Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

.openpublishing.redirection.json

@@ -22986,6 +22986,11 @@
       "redirect_url": "/azure/active-directory/device-management-azure-portal",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/active-directory/conditional-access/concept-baseline-protection.md",
+      "redirect_url": "/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/active-directory/active-directory-dev-glossary.md",
       "redirect_url": "/azure/active-directory/develop/active-directory-dev-glossary",
@@ -49855,6 +49860,11 @@
       "redirect_url": "/azure/lab-services/class-type-mobile-dev-android-studio",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/lab-services/class-type-mobile-dev-android-studio.md",
+      "redirect_url": "/azure/lab-services/class-types",
+      "redirect_document_id": true
+    },    
     {
       "source_path": "articles/lab-services/classroom-labs/class-type-shell-scripting-linux.md",
       "redirect_url": "/azure/lab-services/class-type-shell-scripting-linux",
@@ -49870,11 +49880,6 @@
       "redirect_url": "/azure/lab-services/class-type-sql-server",
       "redirect_document_id": true
     },
-    {
-      "source_path": "articles/lab-services/classroom-labs/class-types.md",
-      "redirect_url": "/azure/lab-services/class-types",
-      "redirect_document_id": true
-    },
     {
       "source_path": "articles/lab-services/classroom-labs/classroom-labs-concepts.md",
       "redirect_url": "/azure/lab-services/classroom-labs-concepts",

articles/active-directory/authentication/overview-authentication.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: overview
-ms.date: 01/17/2020
+ms.date: 07/13/2020
 
 ms.author: iainfou
 author: iainfoulds

articles/active-directory/authentication/tutorial-configure-custom-password-protection.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: tutorial
-ms.date: 02/27/2020
+ms.date: 07/13/2020
 
 ms.author: iainfou
 author: iainfoulds
@@ -35,12 +35,12 @@ To complete this tutorial, you need the following resources and privileges:
     * If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 * An account with *global administrator* privileges.
 * A non-administrator user with a password you know, such as *testuser*. You test a password change event using this account in this tutorial.
-    * If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../add-users-azure-active-directory.md).
+    * If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
     * To test the password change operation using a banned password, the Azure AD tenant must be [configured for self-service password reset](tutorial-enable-sspr.md).
 
 ## What are banned password lists?
 
-Azure AD includes a global banned password list. The contents of the global banned password list isn't based on any external data source. Instead, the global banned password list is based on the ongoing results of Azure AD security telemetry and analysis. When a user or administrator tries to change or reset their credentials, the desired password is checked against the list of banned passwords. The password change request fails if there's a match in the global banned password list.
+Azure AD includes a global banned password list. The contents of the global banned password list isn't based on any external data source. Instead, the global banned password list is based on the ongoing results of Azure AD security telemetry and analysis. When a user or administrator tries to change or reset their credentials, the desired password is checked against the list of banned passwords. The password change request fails if there's a match in the global banned password list. You can't edit this default global banned password list.
 
 To give you flexibility in what passwords are allowed, you can also define a custom banned password list. The custom banned password list works alongside the global banned password list to enforce strong passwords in your organization. Organizational-specific terms can be added to the custom banned password list, such as the following examples:
 
@@ -90,7 +90,7 @@ For a hybrid environment, you can also [deploy Azure AD password protection to a
 To see the custom banned password list in action, try to change the password to a variation of one that you added in the previous section. When Azure AD tries to process the password change, the password is matched against an entry in the custom banned password list. An error is then displayed to the user.
 
 > [!NOTE]
-> Before a user can reset their password in the web-based portal, the Azure AD tenant must be [configured for self-service password reset](tutorial-enable-sspr.md).
+> Before a user can reset their password in the web-based portal, the Azure AD tenant must be [configured for self-service password reset](tutorial-enable-sspr.md). If needed, the user can then [register for SSPR at https://aka.ms/ssprsetup](https://aka.ms/ssprsetup).
 
 1. Go to the **My Apps** page at [https://myapps.microsoft.com](https://myapps.microsoft.com).
 1. In the top-right corner, select your name, then choose **Profile** from the drop-down menu.

articles/active-directory/authentication/tutorial-enable-azure-mfa.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: tutorial
-ms.date: 02/11/2020
+ms.date: 07/13/2020
 
 ms.author: iainfou
 author: iainfoulds
@@ -22,6 +22,11 @@ Multi-factor authentication (MFA) is a process where a user is prompted during a
 
 Azure Multi-Factor Authentication and Conditional Access policies give the flexibility to enable MFA for users during specific sign-in events.
 
+> [!IMPORTANT]
+> This tutorial shows an administrator how to enable Azure Multi-Factor Authentication.
+>
+> If your IT team hasn't enabled the ability to use Azure Multi-Factor Authentication or you have problems during sign-in, reach out to your helpdesk for additional assistance.
+
 In this tutorial you learn how to:
 
 > [!div class="checklist"]
@@ -37,9 +42,9 @@ To complete this tutorial, you need the following resources and privileges:
     * If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 * An account with *global administrator* privileges.
 * A non-administrator user with a password you know, such as *testuser*. You test the end-user Azure Multi-Factor Authentication experience using this account in this tutorial.
-    * If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../add-users-azure-active-directory.md).
+    * If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
 * A group that the non-administrator user is a member of, such as *MFA-Test-Group*. You enable Azure Multi-Factor Authentication for this group in this tutorial.
-    * If you need to create a group, see how to [Create a group and add members in Azure Active Directory](../active-directory-groups-create-azure-portal.md).
+    * If you need to create a group, see how to [Create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md).
 
 ## Create a Conditional Access policy
 

articles/active-directory/authentication/tutorial-enable-sspr-writeback.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: tutorial
-ms.date: 04/24/2020
+ms.date: 07/13/2020
 
 ms.author: iainfou
 author: iainfoulds
@@ -23,6 +23,11 @@ With Azure Active Directory (Azure AD) self-service password reset (SSPR), users
 
 Password writeback can be used to synchronize password changes in Azure AD back to your on-premises AD DS environment. Azure AD Connect provides a secure mechanism to send these password changes back to an existing on-premises directory from Azure AD.
 
+> [!IMPORTANT]
+> This tutorial shows an administrator how to enable self-service password reset back to an on-premises environment. If you're an end user already registered for self-service password reset and need to get back into your account, go to https://aka.ms/sspr.
+>
+> If your IT team hasn't enabled the ability to reset your own password, reach out to your helpdesk for additional assistance.
+
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
@@ -34,15 +39,15 @@ In this tutorial, you learn how to:
 
 To complete this tutorial, you need the following resources and privileges:
 
-* A working Azure AD tenant with at least an Azure AD Premium P1 or P2 trial license enabled.
+* A working Azure AD tenant with at least an Azure AD Premium P1 trial license enabled.
     * If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
     * For more information, see [Licensing requirements for Azure AD SSPR](concept-sspr-licensing.md).
 * An account with *global administrator* privileges.
 * Azure AD configured for self-service password reset.
     * If needed, [complete the previous tutorial to enable Azure AD SSPR](tutorial-enable-sspr.md).
 * An existing on-premises AD DS environment configured with a current version of Azure AD Connect.
     * If needed, configure Azure AD Connect using the [Express](../hybrid/how-to-connect-install-express.md) or [Custom](../hybrid/how-to-connect-install-custom.md) settings.
-    * To use Password Writeback, your Domain Controllers must be Windows Server 2012 or later.
+    * To use password writeback, your Domain Controllers must be Windows Server 2012 or later.
 
 ## Configure account permissions for Azure AD Connect
 
@@ -53,9 +58,7 @@ To correctly work with SSPR writeback, the account specified in Azure AD Connect
 * **Reset password**
 * **Write permissions** on `lockoutTime`
 * **Write permissions** on `pwdLastSet`
-* **Extended rights** for "Unexpire Password" on either:
-   * The root object of *each domain* in that forest
-   * The user organizational units (OUs) you want to be in scope for SSPR
+* **Extended rights** for "Unexpire Password" on the root object of *each domain* in that forest, if not already set.
 
 If don't assign these permissions, writeback appears to be configured correctly, but users encounter errors when they manage their on-premises passwords from the cloud. Permissions must be applied to **This object and all descendant objects** for "Unexpire Password" to appear.  
 
@@ -73,7 +76,7 @@ To set up the appropriate permissions for password writeback to occur, complete
 1. In the **Applies to** drop-down list, select **Descendant User objects**.
 1. Under *Permissions*, select the box for the following option:
     * **Reset password**
-1. Under *Properties*, select the boxes for the following options. You need to scroll through the list to find these options, which may already be set by default:
+1. Under *Properties*, select the boxes for the following options. Scroll through the list to find these options, which may already be set by default:
     * **Write lockoutTime**
     * **Write pwdLastSet**
 
@@ -88,13 +91,13 @@ Password policies in the on-premises AD DS environment may prevent password rese
 If you update the group policy, wait for the updated policy to replicate, or use the `gpupdate /force` command.
 
 > [!Note]
-> In order for passwords to be changed immediately, password writeback must be set to 0. However, if users adhere to the on-premises policies, and the *Minimum password age* is set to a value greater than zero, password writeback will still work after the on-premises policies are evaluated. 
+> In order for passwords to be changed immediately, password writeback must be set to 0. However, if users adhere to the on-premises policies, and the *Minimum password age* is set to a value greater than zero, password writeback still works after the on-premises policies are evaluated.
 
 ## Enable password writeback in Azure AD Connect
 
 One of the configuration options in Azure AD Connect is for password writeback. When this option is enabled, password change events cause Azure AD Connect to synchronize the updated credentials back to the on-premises AD DS environment.
 
-To enable self-service password reset writeback, first enable the writeback option in Azure AD Connect. From your Azure AD Connect server, complete the following steps:
+To enable SSPR writeback, first enable the writeback option in Azure AD Connect. From your Azure AD Connect server, complete the following steps:
 
 1. Sign in to your Azure AD Connect server and start the **Azure AD Connect** configuration wizard.
 1. On the **Welcome** page, select **Configure**.

articles/active-directory/authentication/tutorial-enable-sspr.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: tutorial
-ms.date: 02/04/2020
+ms.date: 07/13/2020
 
 ms.author: iainfou
 author: iainfoulds
@@ -21,7 +21,7 @@ ms.collection: M365-identity-device-management
 Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.
 
 > [!IMPORTANT]
-> This quickstart shows an administrator how to enable self-service password reset. If you're an end user already registered for self-service password reset and need to get back into your account, go to https://aka.ms/sspr.
+> This tutorial shows an administrator how to enable self-service password reset. If you're an end user already registered for self-service password reset and need to get back into your account, go to https://aka.ms/sspr.
 >
 > If your IT team hasn't enabled the ability to reset your own password, reach out to your helpdesk for additional assistance.
 
@@ -40,9 +40,9 @@ To complete this tutorial, you need the following resources and privileges:
     * If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 * An account with *Global Administrator* privileges.
 * A non-administrator user with a password you know, such as *testuser*. You test the end-user SSPR experience using this account in this tutorial.
-    * If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../add-users-azure-active-directory.md).
+    * If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
 * A group that the non-administrator user is a member of, such as *SSPR-Test-Group*. You enable SSPR for this group in this tutorial.
-    * If you need to create a group, see how to [Create a group and add members in Azure Active Directory](../active-directory-groups-create-azure-portal.md).
+    * If you need to create a group, see how to [Create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md).
 
 ## Enable self-service password reset
 
@@ -77,8 +77,8 @@ When users need to unlock their account or reset their password, they're prompte
     * *Mobile app code*
     * *Email*
     * *Mobile phone*
-    * *Office phone*
-    * *Security questions*
+
+    Additional authentication methods, such as *Office phone* or *Security questions*, can be enabled as needed to fit your business requirements.
 
 1. To apply the authentication methods, select **Save**.
 
@@ -94,7 +94,7 @@ An administrator can manually provide this contact information, or users can go
 
 ## Configure notifications and customizations
 
-To keep users informed about account activity, you can configure e-mail notifications to be sent when an SSPR event happens. These notifications can cover both regular user accounts and admin accounts. For admin accounts, this notification provides an additional layer of awareness when a privileged administrator account password is reset using SSPR.
+To keep users informed about account activity, you can configure e-mail notifications to be sent when an SSPR event happens. These notifications can cover both regular user accounts and admin accounts. For admin accounts, this notification provides an additional layer of awareness when a privileged administrator account password is reset using SSPR. All global admins would be notified when SSPR is used on an admin account.
 
 1. On the **Notifications** page from the menu in the left-hand side, configure the following options:
 

articles/active-directory/authentication/tutorial-risk-based-sspr-mfa.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: tutorial
-ms.date: 05/11/2020
+ms.date: 07/13/2020
 
 ms.author: iainfou
 author: iainfoulds
@@ -17,7 +17,12 @@ ms.collection: M365-identity-device-management
 ---
 # Tutorial: Use risk detections for user sign-ins to trigger Azure Multi-Factor Authentication or password changes
 
-To protect your users, you can configure risk-based policies in Azure Active Directory (Azure AD) that automatically respond to risky behaviors. Azure AD Identity Protection policies can automatically block a sign-in attempt or require additional action, such as require a password change or prompt for Azure Multi-Factor Authentication. These policies work with existing Azure AD Conditional Access policies as an extra layer of protection for org organization. Users may never trigger a risky behavior in one of these policies, but your organization is protected if an attempt to compromise your security is made.
+To protect your users, you can configure risk-based policies in Azure Active Directory (Azure AD) that automatically respond to risky behaviors. Azure AD Identity Protection policies can automatically block a sign-in attempt or require additional action, such as require a password change or prompt for Azure Multi-Factor Authentication. These policies work with existing Azure AD Conditional Access policies as an extra layer of protection for your organization. Users may never trigger a risky behavior in one of these policies, but your organization is protected if an attempt to compromise your security is made.
+
+> [!IMPORTANT]
+> This tutorial shows an administrator how to enable risk-based Azure Multi-Factor Authentication.
+>
+> If your IT team hasn't enabled the ability to use Azure Multi-Factor Authentication or you have problems during sign-in, reach out to your helpdesk for additional assistance.
 
 In this tutorial, you learn how to:
 

articles/active-directory/conditional-access/TOC.yml

@@ -47,8 +47,6 @@
     href: controls.md
   - name: Classic policy migrations
     href: policy-migration.md
-  - name: Baseline protection policies
-    href: concept-baseline-protection.md
 - name: How-to guides
   expanded: true
   items: