
Commit e4e46c4

Merge pull request #77477 from MicrosoftGuyJFlo/FixesFromPRMergerPR76998
[Azure AD] Conditional access - Fixes from PRMerger
2 parents 04632ee + 5722589 commit e4e46c4

5 files changed

+32
-32
lines changed


articles/active-directory/conditional-access/concept-baseline-protection.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@ Baseline policies are a set of predefined policies that help protect organizat
2121

2222
Managing customized conditional access policies requires an Azure AD Premium license.
2323

24-
## Baseline Policies
24+
## Baseline policies
2525

2626
![Conditional access baseline policies in the Azure portal](./media/concept-baseline-protection/conditional-access-baseline-policies.png)
2727

@@ -82,9 +82,9 @@ To protect privileged actions, this **Require MFA for service management (previe
8282
To enable a baseline policy:
8383

8484
1. Sign in to the **Azure portal** as global administrator, security administrator, or conditional access administrator.
85-
1. Browse to **Azure Active Directory** > **Conditional Access**
86-
1. In the list of policies, select a baseline policy you’d like to enable
87-
1. Set **Enable policy** to **On**
85+
1. Browse to **Azure Active Directory** > **Conditional Access**.
86+
1. In the list of policies, select a baseline policy you’d like to enable.
87+
1. Set **Enable policy** to **On**.
8888
1. Click Save.
8989

9090
## Next steps
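Review bot: The unchanged step at line 88, `1. Click Save.`, is now the only item in this list whose control name is not bolded; the same step in the other four articles in this PR reads `1. Click **Save**.`. Since this hunk already touches the punctuation of steps 85-87, suggest bolding **Save** here too so the list matches the rest of the set.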

articles/active-directory/conditional-access/howto-baseline-protect-administrators.md

Lines changed: 6 additions & 6 deletions
@@ -34,11 +34,11 @@ Upon enabling the Require MFA for admins policy, the above nine administrator ro
3434

3535
![Require MFA for admins baseline policy](./media/howto-baseline-protect-administrators/baseline-policy-require-mfa-for-admins.png)
3636

37-
## Deployment Considerations
37+
## Deployment considerations
3838

3939
Because the **Require MFA for admins** policy applies to all critical administrators, several considerations need to be made to ensure a smooth deployment. These considerations include identifying users and service principles in Azure AD that cannot or should not perform MFA, as well as applications and clients used by your organization that do not support modern authentication.
4040

41-
### Legacy Protocols
41+
### Legacy protocols
4242

4343
Legacy authentication protocols (IMAP, SMTP, POP3, etc.) are used by mail clients to make authentication requests. These protocols do not support MFA. Most of the account compromises seen by Microsoft are caused by bad actors performing attacks against legacy protocols attempting to bypass MFA. To ensure that MFA is required when logging into an administrative account and bad actors aren’t able to bypass MFA, this policy blocks all authentication requests made to administrator accounts from legacy protocols.
4444
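Review bot: Unchanged context at line 39 reads `users and service principles in Azure AD`; the Azure AD object type is a service principal, so this should be `service principals`. The misspelling recurs in the exclusion lists further down this file and in the Azure and end-user articles in this PR. It is a one-word fix in a paragraph this hunk already encloses, so worth taking now rather than in a follow-up.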

@@ -50,7 +50,7 @@ Legacy authentication protocols (IMAP, SMTP, POP3, etc.) are used by mail client
5050
This baseline policy provides you the option to exclude users. Before enabling the policy for your tenant, we recommend excluding the following accounts:
5151

5252
* **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
53-
* More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md)
53+
* More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md).
5454
* **Service accounts** and **service principles**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services and allow programmatic access to applications. Service accounts should be excluded since MFA can’t be completed programmatically.
5555
* If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
5656
* Users who do not have or will not be able to use a smart phone.
@@ -63,9 +63,9 @@ The policy **Baseline policy: Require MFA for admins** comes pre-configured and
6363
To enable this policy and protect your administrators:
6464

6565
1. Sign in to the **Azure portal** as global administrator, security administrator, or conditional access administrator.
66-
1. Browse to **Azure Active Directory** > **Conditional Access**
67-
1. In the list of policies, select **Baseline policy: Require MFA for admins**
68-
1. Set **Enable policy** to **Use policy immediately**
66+
1. Browse to **Azure Active Directory** > **Conditional Access**.
67+
1. In the list of policies, select **Baseline policy: Require MFA for admins**.
68+
1. Set **Enable policy** to **Use policy immediately**.
6969
1. Add any user exclusions by clicking on **Users** > **Select excluded users** and choosing the users that need to be excluded. Click **Select** then **Done**.
7070
1. Click **Save**.
7171
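Review bot: Step 4 at line 68 sets the policy to `Use policy immediately` before step 5 at line 69 adds the exclusions that the Deployment considerations section says must be in place (break-glass and service accounts). Nothing is committed until **Save** at line 70, so the outcome is correct, but a reader working through the list literally may not realise the exclusions have to be chosen before that save. Suggest either moving the exclusions step ahead of step 4 or adding a short sentence that the setting takes effect only on Save. The same ordering appears in the other three how-to articles in this PR.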

articles/active-directory/conditional-access/howto-baseline-protect-azure.md

Lines changed: 5 additions & 5 deletions
@@ -47,7 +47,7 @@ az login
4747

4848
If the CLI can open your default browser, it will do so and load a sign-in page. Otherwise, you need to open a browser page and follow the instructions on the command line to enter an authorization code after navigating to [https://aka.ms/devicelogin](https://aka.ms/devicelogin) in your browser. Afterwards, sign in with your account credentials in the browser.
4949

50-
## Deployment Considerations
50+
## Deployment considerations
5151

5252
Because the **Require MFA for service management** policy applies to all Azure Resource Manager users, several considerations need to be made to ensure a smooth deployment. These considerations include identifying users and service principles in Azure AD that cannot or should not perform MFA, as well as applications and clients used by your organization that do not support modern authentication.
5353

@@ -56,7 +56,7 @@ Because the **Require MFA for service management** policy applies to all Azure R
5656
This baseline policy provides you the option to exclude users. Before enabling the policy for your tenant, we recommend excluding the following accounts:
5757

5858
* **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
59-
* More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md)
59+
* More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md).
6060
* **Service accounts** and **service principles**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services and allow programmatic access to applications. Service accounts should be excluded since MFA can’t be completed programmatically.
6161
* If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
6262
* Users who do not have or will not be able to use a smart phone.
@@ -69,9 +69,9 @@ The policy **Baseline policy: Require MFA for service management (preview)** com
6969
To enable this policy and protect your administrators:
7070

7171
1. Sign in to the **Azure portal** as global administrator, security administrator, or conditional access administrator.
72-
1. Browse to **Azure Active Directory** > **Conditional Access**
73-
1. In the list of policies, select **Baseline policy: Require MFA for service management (preview)**
74-
1. Set **Enable policy** to **Use policy immediately**
72+
1. Browse to **Azure Active Directory** > **Conditional Access**.
73+
1. In the list of policies, select **Baseline policy: Require MFA for service management (preview)**.
74+
1. Set **Enable policy** to **Use policy immediately**.
7575
1. Add any user exclusions by clicking on **Users** > **Select excluded users** and choosing the users that need to be excluded. Click **Select** then **Done**.
7676
1. Click **Save**.
7777
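Review bot: The list intro at line 70, `To enable this policy and protect your administrators:`, looks carried over from the admins article. Line 52 of this file says the **Require MFA for service management** policy applies to all Azure Resource Manager users, not only administrators, so suggest something like `To enable this policy and protect Azure management actions:`.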

articles/active-directory/conditional-access/howto-baseline-protect-end-users.md

Lines changed: 7 additions & 7 deletions
@@ -28,7 +28,7 @@ End user protection is a risk-based MFA [baseline policy](concept-baseline-prote
2828
> [!NOTE]
2929
> This policy applies to all users including guest accounts and will be evaluated when logging into all applications.
3030
31-
## Recovering Compromised Accounts
31+
## Recovering compromised accounts
3232

3333
To help protect our customers, Microsoft’s leaked credential service finds publicly available username/password pairs. If they match one of our users, we help secure that account immediately. Users identified as having a leaked credential are confirmed compromised. These users will be blocked from signing in until their password is reset.
3434

@@ -46,11 +46,11 @@ Confirm that the user has been blocked by the policy by examining the user’s s
4646

4747
The user can now sign in, reset their password, and access the application.
4848

49-
## Deployment Considerations
49+
## Deployment considerations
5050

5151
Because the **End user protection** policy applies to all users in your directory, several considerations need to be made to ensure a smooth deployment. These considerations include identifying users and service principles in Azure AD that cannot or should not perform MFA, as well as applications and clients used by your organization that do not support modern authentication.
5252

53-
### Legacy Protocols
53+
### Legacy protocols
5454

5555
Legacy authentication protocols (IMAP, SMTP, POP3, etc.) are used by mail clients to make authentication requests. These protocols do not support MFA. Most of the account compromises seen by Microsoft are caused by bad actors performing attacks against legacy protocols attempting to bypass MFA. To ensure that MFA is required when logging into an account and bad actors aren’t able to bypass MFA, this policy blocks all authentication requests made to administrator accounts from legacy protocols.
5656
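Review bot: The last sentence of line 55 says this policy `blocks all authentication requests made to administrator accounts from legacy protocols`, but line 51 in this hunk states that the **End user protection** policy applies to all users in the directory. The sentence appears to be copied from the admins article; suggest `made to user accounts from legacy protocols` so the scope matches the rest of the section.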

@@ -62,7 +62,7 @@ Legacy authentication protocols (IMAP, SMTP, POP3, etc.) are used by mail client
6262
This baseline policy provides you the option to exclude users. Before enabling the policy for your tenant, we recommend excluding the following accounts:
6363

6464
* **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
65-
* More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md)
65+
* More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md).
6666
* **Service accounts** and **service principles**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services and allow programmatic access to applications. Service accounts should be excluded since MFA can’t be completed programmatically.
6767
* If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
6868
* Users who do not have or will not be able to use a smart phone.
@@ -75,9 +75,9 @@ The policy **Baseline policy: End user protection (preview)** comes pre-configur
7575
To enable this policy and protect your administrators:
7676

7777
1. Sign in to the **Azure portal** as global administrator, security administrator, or conditional access administrator.
78-
1. Browse to **Azure Active Directory** > **Conditional Access**
79-
1. In the list of policies, select **Baseline policy: End user protection (preview)**
80-
1. Set **Enable policy** to **Use policy immediately**
78+
1. Browse to **Azure Active Directory** > **Conditional Access**.
79+
1. In the list of policies, select **Baseline policy: End user protection (preview)**.
80+
1. Set **Enable policy** to **Use policy immediately**.
8181
1. Add any user exclusions by clicking on **Users** > **Select excluded users** and choosing the users that need to be excluded. Click **Select** then **Done**.
8282
1. Click **Save**.
8383
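Review bot: Line 76 introduces the steps with `To enable this policy and protect your administrators:` in the End user protection article. This policy covers all users (including guests, per the note earlier in the file), so suggest `To enable this policy and protect your users:`.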

articles/active-directory/conditional-access/howto-baseline-protect-legacy-auth.md

Lines changed: 10 additions & 10 deletions
@@ -34,21 +34,21 @@ The best way to protect your account from malicious authentication requests made
3434

3535
Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory. Azure AD sign-in logs can be used to understand if you’re using legacy authentication.
3636

37-
1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-ins**
37+
1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-ins**.
3838
1. Add the Client App column if it is not shown by clicking on **Columns** > **Client App**.
3939
1. Filter by **Client App** > **Other Clients** and click **Apply**.
4040

4141
Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you additional details. The **Client App** field under the **Basic Info** tab will indicate which legacy authentication protocol was used.
4242

4343
These logs will indicate which users are still depending on legacy authentication and which applications are using legacy protocols to make authentication requests. For users that do not appear in these logs and are confirmed to not be using legacy authentication, implement a conditional access policy or enable the **Baseline policy: block legacy authentication** for these users only.
4444

45-
## Moving Away from Legacy Authentication
45+
## Moving away from legacy authentication
4646

4747
Once you have a better idea of who is using legacy authentication in your directory and which applications depend on it, the next step is upgrading your users to use modern authentication. Modern authentication is a method of identity management that offers more secure user authentication and authorization. If you have an MFA policy in place on your directory, modern authentication ensures that the user is prompted for MFA when required. It is the more secure alternative to legacy authentication protocols.
4848

4949
This section gives a step-by-step overview on how to update your environment to modern authentication. Read through the steps below before enabling a legacy authentication blocking policy in your organization.
5050

51-
### Step 1: Enable Modern Authentication in your directory
51+
### Step 1: Enable modern authentication in your directory
5252

5353
The first step in enabling modern authentication is making sure your directory supports modern authentication. Modern authentication is enabled by default for directories created on or after August 1, 2017. If your directory was created prior to this date, you’ll need to manually enable modern authentication for your directory using the following steps:
5454
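Review bot: Line 43 refers to `**Baseline policy: block legacy authentication**` (lowercase `block`, no `(preview)` suffix) while the enable procedure at the end of this file selects `**Baseline policy: Block legacy authentication (preview)**`. Readers match these against the portal list, so the bolded name should be identical in both places; suggest aligning line 43 with the later form.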

@@ -57,7 +57,7 @@ The first step in enabling modern authentication is making sure your directory s
5757

5858
Be sure to complete this step before moving forward. It’s critical that your directory configurations are changed first because they dictate which protocol will be used by all Office clients. Even if you’re using Office clients that support modern authentication, they will default to using legacy protocols if modern authentication is disabled on your directory.
5959

60-
### Step 2: Enable Modern authentication for Office Applications
60+
### Step 2: Office applications
6161

6262
Once you have enabled modern authentication in your directory, you can start updating applications by enabling modern authentication for Office clients. Office 2016 or later clients support modern authentication by default. No extra steps are required.
6363
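Review bot: Shortening line 60 from `Step 2: Enable Modern authentication for Office Applications` to `Step 2: Office applications` drops the verb, so the heading no longer says what the reader is meant to do, and it stops reading as a parallel series with `Step 1: Enable modern authentication in your directory` at line 51 of this file. Suggest `Step 2: Enable modern authentication for Office applications`, which keeps the sentence-case fix this PR is making; the same applies to the Step 3 and Step 6 headings later in this file.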

@@ -67,7 +67,7 @@ Office 2010 does not support modern authentication. You will need to upgrade any
6767

6868
If you are using MacOS, we recommend upgrading to Office for Mac 2016 or later. If you are using the native mail client, you will need to have MacOS version 10.14 or later on all devices.
6969

70-
### Step 3: Enabling modern authentication for Exchange and SharePoint
70+
### Step 3: Exchange and SharePoint
7171

7272
For Windows-based Outlook clients to use modern authentication, Exchange Online must be modern authentication enabled as well. If modern authentication is disabled for Exchange Online, Windows-based Outlook clients that support modern authentication (Outlook 2013 or later) will use basic authentication to connect to Exchange Online mailboxes.
7373

@@ -81,13 +81,13 @@ To enable modern authentication in Skype for Business, we suggest you transition
8181

8282
In addition to enabling modern authentication for Skype for Business Online, we recommend modern authentication be enabled for Exchange Online when enabling modern authentication for Skype for Business. This process will help synchronize the state of modern authentication in Exchange Online and Skype for Business online and will prevent multiple sign-in prompts for Skype for Business clients.
8383

84-
### Step 5: Using Mobile Devices
84+
### Step 5: Using mobile devices
8585

8686
Applications on your mobile device need to block legacy authentication as well. We recommend using Outlook for Mobile. Outlook Mobile supports modern authentication by default and will satisfy other MFA baseline protection policies.
8787

8888
In order to use the native iOS mail client, you will need to be running iOS version 11.0 or later to ensure the mail client has been updated to block legacy authentication.
8989

90-
### Step 6: Enable Modern Authentication for On-Premises Clients
90+
### Step 6: On-premises clients
9191

9292
If you are a hybrid customer using Exchange Server on-premises and Skype for Business on-premises, both services will need to be updated to enable modern authentication. When using modern authentication in a hybrid environment, you’re still authenticating users on-premises. The story of authorizing their access to resources (files or emails) changes.
9393
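Review bot: Within this single hunk the two headings now follow different patterns: line 84 keeps its verb (`Step 5: Using mobile devices`) while line 90 is cut to a bare noun phrase (`Step 6: On-premises clients`). Pick one form for the whole numbered sequence; given Step 1 and Step 5 both keep a verb, suggest `Step 6: Enable modern authentication for on-premises clients`.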

@@ -105,9 +105,9 @@ The policy **Baseline policy: Block legacy authentication (preview)** comes pre-
105105
To enable this policy and protect your administrators:
106106

107107
1. Sign in to the **Azure portal** as global administrator, security administrator, or conditional access administrator.
108-
1. Browse to **Azure Active Directory** > **Conditional Access**
109-
1. In the list of policies, select **Baseline policy: Block legacy authentication (preview)**
110-
1. Set **Enable policy** to **Use policy immediately**
108+
1. Browse to **Azure Active Directory** > **Conditional Access**.
109+
1. In the list of policies, select **Baseline policy: Block legacy authentication (preview)**.
110+
1. Set **Enable policy** to **Use policy immediately**.
111111
1. Add any user exclusions by clicking on **Users** > **Select excluded users** and choosing the users that need to be excluded. Click **Select** then **Done**.
112112
1. Click **Save**.
113113
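Review bot: Line 106, `To enable this policy and protect your administrators:`, is the admins-article intro reused in the Block legacy authentication article; line 35 of this file frames the policy around `your users` and their apps. Suggest `To enable this policy and block legacy authentication:` so the intro matches the policy being enabled.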
