Skip to content

Commit

Permalink
Merge pull request #5435 from MicrosoftDocs/main
Browse files Browse the repository at this point in the history
10/4/2024 AM Publish
  • Loading branch information
Taojunshen authored Oct 4, 2024
2 parents 224cdf8 + 22f365e commit 45494a8
Show file tree
Hide file tree
Showing 57 changed files with 202 additions and 351 deletions.
5 changes: 5 additions & 0 deletions .openpublishing.redirection.json
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,11 @@
"redirect_url": "/entra/fundamentals/how-to-manage-support-access-requests",
"redirect_document_id": false
},
{
"source_path_from_root": "/docs/identity/monitoring-health/reference-azure-monitor-sign-ins-log-schema.md",
"redirect_url": "/entra/identity/monitoring-health/concept-activity-log-schemas",
"redirect_document_id": false
},
{
"source_path_from_root": "/docs/identity/monitoring-health/howto-configure-prerequisites-for-reporting-api.md",
"redirect_url": "/entra/identity/monitoring-health/howto-analyze-activity-logs-with-microsoft-graph",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,21 +59,21 @@ The related information exists for the following device platforms:

## Step 2: Configure the certificate authorities

[!INCLUDE [Configure certificate authorities](../../includes/entra-authentication-configure-certificate-authorities.md)]
[!INCLUDE [Configure certificate authorities](~/includes/entra-authentication-configure-certificate-authorities.md)]

### Connect

[!INCLUDE [Connect-AzureAD](../../includes/entra-authentication-connect.md)]
[!INCLUDE [Connect-AzureAD](~/includes/entra-authentication-connect.md)]


### Retrieve

[!INCLUDE [Get-AzureAD](../../includes/entra-authentication-get-trusted.md)]
[!INCLUDE [Get-AzureAD](~/includes/entra-authentication-get-trusted.md)]


To add, modify, or remove a CA, use the Microsoft Entra admin center:

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator).
1. [!INCLUDE [Privileged role](../../includes/privileged-role-include.md)]
1. Browse to **Protection** > **Show more** > **Security Center** (or **Identity Secure Score**) > **Certificate authorities**.
1. To upload a CA, select **Upload**:
1. Select the CA file.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: Learn about the authentication methods policy and different ways to
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 07/09/2024
ms.date: 10/03/2024

ms.author: justinha
author: justinha
Expand Down Expand Up @@ -35,7 +35,9 @@ Only the [converged registration experience](concept-registration-mfa-sspr-combi

## Legacy MFA and SSPR policies

Two other policies, located in **Multifactor authentication** settings and **Password reset** settings, provide a legacy way to manage some authentication methods for all users in the tenant. You can't control who uses an enabled authentication method, or how the method can be used. A [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator) is needed to manage these policies.
Two other policies, located in **Multifactor authentication** settings and **Password reset** settings, provide a legacy way to manage some authentication methods for all users in the tenant. You can't control who uses an enabled authentication method, or how the method can be used.

[!INCLUDE [Privileged role](~/includes/privileged-role-feature-include.md)]

>[!Important]
>In March 2023, we announced the deprecation of managing authentication methods in the legacy multifactor authentication and self-service password reset (SSPR) policies. Beginning September 30, 2025, authentication methods can't be managed in these legacy MFA and SSPR policies. We recommend customers use the manual migration control to migrate to the Authentication methods policy by the deprecation date.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ services: active-directory
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 02/14/2024
ms.date: 10/03/2024

ms.author: justinha
author: justinha
Expand Down Expand Up @@ -54,7 +54,7 @@ Helga@contoso.com,1234567,2234567abcdef2234567abcdef,60,Contoso,HardwareKey
> [!NOTE]
> Make sure you include the header row in your CSV file.
Once properly formatted as a CSV file, a Global Administrator can then sign in to the Microsoft Entra admin center, navigate to **Protection** > **Multifactor authentication** > **OATH tokens**, and upload the resulting CSV file.
Once properly formatted as a CSV file, an administrator can then sign in to the Microsoft Entra admin center, navigate to **Protection** > **Multifactor authentication** > **OATH tokens**, and upload the resulting CSV file.

Depending on the size of the CSV file, it can take a few minutes to process. Select the **Refresh** button to get the current status. If there are any errors in the file, you can download a CSV file that lists any errors for you to resolve. The field names in the downloaded CSV file are different than the uploaded version.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: Learn how to migrate from Federated server to Microsoft Entra ID
ms.service: entra-id
ms.subservice: authentication
ms.topic: how-to
ms.date: 09/13/2023
ms.date: 10/03/2024


ms.author: justinha
Expand Down Expand Up @@ -75,7 +75,7 @@ For synchronized accounts:

### Should organizations eliminate federated servers like AD FS to prevent the capability to pivot from AD FS to Azure?

With federation, an attacker could impersonate anyone, such as a CIO, even if they can't obtain a cloud-only role like the Global Administrator account.
With federation, an attacker could impersonate anyone, such as a CIO, even if they can't obtain a cloud-only role like a highly privileged administrator account.

When a domain is federated in Microsoft Entra ID, a high level of trust is being placed on the Federated IdP. AD FS is one example, but the notion holds true for *any* federated IdP. Many organizations deploy a federated IdP such as AD FS exclusively to accomplish certificate based authentication. Microsoft Entra CBA completely removes the AD FS dependency in this case. With Microsoft Entra CBA, customers can move their application estate to Microsoft Entra ID to modernize their IAM infrastructure and reduce costs with increased security.

Expand Down
10 changes: 6 additions & 4 deletions docs/identity/authentication/concept-mfa-authprovider.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,21 +6,21 @@ description: When should you use an authentication provider with Microsoft Entra
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 09/14/2023
ms.date: 10/03/2024

ms.author: justinha
author: justinha
manager: amycolannino
ms.reviewer: michmcla
ms.reviewer: jpettere
---
# When to use a Microsoft Entra multifactor authentication provider

> [!IMPORTANT]
> Effective September 1st, 2018 new auth providers may no longer be created. Existing auth providers may continue to be used and updated, but migration is no longer possible. Multifactor authentication will continue to be available as a feature in Microsoft Entra ID P1 or P2 licenses.
Two-step verification is available by default for Global Administrators who have Microsoft Entra ID, and Microsoft 365 users. However, if you wish to take advantage of [advanced features](howto-mfa-mfasettings.md) then you should purchase the full version of Microsoft Entra multifactor authentication.
Two-step verification is available by default for administrators in Microsoft Entra ID, and Microsoft 365 users. However, if you wish to take advantage of [advanced features](howto-mfa-mfasettings.md) then you should enable Microsoft Entra multifactor authentication by using Conditional Access. For more information, see [Common Conditional Access policy: Require MFA for all users](~/identity/conditional-access/howto-conditional-access-policy-all-users-mfa.md).

A Microsoft Entra multifactor authentication provider is used to take advantage of features provided by Microsoft Entra multifactor authentication for users who **do not have licenses**.
A Microsoft Entra multifactor authentication provider is used to take advantage of features provided by Microsoft Entra multifactor authentication for users who **don't have licenses**.

## Caveats related to the Azure MFA SDK

Expand Down Expand Up @@ -70,3 +70,5 @@ After you confirm that all settings are migrated, browse to **Providers** and se
## Next steps

[Configure multifactor authentication settings](howto-mfa-mfasettings.md)

[Common Conditional Access policy: Require MFA for all users](~/identity/conditional-access/howto-conditional-access-policy-all-users-mfa.md)
27 changes: 8 additions & 19 deletions docs/identity/authentication/concept-mfa-licensing.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ description: Learn about the Microsoft Entra multifactor authentication client a
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 01/29/2023
ms.date: 10/03/2024

ms.author: justinha
author: justinha
Expand All @@ -15,16 +15,16 @@ ms.reviewer: michmcla
---
# Features and licenses for Microsoft Entra multifactor authentication

To protect user accounts in your organization, multifactor authentication should be used. This feature is especially important for accounts that have privileged access to resources. Basic multifactor authentication features are available to Microsoft 365 and Microsoft Entra users and Global Administrators for no extra cost. If you want to upgrade the features for your admins or extend multifactor authentication to the rest of your users with more authentication methods and greater control, you can purchase Microsoft Entra multifactor authentication in several ways.
To protect user accounts in your organization, multifactor authentication should be used. This feature is especially important for accounts that have privileged access to resources. Basic multifactor authentication features are available to Microsoft 365 and Microsoft Entra ID users and administrators for no extra cost. If you want to upgrade the features for your admins or extend multifactor authentication to the rest of your users with more authentication methods and greater control, you can enable Microsoft Entra multifactor authentication by using Conditional Access. For more information, see [Common Conditional Access policy: Require MFA for all users](~/identity/conditional-access/howto-conditional-access-policy-all-users-mfa.md).

> [!IMPORTANT]
> This article details the different ways that Microsoft Entra multifactor authentication can be licensed and used. For specific details about pricing and billing, see the [Microsoft Entra pricing page](https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing).
> This article details the different ways that Microsoft Entra multifactor authentication can be licensed and used. For specific details about pricing and billing, see the [Microsoft Entra pricing page](https://www.microsoft.com/security/business/microsoft-entra-pricing).
<a name='available-versions-of-azure-ad-multi-factor-authentication'></a>

## Available versions of Microsoft Entra multifactor authentication

Microsoft Entra multifactor authentication can be used, and licensed, in a few different ways depending on your organization's needs. All tenants are entitled to basic multifactor authentication features via Security Defaults. You may already be entitled to use advanced Microsoft Entra multifactor authentication depending on the Microsoft Entra ID, EMS, or Microsoft 365 license you currently have. For example, the first 50,000 monthly active users in Microsoft Entra External ID can use MFA and other Premium P1 or P2 features for free. For more information, see [Microsoft Entra External ID pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/).
Microsoft Entra multifactor authentication can be used, and licensed, in a few different ways depending on your organization's needs. All tenants are entitled to basic multifactor authentication features by using security defaults. You may already be entitled to use advanced Microsoft Entra multifactor authentication depending on the license you currently have. For example, the first 50,000 monthly active users in Microsoft Entra External ID can use MFA and other Premium P1 or P2 features for free. For more information, see [Azure Active Directory B2C pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/).

The following table details the different ways to get Microsoft Entra multifactor authentication and some of the features and use cases for each.

Expand All @@ -34,7 +34,7 @@ The following table details the different ways to get Microsoft Entra multifacto
| [Microsoft Entra ID P1](~/fundamentals/get-started-premium.md) | You can use [Microsoft Entra Conditional Access](~/identity/conditional-access/howto-conditional-access-policy-all-users-mfa.md) to prompt users for multifactor authentication during certain scenarios or events to fit your business requirements. |
| [Microsoft Entra ID P2](~/fundamentals/get-started-premium.md) | Provides the strongest security position and improved user experience. Adds [risk-based Conditional Access](~/identity/conditional-access/howto-conditional-access-policy-risk.md) to the Microsoft Entra ID P1 features that adapts to user's patterns and minimizes multifactor authentication prompts. |
| [All Microsoft 365 plans](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans) | Microsoft Entra multifactor authentication can be enabled for all users using [security defaults](~/fundamentals/security-defaults.md). Management of Microsoft Entra multifactor authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Microsoft Entra ID P1 or P2 and use Conditional Access. For more information, see [secure Microsoft 365 resources with multifactor authentication](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication). |
| [Office 365 free](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)<br>[Microsoft Entra ID Free](~/verified-id/how-to-create-a-free-developer-account.md) | You can use [security defaults](~/fundamentals/security-defaults.md) to prompt users for multifactor authentication as needed but you don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multifactor authentication for everyone, users assigned the *Microsoft Entra Global Administrator* role can be configured to use multifactor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multifactor authentication. |
| [Office 365 free](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)<br>[Microsoft Entra ID Free](~/verified-id/how-to-create-a-free-developer-account.md) | You can use [security defaults](~/fundamentals/security-defaults.md) to prompt users for multifactor authentication as needed but you don't have granular control of enabled users or scenarios, but it does provide that additional security step. |

## Feature comparison based on licenses

Expand All @@ -61,7 +61,7 @@ The following table provides a list of the features that are available in the va

## Compare multifactor authentication policies

Our recommended approach to enforce MFA is using [Conditional Access](~/identity/conditional-access/overview.md). Review the following table to determine the what capabilities are included in your licenses.
Our recommended approach to enforce MFA is using [Conditional Access](~/identity/conditional-access/overview.md). Review the following table to determine what capabilities are included in your licenses.

| Policy | Security defaults | Conditional Access | Per-user MFA |
| --- |:---:|:---:|:---:|
Expand All @@ -84,28 +84,17 @@ Our recommended approach to enforce MFA is using [Conditional Access](~/identity
| Support for "report only" mode | || |
| Ability to completely block users/services | || |

<a name='purchase-and-enable-azure-ad-multi-factor-authentication'></a>

## Purchase and enable Microsoft Entra multifactor authentication

To use Microsoft Entra multifactor authentication, register for or purchase an eligible Microsoft Entra tier. Microsoft Entra ID comes in four editions—Free, Office 365, Premium P1, and Premium P2.

The Free edition is included with an Azure subscription. See the [section below](#azure-ad-free-tier) for information on how to use security defaults or protect accounts with the *Microsoft Entra Global Administrator* role.

The Microsoft Entra ID P1 or P2 editions are available through your Microsoft representative, the [Open Volume License Program](https://www.microsoft.com/licensing/licensing-programs/open-license.aspx), and the [Cloud Solution Providers program](https://go.microsoft.com/fwlink/?LinkId=614968&clcid=0x409). Azure and Microsoft 365 subscribers can also buy Microsoft Entra ID P1 and P2 online. [Sign in](https://portal.office.com/Commerce/Catalog.aspx) to purchase.

After you have purchased the required Microsoft Entra tier, [plan and deploy Microsoft Entra multifactor authentication](howto-mfa-getstarted.md).

<a name='azure-ad-free-tier'></a>

### Microsoft Entra ID Free tier
## Microsoft Entra ID Free tier

All users in a Microsoft Entra ID Free tenant can use Microsoft Entra multifactor authentication by using security defaults. The mobile authentication app can be used for Microsoft Entra multifactor authentication when using Microsoft Entra ID Free security defaults.

* [Learn more about Microsoft Entra security defaults](~/fundamentals/security-defaults.md)
* [Enable security defaults for users in Microsoft Entra ID Free](~/fundamentals/security-defaults.md#enabling-security-defaults)

If you don't want to enable Microsoft Entra multifactor authentication for all users, you can instead choose to only protect user accounts with the *Microsoft Entra Global Administrator* role. This approach provides more authentication prompts for critical administrator accounts. You enable Microsoft Entra multifactor authentication in one of the following ways, depending on the type of account you use:
You enable Microsoft Entra multifactor authentication in one of the following ways, depending on the type of account you use:

* If you use a Microsoft Account, [register for multifactor authentication](https://support.microsoft.com/help/12408/microsoft-account-about-two-step-verification).
* If you aren't using a Microsoft Account, [turn on multifactor authentication for a user or group in Microsoft Entra ID](howto-mfa-userstates.md).
Expand Down
Loading

0 comments on commit 45494a8

Please sign in to comment.