Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into yelevin/atomic-incidents

Author: yelevin

.openpublishing.redirection.active-directory.json

@@ -4416,6 +4416,11 @@
       "redirect_url": "/azure/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/reference-reports-latencies.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/reference-azure-ad-sla-performance",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/customize-branding.md",
       "redirect_url": "/azure/active-directory/fundamentals/customize-branding",

.openpublishing.redirection.azure-monitor.json

@@ -25,6 +25,11 @@
             "redirect_url": "/azure/azure-monitor/change/change-analysis",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/legacy-pricing.md",
+            "redirect_url": "/azure/azure-monitor/best-practices-cost",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/app/snapshot-debugger.md",
             "redirect_url": "/azure/azure-monitor/snapshot-debugger/snapshot-debugger",

.openpublishing.redirection.json

@@ -13444,16 +13444,6 @@
             "redirect_url": "/azure/logic-apps/logic-apps-exception-handling",
             "redirect_document_id": false
         },
-        {
-            "source_path_from_root": "/articles/machine-learning/tutorial-power-bi-automated-model.md",
-            "redirect_url": "/azure/machine-learning/tutorial-power-bi-custom-model",
-            "redirect_document_id": false
-        },
-        {
-            "source_path_from_root": "/articles/machine-learning/tutorial-power-bi-designer-model.md",
-            "redirect_url": "/azure/machine-learning/tutorial-power-bi-custom-model",
-            "redirect_document_id": false
-        },
         {
             "source_path_from_root": "/articles/event-grid/cli-samples.md",
             "redirect_url": "/azure/event-grid/scripts/event-grid-cli-subscribe-custom-topic",
@@ -22671,6 +22661,11 @@
             "redirect_URL": "/azure/route-server/tutorial-protect-route-server-ddos",
             "redirect_document_id": false
         },
+        {
+            "source_path": "articles/external-attack-surface-management/data-connections-overview.md",
+            "redirect_URL": "/azure/external-attack-surface-management/index",
+            "redirect_document_id": true
+        },
         {
             "source_path": "articles/virtual-network/nat-gateway/tutorial-protect-nat-gateway.md",
             "redirect_URL": "/azure/virtual-network/nat-gateway/tutorial-protect-nat-gateway-ddos",

articles/active-directory/authentication/certificate-based-authentication-faq.yml

@@ -120,9 +120,15 @@ sections:
           The browser caches the certificate after the certificate picker appears. If the user retries, the cached certificate is used automatically. The user should close the browser, and reopen a new session to try CBA again.          
 
       - question: |
-          Why can't single-factor certificates be used to complete MFA?
+          Why does not proof up for registering other auth methods come up when I use single factor certificates?
         answer: |
-          There's no support for a second factor when the first factor is a single-factor certificate. We're working to add support for second factors.
+          A user will be considered MFA capable when a user is in scope for Certificate-based authentication auth method. This means user will not be able to use proof up as part of their authentication to registerd other available methods and should have MFA via another method to register other available auth methods.
+          
+      - question: |
+          How can I use single-factor certificates to complete MFA?
+        answer: |
+          We have support for single factor CBA to get MFA. CBA SF + PSI (passwordless phone sign in) and CBA SF + FIDO2 are the two supported combinations to get MFA using single factor certificates.
+          [MFA with single factor certificates](../authentication/concept-certificate-based-authentication-technical-deep-dive.md#mfa-authentication-flow-using-single-factor-certificates-and-passwordless-sign-in) 
           
       - question: |
           Will the changes to the Authentication methods policy take effect immediately?

articles/active-directory/authentication/concept-authentication-phone-options.md

@@ -30,7 +30,7 @@ To work properly, phone numbers must be in the format *+CountryCode PhoneNumber*
 > [!NOTE]
 > There needs to be a space between the country/region code and the phone number.
 >
-> Password reset doesn't support phone extensions. Even in the *+1 4251234567X12345* format, extensions are removed before the call is placed.
+> Password reset and Azure AD Multi-Factor Authentication don't support phone extensions. Even in the *+1 4251234567X12345* format, extensions are removed before the call is placed.
 
 ## Mobile phone verification
 

articles/active-directory/authentication/concept-certificate-based-authentication-migration.md

@@ -39,6 +39,9 @@ To configure Staged Rollout, follow these steps:
 
 For more information, see [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md).
 
+>[!NOTE]
+> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Azure AD. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail.
+
 ## Use Azure AD connect to update certificateUserIds attribute
 
 An AD FS admin can use **Synchronization Rules Editor** to create rules to sync the values of attributes from AD FS to Azure AD user objects. For more information, see [Sync rules for certificateUserIds](concept-certificate-based-authentication-certificateuserids.md#update-certificate-user-ids-using-azure-ad-connect).

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -72,9 +72,12 @@ Now we'll walk through each step:
 1. Azure AD completes the sign-in process by sending a primary refresh token back to indicate successful sign-in.
 1. If the user sign-in is successful, the user can access the application.
 
-## Single-factor certificate-based authentication
+## MFA with Single-factor certificate-based authentication
 
-Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates. Users can use either passwordless sign-in or FIDO2 security keys as second factors when the first factor is single-factor CBA. Users need to register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
+Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates. Users can use either passwordless sign-in or FIDO2 security keys as second factors when the first factor is single-factor CBA. Users need to have another way to get MFA and register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
+
+>[!IMPORTANT]
+>A user will be considered MFA capable when a user is in scope for Certificate-based authentication auth method. This means user will not be able to use proof up as part of their authentication to registerd other available methods. More info on [Azure AD MFA](../authentication/concept-mfa-howitworks.md)
 
 **Steps to set up passwordless phone signin(PSI) with CBA**
 

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -4,9 +4,9 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/31/2023
+ms.date: 02/03/2023
 ms.author: justinha
-author: mjsantani
+author: justinha
 ms.collection: M365-identity-device-management
 
 # Customer intent: As an identity administrator, I want to encourage users to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.
@@ -305,7 +305,7 @@ GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationM
 
 ### When will my tenant see number matching if I don't use the Azure portal or Graph API to roll out the change?
 
-Number match will be enabled for all users of Microsoft Authenticator after February 27, 2023. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all your users, we highly recommend you use the Azure portal or Graph API to roll out number match for all Microsoft Authenticator users. 
+Number match will be enabled for all users of Microsoft Authenticator push notifications after February 27, 2023. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all your users, we highly recommend you use the Azure portal or Graph API to roll out number match for all Microsoft Authenticator users. 
 
 ### Will the changes after February 27th, 2023, override number matching settings that are configured for a group in the Authentication methods policy?
 
@@ -362,10 +362,6 @@ If the user has a different default authentication method, there won't be any ch
 
 Regardless of their default method, any user who is prompted to sign-in with Authenticator push notifications will see number match after February 27th, 2023. If the user is prompted for another method, they won't see any change. 
 
-### Will users who don't use number matching be able to perform MFA?
-
-It depends on how the **Enable and Target** tab is configured. The scope for number match approvals will change under the **Configure** tab to include everyone, but it only applies for users and groups targeted on the **Enable and Target** tab for Push or Any. However, if Target on the **Enable and Target** tab is set to specific groups for Push or Any, and the user isn't a member of those groups, then they won't receive the number matching approvals once the change is implemented after February 27th, 2023 because they aren't a member of the groups defined on the **Enable and Target** tab for Push and/or Any.
-
 ### Is number matching supported with MFA Server?
 
 No, number matching isn't enforced because it's not a supported feature for MFA Server, which is [deprecated](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454).

articles/active-directory/cloud-infrastructure-entitlement-management/how-to-add-remove-user-to-group.md

@@ -21,7 +21,7 @@ This article describes how you can add or remove a new user for a group in Permi
 
 ## Add a user
 
-1. Navigate to the [Microsoft Entra admin center](https://entr.microsoft.com/#home). 
+1. Navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).
 1. From the Azure Active Directory tile, select **Go to Azure Active Directory**. 
 1. From the navigation pane, select the **Groups** drop-down menu, then **All groups**.
 1. Select the group name for the group you want to add the user to.
@@ -37,7 +37,7 @@ This article describes how you can add or remove a new user for a group in Permi
 
 ## Remove a user
 
-1. Navigate to the Microsoft [Entra admin center](https://entr.microsoft.com/#home). 
+1. Navigate to the Microsoft [Entra admin center](https://entra.microsoft.com/#home). 
 1. From the Azure Active Directory tile, select **Go to Azure Active Directory**. 
 1. From the navigation pane, select the **Groups** drop-down menu, then **All groups**.
 1. Select the group name for the group you want to remove the user from.

articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-group-based-permissions.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: ciem
 ms.workload: identity
 ms.topic: how-to
-ms.date: 02/23/2022
+ms.date: 02/03/2023
 ms.author: jfields
 ---
 
@@ -33,15 +33,15 @@ This article describes how you can create  and manage group-based permissions in
 1. Select **Next**
 
 1. If you selected **Admin for all Authorization System Types**
-    - Select Identities for each Authorization System that you would like members of this group to Request on.
+    - Select Identities to add for each Authorization System. Added Identities will have access to submit requests from the **Remediation** tab.
 
 1. If you selected **Admin for selected Authorization System Types**
     - Select **Viewer**, **Controller**, or **Approver** for the **Authorization System Types** you want.
-    - Select **Next** and then select Identities for each Authorization System that you would like members of this group to Request on.
+    - Select **Next** and then select Select Identities to add for each Authorization System. Added Identities will have access to submit requests from the **Remediation** tab.
 
 1. If you select **Custom**, select the **Authorization System Types** you want.
     - Select **Viewer**, **Controller**, or **Approver** for the **Authorization Systems** you want.
-    - Select **Next** and then select Identities for each Authorization System that you would like members of this group to Request on.
+    - Select **Next** and then select Select Identities to add for each Authorization System. Added Identities will have access to submit requests from the **Remediation** tab.
 
 1. Select **Save**, The following message appears: **New Group Has been Created Successfully.**
 1. To see the group you created in the **Groups** table, refresh the page.