From d56f2e6b255f30896340e4bd13161205319bfbdf Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 23 Jan 2019 10:51:42 -0800 Subject: [PATCH 1/3] update azure steps --- ...dows-defender-advanced-threat-protection.md | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md index f5f0d320e5..8ae2466e2d 100644 --- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md @@ -11,7 +11,6 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 11/09/2018 --- # Use basic permissions to access the portal @@ -66,23 +65,8 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@C For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). ## Assign user access using the Azure portal +For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). -1. Go to the [Azure portal](https://portal.azure.com). - -2. Select **Azure Active Directory**. - -3. Select **Manage** > **Users and groups**. - -4. Select **Manage** > **All users**. - -5. Search or select the user you want to assign the role to. - -6. Select **Manage** > **Directory role**. - -7. Select **Add role** and choose the role you'd like to assign, then click **Select**. - - - ![Image of Microsoft Azure portal](images/atp-azure-assign-role.png) ## Related topic - [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) From 343f1ac15b71cc836fbbdcb0e9e62d8a19e94394 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 24 Jan 2019 13:48:15 -0800 Subject: [PATCH 2/3] remove en-us --- ...c-permissions-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md index 8ae2466e2d..9468f020d0 100644 --- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md @@ -65,7 +65,7 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@C For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). ## Assign user access using the Azure portal -For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). +For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). ## Related topic From ece4d6e323b439cf659f42aa4e99229ef42b09c7 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Fri, 25 Jan 2019 01:40:38 +0000 Subject: [PATCH 3/3] Merged PR 13951: Updates to Windows Hello for Business documentation Updating the documentation for Windows Hello for Business. --- .../hello-how-it-works-device-registration.md | 4 ++-- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 6 +++--- .../hello-for-business/hello-identity-verification.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md index a6b919a090..7f24f72843 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md @@ -77,8 +77,8 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning | Phase | Description | | :----: | :----------- | | A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.| -|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines directs device registration to Azure Device Registration Service (ADRS).| -|C | For the federated environments, the computer authenticates ADFS/STS using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task. +|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.| +|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task. |D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).| |E | To provide SSO for on-premises federated application, the task requests an enterprise PRT from the on-premises STS. Windows Server 2016 running the Active Directory Federation Services role validate the request and return it the running task.| |F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.| diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index cd06ba9e92..b6cbd28438 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastructure](#public-key-infrastructure) +* [Public Key Infrastucture](#public-key-infastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authentication](#multifactor-authentication) @@ -114,9 +114,9 @@ Organizations wanting to deploy hybrid key trust need their domain joined device
### Next Steps ### -Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. +Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. -For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**. +For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Syncrhonization**. For federated and non-federated environments, start with **Configure Windows Hello for Business settings**. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 4d03a84747..9c0f5c3a35 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -39,7 +39,7 @@ Windows Hello addresses the following problems with passwords: * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory ### Hybrid Deployments -The table shows the minimum requirements for each deployment. +The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. | Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | | --- | --- | --- | --- |