diff --git a/docs/identity/authentication/concept-system-preferred-multifactor-authentication.md b/docs/identity/authentication/concept-system-preferred-multifactor-authentication.md index fc7b7140b09..c90362fc295 100644 --- a/docs/identity/authentication/concept-system-preferred-multifactor-authentication.md +++ b/docs/identity/authentication/concept-system-preferred-multifactor-authentication.md @@ -4,7 +4,7 @@ description: Learn how to use system-preferred multifactor authentication ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 09/13/2023 +ms.date: 10/02/2024 ms.author: justinha author: justinha manager: amycolannino 
@@ -15,16 +15,16 @@ ms.reviewer: msft-poulomi # System-preferred multifactor authentication - Authentication methods policy -System-preferred multifactor authentication (MFA) prompts users to sign in by using the most secure method they registered. Administrators can enable system-preferred MFA to improve sign-in security and discourage less secure sign-in methods like SMS. +System-preferred multifactor authentication (MFA) prompts users to sign in by using the most secure method they registered. +It's an important security enhancement for users who authenticate by using telecom transports. +Administrators can enable system-preferred MFA to improve sign-in security and discourage less secure sign-in methods like Short Message Service (SMS). For example, if a user registered both SMS and Microsoft Authenticator push notifications as methods for MFA, system-preferred MFA prompts the user to sign in by using the more secure push notification method. The user can still choose to sign in by using another method, but they're first prompted to try the most secure method they registered. -System-preferred MFA is a Microsoft managed setting, which is a [tristate policy](#authentication-method-feature-configuration-properties). For preview, the **default** state is disabled. If you want to turn it on for all users or a group of users during preview, you need to explicitly change the Microsoft managed state to **Enabled**. Sometime after general availability, the Microsoft managed state for system-preferred MFA will change to **Enabled**. +System-preferred MFA is a Microsoft managed setting, which is a [tristate policy](#authentication-method-feature-configuration-properties). The **Microsoft managed** value of system-preferred MFA is **Enabled**. If you don't want to enable system-preferred MFA, change the state from **Microsoft managed** to **Disabled**, or exclude users and groups from the policy. 
After system-preferred MFA is enabled, the authentication system does all the work. Users don't need to set any authentication method as their default because the system always determines and presents the most secure method they registered. ->[!NOTE] ->System-preferred MFA is an important security enhancement for users authenticating by using telecom transports. Starting July 07, 2023, the Microsoft managed value of system-preferred MFA will change from **Disabled** to **Enabled**. If you don't want to enable system-preferred MFA, change the state from **Default** to **Disabled**, or exclude users and groups from the policy. ## Enable system-preferred MFA in the Microsoft Entra admin center @@ -46,7 +46,7 @@ To enable system-preferred MFA in advance, you need to choose a single target gr ### Authentication method feature configuration properties -By default, system-preferred MFA is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings) and disabled during preview. After generally availability, the Microsoft managed state default value will change to enable system-preferred MFA. +By default, system-preferred MFA is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings) and enabled. | Property | Type | Description | |----------|------|-------------| @@ -66,7 +66,7 @@ System-preferred MFA can be enabled only for a single group, which can be a dyna Use the following API endpoint to enable **systemCredentialPreferences** and include or exclude groups: ``` -https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy +https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy ``` >[!NOTE] 
@@ -77,7 +77,7 @@ https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy The following example excludes a sample target group and includes all users. For more information, see [Update authenticationMethodsPolicy](/graph/api/authenticationmethodspolicy-update). ```http -PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy +PATCH https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy Content-Type: application/json { @@ -103,7 +103,7 @@ Content-Type: application/json ### How does system-preferred MFA determine the most secure method? -When a user signs in, the authentication process checks which authentication methods are registered for the user. The user is prompted to sign-in with the most secure method according to the following order. The order of authentication methods is dynamic. It's updated as the security landscape changes, and as better authentication methods emerge. Due to known issues with Certificate-based authentication and System preferred MFA we have moved CBA to the bottom of the list. Click the link for information about each method. +When a user signs in, the authentication process checks which authentication methods are registered for the user. The user is prompted to sign-in with the most secure method according to the following order. The order of authentication methods is dynamic. It's updated as the security landscape changes, and as better authentication methods emerge. Due to known issues with certificate-based authentication (CBA) and system-preferred MFA, we moved CBA to the bottom of the list. Click the link for more information about each method. 1. [Temporary Access Pass](howto-authentication-temporary-access-pass.md) 1. [FIDO2 security key](concept-authentication-passwordless.md) 
@@ -112,9 +112,9 @@ When a user signs in, the authentication process checks which authentication met 1. [Telephony](concept-authentication-phone-options.md)2 1. [Certificate-based authentication](concept-certificate-based-authentication.md) -1 Includes hardware or software TOTP from Microsoft Authenticator, Authenticator Lite, or third-party applications. +1Includes hardware or software TOTP from Microsoft Authenticator, Authenticator Lite, or third-party applications. -2 Includes SMS and voice calls. +2Includes SMS and voice calls. ### How does system-preferred MFA affect the NPS extension? diff --git a/docs/identity/authentication/howto-mfa-userdevicesettings.yml b/docs/identity/authentication/howto-mfa-userdevicesettings.yml index 6369ef92a2d..fdcd7fc4863 100644 --- a/docs/identity/authentication/howto-mfa-userdevicesettings.yml +++ b/docs/identity/authentication/howto-mfa-userdevicesettings.yml @@ -7,7 +7,7 @@ metadata: ms.author: justinha manager: amycolannino ms.reviewer: jupetter - ms.date: 07/30/2024 + ms.date: 10/01/2024 ms.service: entra-id ms.subservice: authentication ms.topic: how-to @@ -30,6 +30,10 @@ introduction: | - Revoke existing MFA sessions. - Delete a user's existing app passwords + > [!NOTE] + > The screenshots in this topic show how to manage user authentication methods by using an updated experience in the Microsoft Entra admin center. There's also a legacy experience, and admins can toggle between the two using a banner in the admin center. The modern experience has full parity with the legacy experience, and it manages modern methods like Temporary Access Pass, passkeys, and other settings. + > The legacy experience in the Microsoft Entra admin center will be retired starting Oct 31, 2024. There's no action required by organizations before the retirement. + prerequisites: summary: | Microsoft Entra multifactor authentication, which is enabled by default. 
@@ -38,12 +42,12 @@ procedureSection: - title: | Add authentication methods for a user summary: | - You can add authentication methods for a user by using the Microsoft Entra admin center or Microsoft Graph. + You can add authentication methods for a user by using the Microsoft Entra admin center or Microsoft Graph PowerShell. In the Microsoft Entra admin center, the leagcy method for managing user authentication methods will be retired after Oct. 31, 2024. > [!NOTE] - > For security reasons, public user contact information fields should not be used to perform MFA. Instead, users should populate their authentication method numbers to be used for MFA. + > For security reasons, public user contact information fields shouldn't be used to perform MFA. Instead, users should populate their authentication method numbers to be used for MFA. - :::image type="content" source="media/howto-mfa-userdevicesettings/add-authentication-method-detail.png" alt-text="Screenshot of add authentication methods from the Microsoft Entra admin center."::: + :::image type="content" source="media/howto-mfa-userdevicesettings/add-authentication-method-detail.png" alt-text="Screenshot of how to add authentication methods from the Microsoft Entra admin center."::: To add authentication methods for a user in the Microsoft Entra admin center: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-administrator). diff --git a/docs/identity/monitoring-health/overview-recommendations.md b/docs/identity/monitoring-health/overview-recommendations.md index 2229f1d909c..93027a76c81 100644 --- a/docs/identity/monitoring-health/overview-recommendations.md +++ b/docs/identity/monitoring-health/overview-recommendations.md 
@@ -39,12 +39,6 @@ Your Identity Secure Score, which appears at the top of the page, is a numerical Each recommendation contains a description, a summary of the value of addressing the recommendation, and a step-by-step action plan. If applicable, impacted resources associated with the recommendation are listed, so you can resolve each affected area. If a recommendation doesn't have any associated resources, the impacted resource type is *Tenant level*, so your step-by-step action plan impacts the entire tenant and not just a specific resource. -## Are Microsoft Entra recommendations related to Azure Advisor? - -The Microsoft Entra recommendations feature is the Microsoft Entra specific implementation of [Azure Advisor](/azure/advisor/advisor-overview), which is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. Azure Advisor analyzes your resource configuration and usage data to recommend solutions that can help you improve the cost effectiveness, performance, reliability, and security of your Azure resources. - -Microsoft Entra recommendations use similar data to support you with the roll-out and management of Microsoft's best practices for Microsoft Entra tenants to keep your tenant in a secure and healthy state. The Microsoft Entra recommendations feature provides a holistic view into your tenant's security, health, and usage. - ## Recommendation availability and license requirements The recommendations listed in the following table are currently available in public preview or general availability. The license requirements for recommendations in public preview are subject to change. The table provides the impacted resources and links to available documentation. 
@@ -65,3 +59,51 @@ The recommendations listed in the following table are currently available in pub | [Renew expiring service principal credentials](recommendation-renew-expiring-service-principal-credential.md) | Applications | [Microsoft Entra Workload ID Premium](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-id) | Public preview | Microsoft Entra only displays the recommendations that apply to your tenant, so you might not see all supported recommendations listed. + +## Are Microsoft Entra recommendations related to Azure Advisor? + +The Microsoft Entra recommendations feature is the Microsoft Entra specific implementation of [Azure Advisor](/azure/advisor/advisor-overview), which is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. Azure Advisor analyzes your resource configuration and usage data to recommend solutions that can help you improve the cost effectiveness, performance, reliability, and security of your Azure resources. + +Microsoft Entra recommendations use similar data to support you with the roll-out and management of Microsoft's best practices for Microsoft Entra tenants to keep your tenant in a secure and healthy state. The Microsoft Entra recommendations feature provides a holistic view into your tenant's security, health, and usage. + +## Email notifications (preview) + +Microsoft Entra recommendations now generate email notifications when a new recommendation is generated. This new preview feature sends emails to a predetermined set of roles for each recommendation. For example, recommendations that are associated with the health of your tenant's applications are sent to users who have the Application Administrator role. 
+ +The following table lists the Microsoft built-in roles that receive email notifications for each recommendation: + +| Recommendation Title | Target Roles | +| --- | --- | +| AAD Connect Deprecated | Hybrid Identity Administrator | +| Convert per-user MFA to Conditional Access MFA | Security Administrator | +| Designate more than one Global Administrator | Global Administrator | +| Do not allow users to grant consent to unreliable applications | Global Administrator | +| Do not expire passwords | Global Administrator | +| Enable password hash sync if hybrid | Hybrid Identity Administrator | +| Enable policy to block legacy authentication | Conditional Access Administrator, Security Administrator | +| Enable self-service password reset | Authentication Policy Administrator | +| Ensure all users can complete multifactor authentication | Conditional Access Administrator, Security Administrator | +| Long lived credentials in applications | Global Administrator | +| Migrate Applications from the retiring Azure AD Graph APIs to Microsoft Graph | Application Administrator | +| Migrate applications from AD FS to Microsoft Entra ID | Application Administrator, Authentication Administrator Hybrid Identity Administrator | +| Migrate authentication methods off the legacy MFA & SSPR policies | Global Administrator | +| Migrate from ADAL to MSAL | Application Administrator | +| Migrate from MFA Server to Microsoft Entra MFA | Global Administrator | +| Migrate service principals from the retiring Azure AD Graph APIs to Microsoft Graph | Application Administrator | +| MS Graph versioning | Global Administrator | +| Optimize tenant MFA | Security Administrator | +| Protect all users with a sign-in risk policy | Conditional Access Administrator, Security Administrator | +| Protect all users with a user risk policy | Conditional Access Administrator, Security Administrator | +| Protect your tenant with Insider Risk Conditional Access policy | Conditional Access Administrator, 
Security Administrator | +| Remove overprivileged permissions for your applications | Global Administrator | +| Remove unused applications | Application Administrator | +| Remove unused credentials from applications | Application Administrator | +| Renew expiring application credentials | Application Administrator | +| Renew expiring credentials for service principals | Application Administrator | +| Require MFA for administrative roles | Conditional Access Administrator, Security Administrator | +| Review inactive users with Access Reviews | Identity Governance Administrator | +| Secure and govern your apps with automatic user and group provisioning | Application Administrator, IT Governance Administrator | +| Use least privileged administrative roles | Privileged Role Administrator | +| Verify App Publisher | Global Administrator | + +If your organization is using Privileged Identity Management (PIM), the recipients must be elevated to the role indicated in order to receive the email notification. If no one is actively assigned to the role, no emails are sent. For this reason, we recommend checking the recommendations regularly to ensure that you are aware of any new recommendations. \ No newline at end of file
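Review bot: In the `@@ -103,7 +103,7 @@` hunk of concept-system-preferred-multifactor-authentication.md, the rewritten line keeps "The user is prompted to sign-in with the most secure method"; as a verb this should be "sign in with" (hyphenated "sign-in" is the noun/adjective form used elsewhere on the page, e.g. "sign-in security"). The same line also retains "Click the link for more information about each method", which reads as UI instruction rather than documentation prose; consider "Select a link for more information about each method." so it matches the imperative style of the rest of the article.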
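Review bot: In the `@@ -66,7 +66,7 @@` and `@@ -77,7 +77,7 @@` hunks the endpoint moves from `https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy` to the `v1.0` path, but the only context shown is the `>[!NOTE]` line that follows the fenced block and the link to `/graph/api/authenticationmethodspolicy-update`. Please check that the note and the linked reference do not still describe the beta endpoint or beta-only behavior, and that the `systemCredentialPreferences` property in the PATCH body below is documented for v1.0; otherwise readers following the updated URL will get a 400 on the request body.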
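Review bot: In the `@@ -38,12 +42,12 @@` hunk of howto-mfa-userdevicesettings.yml, the added summary line contains a typo: "the leagcy method for managing user authentication methods" should be "the legacy method". The same line writes the retirement date as "Oct. 31, 2024" while the `> [!NOTE]` added in the `@@ -30,6 +30,10 @@` hunk of the same file writes "Oct 31, 2024"; pick one form (the note's "Oct 31, 2024" matches the rest of the docs set) so the two statements of the same date agree.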
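Review bot: In the `@@ -65,3 +59,51 @@` hunk of overview-recommendations.md the Target Roles column is inconsistent in two rows. The "Migrate applications from AD FS to Microsoft Entra ID" row lists "Application Administrator, Authentication Administrator Hybrid Identity Administrator", which is missing the comma between "Authentication Administrator" and "Hybrid Identity Administrator" and reads as one nonexistent role. The "Secure and govern your apps with automatic user and group provisioning" row lists "IT Governance Administrator", while the "Review inactive users with Access Reviews" row in the same table uses "Identity Governance Administrator"; since the paragraph above states these are Microsoft built-in roles, confirm the intended role name and use it consistently, because readers with PIM will use these names to decide which role to activate. The hunk also ends with `\ No newline at end of file`; please add the trailing newline.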