MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/authentication/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md
Lines changed: 1 addition & 2 deletions b/‎articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md
Lines changed: 1 addition & 2 deletions
diff --git a/‎articles/active-directory/authentication/feature-availability.md
Lines changed: 122 additions & 0 deletions b/‎articles/active-directory/authentication/feature-availability.md
Lines changed: 122 additions & 0 deletions
diff --git a/‎articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-view-role-policy.md
Lines changed: 16 additions & 16 deletions b/‎articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-view-role-policy.md
Lines changed: 16 additions & 16 deletions
diff --git a/‎articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-sources.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-sources.md
Lines changed: 1 addition & 1 deletion
@@ -302,6 +302,8 @@
     href: /answers/topics/azure-active-directory.html
   - name: Pricing
     href: https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing
+  - name: Feature availability
+    href: feature-availability.md
   - name: Service updates
     href: ../fundamentals/whats-new.md
   - name: Stack Overflow
 
@@ -49,7 +49,7 @@ Let's cover each step:
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-alt.png" alt-text="Screenshot of the Sign-in if FIDO2 is also enabled.":::
 
-1. After the user clicks the link, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](/azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us). For the correct endpoint for other environments, see the specific Microsoft cloud docs. 
+1. After the user clicks the link, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](/azure/azure-government/compare-azure-government-global-azure#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us). For the correct endpoint for other environments, see the specific Microsoft cloud docs. 
 
    The endpoint performs mutual authentication and requests the client certificate as part of the TLS handshake. You will see an entry for this request in the Sign-in logs. There is a [known issue](#known-issues) where User ID is displayed instead of Username.
 
@@ -236,4 +236,3 @@ For the next test scenario, configure the authentication policy where the Issuer
 - [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
 - [FAQ](certificate-based-authentication-faq.yml)
 - [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)
-
@@ -0,0 +1,122 @@
+---
+title: Azure AD feature availability in Azure Government
+description: Learn which Azure AD features are available in Azure Government. 
+
+services: multi-factor-authentication
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 02/28/2022
+
+ms.author: justinha
+author: justinha
+manager: daveba
+ms.reviewer: michmcla
+ms.collection: M365-identity-device-management
+---
+
+# Cloud feature availability
+
+<!---Jeremy said there are additional features that don't fit nicely in this list that we need to add later--->
+
+This following table lists Azure AD feature availability in Azure Government.
+
+
+|Service     | Feature | Availability |
+|:------|---------|:------------:|
+|**Authentication, single sign-on, and MFA**|||
+||Cloud authentication (Pass-through authentication, password hash synchronization) | &#x2705; |
+|| Federated authentication (Active Directory Federation Services or federation with other identity providers) | &#x2705; |
+|| Single sign-on (SSO) unlimited | &#x2705; | 
+|| Multifactor authentication (MFA) | Hardware OATH tokens are not available. Instead, use Conditional Access policies with named locations to establish when multifactor authentication should and should not be required based off the user's current IP address. Microsoft Authenticator only shows GUID and not UPN for compliance reasons. | 
+|| Passwordless (Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations) | &#x2705; | 
+|| Service-level agreement | &#x2705; | 
+|**Applications access**|||
+|| SaaS apps with modern authentication (Azure AD application gallery apps, SAML, and OAUTH 2.0) | &#x2705; | 
+|| Group assignment to applications | &#x2705; | 
+|| Cloud app discovery (Microsoft Cloud App Security) | &#x2705; | 
+|| Application Proxy for on-premises, header-based, and Integrated Windows Authentication | &#x2705; | 
+|| Secure hybrid access partnerships (Kerberos, NTLM, LDAP, RDP, and SSH authentication) | &#x2705; | 
+|**Authorization and Conditional Access**|||
+|| Role-based access control (RBAC) | &#x2705; | 
+|| Conditional Access  | &#x2705; | 
+|| SharePoint limited access | &#x2705; | 
+|| Session lifetime management | &#x2705; | 
+|| Identity Protection (vulnerabilities and risky accounts) | See [Identity protection](#identity-protection) below. | 
+|| Identity Protection (risk events investigation, SIEM connectivity) | See [Identity protection](#identity-protection) below. | 
+|**Administration and hybrid identity**|||
+|| User and group management | &#x2705; | 
+|| Advanced group management (Dynamic groups, naming policies, expiration, default classification) | &#x2705; | 
+|| Directory synchronization—Azure AD Connect (sync and cloud sync) | &#x2705; | 
+|| Azure AD Connect Health reporting | &#x2705; | 
+|| Delegated administration—built-in roles  | &#x2705; | 
+|| Global password protection and management – cloud-only users | &#x2705; | 
+|| Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory | &#x2705; | 
+|| Microsoft Identity Manager user client access license (CAL) | &#x2705; | 
+|**End-user self-service**|||
+|| Application launch portal (My Apps) | &#x2705; | 
+|| User application collections in My Apps | &#x2705; |
+|| Self-service account management portal (My Account) | &#x2705; |
+|| Self-service password change for cloud users | &#x2705; |
+|| Self-service password reset/change/unlock with on-premises write-back | &#x2705; |
+|| Self-service sign-in activity search and reporting | &#x2705; |
+|| Self-service group management (My Groups) | &#x2705; |
+|| Self-service entitlement management (My Access) | &#x2705; |
+|**Identity governance**|||
+|| Automated user provisioning to apps | &#x2705; |
+|| Automated group provisioning to apps | &#x2705; |
+|| HR-driven provisioning | Partial. See [HR-provisioning apps](#hr-provisioning-apps). |
+|| Terms of use attestation | &#x2705; |
+|| Access certifications and reviews | &#x2705; |
+|| Entitlement management | &#x2705; |
+|| Privileged Identity Management (PIM), just-in-time access |  &#x2705; |
+|**Event logging and reporting**|||
+|| Basic security and usage reports | &#x2705; |
+|| Advanced security and usage reports | &#x2705; |
+|| Identity Protection: vulnerabilities and risky accounts | &#x2705; |
+|| Identity Protection: risk events investigation, SIEM connectivity | &#x2705; |
+|**Frontline workers**|||
+|| SMS sign-in | Feature not available. |
+|| Shared device sign-out | Enterprise state roaming for Windows 10 devices is not available. |
+|| Delegated user management portal (My Staff) | Feature not available. |
+
+
+## Identity protection
+
+| Risk Detection | Availability |
+|----------------|:--------------------:|
+|Leaked credentials (MACE) | &#x2705; |
+|Azure AD threat intelligence | Feature not available. |
+|Anonymous IP address | &#x2705; | 
+|Atypical travel | &#x2705; |
+|Anomalous Token | Feature not available. |
+|Token Issuer Anomaly| Feature not available. |
+|Malware linked IP address | &#x2705; |
+|Suspicious browser | &#x2705; |
+|Unfamiliar sign-in properties | &#x2705; |
+|Admin confirmed user compromised | &#x2705; |
+|Malicious IP address | &#x2705; |
+|Suspicious inbox manipulation rules | &#x2705; |
+|Password spray | &#x2705; |
+|Impossible travel | &#x2705; |
+|New country | &#x2705; |
+|Activity from anonymous IP address | &#x2705; |
+|Suspicious inbox forwarding | &#x2705; |
+|Azure AD threat intelligence | Feature not available. |
+|Additional risk detected | &#x2705; |
+
+
+## HR-provisioning apps
+
+| HR-provisioning app | Availability |
+|----------------|:--------------------:|
+|Workday to Azure AD User Provisioning | &#x2705; |
+|Workday Writeback | &#x2705; |
+|SuccessFactors to Azure AD User Provisioning | &#x2705; | 
+|SuccessFactors to Writeback | &#x2705; |
+|Provisioning agent configuration and registration with Gov cloud tenant| Works with special undocumented command-line invocation:<br> AADConnectProvisioningAgent.Installer.exe ENVIRONMENTNAME=AzureUSGovernment |
+
+
+
+
+
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 ---
 # Enable passwordless security key sign-in to on-premises resources by using Azure AD 
 
-This document discusses how to enable passwordless authentication to on-premises resources for environments with both *Azure Active Directory (Azure AD)-joined* and *hybrid Azure AD-joined* Windows 10 devices. This passwordless authentication functionality provides seamless single sign-on (SSO) to on-premises resources when you use Microsoft-compatible security keys, or with [Windows Hello for Business Cloud trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md)
+This document discusses how to enable passwordless authentication to on-premises resources for environments with both *Azure Active Directory (Azure AD)-joined* and *hybrid Azure AD-joined* Windows 10 devices. This passwordless authentication functionality provides seamless single sign-on (SSO) to on-premises resources when you use Microsoft-compatible security keys, or with [Windows Hello for Business Cloud trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)
 
 ## Use SSO to sign in to on-premises resources by using FIDO2 keys
 
 
@@ -32,8 +32,8 @@ The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) en
 1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** subtab.
 
     The **Role/Policies list** displays a list of existing roles/policies and the following information about each role/policy
-        - **Role/Policy name**: The name of the roles/policies available to you.
-        - **Role/Policy type**: **Custom**, **System**, or **CloudKnox only**
+        - **Role/Policy Name**: The name of the roles/policies available to you.
+        - **Role/Policy Type**: **Custom**, **System**, or **CloudKnox Only**
         - **Actions**: The type of action you can perform on the role/policy, **Clone**, **Modify**, or **Delete**
 
 
@@ -42,24 +42,24 @@ The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) en
     The **Tasks** list appears, displaying:
     - A list of **Tasks**.
     - **For AWS:** 
-        - The **Users**, **Groups**, and **Roles** the task is **Directly assigned to**.
-        - The **Group members** and **Role identities** the task is **Indirectly assessable by**. 
+        - The **Users**, **Groups**, and **Roles** the task is **Directly Assigned To**.
+        - The **Group Members** and **Role Identities** the task is **Indirectly Accessible By**. 
 
     - **For Azure:** 
-        - The **Users**, **Groups**, **Enterprise applications** and **Managed identities** the task is **Directly assigned to**.
-        - The **Group members** the task is **Indirectly assessable by**.
+        - The **Users**, **Groups**, **Enterprise Applications** and **Managed Identities** the task is **Directly Assigned To**.
+        - The **Group Members** the task is **Indirectly Accessible By**.
 
     - **For GCP:** 
-        - The **Users**, **Groups**, and **Service accounts** the task is **Directly assigned to**.
-        - The **Group members** the task is **Indirectly assessable by**.
+        - The **Users**, **Groups**, and **Service Accounts** the task is **Directly Assigned To**.
+        - The **Group Members** the task is **Indirectly Accessible By**.
 
 1. To close the role/policy details, select the arrow to the left of the role/policy name.
 
 ## Export information about roles/policies
 
 - **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file. 
 
-    When the file is successfully exported, a message appears: **Exported successfully.**
+    When the file is successfully exported, a message appears: **Exported Successfully.**
 
     - Check your email for a message from the CloudKnox Customer Success Team. This email contains a link to: 
         - The **Role Policy Details** report in CSV format.
@@ -73,20 +73,20 @@ The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) en
 1. On the CloudKnox home page, select the **Remediation** dashboard, and then select the **Role/Policies** tab.
 1. To filter the roles/policies, select from the following options:
 
-    - **Authorization system type**: Select **AWS**, **Azure**, or **GCP**.
-    - **Authorization system**: Select the accounts you want.
-    - **Role/Policy type**: Select from the following options:
+    - **Authorization System Type**: Select **AWS**, **Azure**, or **GCP**.
+    - **Authorization System**: Select the accounts you want.
+    - **Role/Policy Type**: Select from the following options:
 
          - **All**: All managed roles/policies.
          - **Custom**: A customer-managed role/policy. 
          - **System**: A cloud service provider-managed role/policy. 
-         - **CloudKnox only**: A role/policy created by CloudKnox.
+         - **CloudKnox Only**: A role/policy created by CloudKnox.
 
-    - **Role/Policy status**: Select **All**, **Assigned**, or **Unassigned**.
-    - **Role/Policy usage**: Select **All** or **Unused**.
+    - **Role/Policy Status**: Select **All**, **Assigned**, or **Unassigned**.
+    - **Role/Policy Usage**: Select **All** or **Unused**.
 1. Select **Apply**.
 
-    To discard your changes, select **Reset filter**.
+    To discard your changes, select **Reset Filter**.
 
 
 ## Next steps
 
@@ -76,7 +76,7 @@ You can use the **Data Collectors** dashboard in CloudKnox Permissions Managemen
 1. Select the ellipses **(...)** at the end of the row in the table.
 1. Select **Delete Configuration**. 
 
-    The **M-CIEM Onboarding - Summary** box displays.
+    The **CloudKnox Onboarding - Summary** box displays.
 1. Select **Delete**.
 1. Check your email for a one time password (OTP) code, and enter it in **Enter OTP**.