# Find and address gaps in strong authentication coverage for your administrators
19
19
20
-
Requiring multi-factor authentication (MFA) for the administrators in your tenant is one of the first steps you can take to increase the security of your tenant. In this article, we will cover how you can ensure all your administrators are covered by multi-factor authentication.
20
+
Requiring multi-factor authentication (MFA) for the administrators in your tenant is one of the first steps you can take to increase the security of your tenant. In this article, we'll cover how to make sure all of your administrators are covered by multi-factor authentication.
21
21
22
22
## Detect current usage for Azure AD Built-in administrator roles
23
23
24
24
The [Azure AD Secure Score](../fundamentals/identity-secure-score.md) provides a score for **Require MFA for administrative roles** in your tenant. This improvement action tracks the MFA usage of Global administrator, Security administrator, Exchange administrator, and SharePoint administrator.
25
25
26
-
There are different ways to check if your admins are covered by an MFA policies.
26
+
There are different ways to check if your admins are covered by an MFA policy.
27
27
28
28
- To troubleshoot sign-in for a specific administrator, you can use the sign-in logs. The sign-in logs let you filter **Authentication requirement** for specific users. Any sign-in where **Authentication requirement** is **Single-factor authentication** means there was no multi-factor authentication policy that was required for the sign-in.
29
29
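Review bot: The reworded intro at +20 promises a way to "make sure all of your administrators are covered", but the Secure Score paragraph that follows (line 24, unchanged context) only tracks four built-in roles: Global administrator, Security administrator, Exchange administrator and SharePoint administrator. Consider adding a sentence at +26 ("There are different ways to check if your admins are covered by an MFA policy.") stating that a full score does not prove complete coverage and that other built-in roles, custom roles and PIM-eligible assignments are only caught by the script-based check described later in the article; otherwise readers will stop at the score.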
@@ -33,19 +33,19 @@ There are different ways to check if your admins are covered by an MFA policies.
33
33
34
34

35
35
36
-
- To choose which policy to enable based on your user licenses, we have a new MFA enablement wizard to help you [compare MFA policies](concept-mfa-licensing.md#compare-multi-factor-authentication-policies) and see which steps are right for your organization. The wizard shows admininstrators who were protected by MFA in the last 30 days.
36
+
- To choose which policy to enable based on your user licenses, we have a new MFA enablement wizard to help you [compare MFA policies](concept-mfa-licensing.md#compare-multi-factor-authentication-policies) and see which steps are right for your organization. The wizard shows administrators who were protected by MFA in the last 30 days.
37
37
38
38

39
39
40
-
- To programmatically report for your tenant, you can run a [PowerShell script](https://github.com/microsoft/AzureADToolkit/blob/main/src/Find-UnprotectedUsersWithAdminRoles.ps1) to find all users with an active built-in or custom administrator role, and who is eligible for built-in and custom roles in Privileged Identity Management. The script then checks the sign-ins of these users and reports and users who do not have **Multi-factor authentication** for **Authentication requirement**.
40
+
- To programmatically create a report listing all users with Admins roles in your tenant and their strong authentication status, you can run a [PowerShell script](https://github.com/microsoft/AzureADToolkit/blob/main/src/Find-UnprotectedUsersWithAdminRoles.ps1). This script enumerates all permanent and eligible built-in and custom role assignments as well as groups with roles assigned, and finds users that are either not registered for MFA or not signing in with MFA by evaluating their authentication methods and their sign-in activity.
41
41
42
42
## Enforce multi-factor authentication on your administrators
43
43
44
44
Based on gaps you found, require administrators to use multi-factor authentication in one of the following ways:
45
45
46
46
- If your administrators are licensed for Azure AD Premium, you can [create a Conditional Access policy](tutorial-enable-azure-mfa.md) to enforce MFA for administrators. You can also update this policy to require MFA from users who are in custom roles.
47
47
48
-
- Run the MFA enablement wizard to [choose your MFA policy](concept-mfa-licensing.md#compare-multi-factor-authentication-policies).
48
+
- Run the [MFA enablement wizard](https://aka.ms/MFASetupGuide) to choose your MFA policy.
49
49
50
50
- If you assign custom or built-in admin roles in [Privileged Identity Management](/privileged-identity-management/pim-configure.md), require multi-factor authentication upon role activation.
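Review bot: The new bullet at +40 has a grammar slip, "all users with Admins roles", which should read "all users with admin roles"; while touching it, the phrase "finds users that are either not registered for MFA or not signing in with MFA" would be clearer as "that are not registered for MFA, or that have not signed in with MFA", since both conditions are reported. Separately, +48 swaps the in-repo link `concept-mfa-licensing.md#compare-multi-factor-authentication-policies` for the opaque redirect `https://aka.ms/MFASetupGuide`, which the repo's relative-link validation cannot check; keep the relative link (or both) unless the wizard really lives outside the docs. The PIM link in the unchanged context, `/privileged-identity-management/pim-configure.md`, also looks wrong (root-relative path with a `.md` suffix) and is worth fixing in the same change.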