Merge pull request #5443 from MicrosoftDocs/main
10/4/2024 PM Publish
Taojunshen authored Oct 4, 2024
2 parents 45494a8 + 8b60ffe commit 692e553
Showing 20 changed files with 242 additions and 180 deletions.
4 changes: 3 additions & 1 deletion .docutune/dictionaries/known-guids.json
Original file line number Diff line number Diff line change
Expand Up @@ -3348,5 +3348,7 @@
"Business Central Business Foundation": "f3552374-a1f2-4356-848e-196002525837",
"Change password": "AB721A53-1E2F-11D0-9819-00AA0040529B",
"ID of the Prevhost.exe surrogate host GUID" : "6d2b5079-2f0b-48dd-ab7f-97cec514d30b",
"32-bit preview handlers GUID" : "534A1E02-D58F-44f0-B58B-36CBED287C7C"
"32-bit preview handlers GUID" : "534A1E02-D58F-44f0-B58B-36CBED287C7C",
"Business Central Test Toolkit - Library Assert" : "dd0be2ea-f733-4d65-bb34-a28f4624fb14",
"Business Central Test Toolkit - Test Libraries" : "5d86850b-0d76-4eca-bd7b-951ad998e997"
}
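Review bot: the two added Business Central Test Toolkit entries put a space before the colon (`"..." : "..."`), while earlier entries in this block such as `"Change password": "AB721A53-..."` do not. Suggest normalising the added lines to `"key": "value"` so the dictionary stays uniformly formatted and later diffs stay minimal.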
3 changes: 2 additions & 1 deletion docs/fundamentals/how-to-rename-azure-ad.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ metadata:
ms.author: celested
manager: CelesteDG
ms.reviewer: nicholepet
ms.date: 05/31/2024
ms.date: 10/04/2024
ms.service: entra
ms.subservice: fundamentals
ms.topic: how-to
Expand Down Expand Up @@ -229,6 +229,7 @@ procedureSection:
@{ Key = 'Azure AD group'; Value = 'Microsoft Entra group' },
@{ Key = 'Azure AD login'; Value = 'Microsoft Entra login' },
@{ Key = 'Azure AD managed'; Value = 'Microsoft Entra managed' },
@{ Key = 'Azure AD managed identities'; Value = 'Managed identities for Azure resources' },
@{ Key = 'Azure AD entitlement'; Value = 'Microsoft Entra entitlement' },
@{ Key = 'Azure AD access review'; Value = 'Microsoft Entra access review' },
@{ Key = 'Azure AD Identity Protection'; Value = 'Microsoft Entra ID Protection' },
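Review bot: the added key `'Azure AD managed identities'` is placed after `'Azure AD managed'`, which is a prefix of it. If the script applies these pairs in list order, the shorter key rewrites the text to "Microsoft Entra managed identities" first and the new entry never matches, so the output is not the intended "Managed identities for Azure resources". Suggest moving the new entry above `@{ Key = 'Azure AD managed'; ... }`, or confirming that the script sorts keys longest-first before replacing.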
4 changes: 2 additions & 2 deletions docs/fundamentals/new-name.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ manager: CelesteDG
ms.service: entra
ms.subservice: fundamentals
ms.topic: concept-article
ms.date: 03/05/2024
ms.date: 10/04/2024
ms.author: celested
ms.reviewer: nicholepet

Expand Down Expand Up @@ -205,7 +205,7 @@ Only official product names are capitalized, plus Conditional Access and My * ap

| **Category** | **Old terminology** | **Correct name as of July 2023** |
|-------------------------|---------------------|----------------------------------|
| **Microsoft Entra product family** | Microsoft Azure Active Directory<br/> Azure Active Directory<br/> Azure Active Directory (Azure AD)<br/> Azure AD<br/> AAD | Microsoft Entra ID<br/> (Second use: Microsoft Entra ID is preferred, ID is acceptable in product/UI experiences, ME-ID if abbreviation is necessary) |
| **Microsoft Entra product family** | Microsoft Azure Active Directory<br/> Azure Active Directory<br/> Azure Active Directory (Azure AD)<br/> Azure AD<br/> AAD | Microsoft Entra ID<br/> (Second use: Microsoft Entra ID is preferred, Entra ID should be used sparingly and only when space is truly limited) <br/><br/>Acronym usage isn't encouraged, but if you must replace AAD with an acronym due to space limitations, use ME-ID. |
| | Azure Active Directory External Identities<br/> Azure AD External Identities | Microsoft Entra External ID<br/> (Second use: External ID) |
| | Azure Active Directory Identity Governance<br/> Azure AD Identity Governance<br/> Microsoft Entra Identity Governance | Microsoft Entra ID Governance<br/> (Second use: ID Governance) |
| | *New* | Microsoft Entra Internet Access<br/> (Second use: Internet Access) |
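Review bot: in the Microsoft Entra product family row, the second-use and acronym guidance changes, but the column is still headed "Correct name as of July 2023" while `ms.date` moves to 10/04/2024 in this same file. Suggest updating the column header or stating in the cell when the guidance changed, so readers can tell which rule is current. The stray space before `<br/><br/>` in the new cell can also be dropped.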
5 changes: 3 additions & 2 deletions docs/id-governance/scenarios/automate-identity-lifecycle.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
---
title: 'Automate identity lifecycle management with Microsoft Entra ID Governance'
description: Describes overview of identity lifecycle management for Microsoft Entra ID Governance.
services: active-directory
ms.service: entra-id
ms.subservice: hybrid-cloud-sync
author: billmath
manager: amycolannino
ms.service: active-directory

ms.workload: identity
ms.topic: overview
ms.date: 02/28/2024
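Review bot: `ms.subservice: hybrid-cloud-sync` under `ms.service: entra-id` does not match this article, whose title and description are about identity lifecycle management in Microsoft Entra ID Governance. identity-governance-use-cases.md in the same folder carries `ms.service: entra-id-governance` in this commit; suggest the same value here. The empty line left inside the front matter before `ms.workload` can be removed.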
7 changes: 3 additions & 4 deletions docs/id-governance/scenarios/deploy-sap-netweaver.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,11 @@
---
title: 'Deploy SAP NetWeaver AS ABAP 7'
description: This article describes how to set up a lab environment with SAP ECC for testing.
services: active-directory
documentationcenter: ''
ms.service: entra-id
ms.subservice: app-provisioning
author: billmath
manager: amycolannino
editor: ''
ms.service: active-directory

ms.topic: conceptual
ms.date: 07/28/2023
ms.author: billmath
8 changes: 4 additions & 4 deletions docs/id-governance/scenarios/identity-governance-use-cases.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
---
title: 'Microsoft Entra ID Governance use cases'
description: This article describes use cases Microsoft Entra ID Governance.
services: active-directory
documentationcenter: ''
ms.service: entra-id-governance

author: billmath
manager: amycolannino
editor: ''
ms.service: active-directory


ms.topic: conceptual
ms.date: 02/28/2024
ms.author: billmath
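Review bot: the front matter is left with three empty lines, one after `ms.service: entra-id-governance` and two after `manager: amycolannino`, where metadata keys used to be. Suggest deleting them rather than blanking them, so the metadata block stays contiguous and consistent with the other files touched in this commit.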
9 changes: 5 additions & 4 deletions docs/id-governance/scenarios/least-privileged.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,13 @@
---
title: 'Understanding least privilege with Microsoft Entra ID Governance'
description: This article describes the concept of least privilege and how it relates with Microsoft Entra ID Governance.
services: active-directory
documentationcenter: ''
ms.service: entra-id
ms.subservice: app-provisioning

author: billmath
manager: amycolannino
editor: ''
ms.service: active-directory


ms.topic: conceptual
ms.date: 07/28/2023
ms.author: billmath
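Review bot: `ms.subservice: app-provisioning` matches the SAP provisioning articles in this commit but not this article, which the title and description present as a conceptual piece on least privilege in Microsoft Entra ID Governance. Suggest aligning the service metadata with identity-governance-use-cases.md (`ms.service: entra-id-governance`) and removing the empty lines left in the front matter.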
5 changes: 3 additions & 2 deletions docs/id-governance/scenarios/sap-template.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,13 @@
---
title: 'Author SAP ECC 7 Template for ECMA2Host'
description: This article describes how to create a template for the Web Service ECMA connector to manage SAP ECC users.
services: active-directory
ms.service: entra-id
ms.subservice: app-provisioning
documentationcenter: ''
author: billmath
manager: amycolannino
editor: ''
ms.service: active-directory

ms.topic: conceptual
ms.date: 07/28/2023
ms.author: billmath
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
author: kengaderdus
ms.service: active-directory
ms.subservice: ciam
ms.service: entra-external-id
ms.subservice: customers
ms.topic: include
ms.date: 03/12/2024
ms.author: kengaderdus
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: Learn about the authentication methods policy and different ways to
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 10/03/2024
ms.date: 10/04/2024

ms.author: justinha
author: justinha
Expand Down Expand Up @@ -72,10 +72,16 @@ Similarly, let's suppose you enable **Voice calls** for a group. After you enabl

## Migration between policies

The Authentication methods policy provides a migration path toward unified administration of all authentication methods. All desired methods can be enabled in the Authentication methods policy, assuming it has been defined the user groups required for each Authentication Method policy (unless it applies to All Users). After this user groups management activity, methods in the legacy MFA and SSPR policies can be disabled. Migration has three settings to let you move at your own pace, and avoid problems with sign-in or SSPR during the transition. After migration is complete, you'll centralize control over authentication methods for both sign-in and SSPR in a single place, and the legacy MFA and SSPR policies will be disabled.
The Authentication methods policy provides a migration guide to help unify administration of all authentication methods. All desired methods can be enabled in the Authentication methods policy if the policy targets intended user groups, or all users. The authentication methods migration guide automates the steps to audit your current policy settings for MFA and SSPR, and consolidate them in the Authentication methods policy. You can access the guide from the [Microsoft Entra admin center](https://entra.microsoft.com) by browsing to **Protection** > **Authentication methods** > **Policies**.

:::image type="content" border="false" source="media/how-to-authentication-methods-manage/wizard-entry-point.png" alt-text="Screenshot of the Authentication methods policy blade with highlighted wizard entry point."

You can also migrate policy settings manually. The migration has three settings to let you move at your own pace, and avoid problems with sign-in or SSPR during the transition.

After migration is complete, methods in the legacy MFA and SSPR policies can be disabled. You can centralize control over authentication methods for both sign-in and SSPR in a single place, and the legacy MFA and SSPR policies will be disabled.

>[!Note]
>Security questions can only be enabled today by using the legacy SSPR policy. In the future, it will be made available in the Authentication methods policy. If you're using security questions, and don't want to disable them, make sure to keep them enabled in the legacy SSPR policy until the new control is available in the future. You can migrate the remainder of your authentication methods and still manage security questions in the legacy SSPR policy.
>Security questions can only be enabled today by using the legacy SSPR policy. If you're using security questions, and don't want to disable them, make sure to keep them enabled in the legacy SSPR policy until a migration control is available. You can migrate the remainder of your authentication methods and still manage security questions in the legacy SSPR policy.
To view the migration options, open the Authentication methods policy and click **Manage migration**.
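Review bot: the added `:::image type="content" ...` line for wizard-entry-point.png has no closing `:::` after the `alt-text` attribute, so the image directive is left unterminated; add `:::` at the end of that line. In the paragraph that follows, "methods in the legacy MFA and SSPR policies can be disabled" and "the legacy MFA and SSPR policies will be disabled" state two different things in consecutive sentences; keep one so administrators know whether disabling is automatic or a step they must take.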

Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ ms.subservice: authentication
ms.topic: conceptual
ms.date: 10/04/2024


ms.author: justinha
author: justinha
ms.reviewer: jpettere
Expand All @@ -15,13 +16,41 @@ manager: amycolannino
---
# How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID

You can migrate Microsoft Entra ID [legacy policy settings](concept-authentication-methods-manage.md#legacy-mfa-and-sspr-policies) that separately control multifactor authentication and self-service password reset (SSPR) to unified management with the [Authentication methods policy](./concept-authentication-methods-manage.md).
You can migrate Microsoft Entra ID [legacy policy settings](concept-authentication-methods-manage.md#legacy-mfa-and-sspr-policies) that separately control multifactor authentication (MFA) and self-service password reset (SSPR) to unified management with the [Authentication methods policy](./concept-authentication-methods-manage.md).

You can use the authentication methods migration guide (preview) in the Microsoft Entra admin center to automate the migration. The guide provides a wizard to help audit your current policy settings for MFA and SSPR. Then it consolidates those settings in the Authentication methods policy, where they can be managed together more easily.

You migrate policy settings on your own schedule, and the process is fully reversible. You can continue to use tenant-wide MFA and SSPR policies while you configure authentication methods more precisely for users and groups in the Authentication methods policy. You complete the migration whenever you're ready to manage all authentication methods together in the Authentication methods policy.
You can also migrate policy settings manually on your own schedule. The migration process is fully reversible. You can continue to use tenant-wide MFA and SSPR policies while you configure authentication methods more precisely for users and groups in the Authentication methods policy.

For more information about how these policies work together during migration, see [Manage authentication methods for Microsoft Entra ID](concept-authentication-methods-manage.md).

## Before you begin
## Automated migration guide
The automated migration guide lets you migrate where you manage authentication methods in just a few clicks. It can be accessed from the [Microsoft Entra admin center](https://entra.microsoft.com) by browsing to **Protection** > **Authentication methods** > **Policies**.

:::image type="content" border="false" source="media/how-to-authentication-methods-manage/wizard-entry-point.png" alt-text="Screenshot of the Authentication methods policy blade with highlighted wizard entry point."

The first page of the wizard explains what it is and how it works. It also provides links to each of the legacy policies for your reference.

:::image type="content" border="false" source="media/how-to-authentication-methods-manage/wizard-first-page.png" alt-text="Screenshot of the Authentication methods policy blade with highlighted wizard first page."


The wizard then configures the Authentication method policy based on what your organization currently has enabled in the legacy MFA and SSPR policies.
If a method is enabled in either legacy policy, the recommendation is to also enable it in the Authentication method policy.
With that configuration, users can continue to sign in and reset their password by using the same method they used previously.

In addition, we recommend you enable the latest modern, secure methods like passkeys, Temporary Access Pass, and Microsoft Authenticator to help improve your organizations security posture.
To edit the recommended configuration, select the pencil icon next to each method.

:::image type="content" border="false" source="media/how-to-authentication-methods-manage/wizard-second-page.png" alt-text="Screenshot of the Authentication methods policy blade with highlighted wizard second page."

Once you're happy with the configuration, select **Migrate**, and then confirm the migration.
The Authentication methods policy gets updated to match the configuration specified in the wizard.
Authentication methods in the legacy MFA and SSPR policies become grayed out and no longer apply.

Your migration status will be updated to **Migration Complete**.
You can change this status back to **In Progress** anytime to re-enable methods in the legacy policies if needed.

## Manual migration

Begin by doing an audit of your existing policy settings for each authentication method that's available for users. If you roll back during migration, you might want a record of the authentication method settings from each of these policies:
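Review bot: the wizard description says "Authentication method policy" twice ("The wizard then configures the Authentication method policy", "enable it in the Authentication method policy") while the title and the rest of the section use "Authentication methods policy"; use the plural form throughout. In the same section, "your organizations security posture" needs an apostrophe, the three `:::image` lines have no closing `:::`, and the intro labels the guide "(preview)" while the "Automated migration guide" section does not repeat that status.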

Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: Topic that shows how to configure Microsoft Entra certificate-based
ms.service: entra-id
ms.subservice: authentication
ms.topic: how-to
ms.date: 09/17/2023
ms.date: 10/04/2024

ms.author: justinha
author: vimrang
Expand Down Expand Up @@ -47,7 +47,9 @@ Make sure that the following prerequisites are in place:

## Steps to configure and test Microsoft Entra CBA

Some configuration steps to be done before you enable Microsoft Entra CBA. First, an admin must configure the trusted CAs that issue user certificates. As seen in the following diagram, we use role-based access control to make sure only least-privileged administrators are needed to make changes. Only the [Global Administrator](../role-based-access-control/permissions-reference.md#global-administrator) role can configure the CA.
Some configuration steps to be done before you enable Microsoft Entra CBA. First, an admin must configure the trusted CAs that issue user certificates. As seen in the following diagram, we use role-based access control to make sure only least-privileged administrators are needed to make changes.

[!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)]

Optionally, you can also configure authentication bindings to map certificates to single-factor or multifactor authentication, and configure username bindings to map the certificate field to an attribute of the user object. [Authentication Policy Administrators](../role-based-access-control/permissions-reference.md#authentication-policy-administrator) can configure user-related settings. Once all the configurations are complete, enable Microsoft Entra CBA on the tenant.
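Review bot: with "Only the Global Administrator role can configure the CA" removed, the paragraph no longer says which role configures the trusted CAs, although the next paragraph still names Authentication Policy Administrators for user-related settings. The replacement `[!INCLUDE [Privileged role feature](...)]` is not visible in this diff, so please confirm it names the role required for CA configuration; otherwise state it here. The unchanged opening sentence "Some configuration steps to be done before you enable Microsoft Entra CBA" is also missing a verb and could be fixed in the same pass.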

Expand All @@ -61,7 +63,7 @@ You can configure certificate authorities(CAs) by using the Microsoft Entra admi

To enable the certificate-based authentication and configure user bindings in the Microsoft Entra admin center, complete the following steps:

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator).
1. [!INCLUDE [Privileged role](~/includes/privileged-role-include.md)]
1. Browse to **Protection** > **Show more** > **Security Center** (or **Identity Secure Score**) > **Certificate authorities**.
1. To upload a CA, select **Upload**:
1. Select the CA file.
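Review bot: step 1 is now only `[!INCLUDE [Privileged role](~/includes/privileged-role-include.md)]`, so the sign-in instruction and the admin center link depend entirely on an include whose text is not in this diff. Please verify that the include renders as a complete list-item sentence (sign in to the Microsoft Entra admin center, with the required role), and note that this hunk uses `privileged-role-include.md` while the other two hunks in this file use `privileged-role-feature-include.md`.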
Expand All @@ -76,7 +78,8 @@ To enable the certificate-based authentication and configure user bindings in th
1. Select **Columns** to add or delete columns.

>[!NOTE]
>Upload of a new CA fails if any existing CA expired. A Global Administrator should delete any expired CA, and retry to upload the new CA.
>Upload of a new CA fails if any existing CA expired. You should delete any expired CA, and retry to upload the new CA.
>[!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)]
### Configure certificate authorities (CA) using PowerShell
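Review bot: in the NOTE block, the `>[!INCLUDE [Privileged role feature](...)]` line directly follows the sentence line with no empty `>` line between them, so the include text will run into "retry to upload the new CA" as one paragraph. Suggest adding a `>` separator line. The reworded sentence "You should delete any expired CA" also no longer says which role can delete a CA, so the include needs to carry that.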
