diff --git a/docs/external-id/customers/reference-training-videos.md b/docs/external-id/customers/reference-training-videos.md index 4336ccd6c64..3c9b46c713a 100644 --- a/docs/external-id/customers/reference-training-videos.md +++ b/docs/external-id/customers/reference-training-videos.md @@ -8,7 +8,7 @@ ms.service: entra-external-id ms.subservice: customers ms.topic: concept-article -ms.date: 01/07/2024 +ms.date: 10/14/2024 ms.author: mimart ms.custom: it-pro @@ -44,6 +44,12 @@ Microsoft Entra External ID videos are incorporated within our documentation and We regularly expand our video library, so be sure to subscribe to the Microsoft Security Channel for the latest updates. Here are some videos to help you get started with Microsoft Entra External ID. +### Introduction to Microsoft Entra External ID + +Microsoft Entra External ID is Microsoft’s customer identity and access management (CIAM) platform. It helps control who has access to your external facing applications continually verify their online identity while ensuring their personal information and privacy remain safeguarded. This video gives you an introduction to Microsoft Entra External ID, its capabilities and what it’s like to use it as an end user. + +> [!VIDEO https://www.youtube.com/embed/XuxXCMOYiSc?si=yX21DVcKsozFPM0v] + ### Get started with Microsoft Entra external ID This tutorial guides you through creating a new Microsoft Entra External ID tenant and helps you get started with running a sample app and signing in your users. It also explores the various components involved and discusses ways to enhance your configuration. 
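Review bot: The new intro paragraph in the `@@ -44,6 +44,12 @@` hunk is missing a conjunction: "It helps control who has access to your external facing applications continually verify their online identity" runs two clauses together. Suggest "It helps you control who has access to your external-facing applications and continually verify their online identity, while ensuring ..." (with "external-facing" hyphenated as a compound modifier). The unchanged heading that follows, "### Get started with Microsoft Entra external ID", lowercases "external" while the new heading uses "External ID"; worth aligning while this file is open.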
@@ -78,6 +84,12 @@ This video explains the concept of a custom claims provider, which enables you t > [!VIDEO https://www.youtube.com/embed/1tPA7B9ztz0?si=0VXQJmDfnSUv_jAz] The second part shows how to [configure Microsoft Entra ID custom claims provider](https://youtu.be/fxQGVIwX8_4?si=vwcYT7wn7OzL6MzK) with the token issuance start event type, which triggers just before a security token is issued. This event allows you to call a REST API to add claims to the token that's returned to your application. +### Edit user's profile + +In this video, we’ll explore the various methods available for accessing and editing user profiles in Microsoft Entra External ID. + +> [!VIDEO https://www.youtube.com/embed/_zKCgukVHYw?si=8T6TAdEorg4SHUUc] + ### Microsoft Graph and continuous integration This video examines the benefits of using Microsoft Graph API and Microsoft Graph PowerShell for automating tasks and running batch operations. Streamline deployment with GitHub workflows to reduce integration and deployment issues, speed up release cycles, improve change management, and maintain version control across different environments. diff --git a/docs/external-id/customers/tutorial-native-authentication-prepare-android-app.md b/docs/external-id/customers/tutorial-native-authentication-prepare-android-app.md index 25149d0aba5..c6a93e7c142 100644 --- a/docs/external-id/customers/tutorial-native-authentication-prepare-android-app.md +++ b/docs/external-id/customers/tutorial-native-authentication-prepare-android-app.md @@ -191,7 +191,7 @@ Your code should look something similar to the following snippet: } } - private fun displaySignedInState(accountState: AccountState) { + private fun displaySignedInState(accountResult: AccountState) { val accountName = accountResult.getAccount().username val textView: TextView = findViewById(R.id.accountText) textView.text = "Cached account found: $accountName" 
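Review bot: The new heading "### Edit user's profile" in the `@@ -78,6 +84,12 @@` hunk reads better as "Edit a user's profile" or "Edit user profiles", which also matches the body text "accessing and editing user profiles"; the neighbouring headings are plain noun phrases without a dangling possessive.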
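Review bot: The parameter rename in the `@@ -191,7 +191,7 @@` hunk is the right fix: the body already reads `accountResult.getAccount().username`, so the old `accountState` parameter name would not compile. Callers are unaffected unless they pass the argument by name (`accountState = ...`), which is worth a quick check. Since the snippet is introduced with "Your code should look something similar to the following snippet", also confirm the full sample the tutorial points readers to uses the same parameter name so the two don't drift apart again.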
diff --git a/docs/external-id/what-is-b2b.md b/docs/external-id/what-is-b2b.md index 5fa876e1e91..76e8099455c 100644 --- a/docs/external-id/what-is-b2b.md +++ b/docs/external-id/what-is-b2b.md @@ -4,7 +4,7 @@ description: Learn about B2B collaboration for sharing apps with external identi ms.service: entra-external-id ms.topic: overview -ms.date: 09/06/2024 +ms.date: 10/14/2024 ms.author: cmulligan author: csmulligan manager: celestedg @@ -101,7 +101,7 @@ You can use authentication and authorization policies to protect your corporate ## Let application and group owners manage their own guest users -You can delegate guest user management to application owners so that they can add guest users directly to any application they want to share, whether it's a Microsoft application or not. +You can delegate guest user management to application owners. This allows them to add guest users directly to any application they want to share, whether it's a Microsoft application or not. - Administrators set up self-service app and group management. - Non-administrators use their [Access Panel](https://myapps.microsoft.com) to add guest users to applications or groups. 
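Review bot: In the `@@ -101,7 +101,7 @@` hunk, splitting the sentence leaves "This allows them to add guest users" with a vague antecedent ("This" stands for the delegation just described). Suggest "Delegation lets application owners add guest users directly to any application they want to share, whether it's a Microsoft application or not." The edit otherwise changes wording only, not meaning, so no cross-references need updating.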
@@ -123,7 +123,7 @@ Microsoft Entra External ID supports external identity providers like Facebook, ## Integrate with SharePoint and OneDrive -You can [enable integration with SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration) to share files, folders, list items, document libraries, and sites with people outside your organization, while using Azure B2B for authentication and management. The users you share resources with are typically guest users in your directory, and permissions and groups work the same for these guests as they do for internal users. When enabling integration with SharePoint and OneDrive, you also enable the [email one-time passcode](one-time-passcode.md) feature in Microsoft Entra B2B to serve as a fallback authentication method. +You can [enable integration with SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration) to share files, folders, list items, document libraries, and sites with people outside your organization, while using Microsoft Entra B2B for authentication and management. The users you share resources with are typically guest users in your directory, and permissions and groups work the same for these guests as they do for internal users. When enabling integration with SharePoint and OneDrive, you also enable the [email one-time passcode](one-time-passcode.md) feature in Microsoft Entra B2B to serve as a fallback authentication method. :::image type="content" source="media/what-is-b2b/enable-email-otp-options.png" alt-text="Screenshot of the email one-time-passcode setting."::: @@ -131,4 +131,4 @@ You can [enable integration with SharePoint and OneDrive](/sharepoint/sharepoint - [Invitation email](invitation-email-elements.md) - [Add B2B collaboration guest users in the admin center](add-users-administrator.yml) -- [B2B direct connect](b2b-direct-connect-overview.md) \ No newline at end of file +- [B2B direct connect](b2b-direct-connect-overview.md) 
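Review bot: The `@@ -123,7 +123,7 @@` hunk replaces the one remaining "Azure B2B" with "Microsoft Entra B2B", which now matches the "Microsoft Entra B2B" already used later in the same sentence; good. The trailing-newline fix in the `@@ -131,4 +131,4 @@` hunk is also correct, though note the same patch introduces a new `\ No newline at end of file` in concept-microsoft-entra-health.md, so the two files end up inconsistent.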
diff --git a/docs/identity/authentication/concept-certificate-based-authentication-technical-deep-dive.md b/docs/identity/authentication/concept-certificate-based-authentication-technical-deep-dive.md index 63dd0bfb2ad..a59cbce3b79 100644 --- a/docs/identity/authentication/concept-certificate-based-authentication-technical-deep-dive.md +++ b/docs/identity/authentication/concept-certificate-based-authentication-technical-deep-dive.md @@ -187,8 +187,8 @@ Let's look at an example of a user who has single-factor certificate, and is con CBA can be used as a second factor like Password (first factor) and CBA (second factor) to get MFA. >[!NOTE] -On iOS, users with certificate-based authentication will see a "double prompt", where they must click the option to use certificate-based authentication twice. -On iOS, users with Microsoft Authenticator App will also see hourly login prompt to authenticate with CBA if there's an Authentication Strength policy enforcing CBA, or if they use CBA as the second factor or step-up authentication. +> On iOS, users with certificate-based authentication will see a "double prompt", where they must click the option to use certificate-based authentication twice. +> On iOS, users with Microsoft Authenticator App will also see hourly login prompt to authenticate with CBA if there's an Authentication Strength policy enforcing CBA, or if they use CBA as the second factor or step-up authentication. ## Understanding the authentication binding policy diff --git a/docs/identity/monitoring-health/concept-microsoft-entra-health.md b/docs/identity/monitoring-health/concept-microsoft-entra-health.md index 42ebe27bf6d..c4b1e482a4c 100644 --- a/docs/identity/monitoring-health/concept-microsoft-entra-health.md +++ b/docs/identity/monitoring-health/concept-microsoft-entra-health.md 
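Review bot: Prefixing the continuation lines with `> ` in the `@@ -187,8 +187,8 @@` hunk is the right fix; without it only the `[!NOTE]` line renders inside the callout and the two sentences fall out as plain paragraphs. While these lines are being touched: "will also see hourly login prompt" needs an article ("an hourly login prompt"), and "must click the option" should be "must select the option" per the style used elsewhere in these docs. The opener `>[!NOTE]` also lacks the space the new continuation lines use; `> [!NOTE]` keeps the block consistent.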
@@ -6,7 +6,7 @@ manager: amycolannino ms.service: entra-id ms.topic: conceptual ms.subservice: monitoring-health -ms.date: 01/04/2024 +ms.date: 10/14/2024 ms.author: sarahlipsey ms.reviewer: sarbar 
@@ -14,89 +14,55 @@ ms.reviewer: sarbar # What is Microsoft Entra Health? -Microsoft Entra Health (preview) provides you with the ability to view the health of your Microsoft Entra tenant through a report of service level agreement (SLA) attainment and a set of health metrics you can monitor for key Microsoft Entra ID scenarios. All the data is provided at the tenant level. The scenario monitoring solution is currently in public preview and can be enabled or disabled in the Preview Hub; the SLA Attainment report is available by default. +Microsoft Entra Health (preview) provides you with observability of your Microsoft Entra tenant through continuous low-latency health monitoring and look-back reporting. The low-latency health monitoring solution includes a set of health metric data streams (signals) with built-in alerts designed to help IT operations teams maintain high levels of uptime and service on common Microsoft Entra scenarios. The monthly look-back solution shows the core authentication availability of Microsoft Entra ID each month. -## How to access Microsoft Entra Health +## How Microsoft Entra health monitoring (preview) works -You can view the Microsoft Entra Health SLA attainment and Scenario monitoring (preview) from the Microsoft Entra admin center. +1. Metrics and data are gathered, processed, and converted into meaningful signals displayed in Microsoft Entra Health monitoring. -1. Sign into the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](../role-based-access-control/permissions-reference.md#reports-reader). -1. Browse to **Identity** > **Monitoring and health** > **Health (preview)**. +1. These signals are fed into our anomaly detection service. -![Screenshot of the Microsoft Entra Health landing page.](media/concept-microsoft-entra-health/identity-health-landing-page.png) +1. When the anomaly detection service identifies a significant change to a pattern in the signal, it triggers an alert. 
-### Enable the Scenario monitoring preview +1. When the alert is triggered, an email notification is sent to a set of users, preselected by the tenant admin. This email notification prompts recipients to investigate and determine if there's a problem. -If you'd like to view the **Scenario monitoring (preview)**: +1. After you see an alert, you need to research possible root causes, determine the next steps, and take action to mitigate the root cause. Each health alert contains an impact assessment and links to resources to help you through the process. -1. Sign into the [Microsoft Entra admin center] as at least a [Reports Reader](../role-based-access-control/permissions-reference.md#reports-reader). -1. Browse to **Identity** > **Settings** > **Preview hub**. -1. Enable **Scenario monitoring**. +## Microsoft Entra Health monitoring signals -Enabling preview feature might take up to 24 hours to populate. Enabling the preview only changes your view, not the entire tenant. You can disable the preview at any time. +Many IT administrators spend a considerable amount of time investigating several key scenarios, such as sign-ins requiring multifactor authentication (MFA) or sign-ins requiring a compliant or managed device. Microsoft Entra Health provides a visualization of the data associated with these metrics, so you can quickly identify trends and potential issues. -## SLA attainment - -In addition to providing global SLA performance, Microsoft Entra ID now provides tenant-level SLA performance for organizations with at least 5000 monthly active users. The Service Level Agreement (SLA) attainment is the user authentication availability for Microsoft Entra ID. For the current availability target and details on how SLA is calculated, see [SLA for Microsoft Entra ID](https://azure.microsoft.com/support/legal/sla/active-directory/v1_1/). - -Hover your mouse over the bar for a month to view the percentage for that month. 
A table with the same details appears below the graph. - -You can also view SLA attainment using [Microsoft Graph](/graph/api/resources/serviceactivity?view=graph-rest-beta&preserve-view=true). +The following key scenarios can be monitored in Microsoft Entra Health: -![Screenshot of the SLA attainment report.](media/concept-microsoft-entra-health/sla-attainment.png) - -## Scenario monitoring (preview) - -Many IT administrators spend a considerable amount of time investigating the health of the following key scenarios: - -- Interactive user sign-in requests that require Microsoft Entra multifactor authentication. +- Interactive user sign-in requests that require Microsoft Entra multifactor authentication (MFA). - User sign-in requests that require a managed device through a Conditional Access policy. - User sign-in requests that require a compliant device through a Conditional Access policy. - User sign-in requests to applications using SAML authentication. -The data associated with each of these scenarios is aggregated into a view that's specific to that scenario. If you're only interested in sign-ins from compliant devices, you can dive into that scenario without noise from other sign-in activities. - -Data is aggregated every 15 minutes, for low latency insights into your tenant's health. Each scenario detail page provides trends and totals for that scenario for the last 30 days. You can set the date range to 24 hours, 7 days, or 1 month. +The data associated with each of these scenarios is aggregated into a view that's specific to that scenario. If you're only interested in sign-ins from compliant devices, you can dive into that scenario without noise from other sign-in activities. -Select **View details** on a tile to view the metrics for that scenario. You can also view these metric streams using [Microsoft Graph](/graph/api//resources/serviceactivity?view=graph-rest-beta&preserve-view=true). 
+Each scenario detail page provides trends and totals for that scenario for the last 30 days. This data is aggregated every 15 minutes, for low latency insights into your tenant's health. -![Screenshot of the scenario monitoring landing page.](media/concept-microsoft-entra-health/scenario-monitoring.png) +## Microsoft Entra Health monitoring alerts -### Sign-ins requiring a compliant device +In addition to providing health signals, Microsoft Entra Health monitoring also has an anomaly detection service that looks at the data and develops dynamic alerting thresholds based on the pattern specific to your tenant. When the service identifies a significant change to that pattern at the tenant level, it triggers an alert. By monitoring these scenarios and reviewing the alerts, you can more effectively monitor and improve the health of your tenant. -This scenario captures each user authentication that satisfies a Conditional Access policy requiring sign-in from a compliant device. +Alerts are specific to your tenant and to the scenario being monitored. Machine learning requires at least four weeks of data to establish a pattern for your tenant. The more data we collect on the signal, the more accurate the anomaly detection service becomes. The service looks back 25-30 minutes on the timeline and triggers an alert if the signal deviates from the pattern. -- [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy). -- [Learn about Conditional Access and Intune](/mem/intune/protect/conditional-access). -- [Learn about Microsoft Entra joined devices](../devices/concept-directory-join.md). 
+The service provides alerts for the following scenarios: -![Screenshot of the compliant device scenario.](media/concept-microsoft-entra-health/scenario-monitoring-compliant-device.png) +- [Sign-ins requiring a Conditional Access compliant device](scenario-health-sign-ins-compliant-managed-device.md) +- [Sign-ins requiring a Conditional Access managed device](scenario-health-sign-ins-compliant-managed-device.md) +- [Sign-ins requiring multifactor authentication (MFA)](scenario-health-sign-ins-mfa.md) -### Sign-ins requiring a managed device +At this time, alerts are only available through the Microsoft Graph API. With the Microsoft Graph health monitoring alerts APIs, you can view the alerts, configure email notifications, and update the state of the alert. You can run the API calls on a recurring cadence (for example, daily or hourly) or configure email notifications. For more information, see [How to use Microsoft Entra scenario health alerts](howto-use-health-scenario-alerts.md) and the [Microsoft Graph health monitoring alerts API documentation](/graph/api/resources/healthmonitoring-overview?view=graph-rest-beta&preserve-view=true). -This scenario captures each user authentication that satisfies a Conditional Access policy requiring sign-in from a managed device. - -- [What is device management](/mem/intune/fundamentals/what-is-device-management)? -- [Learn about Microsoft Entra hybrid joined devices](../devices/concept-hybrid-join.md). - -![Screenshot of the managed device scenario.](media/concept-microsoft-entra-health/scenario-monitoring-managed-device.png) - -### Sign-ins requiring multifactor authentication (MFA) - -This scenario provides two aggregated data graphs. The first displays the number of users who successfully completed an interactive MFA sign-in using a Microsoft Entra cloud MFA service. The metric excludes instances when a user refreshes the session without completing the interactive MFA or using passwordless sign-in methods. 
- -This scenario also provides an aggregated look at failures of interactive MFA sign-in attempts. The same type of refreshed sessions and passwordless methods are excluded from this metric. - -- [Configure Conditional Access for MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md). -- [Troubleshoot common sign-in errors](howto-troubleshoot-sign-in-errors.md). - -![Screenshot of the MFA scenario.](media/concept-microsoft-entra-health/scenario-monitoring-MFA.png) +## SLA attainment -### Sign-ins to applications using SAML authentication +In addition to publicly reporting global SLA performance, Microsoft Entra ID provides tenant-level SLA performance for organizations with at least 5000 monthly active users. The Service Level Agreement (SLA) attainment is the user authentication availability for Microsoft Entra ID. For the current availability target and details on how SLA is calculated, see [SLA for Microsoft Entra ID](https://azure.microsoft.com/support/legal/sla/active-directory/v1_1/). -This scenario looks at SAML 2.0 authentication attempts that the Microsoft Entra cloud service for your tenant successfully processed. This metric currently excludes WS-FED/SAML 1.1 apps integrated with Microsoft Entra ID. +Hover your mouse over the bar for a month to view the percentage for that month. A table with the same details appears below the graph. -- [Learn how the Microsoft Identity platform uses the SAML protocol](../../identity-platform/saml-protocol-reference.md) -- [Use a SAML 2.0 IdP for single sign on](../hybrid/connect/how-to-connect-fed-saml-idp.md). +You can also view SLA attainment using [Microsoft Graph APIs](/graph/api/resources/azureadauthentication?view=graph-rest-beta&preserve-view=true). 
-![Screenshot of the SAML scenario.](media/concept-microsoft-entra-health/scenario-monitoring-SAML.png) +![Screenshot of the SLA attainment report.](media/concept-microsoft-entra-health/sla-attainment.png) \ No newline at end of file diff --git a/docs/identity/monitoring-health/howto-use-health-scenario-alerts.md b/docs/identity/monitoring-health/howto-use-health-scenario-alerts.md new file mode 100644 index 00000000000..a1166fcb87b --- /dev/null +++ b/docs/identity/monitoring-health/howto-use-health-scenario-alerts.md 
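Review bot: The rewrite in the `@@ -14,89 +14,55 @@` hunk ends with `\ No newline at end of file` on the new last line (the SLA screenshot), while this same patch adds the missing trailing newline to what-is-b2b.md; add one here too. Capitalization of the feature name is inconsistent within the new text: "## How Microsoft Entra health monitoring (preview) works" versus "## Microsoft Entra Health monitoring signals" and "## Microsoft Entra Health monitoring alerts"; pick one form. The warm-up figures also differ across the patch: this file says "Machine learning requires at least four weeks of data to establish a pattern", while the new how-to's Known limitations say "about 30 days"; state the same number in both places. Finally, "look-back" is used for the monthly SLA report and "looks back 25-30 minutes" for the anomaly window; the two senses of look-back in one article are easy to confuse, so consider "monthly SLA reporting" for the first.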
@@ -0,0 +1,161 @@ +--- +title: How to use Microsoft Entra health monitoring alerts (preview) +description: Learn how to use the Microsoft Entra health monitoring alerts to monitor and improve the health of your tenant. +author: shlipsey3 +manager: amycolannino +ms.service: entra-id +ms.topic: how-to +ms.subservice: monitoring-health +ms.date: 10/14/2024 +ms.author: sarahlipsey +ms.reviewer: sarbar + +# Customer intent: As an IT admin, I want to learn how to use Microsoft Entra health monitoring to observe and improve the health of my tenant. +--- + +# How to use Microsoft Entra health monitoring alerts (preview) + +Microsoft Entra Health monitoring provides the ability to monitor the health of your Microsoft Entra tenant through a set of health metrics and intelligent alerts. Health metrics are fed into our anomaly detection service, which uses machine learning to understand the patterns for your tenant. When the anomaly detection service identifies a significant change one of the tenant-level patterns, it triggers an alert. You can also receive email notifications when a potential issue or failure condition is detected within the health scenarios. For more information on Microsoft Entra Health, see [What is Microsoft Entra Health](concept-microsoft-entra-health.md). + +This article provides guidance on how to: + +- Access Microsoft Entra Health. +- Configure email notifications for alerts. +- Investigate an alert. + +## Prerequisites + +[!INCLUDE [Microsoft Entra health](../../includes/licensing-health.md)] + +### Known limitations + +- Newly onboarded tenants might not have enough data to generate alerts for about 30 days. +- Currently, alerts are only available with the Microsoft Graph API. + +## How to access Microsoft Entra Health + +You can view the Microsoft Entra Health service level agreement (SLA) attainment report and the health monitoring signals from the Microsoft Entra admin center. 
You can also view these data streams, and the public preview of health monitoring alerts, using [Microsoft Graph APIs](/graph/api/resources/healthmonitoring-overview?view=graph-rest-beta&preserve-view=true). [Enable the Scenario monitoring preview](https://entra.microsoft.com/?feature.tokencaching=true&feature.internalgraphapiversion=true#view/Microsoft_AAD_IAM/FeaturePreviewsListBlade). + +1. Sign into the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](../role-based-access-control/permissions-reference.md#reports-reader). + +1. Browse to **Identity** > **Monitoring and health** > **Health**. + +1. Select the **Scenario Monitoring** tab. + + ![Screenshot of the Microsoft Entra Health landing page.](media/howto-use-health-scenario-alerts/identity-health-landing-page.png) + +1. Select **View details** for the scenario you wish to investigate. + + ![Screenshot of the Microsoft Entra Health scenario monitoring page.](media/howto-use-health-scenario-alerts/scenario-monitoring.png) + +The default view is the last seven days, but you can adjust the date range to 24 hours, seven days, or one month. The data is updated every 15 minutes. + +## Configure the email notifications + +With the Microsoft Graph health monitoring alerts API, you can configure email notifications. You can run the API calls on a regular cadence (for example, daily or hourly) or you can configure email notifications for when an alert is triggered. We recommend daily monitoring of the scenario monitoring signals and alerts. + +Email notifications are sent to the [Microsoft Entra group](../../fundamentals/concept-learn-about-groups.md) of your choice. We recommend sending alerts to users with the appropriate access to investigate and take action on the alerts. 
Not every role can take the same action, so consider including a group with the following roles: + +- [Security Reader](../role-based-access-control/permissions-reference.md#security-reader) +- [Security Administrator](../role-based-access-control/permissions-reference.md#security-administrator) +- [Intune Administrator](../role-based-access-control/permissions-reference.md#intune-administrator) +- [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator) + +To configure alert notifications, you need the ID of the Microsoft Entra group you want to receive the alerts AND the scenario alert ID. You can configure different groups to receive alerts for different alert scenarios. + +### Locate the group's Object ID + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../role-based-access-control/permissions-reference.md#user-administrator). +1. Browse to **Groups** > **All groups** > and select the group you want to receive the alerts. +1. Select **Properties** and copy the `Object ID` of the group. + + ![Screenshot of the group properties in the Microsoft Entra admin center.](media/howto-use-health-scenario-alerts/locate-group-id.png) + +### Locate the scenario alert type + +1. Sign in to [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) as at least a [Helpdesk Administrator](../role-based-access-control/permissions-reference.md#helpdesk-administrator) and consent to the appropriate permissions. +1. Select **GET** as the HTTP method from the dropdown and set the API version to **beta**. +1. Run the following query to retrieve the list of alerts for your tenant. + + ```http + GET https://graph.microsoft.com/beta/reports/healthMonitoring/alerts + ``` +1. Locate and save the `alertType` of the alert you want to be notified about, for example `alertType: "mfaSignInFailure`. 
+ +### Configure the email notifications + +In Microsoft Graph Explorer, run the following PATCH query to configure email notifications for alerts. + +- Replace `{alertType}` with the specific `alertType` you want to configure. +- Replace `Object ID of the group` with the `Object ID` of the group you want to receive the alerts. +- For more information, see [configure email notifications for alerts](/graph/api/healthmonitoring-alertconfiguration-update?view=graph-rest-beta&preserve-view=true). + +```http +PATCH https://graph.microsoft.com/beta/reports/healthMonitoring/alertConfigurations/{alertType} +Content-Type: application/json + +{ + "emailNotificationConfigurations": [ + { + "groupId":"Object ID of the group", + "isEnabled": true + } + ] +} +``` + +## Investigate the alert and signals + +With the email notifications configured, you and your team can more effectively monitor the health of these scenarios. When you receive an alert, you typically need to investigate the following data sets: + +- **Alert impact**: The portion of the response after `impacts` quantifies the scope and summarizes impacted resources. These details include the `impactCount` so you can determine how widespread the issue is. +- **Alert signals**: The data stream, or health signal, that caused the alert. A query is provided in the response for further investigation. +- **Sign-in logs**: A query is provided in the response for further investigation into the sign-in logs where the health signal was generated. The sign-in logs provide detailed event metadata that might be used to identify a problem's root cause. +- **Scenario-specific resources**: Depending on the scenario, you might need to investigate Intune compliance policies or Conditional Access policies. In many cases, a link to related documentation is provided in the response. + +### View the impacts and signals + +1. In Microsoft Graph, add the following query to retrieve all alerts for your tenant. 
+ + ```http + GET https://graph.microsoft.com/beta/reports/healthMonitoring/alerts + ``` + +1. Locate and save the `id` of the alert you want to investigate. + +1. Add the following query, using `id` as the `alertId`. + + ```http + GET https://graph.microsoft.com/beta/reports/healthMonitoring/alerts/{alertId} + ``` +For sample requests and responses, see [Health monitoring List alert objects](/graph/api/healthmonitoring-healthmonitoringroot-list-alerts?view=graph-rest-beta&preserve-view=true). +- The portion of the response after `impacts` make up the impact summary for the alert. +- The `supportingData` portion includes the full query used to generate the alert. +- The results of the query include everything identified by the anomaly detection service, but there might be results that aren't directly related to the alert. + +### View the sign-in logs + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](../role-based-access-control/permissions-reference.md#reports-reader). + - If you need to modify Conditional Access policies, you need the [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator) role. +1. Browse to **Monitoring & health** > **Sign-in logs**. + - Adjust the time range to match the alert time frame. + - Add a **filter** for Conditional Access. + - Select a log entry to view the sign-in logs details and select the Conditional Access tab to see the policies that were applied. + +### View the scenario-specific resources + +Each alert might have a different data set to investigate. 
For details on each alert type, see the following articles: + +- [Sign-ins requiring a compliant or managed device](scenario-health-sign-ins-compliant-managed-device.md) +- [Sign-ins requiring multifactor authentication (MFA)](scenario-health-sign-ins-mfa.md) + +## Analyze the possible root causes + +After gathering all the data related to the scenario, you need to consider possible root causes and research potential solutions. Think about the seriousness of the alert. Are only a handful of users affected, or is it a widespread issue? Did a recent policy change have unintended consequences? + +We recommend looking at the alerts and health monitoring data regularly to identify trends and potential issues before they become widespread problems. + +## Next steps + +- [Troubleshoot sign-in problems with Conditional Access](../conditional-access/troubleshoot-conditional-access.md) +- [Use audit logs to troubleshoot Conditional Access policy changes](../conditional-access/troubleshoot-policy-changes-audit-log.md) diff --git a/docs/identity/monitoring-health/media/concept-microsoft-entra-health/identity-health-landing-page.png b/docs/identity/monitoring-health/media/concept-microsoft-entra-health/identity-health-landing-page.png deleted file mode 100644 index 2685873d82e..00000000000 Binary files a/docs/identity/monitoring-health/media/concept-microsoft-entra-health/identity-health-landing-page.png and /dev/null differ diff --git a/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-compliant-device.png b/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-compliant-device.png deleted file mode 100644 index 85b0381273c..00000000000 Binary files a/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-compliant-device.png and /dev/null differ 
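Review bot: The link "[Enable the Scenario monitoring preview](https://entra.microsoft.com/?feature.tokencaching=true&feature.internalgraphapiversion=true#view/Microsoft_AAD_IAM/FeaturePreviewsListBlade)" in the new how-to carries internal feature-flag query parameters (`feature.tokencaching`, `feature.internalgraphapiversion`) that should not ship in published docs; link to the Preview hub without them, and move it out of the intro sentence into the numbered steps where it belongs. Other points in this hunk: "identifies a significant change one of the tenant-level patterns" is missing "to"; the inline example `alertType: "mfaSignInFailure` has an unclosed quote; "you need the ID of the Microsoft Entra group ... AND the scenario alert ID" should say the `alertType`, since the PATCH path uses `{alertType}`, not an ID; "The portion of the response after `impacts` make up" should be "makes up"; "In Microsoft Graph, add the following query" should read "In Microsoft Graph Explorer, run the following query" to match the earlier steps; the "For sample requests and responses" paragraph and the bullets after it are not indented under step 3, so the numbered list breaks; and "Sign into" in the first access step differs from "Sign in to" used elsewhere. On the notification group: the alert email carries tenant impact data, so the paragraph recommending which roles to include could also advise keeping that group's membership under change control (for example, a role-assignable group) so alert distribution can't be widened without review.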
diff --git a/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-managed-device.png b/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-managed-device.png deleted file mode 100644 index a2d23360bfe..00000000000 Binary files a/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-managed-device.png and /dev/null differ diff --git a/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-mfa.png b/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-mfa.png deleted file mode 100644 index 1d1fc134530..00000000000 Binary files a/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-mfa.png and /dev/null differ diff --git a/docs/identity/monitoring-health/media/howto-use-health-scenario-alerts/identity-health-landing-page.png b/docs/identity/monitoring-health/media/howto-use-health-scenario-alerts/identity-health-landing-page.png new file mode 100644 index 00000000000..d6c2bbd3a80 Binary files /dev/null and b/docs/identity/monitoring-health/media/howto-use-health-scenario-alerts/identity-health-landing-page.png differ diff --git a/docs/identity/monitoring-health/media/howto-use-health-scenario-alerts/locate-group-id.png b/docs/identity/monitoring-health/media/howto-use-health-scenario-alerts/locate-group-id.png new file mode 100644 index 00000000000..5e05860b0af Binary files /dev/null and b/docs/identity/monitoring-health/media/howto-use-health-scenario-alerts/locate-group-id.png differ 
diff --git a/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring.png b/docs/identity/monitoring-health/media/howto-use-health-scenario-alerts/scenario-monitoring.png similarity index 100% rename from docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring.png rename to docs/identity/monitoring-health/media/howto-use-health-scenario-alerts/scenario-monitoring.png diff --git a/docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-saml.png b/docs/identity/monitoring-health/media/scenario-health-sign-ins-saml-auth/scenario-monitoring-saml.png similarity index 100% rename from docs/identity/monitoring-health/media/concept-microsoft-entra-health/scenario-monitoring-saml.png rename to docs/identity/monitoring-health/media/scenario-health-sign-ins-saml-auth/scenario-monitoring-saml.png diff --git a/docs/identity/monitoring-health/scenario-health-sign-ins-compliant-managed-device.md b/docs/identity/monitoring-health/scenario-health-sign-ins-compliant-managed-device.md new file mode 100644 index 00000000000..993e7127ff2 --- /dev/null +++ b/docs/identity/monitoring-health/scenario-health-sign-ins-compliant-managed-device.md 
@@ -0,0 +1,81 @@ +--- +title: Sign-ins requiring a compliant or managed device +description: Learn about the Microsoft Entra Health signals and alerts for sign-ins that require a compliant or managed device +author: shlipsey3 +manager: amycolannino +ms.service: entra-id +ms.topic: how-to +ms.subservice: monitoring-health +ms.date: 10/14/2024 +ms.author: sarahlipsey +ms.reviewer: sarbar + +# Customer intent: As an IT admin, I want to understand the health of my tenant through identity related signals and alerts so I can proactively address issues and maintain a healthy tenant. +--- + +# How to investigate the sign-ins requiring a compliant or managed device alert + +Microsoft Entra Health monitoring provides a set of tenant-level health metrics you can monitor and alerts when a potential issue or failure condition is detected. There are multiple health scenarios that can be monitored, including two related to devices: + +- Sign-ins requiring a Conditional Access compliant device +- Sign-ins requiring a Conditional Access managed device + +These scenarios allow you to monitor and receive alerts on user authentication that satisfies a Conditional Access policy requiring signing in from a compliant or managed device. To learn more about how Microsoft Entra Health works, see: + +- [What is Microsoft Entra Health?](concept-microsoft-entra-health.md) +- [How to use Microsoft Entra health monitoring signals and alerts](howto-use-health-scenario-alerts.md) + +This article describes the health metrics related to compliant and managed devices and how to troubleshoot a potential issue when you receive an alert. + +## Prerequisites + +[!INCLUDE [Microsoft Entra health](../../includes/licensing-health.md)] + +## Investigate the alert and signal + +Investigating an alert starts with gathering data. + +1. Gather the signal details and impact summary. 
+ - For more information, see [Microsoft Graph health monitoring overview](/graph/api/resources/healthmonitoring-overview?view=graph-rest-beta&preserve-view=true). + - Run the [List alerts](/graph/api/healthmonitoring-healthmonitoringroot-list-alerts?view=graph-rest-beta&preserve-view=true) API to retrieve all alerts for the tenant. + - Run the [Get alert](/graph/api/healthmonitoring-alert-get?view=graph-rest-beta&preserve-view=true) API to retrieve the details of a specific alert. +1. Review your Intune device compliance policies. + - For more information, see [Intune device compliance overview](/mem/intune/protect/device-compliance-get-started). + - Learn how to [Monitor device compliance policies](/mem/intune/protect/compliance-policy-monitor). + - If you're not using Intune, review your device management solution's compliance policies +1. Investigate common Conditional Access issues. + - [Troubleshoot Conditional Access device compliance policies](/troubleshoot/mem/intune/device-protection/troubleshoot-conditional-access#devices-appear-compliant-but-users-are-still-blocked). + - [Troubleshoot Conditional Access sign-in problems](../conditional-access/troubleshoot-conditional-access.md). +1. Review the sign-in logs. + - [Review the sign-in log details](concept-sign-in-log-activity-details.md). + - Look for users being blocked from signing in *and* have a compliant device policy applied. +1. Check the audit logs for recent policy changes. + - [Use the audit logs to troubleshoot Conditional Access policy changes](../conditional-access/troubleshoot-policy-changes-audit-log.md). + +## Mitigate common issues + +The following common issues could cause a spike in sign-ins requiring a compliant or managed device. This list isn't exhaustive, but provides a starting point for your investigation. 
+ +### Many users are blocked from signing in from known devices + +If a large group of users are blocked from signing in to known devices, a spike could indicate that these devices have fallen out of compliance. + +- Check your [Intune device compliance policy](/mem/intune/protect/device-compliance-get-started). +- Check your [Conditional Access device compliance policies](/troubleshoot/mem/intune/device-protection/troubleshoot-conditional-access#devices-appear-compliant-but-users-are-still-blocked). + +### User is blocked from signing in from an unknown device + +If the increase in blocked sign-ins is coming from an unknown device, that spike could indicate that an attacker has acquired a user's credentials and is attempting to sign in from a device used for such attacks. + +- [Review the sign-in logs](../monitoring-health/concept-sign-in-log-activity-details.md). +- [Investigate risk with Microsoft Entra ID Protection](../../id-protection/howto-identity-protection-investigate-risk.md). + - Note: Microsoft Entra ID Protection requires a Microsoft Entra P2 license. + +## Next steps + +- [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy) +- [Learn about Conditional Access and Intune](/mem/intune/protect/conditional-access) +- [Learn about Microsoft Entra joined devices](../devices/concept-directory-join.md) +- [What is device management](/mem/intune/fundamentals/what-is-device-management) +- [Learn about Conditional Access and Intune](/mem/intune/protect/conditional-access) +- [Learn about Microsoft Entra hybrid joined devices](../devices/concept-hybrid-join.md) \ No newline at end of file diff --git a/docs/identity/monitoring-health/scenario-health-sign-ins-mfa.md b/docs/identity/monitoring-health/scenario-health-sign-ins-mfa.md new file mode 100644 index 00000000000..cbc9a6872bd --- /dev/null +++ b/docs/identity/monitoring-health/scenario-health-sign-ins-mfa.md 
@@ -0,0 +1,88 @@ +--- +title: Sign-ins requiring multifactor authentication +description: Learn about the Microsoft Entra Health signals and alerts for sign-ins that require a multifactor authentication +author: shlipsey3 +manager: amycolannino +ms.service: entra-id +ms.topic: how-to +ms.subservice: monitoring-health +ms.date: 10/14/2024 +ms.author: sarahlipsey +ms.reviewer: sarbar + +# Customer intent: As an IT admin, I want to understand the health of my tenant through identity related signals and alerts so I can proactively address issues and maintain a healthy tenant. +--- + +# How to investigate sign-ins requiring multifactor authentication + +Microsoft Entra Health monitoring provides a set of tenant-level health metrics you can monitor and alerts when a potential issue or failure condition is detected. There are multiple health scenarios that can be monitored, including multifactor authentication (MFA). + +This scenario: + +- Aggregates the number of users who successfully completed an MFA sign-in using a Microsoft Entra cloud MFA service. +- Captures interactive sign-ins with MFA, aggregating both successes and failures. +- Excludes when a user refreshes the session without completing the interactive MFA or using passwordless sign-in methods. + +This article describes these health metrics and how to troubleshoot a potential issue when you receive an alert. + +## Prerequisites + +[!INCLUDE [Microsoft Entra health](../../includes/licensing-health.md)] + +## Gather data + +Investigating an alert starts with gathering data. + +1. Gather the signal details and impact summary. + - For more information, see [Microsoft Graph health monitoring overview](/graph/api/resources/healthmonitoring-overview?view=graph-rest-beta&preserve-view=true). +1. Review the sign-in logs. + - [Review the sign-in log details](concept-sign-in-log-activity-details.md). + - Look for users being blocked from signing in *and* have a Conditional Access policy requiring MFA applied. +1. 
Check the audit logs for recent policy changes. + - [Use the audit logs to troubleshoot Conditional Access policy changes](../conditional-access/troubleshoot-policy-changes-audit-log.md). + +## Mitigate common issues + +The following common issues could cause a spike in MFA sign-ins. This list isn't exhaustive, but provides a starting point for your investigation. + +### Application configuration issues + +An increase in sign-ins requiring MFA could indicate a policy change or new feature rollout potentially triggered a large number of users to sign in around the same time. + +To investigate: + +- In the impact summary, if `resourceType` is "application" and there's only one or two applications listed, check the audit logs for changes to the listed applications. +- In the audit logs, use the **Target** column to filter for the application or open the audit logs from Enterprise Applications, so the filter is already set. +- Determine if the application was recently added or reconfigured. +- In the sign-in logs, use the **Application** column to filter for the same application or date range to look for any other patterns. + +### User authentication issues + +An increase in sign-ins requiring MFA could indicate a brute force attack, where multiple unauthorized sign-in attempts are made to a user's account. + +To investigate: + +- In the impact summary, if `resourceType` is "user" and the `impactedCount` value shows a small subset of users, the issue might be user-specific. +- Use the following filters in the sign-in logs: + - **Status**: Failure + - **Authentication requirement**: Multifactor authentication + - Adjust the date to match the timeframe indicated in the impact summary. +- Are the failed sign-in attempts coming from the same IP address? +- Are the failed sign-in attempts from the same user? +- Run the [sign-in diagnostic](howto-use-sign-in-diagnostics.md) to rule out standard user error issues or initial MFA setup issues. 
+ +### Network issues + +There could be a regional system outage that required a large number of users to sign in at the same time. + +To investigate: + +- In the impact summary, if `resourceType` is "user" and the `impactedCount` value shows a large percentage of your organization's users, you might be looking at a wide spread issue. +- Check your system and network health to see if an outage or update matches the same timeframe as the anomaly. + + +## Next steps + +- [Configure Conditional Access for MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) +- [Troubleshoot common sign-in errors](howto-troubleshoot-sign-in-errors.md) +- [Learn about Conditional Access and Intune](/mem/intune/protect/conditional-access) diff --git a/docs/identity/monitoring-health/scenario-health-sign-ins-saml-auth.md b/docs/identity/monitoring-health/scenario-health-sign-ins-saml-auth.md new file mode 100644 index 00000000000..09db81d11da --- /dev/null +++ b/docs/identity/monitoring-health/scenario-health-sign-ins-saml-auth.md 
@@ -0,0 +1,23 @@ +--- +title: Sign-ins to applications using SAML authentication +description: Learn about the Microsoft Entra Health signals and alerts for sign-ins to applications that use SAML authentication +author: shlipsey3 +manager: amycolannino +ms.service: entra-id +ms.topic: how-to +ms.subservice: monitoring-health +ms.date: 10/14/2024 +ms.author: sarahlipsey +ms.reviewer: sarbar + +# Customer intent: As an IT admin, I want to understand the health of my tenant through identity related signals and alerts so I can proactively address issues and maintain a healthy tenant. +--- + +# How to investigate the sign-ins to applications using SAML authentication + +The Security Assertion Markup Language (SAML) authentication scenario provides health monitoring signal but doesn't trigger alerts. The scenario monitors SAML 2.0 authentication attempts that the Microsoft Entra cloud service for your tenant successfully processed. This metric currently excludes WS-FED/SAML 1.1 apps integrated with Microsoft Entra ID. + +- [Learn how the Microsoft Identity platform uses the SAML protocol](../../identity-platform/saml-protocol-reference.md) +- [Use a SAML 2.0 IdP for single sign on](../hybrid/connect/how-to-connect-fed-saml-idp.md). + +![Screenshot of the SAML scenario.](media/scenario-health-sign-ins-saml-auth/scenario-monitoring-SAML.png) \ No newline at end of file diff --git a/docs/identity/monitoring-health/toc.yml b/docs/identity/monitoring-health/toc.yml index fde3c591a59..a39c3e23bc9 100644 --- a/docs/identity/monitoring-health/toc.yml +++ b/docs/identity/monitoring-health/toc.yml 
@@ -74,10 +74,21 @@ items: - name: How-to guides expanded: true items: + - name: How to use Microsoft Entra Health alerts + href: howto-use-health-scenario-alerts.md - name: How to use Identity Recommendations href: howto-use-recommendations.md - name: How to use Identity Workbooks href: howto-use-workbooks.md + - name: Health scenarios + expanded: false + items: + - name: Sign-ins requiring a compliant or managed device + href: scenario-health-sign-ins-compliant-managed-device.md + - name: Sign-ins requiring MFA + href: scenario-health-sign-ins-mfa.md + - name: Sign-ins to applications using SAML auth + href: scenario-health-sign-ins-saml-auth.md - name: Recommendations expanded: false items: diff --git a/docs/includes/licensing-health.md b/docs/includes/licensing-health.md new file mode 100644 index 00000000000..7834ad7cdb2 --- /dev/null +++ b/docs/includes/licensing-health.md 
@@ -0,0 +1,27 @@ +--- +title: include file +description: include file +author: barclayn +manager: amycolannino +ms.service: entra-id +ms.topic: include +ms.date: 01/17/2024 +ms.author: barclayn +ms.custom: include file,licensing +--- + +There are different roles, permissions, and license requirements to view health monitoring signals and configure and receive alerts. Apart from Microsoft Entra admin roles, Microsoft Graph permissions are required to access health monitoring signals and alerts via the Microsoft Graph APIs. We recommend using a role with least privilege access to align with the [Zero Trust guidance](/security/zero-trust/zero-trust-overview). + +- A tenant with a [Microsoft Entra P1 or P2 license](~/fundamentals/get-started-premium.md) is required to **view** the Microsoft Entra health scenario monitoring signals. +- A tenant with both a [Microsoft Entra P1 or P2 license](~/fundamentals/get-started-premium.md) *and* at least 100 monthly active users is required to **view alerts** and **receive alert notifications**. + +### Required roles and permissions + +| Activity | Roles | +|--|--| +| View scenario monitoring signals and alerts and alert configurations | [Reports Reader](../identity/role-based-access-control/permissions-reference.md#reports-reader)
[Security Reader](../identity/role-based-access-control/permissions-reference.md#security-reader)
[Security Operator](../identity/role-based-access-control/permissions-reference.md#security-operator)
[Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator)
[Helpdesk Administrator](../identity/role-based-access-control/permissions-reference.md#helpdesk-administrator)
[Global Reader](../identity/role-based-access-control/permissions-reference.md#global-reader)
| +| Update alerts | [Security Operator](../identity/role-based-access-control/permissions-reference.md#security-operator)
[Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator)
[Helpdesk Administrator](../identity/role-based-access-control/permissions-reference.md#helpdesk-administrator) | +| Update alert notification configurations | [Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator)
[Helpdesk Administrator](../identity/role-based-access-control/permissions-reference.md#helpdesk-administrator) | +| View and modify Conditional Access policies | [Conditional Access Administrator](../identity/role-based-access-control/permissions-reference.md#conditional-access-administrator) | +| View the alerts using the Microsoft Graph API |`HealthMonitoringAlert.Read.All` permission | +| View and modify the alerts using the Microsoft Graph API | `HealthMonitoringAlert.ReadWrite.All` permission | \ No newline at end of file
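Review bot: In the new file `scenario-health-sign-ins-compliant-managed-device.md` (hunk `@@ -0,0 +1,81 @@`), the "Next steps" list carries a duplicate entry: `- [Learn about Conditional Access and Intune](/mem/intune/protect/conditional-access)` appears twice; drop one. Smaller fixes in the same hunk: "If a large group of users are blocked" should be "is blocked"; "Look for users being blocked from signing in *and* have a compliant device policy applied" reads better as "Look for users who are blocked from signing in *and* have a compliant device policy applied"; the bullet "If you're not using Intune, review your device management solution's compliance policies" is missing its terminal period; the sign-in log link under "User is blocked from signing in from an unknown device" uses `../monitoring-health/concept-sign-in-log-activity-details.md` while the "Review the sign-in logs" step earlier in the same file links `concept-sign-in-log-activity-details.md` directly, so the two should match; and the file ends without a trailing newline (`\ No newline at end of file`).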
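Review bot: In the new file `scenario-health-sign-ins-mfa.md` (hunk `@@ -0,0 +1,88 @@`), step 1 of "Gather data" ("Gather the signal details and impact summary") links only the Graph health monitoring overview, whereas the same step in the compliant-device article also links the "List alerts" and "Get alert" APIs; add those two links here so both scenario articles give the reader the same starting point. Also in this hunk: the description "sign-ins that require a multifactor authentication" should drop the "a"; the bullet "Excludes when a user refreshes the session without completing the interactive MFA or using passwordless sign-in methods" is ambiguous about whether passwordless sign-ins are themselves excluded from the count, so consider spelling that out; "wide spread issue" should be "widespread issue"; and there is a doubled blank line before "## Next steps".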
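Review bot: In the new file `scenario-health-sign-ins-saml-auth.md` (hunk `@@ -0,0 +1,23 @@`), the image reference `media/scenario-health-sign-ins-saml-auth/scenario-monitoring-SAML.png` uses uppercase `SAML`, but the rename hunk earlier in this patch moves the file to `scenario-monitoring-saml.png` (lowercase), so the screenshot will not resolve on a case-sensitive build; change the reference to `scenario-monitoring-saml.png`. Also: "provides health monitoring signal" should be "provides a health monitoring signal"; "single sign on" should be "single sign-on"; the first bullet lacks the terminal period the second one has; and the file ends without a trailing newline.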
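Review bot: In the new include `docs/includes/licensing-health.md` (hunk `@@ -0,0 +1,27 @@`), the front matter sets `ms.date: 01/17/2024` even though the file is created in this change and every other new file in the patch carries `ms.date: 10/14/2024`; update it so the include is not flagged as stale on creation. The file also ends without a trailing newline (`\ No newline at end of file`).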