7 +43,7 @@ Registration features for passwordless authentication methods rely on the combin
 ### Enable passwordless phone sign-in authentication methods
 
 1. Sign in to the [Azure portal](https://portal.azure.com)
-1. Browse to **Azure AD Security** > **Authentication methods** > **Authentication method policy (Preview)**
+1. Search for and select *Azure Active Directory*. Select **Security** > **Authentication methods** > **Authentication method policy (Preview)**
 1. Under **Passwordless phone sign-in**, choose the following options
    1. **Enable** - Yes or No
    1. **Target** - All users or Select users

articles/active-directory/authentication/howto-mfa-userstates.md

@@ -53,7 +53,7 @@ All users start out *Disabled*. When you enroll users in Azure MFA, their state
 Use the following steps to access the page where you can view and manage user states:
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.
-2. Go to **Azure Active Directory** > **Users and groups** > **All users**.
+2. Search for and select *Azure Active Directory*. Select **Users** > **All users**.
 3. Select **Multi-Factor Authentication**.
    ![Select Multi-Factor Authentication](./media/howto-mfa-userstates/selectmfa.png)
 4. A new page that displays the user states opens.

articles/active-directory/authentication/howto-mfaserver-deploy.md

@@ -99,7 +99,7 @@ If you aren't using the Event Confirmation feature, and your users aren't using
 Follow these steps to download the Azure Multi-Factor Authentication Server from the Azure portal:
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.
-2. Select **Azure Active Directory** > **MFA Server**.
+2. Search for and select *Azure Active Directory*. Select **MFA Server**.
 3. Select **Server settings**.
 4. Select **Download** and follow the instructions on the download page to save the installer. 
 

articles/active-directory/authentication/howto-password-smart-lockout.md

@@ -64,7 +64,8 @@ Based on your organizational requirements, smart lockout values may need to be c
 
 To check or modify the smart lockout values for your organization, use the following steps:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Active Directory** > **Authentication methods** > **Password protection**.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for and select *Azure Active Directory*. Select **Authentication methods** > **Password protection**.
 1. Set the **Lockout threshold**, based on how many failed sign-ins are allowed on an account before its first lockout. The default is 10.
 1. Set the **Lockout duration in seconds**, to the length in seconds of each lockout. The default is 60 seconds (one minute).
 

articles/active-directory/devices/assign-local-admin.md

@@ -47,7 +47,7 @@ To view and update the membership of the global administrator role, see:
 In the Azure portal, you can manage the device administrator role on the **Devices** page. To open the **Devices** page:
 
 1. Sign in to your [Azure portal](https://portal.azure.com) as a global administrator or device administrator.
-1. On the left navbar, click **Azure Active Directory**. 
+1. Search for and select *Azure Active Directory*.
 1. In the **Manage** section, click **Devices**.
 1. On the **Devices** page, click **Device settings**.
 

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -31,8 +31,8 @@ There are many benefits of using Azure AD authentication to log in to Windows VM
 - Azure RBAC allows you to grant the appropriate access to VMs based on need and remove it when it is no longer needed.
 - Before allowing access to a VM, Azure AD Conditional Access can enforce additional requirements such as: 
    - Multi-factor authentication
-   - Sign-in risk
-- Automate and scale Azure AD join for Azure based Windows VMs.
+   - Sign-in risk check
+- Automate and scale Azure AD join of Azure Windows VMs that are part for your VDI deployments.
 
 ## Requirements
 
@@ -65,7 +65,7 @@ To use Azure AD login in for Windows VM in Azure, you need to first enable Azure
 There are multiple ways you can enable Azure AD login for your Windows VM:
 
 - Using the Azure portal experience when creating a Windows VM
-- Using the Azure Cloud Shell experience when creating a Windows VM or for an existing Windows VM
+- Using the Azure Cloud Shell experience when creating a Windows VM **or for an existing Windows VM**
 
 ### Using Azure portal create VM experience to enable Azure AD login
 
@@ -184,6 +184,14 @@ For more information on how to use RBAC to manage access to your Azure subscript
 - [Manage access to Azure resources using RBAC and the Azure portal](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal)
 - [Manage access to Azure resources using RBAC and Azure PowerShell](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-powershell).
 
+## Using Conditional Access
+
+You can enforce Conditional Access policies such as multi-factor authentication or user sign-in risk check before authorizing access to Windows VMs in Azure that are enabled with Azure AD sign in. To apply Conditional Access policy, you must select "Azure Windows VM Sign-In" app from the cloud apps or actions assignment option and then use Sign-in risk as a condition and/or 
+require multi-factor authentication as a grant access control. 
+
+> [!NOTE]
+> If you use "Require multi-factor authentication" as a grant access control for requesting access to "Azure Windows VM Sign-In" app, then you must supply multi-factor authentication claim as part of the client that initiates the RDP session to the target Windows VM in Azure. The only way to achieve this on a Windows 10 client is to use Windows Hello for Business PIN or biometric auth during RDP. Biometric auth for RDP is supported starting Windows 10 1809. Using Windows Hello for Business auth during RDP is only available for deployments that use cert trust model and currently not available for key trust model.
+
 ## Log in using Azure AD credentials to a Windows VM
 
 > [!IMPORTANT]
@@ -334,7 +342,10 @@ If you see the following error message when you initiate a remote desktop connec
 
 ![The sign-in method you're trying to use isn't allowed.](./media/howto-vm-sign-in-azure-ad-windows/mfa-sign-in-method-required.png)
 
-If you have configured a Conditional Access policy that requires MFA to be done before you can access the RBAC resource, then you need to ensure that the Windows 10 PC initiating the remote desktop connection to your VM signs in using a strong authentication method such as Windows Hello. If you do not use a strong authentication method for your remote desktop connection, you will see the following error.
+If you have configured a Conditional Access policy that requires MFA to be done before you can access the RBAC resource, then you need to ensure that the Windows 10 PC initiating the remote desktop connection to your VM signs in using a strong authentication method such as Windows Hello. If you do not use a strong authentication method for your remote desktop connection, you will see the following error. If you have not deployed Windows Hello for Business and if that is not an option for now, you can exlcude MFA requirement by configuring Conditional Access policy that excludes "Azure Windows VM Sign-In" app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see [Windows Hello for Business Overview] (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification).
+
+> [!NOTE]
+> Windows Hello for Business PIN auth during RDP has been supported for long now, however using Biometric auth for RDP is supported starting Windows 10 1809. Using Windows Hello for Business auth during RDP is only available for deployments that use cert trust model and currently not available for key trust model.
  
 ## Preview feedback
 

articles/active-directory/manage-apps/access-panel-extension-problem-installing.md

@@ -1,5 +1,5 @@
 ---
-title: Install the application access panel browser extension - Azure | Microsoft Docs
+title: Install application access panel browser extension - Azure AD
 description: Fix common errors encountered when you install the access panel browser extension.
 services: active-directory
 documentationcenter: ''

articles/active-directory/manage-apps/application-provisioning-config-how-to.md

@@ -1,5 +1,5 @@
 ---
-title: How to configure user provisioning to an Azure AD Gallery application | Microsoft Docs
+title: How to configure user provisioning to an Azure AD Gallery app
 description: How you can quickly configure rich user account provisioning and deprovisioning to applications already listed in the Azure AD Application Gallery
 services: active-directory
 documentationcenter: ''

articles/active-directory/manage-apps/application-provisioning-config-problem-no-users-provisioned.md

@@ -1,5 +1,5 @@
 ---
-title: No users are being provisioned to an Azure AD Gallery application | Microsoft Docs
+title: No users are being provisioned to an Azure AD Gallery application
 description: How to troubleshoot common issues faced when you don't see users appearing in an Azure AD Gallery Application you have configured for user provisioning with Azure AD
 services: active-directory
 documentationcenter: ''

articles/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility.md

@@ -1,5 +1,5 @@
 ---
-title: Known issues and resolutions with SCIM 2.0 protocol compliance of the Azure AD User Provisioning service | Microsoft Docs
+title: Known issues with SCIM 2.0 protocol compliance - Azure AD
 description: How to solve common protocol compatibility issues faced when adding a non-gallery application that supports SCIM 2.0 to Azure AD
 services: active-directory
 documentationcenter: ''