Merge pull request #7042 from MicrosoftDocs/main
2/20/2025 AM Publish
Taojunshen authored Feb 20, 2025
2 parents b0984a6 + 200b7f2 commit 03c4cce
Showing 11 changed files with 20 additions and 19 deletions.
1 change: 1 addition & 0 deletions docs/global-secure-access/scripts/powershell-get-token.md
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ $folderPath = "C:\Program Files\Microsoft Entra private network connector\Module
# Check if the Module exists
if (Test-Path -Path $folderPath) {
Write-Host "The Module is successfully made available at path: $folderPath"
}
# Set the prompt path to C:\Program Files\Microsoft Entra private network connector\Modules\MicrosoftEntraPrivateNetworkConnectorPSModule
cd "C:\Program Files\Microsoft Entra private network connector\Modules\MicrosoftEntraPrivateNetworkConnectorPSModule"
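Review bot: the added `cd` line hard-codes the same path that `$folderPath` already holds two lines up, so the two can drift apart on a future edit; use the variable and the cmdlet name, e.g. `Set-Location -Path $folderPath`. The line also runs unconditionally, so when `Test-Path` fails the script prints nothing and the change-directory then throws a path-not-found error; moving it inside the `if` block (or adding an `else` that stops the script) keeps the existence check meaningful. The preceding comment, which spells out the full path a second time, can then be shortened to "Change to the module folder".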
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,7 @@ The following files are collected:
| - | - |
|Application-Crash.evtx|Application log filtered by event ID 1001. This log is useful when services are crashing.|
|BindingNetworkDrivers.txt|Result of "Get-NetAdapterBinding -AllBindings -IncludeHidden" showing all the modules bound to network adapters. This output is useful to identify if non-Microsoft drivers are bound to the network stack|
|ClientChecker.log|Results of the Global Secure Access client health checks. These results are easier to analyze if you load the zip file in the Global Secure Access client (see [Analyze Global Secure Access client logs on a dfferent device than where they were collected](troubleshoot-global-secure-access-client-advanced-diagnostics.md#Analyze Global Secure Access client logs on a dfferent device than where they were collected)|
|ClientChecker.log|Results of the Global Secure Access client health checks. These results are easier to analyze if you load the zip file in the Global Secure Access client, see [Analyze Global Secure Access client logs on a different device than where they were collected](troubleshoot-global-secure-access-client-advanced-diagnostics.md#analyze-global-secure-access-client-logs-on-a-different-device-than-where-they-were-collected)|
|DeviceInformation.log|Environment variables including OS version and Global Secure Access client version.|
|dsregcmd.txt|Output of dsregcmd /status showing device state including Microsoft Entra Joined, Hybrid Joined, PRT details, and Windows Hello for Business details|
|filterDriver.txt|Windows Filtering Platform filters|
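Review bot: the replacement row fixes three things at once and is correct as written: the "dfferent" typo, the heading anchor (a fragment with spaces never resolves; the lowercase hyphenated slug does), and the "(see ..." parenthesis that was never closed. One consistency point for the same table, since it is being touched: the descriptions for BindingNetworkDrivers.txt, dsregcmd.txt and filterDriver.txt have no terminal period while Application-Crash.evtx and DeviceInformation.log do; adding the periods makes the column uniform.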
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ After administrators confirm the settings using [report-only mode](howto-conditi

## Authentication transfer policies

The ability to control [authentication transfer](concept-authentication-transfer.md) is in preview, use the **Authentication flows** condition in Conditional Access to manage the feature. You might want to block authentication transfer if you don’t want users to transfer authentication from their PC to a mobile device. For example, if you don’t allow Outlook to be used on personal devices by certain groups. Blocking authentication transfer can be done with the following Conditional Access policy:
Use the **Authentication flows** condition in Conditional Access to manage the feature. You might want to block [authentication transfer](concept-authentication-transfer.md) if you don’t want users to transfer authentication from their PC to a mobile device. For example, if you don’t allow Outlook to be used on personal devices by certain groups. Blocking authentication transfer can be done with the following Conditional Access policy:

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Protection** > **Conditional Access**.
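Review bot: dropping the preview sentence leaves "to manage the feature" in the new opening sentence with nothing to refer to, because "authentication transfer" is now first named only in the sentence that follows. Suggested wording: "Use the **Authentication flows** condition in Conditional Access to manage [authentication transfer](concept-authentication-transfer.md). You might want to block it if you don't want users to transfer authentication from their PC to a mobile device, for example if you don't allow Outlook to be used on personal devices by certain groups." That also folds in the fragment "For example, if you don't allow Outlook ... by certain groups.", which is not a complete sentence on its own.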
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -185,8 +185,8 @@ With password hash synchronization enabled, this AD password hash is synced with
> Previously, when SCRIL was re-enabled and a new randomized AD password was generated, the user was still able to use their old password to authenticate to Microsoft Entra ID. Now, Connect Sync has been updated so that new randomized AD password is synced to Microsoft Entra ID and the old password cannot be used once smart card login is enabled.
>
> We recommend that admins person any of the below actions if they have users with a SCRIL bit in their AD Domain
> 1. Perform a full PHS sync as per [this guide](tshoot-connect-password-hash-synchronization.md) to ensure password of SCRIL users is scrambled
> 2. Scramble the password of each user by toggling SCRIL settings or directly changing the user's passwords
> 1. Perform a full PHS sync as per [this guide](tshoot-connect-password-hash-synchronization.md) to ensure the passwords of all SCRIL users are scrambled
> 2. Scramble the password of an individual user by toggling SCRIL settings off then back on or directly changing the user's password
> 3. Periodically rotate the passwords for SCRIL users. Eventually all such users will have their passwords scrambled
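Review bot: the unchanged line directly above the edited list still reads "We recommend that admins person any of the below actions", which should be "perform"; since this PR already rewrites the two items under it, fix the verb in the same change. In the same note block, "so that new randomized AD password is synced" is missing "the" before "new", and "the old password cannot be used once smart card login is enabled" could state the consequence more plainly as "the old password no longer works". The reworded items 1 and 2 are clearer than before; "toggling SCRIL settings off then back on" removes the ambiguity of the previous "toggling SCRIL settings".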

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -431,33 +431,33 @@ Write-Host
You can trigger a full sync of all passwords by using the following script:

1. Assign the local Active Directory *$adConnector* value
1. Assign the local Active Directory **$adConnector** value

```$adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"```

2. Assign the AzureAD *$aadConnector* value
2. Assign the AzureAD **$aadConnector** value

```$aadConnector = "<CASE SENSITIVE AAD CONNECTOR NAME>"```

3. Install the AzureAD Sync Module

```Import-Module adsync```

4. Create a new Force Full Password Sync configuration oarameter object
4. Create a new Force Full Password Sync configuration parameter object

```$c = Get-ADSyncConnector -Name $adConnector```

5. Update the existing connector with the following new configurations. Run each line separately

```$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null```
a. ```$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null```

```$p.Value = 1```
b. ```$p.Value = 1```

```$c.GlobalParameters.Remove($p.Name)```
c. ```$c.GlobalParameters.Remove($p.Name)```

```$c.GlobalParameters.Add($p)```
d. ```$c.GlobalParameters.Add($p)```

```$c = Add-ADSyncConnector -Connector $c```
e. ```$c = Add-ADSyncConnector -Connector $c```

6. Disable Entra ID Connect
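Review bot: the label of step 4 ("Create a new Force Full Password Sync configuration parameter object") still does not match the command under it, `$c = Get-ADSyncConnector -Name $adConnector`, which retrieves the connector; the parameter object is created in step 5a. Relabel step 4 as "Get the AD connector object", and step 3 as "Import the ADSync module", since `Import-Module adsync` imports rather than installs. On the new a./b./c./d./e. prefixes: they will not render as a nested list unless the lines are indented under item 5, and single-line triple-backtick spans render as inline code rather than a code block, so the five commands are awkward to copy. One indented fenced block tagged `powershell` holding the five lines in order (the text already says to run them one at a time) would be both easier to read and easier to paste. The step-1 and step-2 change from italics to bold for `$adConnector` and `$aadConnector` is fine, but inline backticks would mark them as code, consistent with the commands below.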

Expand Down
2 changes: 1 addition & 1 deletion docs/standards/nist-authenticator-assurance-level-1.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ To achieve AAL1, you can use any NIST single-factor or multifactor [permitted au

|Microsoft Entra authentication method|NIST authenticator type |
| - | - |
|Password |Memorized Secret |
|Password <br> QR Code (PIN) |Memorized Secret |
|Phone (SMS): Not recommended | Single-factor out-of-band |
|Microsoft Authenticator app (Phone Sign-In)|Multi-factor out-of-band |
|Single-factor software certificate | Single-factor crypto software |
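Review bot: the new row entry "QR Code (PIN)" attributes the memorized secret to the QR code, whereas the memorized-secret claim rests on the PIN; a reader may take the QR code itself as the secret. Consider "QR code with PIN" (or "QR code authentication (PIN)"), and use the same wording in the AAL2, AAL3 and authenticator-types tables changed in this PR so the method is named identically everywhere. The trailing space before the cell separator in "Password <br> QR Code (PIN) |" is harmless but inconsistent with the other rows.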
Expand Down
8 changes: 4 additions & 4 deletions docs/standards/nist-authenticator-assurance-level-2.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,10 @@ The following table has authenticator types permitted for AAL2:
| Multi-factor hardware protected certificate <br> FIDO 2 security key <br> Platform SSO for macOS (Secure Enclave) <br> Windows Hello for Business with hardware TPM <br> Passkey in Microsoft Authenticator | Yes | Multi-factor crypto hardware |
| **Additional methods** |
| Microsoft Authenticator app (Phone Sign-in) | No | Multi-factor out-of-band|
| Password <br> **AND** <br>- Microsoft Authenticator app (Push Notification) <br>- **OR** <br>- Microsoft Authenticator Lite (Push Notification) <br>- **OR** <br>- Phone (SMS) | No | Memorized secret <br>**AND**<br> Single-factor out-of-band |
| Password <br> **AND** <br>- OATH hardware tokens (preview) <br>- **OR**<br>- Microsoft Authenticator app (OTP)<br>- **OR**<br>- Microsoft Authenticator Lite (OTP)<br>- **OR** <br>- OATH software tokens | No | Memorized secret <br>**AND** <br>Single-factor OTP|
| Password <br>**AND** <br>- Single-factor software certificate <br>- **OR**<br>- Microsoft Entra joined with software TPM <br>- **OR**<br>- Microsoft Entra hybrid joined with software TPM <br>- **OR**<br>- Compliant mobile device | Yes<sup>1</sup> | Memorized secret <br>**AND**<br> Single-factor crypto software |
| Password <br>**AND**<br>- Microsoft Entra joined with hardware TPM <br>- **OR**<br>- Microsoft Entra hybrid joined with hardware TPM| Yes<sup>1</sup> | Memorized secret <br>**AND**<br>Single-factor crypto hardware |
| Password **OR** QR Code (PIN) <br> **AND** <br>- Microsoft Authenticator app (Push Notification) <br>- **OR** <br>- Microsoft Authenticator Lite (Push Notification) <br>- **OR** <br>- Phone (SMS) | No | Memorized secret <br>**AND**<br> Single-factor out-of-band |
| Password **OR** QR Code (PIN) <br>**AND** <br>- OATH hardware tokens (preview) <br>- **OR**<br>- Microsoft Authenticator app (OTP)<br>- **OR**<br>- Microsoft Authenticator Lite (OTP)<br>- **OR** <br>- OATH software tokens | No | Memorized secret <br>**AND** <br>Single-factor OTP|
| Password **OR** QR Code (PIN) <br>**AND** <br>- Single-factor software certificate <br>- **OR**<br>- Microsoft Entra joined with software TPM <br>- **OR**<br>- Microsoft Entra hybrid joined with software TPM <br>- **OR**<br>- Compliant mobile device | Yes<sup>1</sup> | Memorized secret <br>**AND**<br> Single-factor crypto software |
| Password **OR** QR Code (PIN) <br>**AND**<br>- Microsoft Entra joined with hardware TPM <br>- **OR**<br>- Microsoft Entra hybrid joined with hardware TPM| Yes<sup>1</sup> | Memorized secret <br>**AND**<br>Single-factor crypto hardware |

<sup>1</sup> [Protection from external phishing](../standards/memo-22-09-multi-factor-authentication.md#protection-from-external-phishing)
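Review bot: the four changed rows now read "Password **OR** QR Code (PIN) <br> **AND** <br>- ... <br>- **OR** <br>- ...", which mixes OR and AND at the same level with no grouping, so the intended reading (either memorized secret, combined with any one of the listed second factors) is not unambiguous from the table. Grouping the first alternative makes it explicit, e.g. "(Password **OR** QR Code (PIN)) <br> **AND** <br>...", or put the two memorized-secret options on separate lines the way the NIST-type column already separates "Memorized secret" from "Single-factor out-of-band". Whichever form is chosen, apply it identically in the AAL3 table changed below.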

Expand Down
2 changes: 1 addition & 1 deletion docs/standards/nist-authenticator-assurance-level-3.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ Use Microsoft authentication methods to meet required NIST authenticator types.
| **Recommended methods**| |
| Multi-factor hardware protected certificate <br> FIDO 2 security key <br> Platform SSO for macOS (Secure Enclave) <br> Windows Hello for Business with hardware TPM <br> Passkey in Microsoft Authenticator<sup>1</sup>| Multi-factor cryptographic hardware |
| **Additional methods**||
|Password<br>**AND**<br>Single-factor hardware protected certificate|Memorized secret <br>**AND**<br>Single-factor cryptographic hardware|
|Password **OR** QR Code (PIN) <br>**AND**<br>Single-factor hardware protected certificate|Memorized secret <br>**AND**<br>Single-factor cryptographic hardware|

<sup>1</sup> Passkey in Microsoft Authenticator is overall considered partial AAL3 and can qualify as AAL3 on platforms with FIPS 140 Level 2 Overall (or higher) and FIPS 140 level 3 physical security (or higher). For additional information on FIPS 140 compliance for Microsoft Authenticator (iOS/Android) See [FIPS 140 compliant for Microsoft Entra authentication](~/identity/authentication/concept-authentication-authenticator-app.md#fips-140-compliant-for-microsoft-entra-authentication)
### Recommendations
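Review bot: same grouping concern as the AAL2 table: "Password **OR** QR Code (PIN) <br>**AND**<br>Single-factor hardware protected certificate" should group the two memorized-secret alternatives, e.g. "(Password **OR** QR Code (PIN))", so the AND is read as applying to both. Two points on the unchanged context just below the row: the footnote sentence "For additional information on FIPS 140 compliance ... See [FIPS 140 compliant ...]" has a capitalized "See" mid-sentence and no terminal period, and the "### Recommendations" heading follows it with no blank line, which some Markdown renderers need to recognize the heading.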
Expand Down
2 changes: 1 addition & 1 deletion docs/standards/nist-authenticator-types.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ The authentication process begins when a claimant asserts its control of one of

|NIST authenticator type| Microsoft Entra authentication method|
| - | - |
|Memorized secret <br> (something you know)| Password|
|Memorized secret <br> (something you know)| Password <br> QR Code (PIN)|
|Look-up secret <br> (something you have)| None|
|Single-factor out-of-band <br>(something you have)| Microsoft Authenticator app (Push Notification) <br> Microsoft Authenticator Lite (Push Notification) <br> Phone (SMS): Not recommended |
Multi-factor Out-of-band <br> (something you have + something you know/are) | Microsoft Authenticator app (Phone Sign-In) |
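Review bot: the changed row "Memorized secret <br> (something you know)| Password <br> QR Code (PIN)|" should use the same wording chosen for the AAL1 table in this PR (the PIN, not the QR code, is the memorized secret). On the unchanged context: the last row, "Multi-factor Out-of-band <br> (something you have + something you know/are) | ...", lacks the leading pipe that every other row has, and capitalizes "Out-of-band" where the row above writes "out-of-band"; worth fixing while this table is open.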
Expand Down

0 comments on commit 03c4cce
