Merge pull request #5462 from MicrosoftDocs/main
10/07/2024 AM Publish
Albertyang0 authored Oct 7, 2024
2 parents 917ed12 + f425b55 commit c37d921
Showing 13 changed files with 82 additions and 29 deletions.
@@ -23,7 +23,7 @@ ms.custom: it-pro, references_regions
[Multifactor authentication (MFA)](~/identity/authentication/concept-mfa-howitworks.md) adds a layer of security to your applications by requiring users to provide a second method for verifying their identity during sign-up or sign-in. External tenants support two methods for authentication as a second factor:

- Email one-time passcode
- SMS based authentication, available as an add-on [see details](#sms-based-authentication-preview).
- SMS based authentication, available as an add-on [see details](#sms-based-authentication).

Enforcing MFA enhances your organization's security by adding an extra layer of verification, making it more difficult for unauthorized users to gain access.

@@ -52,9 +52,9 @@ Email one-time passcode authentication is available in an external tenant both a

When email one-time passcode is enabled for MFA, the user signs in with their primary sign-in method and is notified that a code will be sent to the user's email address. The user chooses to send the code, retrieves the passcode from their email inbox, and enters it in the sign-in window.

## SMS-based authentication (preview)
## SMS-based authentication

SMS is available at additional cost for second-factor verification in external tenants. Currently, SMS is not available for first-factor authentication or self-service password reset in external tenants.
SMS is available at additional cost for second-factor verification in external tenants. Currently, SMS isn't available for first-factor authentication or self-service password reset in external tenants.

When SMS is enabled for MFA, users sign in with their primary method and are prompted to verify their identity with a code sent via text. They enter their phone number and receive an SMS with the verification code.

@@ -69,6 +69,8 @@ External ID mitigates fraudulent sign-ups and sign-ins via SMS by enforcing the

The following table provides details about the different pricing tiers for SMS based authentication services across various countries or regions. For pricing details, see [Microsoft Entra External ID pricing](https://aka.ms/ExternalIDPricing).

The SMS feature requires a [linked subscription](../external-identities-pricing.md#link-an-external-tenant-to-a-subscription) and the External ID SMS Phone Authentication add-on. If your subscription expires or is cancelled, the feature will be disabled.

|Tier |Countries/Regions |
|-----------------------------------|-------------------|
|Phone Authentication Low Cost |Australia, Brazil, Brunei, Canada, Chile, China, Colombia, Cyprus, Macedonia, Poland, Portugal, South Korea, Thailand, Turkey, United States |
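Review bot: the sentence added at L41 lands between "The following table provides details..." (L39) and the table itself (L43), so the table no longer follows the sentence that introduces it; move the subscription requirement above L39 or into the section intro. Also, "the feature will be disabled" should say what a user then sees: whether an MFA policy that was being satisfied with SMS blocks sign-in or falls back to email one-time passcode, because that decides whether a lapsed subscription is a lockout for users who only have SMS registered.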
@@ -71,7 +71,7 @@ The following table compares the [identity providers](../identity-providers.md)
|Feature |Workforce tenant | External tenant |
|---------|---------|---------|
| **Identity providers for external users (primary authentication)** | **For self-service sign-up guests**</br>- Microsoft Entra accounts</br>- Microsoft accounts</br>- Email one-time passcode</br>- Google federation</br>- Facebook federation<br></br>**For invited guests**</br>- Microsoft Entra accounts</br>- Microsoft accounts</br>- Email one-time passcode</br>- Google federation</br>- SAML/WS-Fed federation | **For self-service sign-up users (consumers, business customers)**</br>- [Email with password](concept-authentication-methods-customers.md#email-and-password-sign-in)</br>- [Email one-time passcode](./concept-authentication-methods-customers.md#email-with-one-time-passcode-sign-in)</br>- [Google federation (preview)](./how-to-google-federation-customers.md)</br>- [Facebook federation (preview)](./how-to-facebook-federation-customers.md)<br></br>**For invited guests (preview)**</br>Guests invited with a directory role (for example, admins):</br>- Microsoft Entra accounts </br>- Microsoft accounts </br>- [Email one-time passcode](./concept-authentication-methods-customers.md#email-with-one-time-passcode-sign-in) |
| **Authentication methods for MFA** | **For internal users (employees and admins)** </br>- [Authentication and verification methods](~/identity/authentication/concept-authentication-methods.md) </br>**For guests (invited or self-service sign-up)** </br>- [Authentication methods for guest MFA](../authentication-conditional-access.md#table-1-authentication-strength-mfa-methods-for-external-users) | **For self-service sign-up users (consumers, business customers) or invited users (preview)**</br>- [Email one-time passcode](concept-multifactor-authentication-customers.md#email-one-time-passcode)</br>- [SMS-based authentication](concept-multifactor-authentication-customers.md#sms-based-authentication-preview) |
| **Authentication methods for MFA** | **For internal users (employees and admins)** </br>- [Authentication and verification methods](~/identity/authentication/concept-authentication-methods.md) </br>**For guests (invited or self-service sign-up)** </br>- [Authentication methods for guest MFA](../authentication-conditional-access.md#table-1-authentication-strength-mfa-methods-for-external-users) | **For self-service sign-up users (consumers, business customers) or invited users (preview)**</br>- [Email one-time passcode](concept-multifactor-authentication-customers.md#email-one-time-passcode)</br>- [SMS-based authentication](concept-multifactor-authentication-customers.md#sms-based-authentication) |

## Application registration

@@ -172,3 +172,4 @@ The following table compares the features available for token customization in e
## Next steps

- [Planning for CIAM](concept-planning-your-solution.md)
-
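Review bot: L61 adds a bare "-" under Next steps, which renders as an empty bullet; add the intended link text or drop the line.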
@@ -22,7 +22,8 @@ ms.custom: it-pro
[Multifactor authentication (MFA)](~/identity/authentication/concept-mfa-howitworks.md) adds a layer of security to your applications by requiring users to provide a second method for verifying their identity during sign-up or sign-in. External tenants support two methods for authentication as a second factor:

- **Email one-time passcode**: After the user signs in with their email and password, they are prompted for a passcode that is sent to their email. To allow the use of email one-time passcodes for MFA, set your local account authentication method to *Email with password*. If you choose *Email with one-time passcode*, customers who use this method for primary sign-in won't be able to use it for MFA secondary verification.
- **SMS-based authentication**: While SMS isn't an option for first factor authentication, it's available as a second factor for MFA. Users who sign in with email and password, email and one-time passcode, or social identities like Google or Facebook, are prompted for second verification using SMS. Our SMS MFA includes automatic fraud checks. If we suspect fraud, we'll ask the user to complete a CAPTCHA to confirm they're not a robot before sending the SMS code for verification.
- **SMS-based authentication**: While SMS isn't an option for first factor authentication, it's available as a second factor for MFA. Users who sign in with email and password, email and one-time passcode, or social identities like Google or Facebook, are prompted for second verification using SMS. Our SMS MFA includes automatic fraud checks. If we suspect fraud, we'll ask the user to complete a CAPTCHA to confirm they're not a robot before sending the SMS code for verification. SMS is an add-on feature. Your tenant must be [linked](../external-identities-pricing.md#link-an-external-tenant-to-a-subscription) to an active, valid subscription. ([Learn more](concept-multifactor-authentication-customers.md#sms-based-authentication))


This article describes how to enforce MFA for your customers by creating a Microsoft Entra Conditional Access policy and adding MFA to your sign-up and sign-in user flow.

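Review bot: L70 adds a second blank line before L71, leaving a double blank; drop one. The text appended at L68 also makes an already long bullet longer, and the same subscription requirement is repeated in the prerequisites at L77 in this change, so one short sentence here pointing at the concept article ("SMS is an add-on feature that requires a linked subscription; see Learn more") would be enough.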
@@ -37,6 +38,7 @@ This article describes how to enforce MFA for your customers by creating a Micro
- A [sign-up and sign-in user flow](how-to-user-flow-sign-up-sign-in-customers.md).
- An app that's registered in your external tenant and added to the sign-up and sign-in user flow.
- An account with at least the Security Administrator role to configure Conditional Access policies and MFA.
- For SMS-based authentication, the add-on for External ID SMS Phone Authentication. Your tenant must be [linked](../external-identities-pricing.md#link-an-external-tenant-to-a-subscription) to an active, valid subscription.

## Create a Conditional Access policy

@@ -100,7 +102,7 @@ Enable the email one-time passcode authentication method in your external tenant

1. Select **Save**.

## Enable SMS as an MFA method (preview)
## Enable SMS as an MFA method

Enable the SMS authentication method in your external tenant for all users.

@@ -116,8 +118,6 @@ Enable the SMS authentication method in your external tenant for all users.

1. Under **Include**, next to **Target**, select **All users**.

1. Disable the **Use for sign-in** check box. SMS is not supported in external tenants for first-factor authentication.

:::image type="content" source="media/how-to-multifactor-authentication-customers/enable-sms.png" alt-text="Screenshot of enabling SMS." lightbox="media/how-to-multifactor-authentication-customers/enable-sms.png":::

1. Select **Save**.
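Review bot: removing the step "Disable the **Use for sign-in** check box" (L94) leaves no instruction for that setting, while this article still says at L68 that SMS isn't an option for first-factor authentication. If the option no longer appears for external tenants, confirm that the screenshot referenced at L96 (enable-sms.png) was updated to match; if it still appears, keep a one-line step telling readers to leave it cleared, otherwise an admin following these steps could leave "Use for sign-in" enabled, contrary to what L68 states is supported.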
3 changes: 2 additions & 1 deletion docs/external-id/customers/reference-service-limits.md
@@ -88,7 +88,7 @@ The following table lists the administrative configuration limits in the Microso
|Number of event listener policies |249 |

## Telephony throttling limits
The following table lists the service limits we implement to prevent outages and slowdowns. These limits apply during the preview phase of SMS authentication in external tenants. We'll increase these limits as the feature becomes generally available. [Learn more](~/identity/authentication/concept-mfa-telephony-fraud.md)
The following table lists the service limits we implement to prevent outages and slowdowns. [Learn more](~/identity/authentication/concept-mfa-telephony-fraud.md)

|Limit |Texts every 15 minutes|Texts every 60 minutes|Texts every 24 hours |Texts every 7 days |
|-----------------------------|----------------------|----------------------|-----------------------------------------------------|-------------------|
@@ -100,3 +100,4 @@ The following table lists the service limits we implement to prevent outages and

- [Start a free trial without an Azure subscription](quickstart-trial-setup.md)
- [Create a tenant with an Azure subscription](quickstart-tenant-setup.md)
-
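Review bot: L119 adds a bare "-" at the end of the list, which renders as an empty bullet; add the intended link or drop the line.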
1 change: 0 additions & 1 deletion docs/fundamentals/how-to-create-delete-users.yml
@@ -23,7 +23,6 @@ introduction: |
This article explains how to create a new user, invite an external guest, and delete a user in your workforce tenant. It also includes information about creating users in an external tenant for [Microsoft Entra External ID](~/external-id/customers/overview-customers-ciam.md) scenarios.
[!INCLUDE [GDPR-related guidance](~/../azure-docs-pr/includes/gdpr-hybrid-note.md)]
## Types of users
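Review bot: L124 drops the GDPR guidance include without replacing it, and the removed path (`~/../azure-docs-pr/includes/gdpr-hybrid-note.md`) points outside this repo, which suggests the include was failing to resolve rather than being intentionally retired. If that is the reason, confirm the GDPR guidance for hybrid scenarios is still surfaced in this article through an in-repo include or inline text instead of disappearing silently.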
3 changes: 3 additions & 0 deletions docs/id-governance/create-access-review.md
@@ -46,6 +46,9 @@ If you're reviewing access to an application, then before you create the review,
> [!NOTE]
> Access reviews capture a snapshot of access at the beginning of each review instance. Any changes made during the review process will be reflected in the subsequent review cycle. Essentially, with the commencement of each new recurrence, pertinent data regarding the users, resources under review, and their respective reviewers is retrieved.
> [!NOTE]
> In a group review, nested groups will be automatically flattened, so users from nested groups will appear as individual users. If a user is flagged for removal due to their membership in a nested group, they will not be automatically removed from the nested group, but only from direct group membership.
## Create a single-stage access review

### Scope
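Review bot: the new note at L132-L133 should spell out the case where a user's only membership in the reviewed group is through a nested group: as written, "only from direct group membership" implies that denying such a user removes nothing, so the user keeps access until the nested group is reviewed separately. State that outcome explicitly and tell reviewers to review the nested group itself, because a reviewer who sees the user listed individually and denies them will reasonably assume access was revoked.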
6 changes: 3 additions & 3 deletions docs/identity/app-proxy/application-proxy-faq.yml
@@ -206,12 +206,12 @@ sections:
In this case there's a fallback to “User principal name”. For more details on the B2B scenario, please read [Grant B2B users in Microsoft Entra ID access to your on-premises applications](~/external-id/hybrid-cloud-to-on-premises.md).
- name: Pass-through authentication
- name: Passthrough preauthentication
questions:
- question: |
Can I use Conditional Access Policies for applications published with pass-through authentication?
Can I use Conditional Access Policies for applications published with passthrough preauthentication?
answer: |
Conditional Access Policies are only enforced for successfully preauthenticated users in Microsoft Entra ID. Pass-through authentication doesn’t trigger Microsoft Entra authentication, so Conditional Access Policies can't be enforced. With pass-through authentication, MFA policies must be implemented on the on-premises server, if possible, or by enabling preauthentication with Microsoft Entra application proxy.
Conditional Access Policies are only enforced for successfully preauthenticated users in Microsoft Entra ID. Passthrough preauthentication doesn’t trigger Microsoft Entra authentication, so Conditional Access Policies can't be enforced. With passthrough preauthentication, MFA policies must be implemented on the on-premises server, if possible, or by enabling Microsoft Entra ID preauthentication with Microsoft Entra application proxy.
- question: |
Can I publish a web application with client certificate authentication requirement?
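Review bot: renaming the section at L143 from "Pass-through authentication" to "Passthrough preauthentication" is the right call, since "Pass-through authentication" also names the Entra sign-in method and the old heading invited that confusion, but the `- name:` value is what the rendered FAQ uses for its section anchor, so check inbound links to the old section name and add a redirect or bookmark if any exist. The reworded answer at L150 could also say plainly that with passthrough preauthentication the published application is reachable with only its own authentication, since that is the consequence of Conditional Access not being enforced.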
4 changes: 2 additions & 2 deletions docs/identity/domain-services/check-health.md
@@ -8,7 +8,7 @@ ms.assetid: 8999eec3-f9da-40b3-997a-7a2587911e96
ms.service: entra-id
ms.subservice: domain-services
ms.topic: how-to
ms.date: 09/13/2023
ms.date: 10/07/2023
ms.author: justinha
---
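Review bot: L161 sets ms.date to 10/07/2023, a year behind the 10/07/2024 publish date and the value the other files in this commit use (csp.md at L182, delete.md at L215); this looks like a typo for 10/07/2024.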
# Check the health of a Microsoft Entra Domain Services managed domain
@@ -21,7 +21,7 @@ This article shows you how to view the Domain Services health status and underst

The health status for a managed domain is viewed using the Microsoft Entra admin center. Information on the last backup time and synchronization with Microsoft Entra ID can be seen, along with any alerts that indicate a problem with the managed domain's health. To view the health status for a managed domain, complete the following steps:

1. Sign in to [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator).
1. [!INCLUDE [Privileged role](~/includes/privileged-role-include.md)]
1. Search for and select **Microsoft Entra Domain Services**.
1. Select your managed domain, such as *aaddscontoso.com*.
1. On the left-hand side of the Domain Services resource window, select **Health**. The following example screenshot shows a healthy managed domain and the status of the last backup and Microsoft Entra synchronization:
9 changes: 5 additions & 4 deletions docs/identity/domain-services/csp.md
@@ -7,7 +7,7 @@ ms.assetid: 56ccb219-11b2-4e43-9f07-5a76e3cd8da8
ms.service: entra-id
ms.subservice: domain-services
ms.topic: conceptual
ms.date: 09/15/2023
ms.date: 10/07/2024
ms.author: justinha
---
# Microsoft Entra Domain Services deployment and management for Azure Cloud Solution Providers
@@ -50,8 +50,9 @@ There are two ways in which you can use Domain Services with an Azure CSP subscr

In this deployment model, Domain Services is enabled within a virtual network that belongs to the Azure CSP subscription. The CSP partner's admin agents have the following privileges:

* *Global Administrator* privileges in the customer's Microsoft Entra tenant.
* *Subscription owner* privileges on the Azure CSP subscription.
[!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)]

Subscription owner privileges on the Azure CSP subscription are required for this feature.

![Direct deployment model](./media/csp/csp_direct_deployment_model.png)

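Review bot: the include at L192 replaces the bullet that named the privilege the CSP admin agents hold in the customer's tenant (L190, "Global Administrator"), and the peered model later in this file (L203) is justified precisely by not needing that highly privileged role. Make sure the include states which directory role the admin agents actually hold in the direct model, otherwise the comparison between the two models loses the point it is making; the sentence at L194 should also be formatted to match the include so the two requirements read as one list.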
@@ -67,7 +68,7 @@ With this deployment, the workloads or applications deployed by the CSP partner

![Peered deployment model](./media/csp/csp_peered_deployment_model.png)

This deployment model provides a separation of privileges and enables the CSP partner's helpdesk agents to administer the Azure subscription and deploy and manage resources within it. However, the CSP partner's helpdesk agents don't need to have Global Administrator privileges on the customer's Microsoft Entra directory. The customer's identity administrators can continue to manage identities for their organization.
This deployment model provides a separation of privileges and enables the CSP partner's helpdesk agents to administer the Azure subscription and deploy and manage resources within it. However, the CSP partner's helpdesk agents don't need a highly privileged role in the customer's Microsoft Entra directory. The customer's identity administrators can continue to manage identities for their organization.

This deployment model may be suited to scenarios where an ISV provides a hosted version of their on-premises application, which also needs to connect to the customer's Microsoft Entra ID.

4 changes: 2 additions & 2 deletions docs/identity/domain-services/delete.md
@@ -8,7 +8,7 @@ ms.assetid: 89e407e1-e1e0-49d1-8b89-de11484eee46
ms.service: entra-id
ms.subservice: domain-services
ms.topic: how-to
ms.date: 10/18/2023
ms.date: 10/07/2024
ms.author: justinha
---
# Delete a Microsoft Entra Domain Services managed domain
@@ -30,7 +30,7 @@ This article shows you how to use the Microsoft Entra admin center to delete a m

To delete a managed domain, complete the following steps:

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator).
1. [!INCLUDE [Privileged role](~/includes/privileged-role-include.md)]
1. Search for and select **Microsoft Entra Domain Services**.
1. Select the name of your managed domain, such as *aaddscontoso.com*.
1. On the **Overview** page, select **Delete**. To confirm the deletion, type the domain name of the managed domain again, then select **Delete**.