Merge pull request #5841 from MicrosoftDocs/main
11/6/2024 PM Publish
Taojunshen authored Nov 6, 2024
2 parents f4e0ba6 + 93c9140 commit ab5f0ec
Showing 11 changed files with 120 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ ms.custom: it-pro

# Tutorial: Configure Cloudflare Web Application Firewall with Microsoft Entra External ID

In this tutorial, learn how to configure Cloudflare Web Applcation Firewall ([Cloudflare WAF](https://www.cloudflare.com/application-services/products/waf/)) to protect your organization from attacks, such as distributed denial of service (DDoS), malicious bots, Open Worldwide Application Security Project [(OWASP) Top-10](https://owasp.org/www-project-top-ten/) security risks, and others.
In this tutorial, learn how to configure Cloudflare Web Application Firewall ([Cloudflare WAF](https://www.cloudflare.com/application-services/products/waf/)) to protect your organization from attacks, such as distributed denial of service (DDoS), malicious bots, Open Worldwide Application Security Project [(OWASP) Top-10](https://owasp.org/www-project-top-ten/) security risks, and others.

## Prerequisites

Expand Down
30 changes: 27 additions & 3 deletions docs/global-secure-access/concept-universal-conditional-access.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Learn about Universal Conditional Access through Global Secure Access
description: Learn about how Microsoft Entra Internet Access and Microsoft Entra Private Access secures access to your resources through Conditional Access.
ms.service: global-secure-access
ms.topic: conceptual
ms.date: 05/09/2024
ms.date: 11/05/2024
ms.author: kenwith
author: kenwith
manager: amycolannino
Expand Down Expand Up @@ -33,8 +33,8 @@ One example is if you block access to the Internet access target resource on non

### Other known limitations

- Continuous access evaluation is not currently supported for Universal Conditional Access for Microsoft traffic.
- Applying Conditional Access policies to Private Access traffic is not currently supported. To model this behavior, you can apply a Conditional Access policy at the application level for Quick Access and Global Secure Access apps. For more information, see [Apply Conditional Access to Private Access apps](how-to-target-resource-private-access-apps.md).
- Continuous access evaluation isn't currently supported for Universal Conditional Access for Microsoft traffic.
- Applying Conditional Access policies to Private Access traffic isn't currently supported. To model this behavior, you can apply a Conditional Access policy at the application level for Quick Access and Global Secure Access apps. For more information, see [Apply Conditional Access to Private Access apps](how-to-target-resource-private-access-apps.md).
- Microsoft traffic can be accessed through remote network connectivity without the Global Secure Access Client; however the Conditional Access policy isn't enforced. In other words, Conditional Access policies for the Global Secure Access Microsoft traffic are only enforced when a user has the Global Secure Access Client.


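Review bot: the unchanged bullet "Microsoft traffic can be accessed through remote network connectivity without the Global Secure Access Client; however the Conditional Access policy isn't enforced" needs a comma after "however", and since this hunk already normalizes "is not" to "isn't" in the two bullets above it, that bullet could be tidied in the same change; the two trailing blank lines before the next section can also be collapsed to one.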
Expand All @@ -46,6 +46,30 @@ With Conditional Access, you can enable access controls and security policies fo
- Apply Conditional Access policies to your [Private Access apps](how-to-target-resource-private-access-apps.md), such as Quick Access.
- Enable [Global Secure Access signaling in Conditional Access](how-to-source-ip-restoration.md) so the source IP address is visible in the appropriate logs and reports.

## Internet Access – Universal Conditional Access

The following example demonstrates how Microsoft Entra Internet Access works when you apply Universal Conditional Access policies to network traffic.

> [!NOTE]
> Microsoft's Security Service Edge solution comprises three tunnels: Microsoft traffic, Internet Access, and Private Access. Universal Conditional Access applies to the Internet Access and Microsoft traffic tunnels. There isn't support to target the Private Access tunnel. You must individually target Private Access Enterprise Applications.
The following flow diagram illustrates Universal Conditional Access targeting internet resources and Microsoft apps with Global Secure Access.

:::image type="content" source="media/concept-universal-conditional-access/internet-access-universal-conditional-access-inline.png" alt-text="Diagram shows flow for Universal Conditional Access when targeting internet resources with Global Secure Access and Microsoft apps with Global Secure Access." lightbox="media/concept-universal-conditional-access/internet-access-universal-conditional-access-expanded.png":::

|Step|Description|
|-----|-----|
|1|The Global Secure Access client attempts to connect to Microsoft's Security Service Edge solution.|
|2|The client redirects to Microsoft Entra ID for authentication and authorization.|
|3|The user and the device authenticate. Authentication happens seamlessly when the user has a valid Primary Refresh Token.|
|4|After the user and device authenticate, Universal Conditional Access policy enforcement occurs. Universal Conditional Access policies target the established Microsoft and internet tunnels between the Global Secure Access client and Microsoft Security Service Edge.|
|5|Microsoft Entra ID issues the access token for the Global Secure Access client.|
|6|The Global Secure Access client presents the access token to Microsoft Security Service Edge. The token validates.|
|7|Tunnels establish between the Global Secure Access client and Microsoft Security Service Edge.|
|8|Traffic starts being acquired and tunneled to the destination via the Microsoft and Internet Access tunnels.|

> [!NOTE]
> Target Microsoft apps with Global Secure Access to protect the connection between Microsoft Security Service Edge and the Global Secure Access client. To ensure that users can't bypass the Microsoft Security Service Edge service, create a Conditional Access policy that requires compliant network for your Microsoft 365 Enterprise applications.
## User experience

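Review bot: the paragraph "The following flow diagram illustrates Universal Conditional Access targeting internet resources and Microsoft apps with Global Secure Access." sits directly under the NOTE blockquote with no blank line, so Markdown treats it as a lazy continuation and renders it inside the note; add a blank line after "> ... You must individually target Private Access Enterprise Applications." and, for consistency, one between the second NOTE and "## User experience". In the step table, step 6's "The token validates." reads as if the token does the validating; "Microsoft Security Service Edge validates the token." says what happens, and step 8's "Traffic starts being acquired and tunneled" is needlessly passive ("The client acquires traffic and tunnels it to the destination ...").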
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ author: kenwith
ms.author: kenwith
manager: amycolannino
ms.topic: how-to
ms.date: 09/25/2024
ms.date: 11/05/2024
ms.service: global-secure-access
ms.subservice: entra-internet-access
ms.reviewer: frankgomulka
Expand Down Expand Up @@ -93,6 +93,31 @@ Create a Conditional Access policy for end users or groups and deliver your secu
1. In the **Enable policy** section, ensure **On** is selected.
1. Select **Create**.

## Internet Access – web content filtering

This example demonstrates the flow of Microsoft Entra Internet Access traffic when you apply web content filtering policies.

The following flow diagram illustrates web content filtering policies blocking or allowing access to internet resources.

:::image type="content" source="media/how-to-configure-web-content-filtering/internet-access-web-content-filtering-inline.png" alt-text="Diagram shows flow for web content filtering policies blocking or allowing access to internet resources." lightbox="media/how-to-configure-web-content-filtering/internet-access-web-content-filtering-expanded.png":::

|Step|Description|
|-----|-----|
|1|The Global Secure Access client attempts to connect to Microsoft's Security Service Edge solution.|
|2|The client redirects to Microsoft Entra ID for authentication and authorization.|
|3|The user and device authenticate. Authentication happens seamlessly when the user has a valid Primary Refresh Token (PRT).|
|4|After the user and device authenticate, Conditional Access (CA) matches on Internet Access CA rules and adds applicable security profiles to the token. It enforces applicable authorization policies.|
|5|Microsoft Entra ID presents the token to Microsoft Security Service Edge for validation.|
|6|The tunnel establishes between the Global Secure Access client and Microsoft Security Service Edge.|
|7|Traffic starts being acquired and tunnels through the Internet Access tunnel.|
|8|Microsoft Security Service Edge evaluates the security policies in the access token in priority order. After it matches on a web content filtering rule, web content filtering policy evaluation stops.|
|9|Microsoft Security Service Edge enforces the security policies.|
|10|Policy = block results in an error for HTTP traffic or a connection reset exception occurs for HTTPS traffic.|
|11|Policy = allow results in traffic forwarding to the destination.|

> [!NOTE]
> Applying a new security profile can take up to 60-90 minutes due to security profile enforcement with access tokens. The user must receive a new access token with the new security profile ID as a claim before it takes effect. Changes to existing security profiles start being enforced much more quickly.
## User and group assignments
You can scope the Internet Access profile to specific users and groups. To learn more about user and group assignment, see [How to assign and manage users and groups with traffic forwarding profiles](how-to-manage-users-groups-assignment.md).

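Review bot: step 5, "Microsoft Entra ID presents the token to Microsoft Security Service Edge for validation", disagrees with the flow this same publish adds to concept-universal-conditional-access.md, where Microsoft Entra ID issues the access token to the Global Secure Access client and the client presents it to Microsoft Security Service Edge (steps 5 and 6 there); both tables describe the same sign-in and should agree on who presents the token. Also, "## User and group assignments" directly follows the NOTE blockquote, and its paragraph directly follows the heading, with no blank lines; add them. Step 10 mixes two constructions ("results in an error ... or a connection reset exception occurs"); suggest "A block verdict returns an error for HTTP traffic and resets the connection for HTTPS traffic."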
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ Sometimes called a *public key*, a certificate is the recommended credential typ

### [Add a client secret](#tab/client-secret)

Sometimes called an *application password*, a client secret is a string value your app can use in place of a certificate to identity itself.
Sometimes called an *application password*, a client secret is a string value your app can use in place of a certificate to identify itself.

Client secrets are considered less secure than certificate credentials. Application developers sometimes use client secrets during local app development because of their ease of use. However, you should use certificate credentials for any of your applications that are running in production.

Expand Down
3 changes: 3 additions & 0 deletions docs/identity/authentication/TOC.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,9 @@
items:
- name: Authentication methods
items:
- name: Accessibility
href: ./accessibility/authentication-methods-accessibility.md
displayName: Accessibility, Special People, MFA Accessibility
- name: Overview
href: concept-authentication-methods.md
- name: Manage
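Review bot: the displayName search terms "Accessibility, Special People, MFA Accessibility" include "Special People", which nobody searches for and reads as a label for people with disabilities; replace it with the terms the new article actually uses (assistive technologies, screen readers, visual impairment, hearing impairment, biometric) and drop the duplicated "Accessibility".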
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
---
title: Enhance accessibility with multifactor authentication in Microsoft Entra ID
description: Explains authentication Methods Accessibility
author: gdaluz1 # GitHub alias
ms.author: justinha
ms.service: entra-id
ms.topic: article
ms.date: 11/05/2024
ms.subservice: authentication
---
# Improve accessibility with multifactor authentication in Microsoft Entra ID

As cybersecurity threats evolve, multifactor authentication (MFA) has become a cornerstone of secure digital identity. Microsoft Entra ID offers a range of MFA methods designed not only for robust security but also to cater to diverse user needs, including those with accessibility constraints. Here's a closer look at how these MFA options enhance accessibility and inclusivity.

## Microsoft Authenticator

The Microsoft Authenticator app provides either notifications for quick approval or generates time-based codes for more traditional MFA entry. This app is compatible with various assistive technologies, including screen readers, making it accessible for users with visual impairments. It also offers flexibility for individuals who prefer not to rely solely on SMS or voice calls.

[Download Microsoft Authenticator](https://www.microsoft.com/security/mobile-authenticator-app?msockid=04750fac1789618938f71b4a16ee6056).

## Text and voice calls

Text and voice call options cater to those who may not use a smartphone app. This can be particularly beneficial for individuals with certain accessibility needs:

- **Text:** Allows users to receive a verification code via text message, which can be useful for those with hearing impairments or those who prefer text-based communication.

- **Voice calls:** Voice calls are a great option for users with visual impairments, as they provide audio cues rather than visual or tactile ones.

For more information, see [Phone authentication methods](/entra/identity/authentication/concept-authentication-phone-options).

## FIDO2 security keys

FIDO2 security keys are physical devices that offer a highly accessible and secure MFA option. These hardware keys support biometric authentication (such as fingerprint scans) or PINs, making them ideal for users who may find traditional passwords or other authentication methods challenging. FIDO2 keys are particularly beneficial for users with physical disabilities who may have difficulty typing complex passwords.

For more information, see [How to register passkey (FIDO2)](/entra/identity/authentication/how-to-register-passkey-with-security-key).

## Windows Hello for Business

Windows Hello for Business leverages biometric authentication (facial recognition or fingerprint) and PINs, offering a quick, secure, and accessible MFA option. This method eliminates the need for password input, which can be challenging for users with physical or cognitive disabilities. Biometric authentication allows for seamless access while maintaining strong security.

For more information, see [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/policy-settings?tabs=feature).

## Email verification

While not as secure as other MFA methods, email verification can be useful in certain accessibility scenarios, providing a fallback option. For users who experience difficulty with text, voice, or app-based authentication, email can offer a familiar and easily accessible alternative.

References:

- [Available verification methods](/entra/identity/authentication/concept-mfa-howitworks)
- [How to enable MFA](/entra/identity/authentication/tutorial-enable-azure-mfa)

## Conclusion

Microsoft Entra ID's range of MFA options enables individuals with diverse needs to access secure authentication without compromising on usability. By offering various options like the Authenticator app, SMS and voice calls, FIDO2 keys, Windows Hello, and email verification, Microsoft Entra ID ensures that security measures remain accessible and inclusive for all users.

Selecting the right MFA method depends on individual needs and constraints. Microsoft’s commitment to flexible and inclusive authentication helps everyone stay secure, regardless of their physical or technological limitations. For those with specific accessibility requirements, it’s worth exploring each MFA option to find the one that aligns best with personal preferences and usability needs.

## Related content

- [Available verification methods](/entra/identity/authentication/concept-mfa-howitworks)
- [How to enable MFA](/entra/identity/authentication/tutorial-enable-azure-mfa)
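Review bot: the "References:" list ("Available verification methods", "How to enable MFA") is an exact duplicate of the "## Related content" list at the end of the file; keep only the Related content section. The download link for Microsoft Authenticator carries a tracking parameter ("?msockid=...") that should be stripped before publishing. The front-matter title ("Enhance accessibility with multifactor authentication ...") and the H1 ("Improve accessibility with multifactor authentication ...") should match, and the description "Explains authentication Methods Accessibility" needs consistent casing and a full sentence. Every method section links to its method documentation except "## Email verification", which is also the section the text itself calls "not as secure as other MFA methods"; confirm which Microsoft Entra authentication method is meant there and link it as the other sections do.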