Merge branch 'main' into oath-one

Author: Justinha

.openpublishing.redirection.active-directory.json

@@ -11095,6 +11095,11 @@
       "source_path_from_root": "/articles/active-directory/cloud-infrastructure-entitlement-management/product-data-inventory.md",
       "redirect_url": "/azure/active-directory/cloud-infrastructure-entitlement-management/product-data-billable-resources",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/governance/create-access-review-privileged-access-groups.md",
+      "redirect_url": "/azure/active-directory/governance/create-access-review-pim-for-groups",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory-b2c/identity-provider-microsoft-account.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 01/13/2022
+ms.date: 02/13/2023
 ms.custom: project-no-code
 ms.author: godonnell
 ms.subservice: B2C
@@ -51,7 +51,7 @@ To enable sign-in for users with a Microsoft account in Azure Active Directory B
 1. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.
 
    For more information on the different account type selections, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
-1. Under **Redirect URI (optional)**, select **Web** and enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant, and `your-domain-name` with your custom domain.
+1. Under **Redirect URI (optional)**, select **Web** and enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your Azure AD B2C tenant, and `your-domain-name` with your custom domain.
 1. Select **Register**
 1. Record the **Application (client) ID** shown on the application Overview page. You need the client ID when you configure the identity provider in the next section.
 1. Select **Certificates & secrets**

articles/active-directory-b2c/partner-nevis.md

@@ -29,7 +29,7 @@ To get started, you'll need:
 - An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription
 
 >[!NOTE]
->To integrate Nevis into your sign-up policy flow, configure the Azure AD B2C environment to use custom policies. </br>See, [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](/azure/active-directory-b2c/tutorial-create-user-flows).
+>To integrate Nevis into your sign-up policy flow, configure the Azure AD B2C environment to use custom policies. </br>See, [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md).
 
 ## Scenario description
 
@@ -191,4 +191,4 @@ The diagram shows the implementation.
 ## Next steps
 
 - [Custom policies in Azure AD B2C](./custom-policy-overview.md)
-- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)

articles/active-directory/authentication/concept-fido2-hardware-vendor.md

@@ -13,24 +13,18 @@ ms.collection: M365-identity-device-management
 
 # Become a Microsoft-compatible FIDO2 security key vendor
 
-Most hacking related breaches use either stolen or weak passwords. Often, IT will enforce stronger password complexity or frequent password changes to reduce the risk of a security incident. However, this increases help desk costs and leads to poor user experiences as users are required to memorize or store new, complex passwords.
+Most hacking related breaches use either stolen or weak passwords. Often, IT enforce stronger password complexity or frequent password changes to reduce the risk of a security incident. However, this increases help desk costs and leads to poor user experiences as users are required to memorize or store new, complex passwords.
 
-FIDO2 security keys offer an alternative. FIDO2 security keys can replace weak credentials with strong hardware-backed public/private-key credentials which can't be reused, replayed, or shared across services. Security keys support shared device scenarios, allowing you to carry your credential with you and safely authenticate to an Azure Active Directory joined Windows 10 device that’s part of your organization.
+FIDO2 security keys offer an alternative. FIDO2 security keys can replace weak credentials with strong hardware-backed public/private-key credentials that can't be reused, replayed, or shared across services. Security keys support shared device scenarios, allowing you to carry your credential with you and safely authenticate to an Azure Active Directory joined Windows 10 device that’s part of your organization.
 
-Microsoft partners with FIDO2 security key vendors to ensure that security devices work on Windows, the Microsoft Edge browser, and online Microsoft accounts, to enable strong password-less authentication.
+Microsoft partners with FIDO2 security key vendors to ensure that security devices work on Windows, the Microsoft Edge browser, and online Microsoft accounts. FIDO2 security keys enable strong password-less authentication.
 
-You can become a Microsoft-compatible FIDO2 security key vendor through the following process.  Microsoft doesn't commit to do go-to-market activities with the partner and will evaluate partner priority based on customer demand.
+You can become a Microsoft-compatible FIDO2 security key vendor through the following process.  Microsoft doesn't commit to do go-to-market activities with the partner and evaluates partner priority based on customer demand.
 
-1. First, your authenticator needs to have a FIDO2 certification. We won't be able to work with providers who don't have a FIDO2 certification. To learn more about the certification, please visit this website:  [https://fidoalliance.org/certification/](https://fidoalliance.org/certification/)
-2. After you have a FIDO2 certification, please fill in your request to our form here: [https://forms.office.com/r/NfmQpuS9hF](https://forms.office.com/r/NfmQpuS9hF). Our engineering team will only test compatibility of your FIDO2 devices. We won't test security of your solutions.
-3. Once we confirm a move forward to the testing phase, the process usually take about 3-6 months. The steps usually involve:
-    - Initial discussion between Microsoft and your team.
-        - Verify FIDO Alliance Certification or the path to certification if not complete
-        - Receive an overview of the device from the vendor
-    - Microsoft will share our test scripts with you. Our engineering team will be able to answer questions if you have any specific needs.
-    - You'll complete and send all passed results to Microsoft Engineering team
-4. Upon successful passing of all tests by Microsoft Engineering team, Microsoft will confirm vendor's device is listed in [the FIDO MDS](https://fidoalliance.org/metadata/).
-5. Microsoft will add your FIDO2 Security Key on Azure AD backend and to our list of approved FIDO2 vendors.
+1. First, your authenticator needs to have a FIDO2 certification. We aren't able to work with providers who don't have a FIDO2 certification. To learn more about the certification, visit the [FIDO Alliance Certification Overview website](https://fidoalliance.org/certification/).
+2. After you have a FIDO2 certification, [submit a request form](https://forms.office.com/r/NfmQpuS9hF) to become a Microsoft-compatible FIDO2 security key vendor. Our engineering team only confirms the features supported by your FIDO2 devices. We don't retest features already tested as part of the FIDO2 certification and don't evaluate the security of your solutions. The process usually takes a few weeks to complete.
+3. After the engineering team successfully confirmed the feature list, we'll confirm vendor's device is listed in the [FIDO Alliance Metadata Service](https://fidoalliance.org/metadata/).
+4. Microsoft adds your FIDO2 Security Key on Azure Active Directory backend and to our list of approved FIDO2 vendors.
 
 ## Current partners
 
@@ -64,14 +58,10 @@ The following table lists partners who are Microsoft-compatible FIDO2 security k
 | VinCSS                    | ![n]              | ![y]| ![n]| ![n]| ![n]           | https://passwordless.vincss.net                                                                     |
 | Yubico                    | ![y]              | ![y]| ![y]| ![n]| ![y]           | https://www.yubico.com/solutions/passwordless/                                                      |
 
-
-
 <!--Image references-->
 [y]: ./media/fido2-compatibility/yes.png
 [n]: ./media/fido2-compatibility/no.png
 
-
 ## Next steps
 
 [FIDO2 Compatibility](fido2-compatibility.md)
-

articles/active-directory/authentication/feature-availability.md

@@ -8,10 +8,11 @@ ms.subservice: authentication
 ms.topic: conceptual
 ms.date: 01/29/2023
 
+
 ms.author: justinha
 author: justinha
-manager: daveba
-ms.reviewer: michmcla
+manager: amycolannino
+ms.reviewer: mattsmith
 ms.collection: M365-identity-device-management
 ---
 
@@ -28,8 +29,9 @@ This following tables list Azure AD feature availability in Azure Government.
 |**Authentication, single sign-on, and MFA**|Cloud authentication (Pass-through authentication, password hash synchronization) | ✅ |
 || Federated authentication (Active Directory Federation Services or federation with other identity providers) | ✅ |
 || Single sign-on (SSO) unlimited | ✅ | 
-|| Multifactor authentication (MFA) <sup>1</sup>| &#x2705; | 
+|| Multifactor authentication (MFA) | &#x2705; | 
 || Passwordless (Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations) | &#x2705; | 
+|| Certificate-based authentication | &#x2705; | 
 || Service-level agreement | &#x2705; | 
 |**Applications access**|SaaS apps with modern authentication (Azure AD application gallery apps, SAML, and OAUTH 2.0) | &#x2705; | 
 || Group assignment to applications | &#x2705; | 
@@ -42,6 +44,7 @@ This following tables list Azure AD feature availability in Azure Government.
 || Session lifetime management | &#x2705; | 
 || Identity Protection (vulnerabilities and risky accounts) | See [Identity protection](#identity-protection) below. | 
 || Identity Protection (risk events investigation, SIEM connectivity) | See [Identity protection](#identity-protection) below. | 
+|| Entra permissions management | &#10060; | 
 |**Administration and hybrid identity**|User and group management | &#x2705; | 
 || Advanced group management (Dynamic groups, naming policies, expiration, default classification) | &#x2705; | 
 || Directory synchronization—Azure AD Connect (sync and cloud sync) | &#x2705; | 
@@ -50,6 +53,7 @@ This following tables list Azure AD feature availability in Azure Government.
 || Global password protection and management – cloud-only users | &#x2705; | 
 || Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory | &#x2705; | 
 || Microsoft Identity Manager user client access license (CAL) | &#x2705; | 
+|| Entra workload identities | &#10060; | 
 |**End-user self-service**|Application launch portal (My Apps) | &#x2705; | 
 || User application collections in My Apps | &#x2705; |
 || Self-service account management portal (My Account) | &#x2705; |
@@ -65,26 +69,26 @@ This following tables list Azure AD feature availability in Azure Government.
 || Access certifications and reviews | &#x2705; |
 || Entitlement management | &#x2705; |
 || Privileged Identity Management (PIM), just-in-time access |  &#x2705; |
+|| Entra governance | &#10060; |
 |**Event logging and reporting**|Basic security and usage reports | &#x2705; |
 || Advanced security and usage reports | &#x2705; |
 || Identity Protection: vulnerabilities and risky accounts | &#x2705; |
 || Identity Protection: risk events investigation, SIEM connectivity | &#x2705; |
-|**Frontline workers**|SMS sign-in | Feature not available. |
+|**Frontline workers**|SMS sign-in | &#x2705; |
 || Shared device sign-out | Enterprise state roaming for Windows 10 devices isn't available. |
-|| Delegated user management portal (My Staff) | Feature not available. |
+|| Delegated user management portal (My Staff) | &#10060; |
 
-<sup>1</sup>Microsoft Authenticator only shows GUID and not UPN for compliance reasons.
 
 ## Identity protection
 
 | Risk Detection | Availability |
 |----------------|:--------------------:|
 |Leaked credentials (MACE) | &#x2705; |
-|Azure AD threat intelligence | Feature not available. |
+|Azure AD threat intelligence | &#10060; |
 |Anonymous IP address | &#x2705; | 
 |Atypical travel | &#x2705; |
-|Anomalous Token | Feature not available. |
-|Token Issuer Anomaly| Feature not available. |
+|Anomalous Token | &#x2705; |
+|Token Issuer Anomaly| &#x2705; |
 |Malware linked IP address | &#x2705; |
 |Suspicious browser | &#x2705; |
 |Unfamiliar sign-in properties | &#x2705; |
@@ -96,7 +100,6 @@ This following tables list Azure AD feature availability in Azure Government.
 |New country | &#x2705; |
 |Activity from anonymous IP address | &#x2705; |
 |Suspicious inbox forwarding | &#x2705; |
-|Azure AD threat intelligence | Feature not available. |
 |Additional risk detected | &#x2705; |
 
 

articles/active-directory/authentication/how-to-certificate-based-authentication.md

@@ -41,7 +41,7 @@ Make sure that the following prerequisites are in place:
 
 ## Steps to configure and test Azure AD CBA
 
-Some configuration steps to be done before you enable Azure AD CBA. First, an admin must configure the trusted CAs that issue user certificates. As seen in the following diagram, we use role-based access control to make sure only least-privileged administrators are needed to make changes. Only the [Privileged Authentication Administrator](../roles/permissions-reference.md#privileged-authentication-administrator) role can configure the CA.
+Some configuration steps to be done before you enable Azure AD CBA. First, an admin must configure the trusted CAs that issue user certificates. As seen in the following diagram, we use role-based access control to make sure only least-privileged administrators are needed to make changes. Only the [Global Administrator](../roles/permissions-reference.md#global-administrator) role can configure the CA.
 
 Optionally, you can also configure authentication bindings to map certificates to single-factor or multifactor authentication, and configure username bindings to map the certificate field to an attribute of the user object. [Authentication Policy Administrators](../roles/permissions-reference.md#authentication-policy-administrator) can configure user-related settings. Once all the configurations are complete, enable Azure AD CBA on the tenant. 
 

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/09/2023
+ms.date: 02/10/2023
 ms.author: justinha
 author: justinha
 ms.collection: M365-identity-device-management
@@ -366,13 +366,13 @@ Regardless of their default method, any user who is prompted to sign-in with Aut
 
 No, number matching isn't enforced because it's not a supported feature for MFA Server, which is [deprecated](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454).
 
-### What happens if a user runs an older version of Microsoft Authenticator?
+### What happens if a user runs an older version of Microsoft Authenticator?  
 
-If a user is running an older version of Microsoft Authenticator that doesn't support number matching, authentication won't work if number matching is enabled. Users need to upgrade to the latest version of Microsoft Authenticator to use it for sign-in.  
+If a user is running an older version of Microsoft Authenticator that doesn't support number matching, authentication won't work if number matching is enabled. Users need to upgrade to the latest version of Microsoft Authenticator to use it for sign-in if they use Android versions prior to 6.2006.4198, or iOS versions prior to 6.4.12.
 
-### Why is my user prompted to tap on one out of three numbers instead of entering the number in their Microsoft Authenticator app?
+### Why is my user prompted to tap on one of three numbers rather than enter the number in their Microsoft Authenticator app?
 
-Older versions of Microsoft Authenticator prompt users to tap and select a number instead of entering the number in their Microsoft Authenticator app. These authentications won't fail, but we highly recommend that users update to the latest version of the app to be able to enter the number. 
+Older versions of Microsoft Authenticator prompt users to tap and select a number rather than enter the number in Microsoft Authenticator. These authentications won't fail, but Microsoft highly recommends that users upgrade to the latest version of Microsoft Authenticator if they use Android versions prior to 6.2108.5654, or iOS versions prior to 6.5.82, so they can use number match.
 
 ## Next steps
 

articles/active-directory/authentication/how-to-mfa-registration-campaign.md

@@ -16,6 +16,7 @@ manager: amycolannino
 ms.collection: M365-identity-device-management
 #Customer intent: As an identity administrator, I want to encourage users to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.
 ---
+
 # How to run a registration campaign to set up Microsoft Authenticator - Microsoft Authenticator
 
 You can nudge users to set up Microsoft Authenticator during sign-in. Users will go through their regular sign-in, perform multifactor authentication as usual, and then be prompted to set up Microsoft Authenticator. You can include or exclude users or groups to control who gets nudged to set up the app. This allows targeted campaigns to move users from less secure authentication methods to the Authenticator app.  
@@ -40,8 +41,7 @@ In addition to choosing who can be nudged, you can define how many days a user c
 
 1. User taps **Next** and steps through the Authenticator app setup. 
    1. First download the app.  
-
-      ![User downloads Microsoft Authenticator](./media/how-to-nudge-authenticator-app/download.png)
+   ![User downloads Microsoft Authenticator](media/how-to-mfa-registration-campaign/user-downloads-microsoft-authenticator.png)
 
    1. See how to set up the Authenticator app. 
 
@@ -264,7 +264,6 @@ Nudge is available only on browsers and not on applications.
 **How long will the campaign run for?** 
 
 You can use the APIs to enable the campaign for as long as you like. Whenever you want to be done running the campaign, simply use the APIs to disable the campaign.  
- 
 **Can each group of users have a different snooze duration?** 
 
 No. The snooze duration for the prompt is a tenant-wide setting and applies to all groups in scope. 
@@ -312,3 +311,4 @@ A nudge won't appear if a user is in scope for a conditional access policy that
 ## Next steps
 
 [Enable passwordless sign-in with Microsoft Authenticator](howto-authentication-passwordless-phone.md)
+

articles/active-directory/authentication/media/how-to-mfa-registration-campaign/user-downloads-microsoft-authenticator.png

@@ -63,7 +63,7 @@ On Windows 7, iOS, Android, macOS, and some third-party web browsers, Azure AD i
 
 #### Subscription activation
 
-Organizations that use the [Subscription Activation](/windows/deployment/windows-10-subscription-activation) feature to enable users to “step-up” from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their device compliance policy.
+Organizations that use the [Subscription Activation](/windows/deployment/windows-10-subscription-activation) feature to enable users to “step-up” from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their Conditional Access policy.
 
 ## Next steps