Spelling Fixes and Markdown #1323

Merged
merged 3 commits into from
Feb 18, 2025
2 changes: 1 addition & 1 deletion docs/architecture/1-secure-access-posture.md
Expand Up @@ -30,7 +30,7 @@ IT teams can delegate partner access to empower employees to collaborate with pa

Compile and assess your organizations scenarios to help assess employee versus business partner access to resources. Financial institutions might have compliance standards that restrict employee access to resources such as account information. Conversely, the same institutions can enable delegated partner access for projects such as marketing campaigns.

![Diagram of a balance of IT team goverened access to partner self-service.](media/secure-external-access/1-scenarios.png)
![Diagram of a balance of IT team governed access to partner self-service.](media/secure-external-access/1-scenarios.png)

### Scenario considerations

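Review bot: the alt-text correction ("goverened" to "governed") is right, but the unchanged context line directly above still reads "Compile and assess your organizations scenarios", which needs the possessive "organization's scenarios"; since this file is already being touched for spelling, fold that in. The same sentence also uses "assess" twice ("Compile and assess ... to help assess"); "Compile your organization's scenarios to help assess" reads cleaner.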
4 changes: 2 additions & 2 deletions docs/architecture/b2c-deployment-plans.md
Expand Up @@ -148,9 +148,9 @@ Use the following checklist for delivery.
|---|---|
|Protocol information| Gather the base path, policies, and metadata URL of both variants. </br>Specify attributes such as sample sign-in, client application ID, secrets, and redirects.|
|Application samples | See, [Azure Active Directory B2C code samples](/azure/active-directory-b2c/integrate-with-app-code-samples).|
|Penetration testing | Inform your operations team about pen tests, then test user flows including the OAuth implementation. </br>See, [Penetration testing](/azure/security/fundamentals/pen-testing) and [Penetration testing rules of engagement](https://www.microsoft.com/msrc/pentest-rules-of-engagement).
|Penetration testing | Inform your operations team about pen tests, then test user flows including the OAuth implementation. </br>See, [Penetration testing](/azure/security/fundamentals/pen-testing) and [Penetration testing rules of engagement](https://www.microsoft.com/msrc/pentest-rules-of-engagement).|
| Unit testing | Unit test and generate tokens. </br>See, [Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials](~/identity-platform/v2-oauth-ropc.md). </br>If you reach the Azure AD B2C token limit, see [Azure AD B2C: File Support Requests](/azure/active-directory-b2c/find-help-open-support-ticket). </br>Reuse tokens to reduce investigation on your infrastructure. </br>[Set up a resource owner password credentials flow in Azure Active Directory B2C](/azure/active-directory-b2c/add-ropc-policy?pivots=b2c-user-flow&tabs=app-reg-ga). You shouldn't use ROPC flow to authenticate users in your apps.|
| Load testing | Learn about [Azure AD B2C service limits and restrictions](/azure/active-directory-b2c/service-limits). </br>Calculate the expected authentications and user sign-ins per month. </br>Assess high load traffic durations and business reasons: holiday, migration, and event. </br>Determine expected peak rates for sign-up, traffic, and geographic distribution, for example per second.
| Load testing | Learn about [Azure AD B2C service limits and restrictions](/azure/active-directory-b2c/service-limits). </br>Calculate the expected authentications and user sign-ins per month. </br>Assess high load traffic durations and business reasons: holiday, migration, and event. </br>Determine expected peak rates for sign-up, traffic, and geographic distribution, for example per second.|

### Security

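Review bot: adding the trailing "|" to the Penetration testing and Load testing rows is the right fix for the broken table, but every row in this hunk uses "</br>" as a line break, which is a closing tag with no opening counterpart and not valid HTML; markdown renderers usually tolerate it, but "<br>" is the correct form and matches the "<br>" used in the other tables in this PR. The "See, [link]" phrasing (comma after "See") in the Application samples, Penetration testing and Unit testing rows is also non-standard; "See [link]" is enough.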
2 changes: 1 addition & 1 deletion docs/architecture/deployment-plans.md
Expand Up @@ -26,7 +26,7 @@ When beginning your deployment plans, include your key stakeholders. Identify an
|End users|The people for whom the service is implemented. Users can participate in a pilot program.|
|IT Support Manager|Provides input on the supportability of proposed changes |
|Identity architect |Defines how the change aligns with identity management infrastructure|
|Application business owner |Owns the affected applications, which might include access management. Provides input on the user experience.
|Application business owner |Owns the affected applications, which might include access management. Provides input on the user experience.|
|Security owner|Confirms the change plan meets security requirements|
|Compliance Manager|Ensures compliance with corporate, industry, or governmental requirements|

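Review bot: the trailing "|" on the Application business owner row is correct. While here, the role column mixes title case ("IT Support Manager", "Compliance Manager") with sentence case ("Identity architect", "Security owner", "Application business owner"), and the description column is inconsistent about terminal periods ("Users can participate in a pilot program." versus "Provides input on the supportability of proposed changes |", which also carries a stray space before the pipe); pick one convention for the table.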
2 changes: 1 addition & 1 deletion docs/architecture/permissions-manage-ops-guide-alerts.md
Expand Up @@ -85,7 +85,7 @@ Permissions analytics alerts play a key role in the recommended Discover-Remedia

Learn more in the article, [create and view a permission analytics trigger](~/permissions-management/product-permission-analytics.md).

The following list of recommended permissions analytics alerts is for supported cloud environments. Add more permissions analytics alerts as needed. The recommendations for Microsoft Azure, Amazone Web Services (AWS), and Google Cloud Platform (GCP) don’t reflect a particular environment.
The following list of recommended permissions analytics alerts is for supported cloud environments. Add more permissions analytics alerts as needed. The recommendations for Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) don’t reflect a particular environment.

**Azure: Permissions analytics alerts recommendations**

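Review bot: "Amazone" to "Amazon" is correct. The context line above links to "create and view a permission analytics trigger" (singular "permission"), while the changed sentence and the bold heading below use "permissions analytics"; align on one term, since this is the feature name.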
2 changes: 1 addition & 1 deletion docs/architecture/permissions-manage-ops-guide-three.md
Expand Up @@ -53,7 +53,7 @@ Use Permissions Management to create and save custom audit queries that others v

**Review administrator and privileged account activity**

![Diagram of a query to review admin and privelged account activity.](./media/permissions-manage-ops-guide/admin-privileged-account-activity.png)
![Diagram of a query to review admin and privileged account activity.](./media/permissions-manage-ops-guide/admin-privileged-account-activity.png)

**Review high-risk permissions usage**

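Review bot: "privelged" to "privileged" is correct. One style point on the same line: the image path is written as "./media/permissions-manage-ops-guide/...", whereas the other image reference fixed in this PR (docs/architecture/1-secure-access-posture.md) uses the bare "media/..." form; the "./" prefix is harmless but inconsistent within the docs set.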
8 changes: 4 additions & 4 deletions docs/architecture/resilience-in-credentials.md
Expand Up @@ -39,10 +39,10 @@ For second factors, the Microsoft Authenticator app or other authenticator apps
## Additional Detail on External (Non-Entra) Dependencies
|Authentication Method|External (Non-Entra) Dependency|More Information|
|---------------------|-------------------------------|---|
|Certificate Based Authentication (CBA)|In most cases (depending on configuration) CBA will require a revocation check. This adds an external dependency on the CRL distribution point (CDP) |[Understanding the certificate revocation process](~/identity/authentication/concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-certificate-revocation-process)
|Pass Through Authentication (PTA)|PTA uses on-premise agents to process the password authentication.|[How does Microsoft Entra pass-through authentication work?](~/identity/hybrid/connect/how-to-connect-pta-how-it-works.md#how-does-microsoft-entra-pass-through-authentication-work)
|Federation| Federation server(s) must be online and available to process the authentication attempt|[High availability cross-geographic AD FS deployment in Azure with Azure Traffic Manager](/windows-server/identity/ad-fs/deployment/active-directory-adfs-in-azure-with-azure-traffic-manager)
|External Authentication Methods (EAM)| EAM provides a path for customers to use external MFA providers.|[Manage an external authentication method in Microsoft Entra ID (Preview)](~/identity/authentication/how-to-authentication-external-method-manage.md)
|Certificate Based Authentication (CBA)|In most cases (depending on configuration) CBA will require a revocation check. This adds an external dependency on the CRL distribution point (CDP) |[Understanding the certificate revocation process](~/identity/authentication/concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-certificate-revocation-process)|
|Pass Through Authentication (PTA)|PTA uses on-premise agents to process the password authentication.|[How does Microsoft Entra pass-through authentication work?](~/identity/hybrid/connect/how-to-connect-pta-how-it-works.md#how-does-microsoft-entra-pass-through-authentication-work)|
|Federation| Federation server(s) must be online and available to process the authentication attempt|[High availability cross-geographic AD FS deployment in Azure with Azure Traffic Manager](/windows-server/identity/ad-fs/deployment/active-directory-adfs-in-azure-with-azure-traffic-manager)|
|External Authentication Methods (EAM)| EAM provides a path for customers to use external MFA providers.|[Manage an external authentication method in Microsoft Entra ID (Preview)](~/identity/authentication/how-to-authentication-external-method-manage.md)|

## How do multiple credentials help resilience?

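Review bot: the trailing "|" on all four rows is the right fix. Since the PTA row is already being rewritten, "on-premise agents" should be "on-premises agents" (the premises are plural), and the CBA row's "CBA will require a revocation check" could drop the future tense ("requires"). The heading "## Additional Detail on External (Non-Entra) Dependencies" is title case, while the next heading in the hunk ("## How do multiple credentials help resilience?") is sentence case.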
10 changes: 5 additions & 5 deletions docs/architecture/security-operations-consumer-accounts.md
Expand Up @@ -98,12 +98,12 @@ Use the remainder of the article for recommendations on what to monitor and aler
| Account disabled or blocked for sign-ins | low | Microsoft Entra sign-in log | Status = Failure<br>-and-<br>Target = User UPN<br>-and-<br>error code = 50057 | The event could indicate someone trying to gain account access after they've left the organization. Although the account is blocked, log and alert this activity. |
| MFA fraud alert or block | High | Microsoft Entra sign-in log/Azure Log Analytics | Sign-ins>Authentication details<br> Result details = MFA denied, fraud code entered | Privileged user indicates they haven't instigated the MFA prompt, which could indicate an attacker has the account password. |
| MFA fraud alert or block | High | Microsoft Entra sign-in log/Azure Log Analytics | Activity type = Fraud reported - User is blocked for MFA or fraud reported - No action taken, based on fraud report tenant-level settings | Privileged user indicated no instigation of the MFA prompt. The scenario can indicate an attacker has the account password. |
| Privileged account sign-ins outside of expected controls | High | Microsoft Entra sign-in log | Status = Failure<br>UserPricipalName = \<Admin account> <br> Location = \<unapproved location> <br> IP address = \<unapproved IP><br>Device info = \<unapproved Browser, Operating System> | Monitor and alert entries you defined as unapproved. |
| Privileged account sign-ins outside of expected controls | High | Microsoft Entra sign-in log | Status = Failure<br>UserPrincipalName = \<Admin account> <br> Location = \<unapproved location> <br> IP address = \<unapproved IP><br>Device info = \<unapproved Browser, Operating System> | Monitor and alert entries you defined as unapproved. |
| Outside of normal sign-in times | High | Microsoft Entra sign-in log | Status = Success<br>-and-<br>Location =<br>-and-<br>Time = Outside of working hours | Monitor and alert if sign-ins occur outside expected times. Find the normal working pattern for each privileged account and alert if there are unplanned changes outside normal working times. Sign-ins outside normal working hours could indicate compromise or possible insider threat. |
| Password change | High | Microsoft Entra audit logs | Activity actor = Admin/self-service<br>-and-<br>Target = User<br>-and-<br>Status = Success or failure | Alert when any administrator account password changes. Write a query for privileged accounts. |
| Changes to authentication methods | High | Microsoft Entra audit logs | Activity: Create identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | The change could indicate an attacker adding an auth method to the account to have continued access. |
| Identity Provider updated by nonapproved actors | High | Microsoft Entra audit logs | Activity: Update identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | The change could indicate an attacker adding an auth method to the account to have continued access. |
Identity Provider deleted by nonapproved actors | High | Microsoft Entra access reviews | Activity: Delete identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | The change could indicate an attacker adding an auth method to the account to have continued access. |
|Identity Provider deleted by nonapproved actors | High | Microsoft Entra access reviews | Activity: Delete identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | The change could indicate an attacker adding an auth method to the account to have continued access. |

## Applications

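Review bot: "UserPricipalName" to "UserPrincipalName" and the missing leading "|" on the last row are both correct, but two issues remain in the rows this hunk touches. The "Identity Provider deleted by nonapproved actors" row lists "Microsoft Entra access reviews" as the data source while the Create and Update rows directly above use "Microsoft Entra audit logs"; a "Delete identity provider" activity is an audit-log event, so this looks like a copy error. Its notes column also repeats the Create/Update text ("an attacker adding an auth method"), which does not describe a deletion. Separately, the "Outside of normal sign-in times" row has an empty "Location =" clause in its filter, and two rows share the title "MFA fraud alert or block".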
Expand All @@ -120,7 +120,7 @@ Identity Provider deleted by nonapproved actors | High | Microsoft Entra access
| Redirect URI configuration changes | High | Microsoft Entra logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Success – Property Name AppAddress | Look for URIs not using HTTPS*, URIs with wildcards at the end or the domain of the URL, URIs that are **not** unique to the application, URIs that point to a domain you don't control. |
| Changes to AppID URI | High | Microsoft Entra logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Activity: Update Service principal | Look for AppID URI modifications, such as adding, modifying, or removing the URI. |
| Changes to application ownership | Medium | Microsoft Entra logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Add owner to application | Look for instances of users added as application owners outside normal change management activities. |
| Changes to sign out URL | Low | Microsoft Entra logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle | Look for modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.
| Changes to sign out URL | Low | Microsoft Entra logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle | Look for modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.|

## Infrastructure

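Review bot: the trailing "|" on the sign out URL row is correct, but that same row still says "Activity: Update service principle", which should be "Update service principal" (the object type); the "Changes to AppID URI" row two lines up spells it "Update Service principal", so the hunk now carries both forms. "sign out URL" would also normally be hyphenated as an adjective ("sign-out URL"), matching the "sign-in" used throughout this file.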
Expand All @@ -137,10 +137,10 @@ Identity Provider deleted by nonapproved actors | High | Microsoft Entra access
| User flow deleted by nonapproved actors | Medium | Microsoft Entra audit logs| Activity: Delete user flow<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on user flow changes. Initiated by (actor): approved to make changes to user flows? |
| API connectors created by nonapproved actors | Medium | Microsoft Entra audit logs| Activity: Create API connector<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert API connector changes. Initiated by (actor): approved to make changes to API connectors? |
| API connectors updated by nonapproved actors | Medium | Microsoft Entra audit logs| Activity: Update API connector<br>Category: ResourceManagement<br>Target: User Principal Name: ResourceManagement | Monitor and alert API connector changes. Initiated by (actor): approved to make changes to API connectors? |
| API connectors deleted by nonapproved actors | Medium | Microsoft Entra audit logs|Activity: Update API connector<br>Category: ResourceManagment<br>Target: User Principal Name: ResourceManagment | Monitor and alert API connector changes. Initiated by (actor): approved to make changes to API connectors? |
| API connectors deleted by nonapproved actors | Medium | Microsoft Entra audit logs|Activity: Update API connector<br>Category: ResourceManagement<br>Target: User Principal Name: ResourceManagement | Monitor and alert API connector changes. Initiated by (actor): approved to make changes to API connectors? |
| Identity provider (IdP) created by nonapproved actors | High |Microsoft Entra audit logs | Activity: Create identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert IdP changes. Initiated by (actor): approved to make changes to IdP configuration? |
| IdP updated by nonapproved actors | High | Microsoft Entra audit logs| Activity: Update identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert IdP changes. Initiated by (actor): approved to make changes to IdP configuration? |
IdP deleted by nonapproved actors | Medium | Microsoft Entra audit logs| Activity: Delete identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert IdP changes. Initiated by (actor): approved to make changes to IdP configuration? |
| IdP deleted by nonapproved actors | Medium | Microsoft Entra audit logs| Activity: Delete identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert IdP changes. Initiated by (actor): approved to make changes to IdP configuration? |


## Next steps
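Review bot: "ResourceManagment" to "ResourceManagement" and the leading "|" on the IdP deleted row are correct. However, the "API connectors deleted by nonapproved actors" row still filters on "Activity: Update API connector", which is the same activity as the "updated" row above it; for the deleted case it should presumably be "Delete API connector", following the Create/Update/Delete pattern of the user-flow and IdP rows in this table. The "Target: User Principal Name: ResourceManagement" value on the updated and deleted rows also looks like a copy-paste remnant of the Category cell.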
4 changes: 2 additions & 2 deletions docs/architecture/security-operations-infrastructure.md
Expand Up @@ -281,8 +281,8 @@ Monitor changes to Conditional Access policies using the following information:
| New Conditional Access Policy created by non-approved actors|Medium | Microsoft Entra audit logs|Activity: Add Conditional Access policy<br><br>Category: Policy<br><br>Initiated by (actor): User Principal Name | Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
|Conditional Access Policy removed by non-approved actors|Medium|Microsoft Entra audit logs|Activity: Delete Conditional Access policy<br><br>Category: Policy<br><br>Initiated by (actor): User Principal Name|Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
|Conditional Access Policy updated by non-approved actors|Medium|Microsoft Entra audit logs|Activity: Update Conditional Access policy<br><br>Category: Policy<br><br>Initiated by (actor): User Principal Name|Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access?<br><br>Review Modified Properties and compare “old” vs “new” value<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
|Removal of a user from a group used to scope critical Conditional Access policies|Medium|Microsoft Entra audit logs|Activity: Remove member from group<br><br>Category: GroupManagement<br><br>Target: User Principal Name|Montior and Alert for groups used to scope critical Conditional Access Policies.<br><br>"Target" is the user that has been removed.<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
|Addition of a user to a group used to scope critical Conditional Access policies|Low|Microsoft Entra audit logs|Activity: Add member to group<br><br>Category: GroupManagement<br><br>Target: User Principal Name|Montior and Alert for groups used to scope critical Conditional Access Policies.<br><br>"Target" is the user that has been added.<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
|Removal of a user from a group used to scope critical Conditional Access policies|Medium|Microsoft Entra audit logs|Activity: Remove member from group<br><br>Category: GroupManagement<br><br>Target: User Principal Name|Monitor and Alert for groups used to scope critical Conditional Access Policies.<br><br>"Target" is the user that has been removed.<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
|Addition of a user to a group used to scope critical Conditional Access policies|Low|Microsoft Entra audit logs|Activity: Add member to group<br><br>Category: GroupManagement<br><br>Target: User Principal Name|Monitor and Alert for groups used to scope critical Conditional Access Policies.<br><br>"Target" is the user that has been added.<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

## Next steps

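Review bot: "Montior" to "Monitor" is correct on both rows. Style: "Monitor and Alert for groups" capitalizes "Alert" mid-sentence, whereas the Conditional Access rows above use "Monitor and alert on"; lower-case it and consider "alert on" for consistency. Note also that this file uses "non-approved actors" while docs/architecture/security-operations-consumer-accounts.md, touched in the same PR, uses "nonapproved actors"; the two should agree.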