etherscan-io
diff --git a/‎articles/active-directory/authentication/howto-mfa-userstates.md
+25-26 b/‎articles/active-directory/authentication/howto-mfa-userstates.md
+25-26
diff --git a/‎articles/active-directory/conditional-access/TOC.yml
+20 b/‎articles/active-directory/conditional-access/TOC.yml
+20
diff --git a/‎articles/active-directory/conditional-access/concept-conditional-access-policy-common.md
+43 b/‎articles/active-directory/conditional-access/concept-conditional-access-policy-common.md
+43
diff --git a/‎articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md
+75 b/‎articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md
+75
diff --git a/‎articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md
+58 b/‎articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md
+58
diff --git a/‎articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md
+49 b/‎articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md
+49
diff --git a/‎articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md
+55 b/‎articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md
+55
@@ -136,32 +136,6 @@ which can also be shortened to:
 The following PowerShell can assist you in making the conversion to Conditional Access based Azure Multi-Factor Authentication.
 
 ```PowerShell
-# Disable MFA for all users, keeping their MFA methods intact
-Get-MsolUser -All | Disable-MFA -KeepMethods
-
-# Wrapper to disable MFA with the option to keep the MFA methods (to avoid having to proof-up again later)
-function Disable-Mfa {
-
-    [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        $User,
-        [switch] $KeepMethods
-    )
-
-    Process {
-
-        Write-Verbose ("Disabling MFA for user '{0}'" -f $User.UserPrincipalName)
-        $User | Set-MfaState -State Disabled
-
-        if ($KeepMethods) {
-            # Restore the MFA methods which got cleared when disabling MFA
-            Set-MsolUser -ObjectId $User.ObjectId `
-                         -StrongAuthenticationMethods $User.StrongAuthenticationMethods
-        }
-    }
-}
-
 # Sets the MFA requirement state
 function Set-MfaState {
 
@@ -191,6 +165,31 @@ function Set-MfaState {
     }
 }
 
+# Wrapper to disable MFA with the option to keep the MFA methods (to avoid having to proof-up again later)
+function Disable-Mfa {
+
+    [CmdletBinding()]
+    param(
+        [Parameter(ValueFromPipeline=$True)]
+        $User,
+        [switch] $KeepMethods
+    )
+
+    Process {
+
+        Write-Verbose ("Disabling MFA for user '{0}'" -f $User.UserPrincipalName)
+        $User | Set-MfaState -State Disabled
+
+        if ($KeepMethods) {
+            # Restore the MFA methods which got cleared when disabling MFA
+            Set-MsolUser -ObjectId $User.ObjectId `
+                         -StrongAuthenticationMethods $User.StrongAuthenticationMethods
+        }
+    }
+}
+
+# Disable MFA for all users, keeping their MFA methods intact
+Get-MsolUser -All | Disable-MFA -KeepMethods
 ```
 
 ## Next steps
 
@@ -19,6 +19,10 @@
 - name: Concepts
   expanded: false
   items:
+  - name: Adopting Conditional Access
+    href: howto-conditional-access-adoption-kit.md
+  - name: Common Conditional Access policies
+    href: concept-conditional-access-policy-common.md
   - name: Conditions
     href: conditions.md
   - name: Location conditions
@@ -38,6 +42,22 @@
     href: plan-conditional-access.md
   - name: Best practices
     href: best-practices.md
+  - name: Common policy templates
+    items: 
+    - name: Require MFA for administrators
+      href: howto-conditional-access-policy-admin-mfa.md
+    - name: Require MFA for Azure management
+      href: howto-conditional-access-policy-azure-management.md
+    - name: Block legacy authentication
+      href: howto-conditional-access-policy-block-legacy.md
+    - name: Risk-based Conditional Access
+      href: howto-conditional-access-policy-risk.md
+    - name: Require trusted location for MFA registration
+      href: howto-conditional-access-policy-registration.md
+    - name: Block access by location
+      href: howto-conditional-access-policy-location.md
+    - name: Require compliant devices
+      href: howto-conditional-access-policy-compliant-device.md
   - name: Block legacy authentication
     href: block-legacy-authentication.md
   - name: Conditional Access for MFA registration
 
@@ -0,0 +1,43 @@
+---
+title: Common Conditional Access policies - Azure Active Directory
+description: Commonly used Conditional Access policies for organizations
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 08/16/2019
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
+ms.reviewer: calebb, rogoya
+
+ms.collection: M365-identity-device-management
+---
+# Common Conditional Access policies
+
+Baseline protection policies are great but many organizations need more flexibility than they offer. For example, many organizations need the ability to exclude specific accounts like their emergency access or break-glass administration accounts from Conditional Access policies requiring multi-factor authentication. For those organizations, the common policies referenced in this article can be of use.
+
+![Conditional Access policies in the Azure portal](./media/concept-conditional-access-policy-common/conditional-access-policies-azure-ad-listing.png)
+
+## Emergency access accounts
+
+More information about emergency access accounts and why they are important can be found in the following articles: 
+
+* [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md)
+* [Create a resilient access control management strategy with Azure Active Directory](../authentication/concept-resilient-controls.md)
+
+## Typical policies deployed by organizations
+
+* [Require MFA for administrators](howto-conditional-access-policy-admin-mfa.md)
+* [Require MFA for Azure management](howto-conditional-access-policy-azure-management.md)
+* [Block legacy authentication](howto-conditional-access-policy-block-legacy.md)
+* [Risk-based Conditional Access (Requires Azure AD Premium P2)](howto-conditional-access-policy-risk.md)
+* [Require trusted location for MFA registration](howto-conditional-access-policy-registration.md)
+* [Block access by location](howto-conditional-access-policy-location.md)
+* [Require compliant device](howto-conditional-access-policy-compliant-device.md)
+
+## Next steps
+
+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
@@ -0,0 +1,75 @@
+---
+title: Conditional Access - Require MFA for administrators - Azure Active Directory
+description: Create a custom Conditional Access policy to require administrators to perform multi-factor authentication
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 08/16/2019
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
+ms.reviewer: calebb, rogoya
+
+ms.collection: M365-identity-device-management
+---
+# Conditional Access: Require MFA for administrators
+
+Accounts that are assigned administrative rights are targeted by attackers. Requiring multi-factor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.
+
+Microsoft recommends you require MFA on the following roles at a minimum:
+
+* Global administrator
+* SharePoint administrator
+* Exchange administrator
+* Conditional Access administrator
+* Security administrator
+* Helpdesk (Password) administrator
+* Password administrator
+* Billing administrator
+* User administrator
+
+Organizations can choose to include or exclude roles as they see fit.
+
+## User exclusions
+
+Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:
+
+* **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
+   * More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md).
+* **Service accounts** and **service principles**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services and allow programmatic access to applications. Service accounts should be excluded since MFA can’t be completed programmatically.
+   * If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
+
+## Create a Conditional Access policy
+
+The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multi-factor authentication.
+
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Browse to **Azure Active Directory** > **Conditional Access**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users and groups**
+   1. Under **Include**, select **Directory roles (preview)** and choose the following roles at a minimum:
+      * Global administrator
+      * SharePoint administrator
+      * Exchange administrator
+      * Conditional Access administrator
+      * Security administrator
+      * Helpdesk administrator
+      * Password administrator
+      * Billing administrator
+      * User administrator
+   1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 
+   1. Select **Done**.
+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**, and select **Done**.
+1. Under **Access controls** > **Grant**, select **Grant access**, **Require multi-factor authentication**, and select **Select**.
+1. Confirm your settings and set **Enable policy** to **On**.
+1. Select **Create** to create to enable your policy.
+
+## Next steps
+
+[Conditional Access common policies](concept-conditional-access-policy-common.md)
+
+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
@@ -0,0 +1,58 @@
+---
+title: Conditional Access - Require MFA for Azure management - Azure Active Directory
+description: Create a custom Conditional Access policy to require multi-factor authentication for Azure management tasks
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 08/16/2019
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
+ms.reviewer: calebb, rogoya
+
+ms.collection: M365-identity-device-management
+---
+# Conditional Access: Require MFA for Azure management
+
+Organizations use a variety of Azure services and manage them from Azure Resource Manager based tools like:
+
+* Azure portal
+* Azure PowerShell
+* Azure CLI
+
+These tools can provide highly privileged access to resources, that can alter subscription-wide configurations, service settings, and subscription billing. To protect these privileged resources, Microsoft recommends requiring multi-factor authentication for any user accessing these resources.
+
+## User exclusions
+
+Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:
+
+* **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
+   * More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md).
+* **Service accounts** and **service principles**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services and allow programmatic access to applications. Service accounts should be excluded since MFA can’t be completed programmatically.
+   * If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
+
+## Create a Conditional Access policy
+
+The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multi-factor authentication.
+
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Browse to **Azure Active Directory** > **Conditional Access**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users and groups**
+   1. Under **Include**, select **All users**.
+   1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 
+   1. Select **Done**.
+1. Under **Cloud apps or actions** > **Include**, select **Select apps**, choose **Microsoft Azure Management**, and select **Select** then **Done**.
+1. Under **Access controls** > **Grant**, select **Grant access**, **Require multi-factor authentication**, and select **Select**.
+1. Confirm your settings and set **Enable policy** to **On**.
+1. Select **Create** to create to enable your policy.
+
+## Next steps
+
+[Conditional Access common policies](concept-conditional-access-policy-common.md)
+
+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
@@ -0,0 +1,49 @@
+---
+title: Conditional Access - Block legacy authentication - Azure Active Directory
+description: Create a custom Conditional Access policy to block legacy authentication protocols
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 08/16/2019
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
+ms.reviewer: calebb, rogoya
+
+ms.collection: M365-identity-device-management
+---
+# Conditional Access: Block legacy authentication
+
+Due to the increased risk associated with legacy authentication protocols, Microsoft recommends that organizations block authentication requests using these protocols and require modern authentication.
+
+## Create a Conditional Access policy
+
+The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multi-factor authentication.
+
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Browse to **Azure Active Directory** > **Conditional Access**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users and groups**
+   1. Under **Include**, select **All users**.
+   1. Under **Exclude**, select **Users and groups** and choose any accounts that must maintain the ability to use legacy authentication. 
+   1. Select **Done**.
+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
+   1. If you must exclude specific applications from your policy, you can choose them from the **Exclude** tab under **Select excluded cloud apps** and choose **Select**.
+   1. Select **Done**.
+1. Under **Conditions** > **Client apps (preview)**, set **Configure** to **Yes**.
+   1. Check only the boxes **Mobile apps and desktop clients** > **Other clients**.
+   2. Select **Done**.
+1. Under **Access controls** > **Grant**, select **Block access**.
+   1. Select **Select**.
+1. Confirm your settings and set **Enable policy** to **On**.
+1. Select **Create** to create to enable your policy.
+
+## Next steps
+
+[Conditional Access common policies](concept-conditional-access-policy-common.md)
+
+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
@@ -0,0 +1,55 @@
+---
+title: Conditional Access - Require compliant devices - Azure Active Directory
+description: Create a custom Conditional Access policy to require compliant devices
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 08/16/2019
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
+ms.reviewer: calebb, rogoya
+
+ms.collection: M365-identity-device-management
+---
+# Conditional Access: Require compliant devices
+
+Organizations who have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet compliance requirements such as:
+
+* Requiring a PIN to unlock
+* Requiring device encryption
+* Requiring a minimum or maximum operating system version
+* Requiring a device is not jailbroken or rooted
+
+This policy compliance information is forwarded to Azure AD where Conditional Access can make decisions to grant or block access to resources.
+
+## Create a Conditional Access policy
+
+The following steps will help create a Conditional Access policy to require devices accessing resources be marked as compliant with your organization's Intune compliance policies.
+
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Browse to **Azure Active Directory** > **Conditional Access**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users and groups**
+   1. Under **Include**, select **All users**.
+   1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 
+   1. Select **Done**.
+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
+   1. If you must exclude specific applications from your policy, you can choose them from the **Exclude** tab under **Select excluded cloud apps** and choose **Select**.
+   1. Select **Done**.
+1. Under **Access controls** > **Grant**, select **Require device to be marked as compliant**.
+   1. Select **Select**.
+1. Confirm your settings and set **Enable policy** to **On**.
+1. Select **Create** to create to enable your policy.
+
+## Next steps
+
+[Conditional Access common policies](concept-conditional-access-policy-common.md)
+
+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
+
+[Device compliance policies work with Azure AD](/intune/device-compliance-get-started.md#device-compliance-policies-work-with-azure-ad)