Merge pull request #6117 from MicrosoftDocs/main
11/27/2024 PM Publish
Taojunshen authored Nov 27, 2024
2 parents ea9385c + f6aab91 commit cd1f7f2
Showing 50 changed files with 390 additions and 430 deletions.
@@ -14,20 +14,20 @@ ms.author: owinfrey

In entitlement management, you can configure multiple policies, with different settings for each user community that will need access through an access package. For example, employees might only need manager approval to get access to certain apps, but guests coming in from other organizations could require both a sponsor and a resource team departmental manager to approve. In a policy for users already in the directory, you can specify a particular group of users for who can request access. However, you can have a requirement to avoid a user obtaining excessive access. To meet this requirement, you want to further restrict who can request access, based on the access the requestor already has.

With the separation of duties settings on an access package, you can configure that a user who is a member of a group or who already has an assignment to one access package can't request another access package.
With the separation of duties settings on an access package, you can configure that a user who is a member of a security group or who already has an assignment to one access package can't request another access package.

![myaccess experience for attempting to request incompatible access](./media/entitlement-management-access-package-incompatible/request-prevented.png)


## Scenarios for separation of duties checks

For example, you have an access package, *Marketing Campaign*, that people across your organization and other organizations can request access to, to work with your organization's marketing department while that campaign is going on. Since employees in the marketing department should already have access to that marketing campaign material, you don't want employees in the marketing department to request access to that access package. Or, you could already have a dynamic membership group, *Marketing department employees*, with all of the marketing employees in it. You could indicate that the access package is incompatible with the dynamic membership group. Then, if a marketing department employee is looking for an access package to request, they couldn't request access to the *Marketing campaign* access package.
For example, you have an access package, *Marketing Campaign*, that people across your organization and other organizations can request access to, to work with your organization's marketing department while that campaign is going on. Since employees in the marketing department should already have access to that marketing campaign material, you don't want employees in the marketing department to request access to that access package. Or, you could already have a dynamic membership security group, *Marketing department employees*, with all of the marketing employees in it. You could indicate that the access package is incompatible with the dynamic membership group. Then, if a marketing department employee is looking for an access package to request, they couldn't request access to the *Marketing campaign* access package.

Similarly, you could have an application with two app roles - **Western Sales** and **Eastern Sales** - representing sales territories, and you want to ensure that a user can only have one sales territory at a time. If you have two access packages, one access package **Western Territory** giving the **Western Sales** role and the other access package **Eastern Territory** giving the **Eastern Sales** role, then you can configure:
- the **Western Territory** access package has the **Eastern Territory** package as incompatible, and
- the **Eastern Territory** access package has the **Western Territory** package as incompatible.

If you’ve been using Microsoft Identity Manager or other on-premises identity management systems for automating access for on-premises apps, then you can integrate these systems with entitlement management as well. If you're controlling access to Microsoft Entra integrated apps through entitlement management, and want to prevent users from having incompatible access, you can configure that an access package is incompatible with a group. That could be a group, which your on-premises identity management system sends into Microsoft Entra ID through Microsoft Entra Connect. This check ensures a user is unable to request an access package, if that access package would give access that's incompatible with access the user has in on-premises apps.
If you’ve been using Microsoft Identity Manager or other on-premises identity management systems for automating access for on-premises apps, then you can integrate these systems with entitlement management as well. If you're controlling access to Microsoft Entra integrated apps through entitlement management, and want to prevent users from having incompatible access, you can configure that an access package is incompatible with a security group. That could be an AD security group, which your on-premises identity management system sends into Microsoft Entra ID through Microsoft Entra Connect. This check ensures a user is unable to request an access package, if that access package would give access that's incompatible with access the user has in on-premises apps.

## Prerequisites

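Review bot: "dynamic membership security group" in the updated first scenario sentence reads as if "dynamic membership" modifies "security", the same sentence still calls it "the dynamic membership group" two sentences later, and the next hunk calls it a "security-enabled group"; pick one phrasing, for example "a security group with dynamic membership", and use it in all three places. In the on-premises paragraph, "an AD security group" abbreviates Active Directory without the expansion this article otherwise uses for product names (compare "Microsoft Entra ID"); spell out "Active Directory security group" on first use.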
@@ -59,7 +59,7 @@ Follow these steps to change the list of incompatible groups or other access pac
![configuration of incompatible access packages](./media/entitlement-management-access-package-incompatible/select-incompatible-ap.png)


1. If you wish to prevent users who have an existing group membership from requesting this access package, then select on **Add group** and select the group that the user would already be in. That group will then be added to the list of groups on the **Incompatible groups** tab.
1. If you wish to prevent users who have an existing group membership from requesting this access package, then select on **Add group** and select the security-enabled group that the user would already be in. That group will then be added to the list of groups on the **Incompatible groups** tab.

1. If you want the users who are assigned to this access package to not be able to request that access package, as each incompatible access package relationship is unidirectional, then change to that access package, and add this access package as incompatible. For example, you want to have users with the **Western Territory** access package not to be able to request the **Eastern Territory** access package, and users with the **Eastern Territory** access package to not be able to request the **Western Territory** access package. If first on the **Western Territory** access package you added the **Eastern Territory** access package as incompatible, then next change to the **Eastern Territory** access package, and add the **Western Territory** access package as incompatible.

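Review bot: "security-enabled group" in the **Add group** step does not match the "security group" wording introduced in the overview hunk; use the same term in both places so readers do not wonder whether two different group types are meant. While this line is being edited, "select on **Add group**" should read "select **Add group**".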
@@ -5,7 +5,7 @@ description: Learn about Microsoft Entra certificate-based authentication on App
ms.service: entra-id
ms.subservice: authentication
ms.topic: how-to
ms.date: 02/09/2023
ms.date: 11/27/2024

ms.author: justinha
author: justinha
@@ -124,9 +124,9 @@ Even though the native Smartcard/CCID driver is available on iOS/iPadOS for Ligh
1. Install the latest Microsoft Authenticator app.
1. Open Outlook and plug in your YubiKey.
1. Select **Add account** and enter your user principal name (UPN).
1. Click **Continue** and the iOS certificate picker appears.
1. Select **Continue** and the iOS certificate picker appears.
1. Select the public certificate copied from YubiKey that is associated with the user’s account.
1. Click **YubiKey required** to open the YubiKey authenticator app.
1. Select **YubiKey required** to open the YubiKey authenticator app.
1. Enter the PIN to access YubiKey and select the back button at the top left corner.

The user should be successfully logged in and redirected to the Outlook homepage.
@@ -144,17 +144,17 @@ The iOS certificate picker shows all the certificates on both iOS device and the

#### After CBA fails, the CBA option in the ‘Other ways to sign in’ link also fails. Is there a workaround?

This issue happens because of certificate caching. We're working on an update to clear the cache. As a workaround, click **Cancel**, retry sign-in, and choose a new certificate.
This issue happens because of certificate caching. We're working on an update to clear the cache. As a workaround, select **Cancel**, retry sign-in, and choose a new certificate.

<a name='azure-ad-cba-with-yubikey-is-failing-what-information-would-help-debug-the-issue-'></a>

#### Microsoft Entra CBA with YubiKey is failing. What information would help debug the issue?

1. Open Microsoft Authenticator app, click the three dots icon in the top right corner and select **Send Feedback**.
1. Click **Having Trouble?**.
1. Open Microsoft Authenticator app, select the three dots icon in the top right corner and select **Send Feedback**.
1. Select **Having Trouble?**.
1. For **Select an option**, select **Add or sign into an account**.
1. Describe any details you want to add.
1. Click the send arrow in the top right corner. Note the code provided in the dialog that appears.
1. Select the send arrow in the top right corner. Note the code provided in the dialog that appears.

#### How can I enforce phishing-resistant MFA using a hardware security key on browser-based applications on mobile?

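Review bot: the first step of the debugging list now reads "Open Microsoft Authenticator app, select the three dots icon in the top right corner and select **Send Feedback**", which repeats "select" and drops the article; suggest "Open the Microsoft Authenticator app, select the three-dot icon in the top right corner, and then select **Send Feedback**" so the step matches the "select"-based wording applied elsewhere in this change.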
@@ -182,7 +182,7 @@ CBA support for YubiKey is available in the latest Microsoft Authentication Libr

## Known issues

- On iOS, users with certificate-based authentication will see a "double prompt", where they must click the option to use certificate-based authentication twice.
- On iOS, users with certificate-based authentication will see a "double prompt", where they must select the option to use certificate-based authentication twice.
- On iOS, users with Microsoft Authenticator App will also see hourly login prompt to authenticate with CBA if there's an Authentication Strength policy enforcing CBA, or if they use CBA as the second factor.
- On iOS, an auth strength policy requiring CBA and an MAM app protection policy will end up in a loop between device registration and MFA satisfaction. Due to the bug on iOS, when a user uses CBA to satisfy MFA requirement, the MAM policy is not satisfied with error being thrown by server saying device registration is required, even though the device is registered. This incorrect error causes re-registeration and the request is stuck in loop of using CBA to sign in and device need registration.

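Review bot: the only change here is "click" to "select", but the adjacent unchanged bullet in this hunk still contains "re-registeration" and "device need registration"; since the list is already being touched for wording, fix those to "re-registration" and "the device needs registration" in the same change.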
@@ -5,7 +5,7 @@ description: Learn how to enable Windows smart card sign-in using Microsoft Entr
ms.service: entra-id
ms.subservice: authentication
ms.topic: how-to
ms.date: 01/29/2023
ms.date: 11/27/2024

ms.author: justinha
author: justinha
4 changes: 2 additions & 2 deletions docs/identity/authentication/concept-mfa-data-residency.md
@@ -6,7 +6,7 @@ description: Learn what personal and organizational data Microsoft Entra multifa
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 09/14/2023
ms.date: 11/27/2024

ms.author: justinha
author: justinha
@@ -69,7 +69,7 @@ For Microsoft Azure Government, Microsoft Azure operated by 21Vianet, Azure AD B
If you use MFA Server, the following personal data is stored.

> [!IMPORTANT]
> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> In September 2022, Microsoft announced deprecation of Azure Multifactor authentication Server. Beginning September 30, 2024, Azure Multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
| Event type | Data store type |
|--------------------------------------|-----------------|
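Review bot: the renamed product in the IMPORTANT note, "Azure Multifactor authentication Server", now mixes capitalization inside one proper noun, and the same sentence still says "Azure MFA Server"; either write "Azure Multifactor Authentication Server" consistently or keep the previous "Azure Multi-Factor Authentication Server". Separately, the table header `| Event type | Data store type |` follows the `>` note with no blank line, so Markdown renderers may treat it as a lazy continuation of the blockquote; add a blank line before the table.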
4 changes: 2 additions & 2 deletions docs/identity/authentication/concept-mfa-regional-opt-in.md
@@ -5,7 +5,7 @@ description: To protect customers, some regions require a support ticket to requ
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 09/12/2023
ms.date: 11/27/2024

author: aloom3
ms.author: justinha
@@ -19,7 +19,7 @@ As a protection for our customers, Microsoft doesn't automatically support telep

## Why this protection is needed

In today's digital world, telecommunication services have become ingrained into our lives. But advancements come with a risk of fraudulent activities. International Revenue Share Fraud (IRSF) is a threat with severe financial implications that also makes using services more difficult. Let's look at IRSF fraud more in-depth.
In today's digital world, telecommunication services have become ingrained into our lives. But, advancements come with a risk of fraudulent activities. International Revenue Share Fraud (IRSF) is a threat with severe financial implications that also makes using services more difficult. Let's look at IRSF fraud more in-depth.

IRSF is a type of telephony fraud where criminals exploit the billing system of telecommunication services providers to make profit for themselves. Bad actors gain unauthorized access to a telecommunication network and divert traffic to those networks to skim profit for every transaction that is sent to that network. To divert traffic, bad actors steal existing usernames and passwords, create new usernames and passwords, or try a host of other things to send text message messages and voice calls through their telecommunication network. Bad actors take advantage of multifactor authentication screens, which require a text message or voice call before a user can access their account. This activity causes exorbitant charges and makes services unreliable for our customers, causing downtime, and system errors.

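Review bot: the comma added in "But, advancements come with a risk of fraudulent activities" is incorrect; a sentence-initial "But" takes no comma, so the original wording should be restored. The following unchanged paragraph also has "text message messages", which can be fixed to "text messages" in the same edit.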
4 changes: 2 additions & 2 deletions docs/identity/authentication/concept-mfa-telephony-fraud.md
@@ -5,7 +5,7 @@ description: Understanding International Revenue Share Fraud (IRSF) is crucial f
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 09/11/2023
ms.date: 11/27/2024

author: aloom3
ms.author: justinha
@@ -16,7 +16,7 @@ ms.custom: references_regions

# Understanding telephony fraud

In today's digital landscape, telecommunication services have seamlessly integrated into our daily lives. But technological progress also brings the risk of fraudulent activities like International Revenue Share Fraud (IRSF), which poses financial consequences and service disruptions. IRSF involves exploiting telecommunication billing systems by unauthorized actors. They divert telephony traffic and generate profits through a technique called *traffic pumping*. Traffic pumping targets multifactor authentication systems, and causes inflated charges, service unreliability, and system errors.
In today's digital landscape, telecommunication services seamlessly integrate into our daily lives. But technological progress also brings the risk of fraudulent activities like International Revenue Share Fraud (IRSF), which poses financial consequences and service disruptions. IRSF involves exploiting telecommunication billing systems by unauthorized actors. They divert telephony traffic and generate profits through a technique called *traffic pumping*. Traffic pumping targets multifactor authentication systems, and causes inflated charges, service unreliability, and system errors.

To counter this risk, a thorough understanding of IRSF is crucial for implementing preventive measures like regional restrictions and phone number verification, while our system aims to minimize disruptions and safeguard both our business, users, and your business we prioritize your security and as such we may sometimes take proactive measures.

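Review bot: the tense change in the first paragraph is fine, but the unchanged second paragraph of this hunk is a run-on: "...phone number verification, while our system aims to minimize disruptions and safeguard both our business, users, and your business we prioritize your security and as such we may sometimes take proactive measures." Split it after "your business" and punctuate "as such", for example "...and safeguard our business, our users, and your business. We prioritize your security and, as such, may sometimes take proactive measures."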
@@ -6,7 +6,7 @@ ms.service: entra-id
ms.subservice: authentication
ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done
ms.topic: conceptual
ms.date: 10/16/2023
ms.date: 11/27/2024

ms.author: justinha
author: justinha
2 changes: 1 addition & 1 deletion docs/identity/authentication/concept-sspr-licensing.md
@@ -5,7 +5,7 @@ description: Learn about the difference Microsoft Entra self-service password re
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 01/29/2023
ms.date: 11/27/2024

ms.author: justinha
author: justinha
2 changes: 1 addition & 1 deletion docs/identity/authentication/concept-sspr-writeback.md
@@ -4,7 +4,7 @@ description: Learn how password change or reset events in Microsoft Entra ID can
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 09/14/2023
ms.date: 11/27/2024
ms.author: justinha
author: justinha
manager: amycolannino
2 changes: 1 addition & 1 deletion docs/identity/authentication/feature-availability.md
@@ -6,7 +6,7 @@ description: Learn which Microsoft Entra features are available in Azure Governm
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 04/13/2023
ms.date: 11/27/2024


ms.author: justinha
@@ -5,7 +5,7 @@ description: Learn which apps are supported for users to sign in to Microsoft En
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 03/16/2023
ms.date: 11/27/2024
ms.author: justinha
author: aanjusingh
manager: amycolannino