From 7fdc32eddcb7a53ba02eab20d9bdb1fe6789bdc9 Mon Sep 17 00:00:00 2001
From: msft-bob <82617611+msft-bob@users.noreply.github.com>
Date: Thu, 15 Apr 2021 15:59:36 -0700
Subject: [PATCH] Update policy-csp-authentication.md
Update to add description of new ConfigureWebSignInAllowedUrls policy.
---
.../mdm/policy-csp-authentication.md | 65 +++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 51f56ffbbb..0edf2ca1ef 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -37,6 +37,9 @@ manager: dansimp
Authentication/AllowSecondaryAuthenticationDevice
+
+ Authentication/ConfigureWebSignInAllowedUrls
+
Authentication/EnableFastFirstSignIn
@@ -359,6 +362,68 @@ The following list shows the supported values:
+
+**Authentication/ConfigureWebSignInAllowedUrls**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+  |
+
+
+ | Pro |
+  4 |
+
+
+ | Business |
+ 4 |
+
+
+ | Enterprise |
+ 4 |
+
+
+ | Education |
+ 4 |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10, version 1803. Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a 3rd party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092).
+
+Example: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**Authentication/EnableFastFirstSignIn**