
Commit 66e2103

Merge pull request #54138 from MicrosoftDocs/main
Auto Publish – main to live - 2026-04-07 17:00 UTC
2 parents 5ce787d + e3740f2 commit 66e2103

14 files changed

Lines changed: 123 additions & 61 deletions

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/12-summary-resources.md

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ Copilot can assist you in designing Azure infrastructure solutions. Copilot can
1616

1717
- Read about [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/).
1818

19-
- Research business-to-customer solutions with [Azure AD B2C](/azure/active-directory-b2c/overview).
19+
- Research business-to-customer solutions with [Microsoft Entra External ID](/entra/external-id/customers/overview-customers-ciam).
2020

2121
- Get more information about [Azure role-based access control (RBAC)](/azure/role-based-access-control/overview).
2222
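Review bot: the Microsoft Entra ID resource on line 17 still links to https://azure.microsoft.com/services/active-directory/, while this same PR moves the equivalent link in 2-design-for-identity-access-management.md to /entra/identity/; update line 17 as well so the summary resources agree with the unit they summarize. The External ID replacement on line 19 is otherwise fine.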

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/2-design-for-identity-access-management.md

Lines changed: 2 additions & 2 deletions
@@ -18,8 +18,8 @@ As you look at your authentication and authorization options for Tailwind Trader
1818

1919
Your first step is to determine the ideal IAM solution for Tailwind Traders. The following table lists three basic choices. We'll look closely at these options in the next units.
2020

21-
- **Consider using Microsoft Entra ID**. Develop with [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) for a solution that combines core directory services, application access management, and identity protection. Microsoft Entra ID provides an identity and access management system for Tailwind Traders employees that can operate in a cloud or hybrid environment.
21+
- **Consider using Microsoft Entra ID**. Develop with [Microsoft Entra ID](/entra/identity/) for a solution that combines core directory services, application access management, and identity protection. Microsoft Entra ID provides an identity and access management system for Tailwind Traders employees that can operate in a cloud or hybrid environment.
2222

2323
- **Consider your business-to-business (B2B) requirements**. Support collaboration for guest users and external business partners of Tailwind Traders, such as suppliers and vendors. Build your solution with Microsoft Entra B2B (business-to-business) to support business-to-business operations.
2424

25-
- **Consider your business-to-customer scenarios**. Control how Tailwind Traders customers sign up, sign in, and manage their profiles when they use your apps. Use [Azure AD B2C (business-to-customer)](/azure/active-directory-b2c/overview) to develop a Microsoft Entra solution that supports customer-focused operations.
25+
- **Consider your business-to-customer scenarios**. Control how Tailwind Traders customers sign up, sign in, and manage their profiles when they use your apps. Use Microsoft Entra External ID (external tenant configuration) to develop a Microsoft Entra solution that supports customer-focused operations. For existing Azure AD B2C deployments, B2C continues to be supported until at least May 2030.
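Review bot: the rewritten bullet on line 25 drops the link the old text carried and names no destination for Microsoft Entra External ID, although the summary unit in this PR links /entra/external-id/customers/overview-customers-ciam; add that link here, e.g. `Use [Microsoft Entra External ID](/entra/external-id/customers/overview-customers-ciam) (external tenant configuration)`. Also expand "Azure AD B2C" on first use in this file, and consider keeping the "supported until at least May 2030" statement in one place (the IMPORTANT callout in unit 5) rather than repeating it in a decision-criteria bullet, so the two cannot drift apart.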

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/3-design-for-azure-active-directory.md

Lines changed: 1 addition & 1 deletion
@@ -30,7 +30,7 @@ Tailwind Traders plans to use Microsoft Entra ID in its identity management solu
3030

3131
- **Consider limiting account synchronization**. Don't synchronize accounts to Active Directory that have high privileges in your existing Microsoft Entra Tailwind Traders instance. By default, Microsoft Entra Connect filters out these high privileged accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could result in a major incident).
3232

33-
- **Consider password hash synchronization**. Enable [password hash synchronization](/azure/active-directory/hybrid/whatis-phs) to sync user password hashes from on-premises to a cloud-based Microsoft Entra instance. This sync helps to protect Tailwind Traders against leaked credentials being replayed from previous sign-ins.
33+
- **Consider phishing-resistant authentication methods**. Microsoft recommends designing passwordless phishing-resistant credentials, like security keys and passkeys. These methods use origin-bound public-key cryptography and satisfy MFA in a single step.
3434

3535
- **Consider single sign-on (SSO)**. Enable SSO to reduce the need for multiple passwords. Multiple passwords increase the likelihood of users reusing passwords or using weak passwords. With SSO, users provide their primary work or school account for their domain-joined devices and company resources. Their application access can be automatically provisioned (or deprovisioned) based on their Tailwind Traders organization group memberships and their status as an employee.
3636
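Review bot: line 33 replaces the password hash synchronization bullet rather than adding beside it, so the unit loses its only guidance on hybrid credential sync and on protecting against replay of leaked credentials; the phishing-resistant bullet covers a different control, so keep both. The new bullet also reads oddly ("recommends designing passwordless phishing-resistant credentials"; suggest "recommends designing for passwordless, phishing-resistant credentials") and is the only item in this list without a docs link. Unchanged but nearby: line 31 says not to synchronize accounts "to Active Directory" that are highly privileged in Microsoft Entra, which appears reversed against the following sentence about Microsoft Entra Connect filtering high-privileged accounts out of the sync; worth a follow-up fix.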

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/5-design-business-customer.md

Lines changed: 4 additions & 1 deletion
@@ -8,6 +8,9 @@ After you set up your Azure AD B2C tenant, you must register your app. You use u
88

99
### Things to know about Azure AD B2C
1010

11+
> [!IMPORTANT]
12+
> Azure AD B2C is no longer available for new customers as of May 1, 2025 and is supported until at least May 2030. For all new projects, use Microsoft Entra External ID.
13+
1114
You review the B2B features of Microsoft Entra ID and consider how they might be implemented in an identity solution for Tailwind Traders. Let's look at the customer features offered by Azure AD B2C.
1215

1316
- Azure AD B2C provides secure authentication for your customers by using their preferred identity providers.
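Review bot: the IMPORTANT callout on lines 11-13 tells readers to use Microsoft Entra External ID for all new projects, but the surrounding unit still presents Azure AD B2C as the thing to build: line 8 instructs the reader to set up an Azure AD B2C tenant, the heading on line 9 is "Things to know about Azure AD B2C", and line 14 invites them to "look at the customer features offered by Azure AD B2C". Either reframe the unit around External ID or mark the heading "(legacy)" as the comparison table later in this file does, and consider linking the retirement announcement from the callout so "supported until at least May 2030" can be checked.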
@@ -38,7 +41,7 @@ Tailwind Traders wants to investigate how to implement identity management for u
3841

3942
Now that you have some basic knowledge about the Microsoft Entra identity solutions, let's compare the options for Tailwind Traders.
4043

41-
| <!-- Blank --> | Microsoft Entra B2B (business-to-business) | Azure AD B2C (business-to-customer) |
44+
| <!-- Blank --> | Microsoft Entra B2B (business-to-business) | Microsoft Entra External ID / Azure AD B2C (legacy) |
4245
| --- | --- | --- |
4346
| **Define your focus** | Tailwind Traders wants to collaborate with business partners from external organizations like suppliers, partners, and vendors. You support users as guest users in your directory, and they might or might not use IT. | Tailwind Traders wants to engage with customers of their products. You manage users in a separate Microsoft Entra directory / tenant. |
4447
| **Identify your users** | Your users represent a Tailwind Traders partner company, or be employees of Tailwind Traders. | Your users are customers of Tailwind Traders who represent themselves. |
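Review bot: only the column header on line 44 changed; the cells beneath it (lines 46-47) still describe Azure AD B2C specifics ("You manage users in a separate Microsoft Entra directory / tenant"), so a column now labelled "Microsoft Entra External ID / Azure AD B2C (legacy)" no longer says which product each statement applies to. Rephrase the cell with the term this PR introduces in unit 2, "external tenant", or split into two columns. Unchanged but adjacent: line 47 "Your users represent a Tailwind Traders partner company, or be employees" should read "or are employees".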

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/6-design-for-conditional-access.md

Lines changed: 7 additions & 0 deletions
@@ -44,6 +44,13 @@ Tailwind Traders wants to implement Conditional Access into their identity solut
4444

4545
- **Consider blocking legacy authentication protocols**. Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure Conditional Access to [block legacy protocols](/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy) from accessing Tailwind Traders apps.
4646

47+
- **Consider per-policy impact reporting**: Each enabled policy now has a built-in impact graph in the Microsoft Entra admin center. A Log Analytics workspace isn’t required.
48+
49+
- **Consider Microsoft-managed Conditional Access policies**: Microsoft provides managed policies aligned to Secure Future Initiative. These policies can limit device code flow and legacy authentication.
50+
51+
- **Consider Conditional Access Optimization Agent**: AI-powered agent that monitors policy gaps and recommends fixes with one-click application (requires Microsoft Entra P1 + Security Copilot SCUs).
52+
53+
4754
- **Consider running Report-only mode**. Run Report-only mode to predict the number and names of Tailwind Traders users who are affected with common deployment initiatives. Use Report-only mode to test blocking legacy authentication, requiring MFA, and implementing sign-in risk policies.
4855

4956
- **Consider using the What If tool**. Use the What If tool to test your proposed Conditional Access policies before you implement them.
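Review bot: the three new bullets on lines 47-51 break the list's convention: existing items use "**Consider ...**." followed by full sentences, the new ones use a colon, and the Optimization Agent item is a fragment ("AI-powered agent that monitors ..."). "now has" and "isn't required" date the text; state the capability without "now". The Microsoft-managed policies bullet overlaps the block-legacy-authentication bullet on line 45 (both limit legacy authentication), so cross-reference it ("... including legacy authentication, as in the preceding item"). Lines 52-53 add two consecutive blank lines before the Report-only bullet; one is enough. The licensing parenthetical "(requires Microsoft Entra P1 + Security Copilot SCUs)" is the only licensing claim in the unit and should carry a link.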

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/7-design-for-identity-protection.md

Lines changed: 13 additions & 6 deletions
@@ -1,10 +1,10 @@
1-
[Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection) is a tool that allows organizations to accomplish three key tasks:
1+
[Microsoft Entra ID Protection](/azure/active-directory/identity-protection/overview-identity-protection) helps organizations detect, investigate, and remediate identity-based risks.
22

33
- [Automate the detection and remediation of identity-based risks](/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies).
44

55
- [Investigate risks](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk) by using data in the Azure portal.
66

7-
- [Export risk detection data](/azure/sentinel/connect-azure-ad-identity-protection) to other tools.
7+
- [Export risk detection data](/azure/sentinel/connect-azure-ad-identity-protection) with Microsoft Sentinel data connector.
88

99
The signals that are generated and fed into Identity Protection can be exported to other tools. You learned how the Conditional Access tool can make decisions based on your organization's policies. By using Identity Protection, you can pass this information to a security information and event management (SIEM) tool for more investigation.
1010
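Review bot: the new intro sentence on line 1 ends with a full stop ("... remediate identity-based risks.") but the bullets on lines 3-7 were written as the continuation of the deleted "three key tasks:", so the list now dangles; end the sentence with an introduction ("... identity-based risks. You can use it to:") or fold the tasks into the sentence. Line 7 needs an article: "with the Microsoft Sentinel data connector". The product is renamed "Microsoft Entra ID Protection" on line 1, yet line 9 and the later heading "Things to consider when using Identity Protection" still say "Identity Protection" and the last hunk says "ID Protection"; use one name per file.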

@@ -22,21 +22,26 @@ As the CTO of Tailwind Traders, you'd like to know how Identity Protection can b
2222

2323
:::image type="content" source="../media/risk-detections.png" alt-text="Diagram that shows risky users, risky sign-ins, and risk detections." border="false":::
2424

25-
- [**User risk**](/azure/active-directory/identity-protection/concept-identity-protection-risks) represents the probability that a given identity or account is compromised. An example is when a user's valid credentials are leaked. User risks are calculated offline by using Microsoft's internal and external threat intelligence sources. Here are some user risks that can be identified:
25+
- **User risk** represents the probability that a given identity or account is compromised. An example is when a user's valid credentials are leaked. User risks are calculated offline by using Microsoft's internal and external threat intelligence sources. Here are some user risks that can be identified:
2626

2727
- **Leaked credentials**: Microsoft checks for leaked credentials from the dark web, paste sites, or other sources. These leaked credentials are checked against Microsoft Entra users' current valid credentials for valid matches.
2828

2929
- **Microsoft Entra threat intelligence**: This risk detection type indicates user activity that's unusual for the given user or is consistent with known attack patterns.
3030

31-
- [**Sign-in risk**](/azure/active-directory/identity-protection/concept-identity-protection-risks) represents the probability that a given sign-in (authentication request) isn't authorized by the identity owner. Sign-in risk can be calculated in real time or offline. Here are some sign-in risks that can be identified:
31+
- **Sign-in risk** represents the probability that a given sign-in (authentication request) isn't authorized by the identity owner. Sign-in risk can be calculated in real time or offline. Here are some [sign-in risks](/azure/active-directory/identity-protection/concept-identity-protection-risks) that can be identified:
3232

3333
- **Anonymous IP address**: A sign-in attempt from an anonymous IP address like a Tor browser or an anonymized VPN.
3434

3535
- **Atypical travel**: Two sign-ins from the same user that originate from a geographically distant location. Given past behavior, at least one of the locations might also be atypical for the user.
3636

37-
- **Malware-linked IP address**: An infected IP address sign-in known to actively communicate with a bot server.
37+
- **Malicious IP address**: Sign-in from an IP with high failure rates due to invalid credentials or known bad IP reputation.
38+
39+
- **Password spray**: A password spray attack is where multiple identities are attacked using common passwords in a unified brute force manner.
40+
41+
- **Anomalous token**: Abnormal token characteristics, such as unusual lifetime or token played from an unfamiliar location.
42+
43+
- **Verified threat actor IP**: Sign-in from an IP associated with known nation-state or cybercriminal threat actors.
3844

39-
- **Password spray**: A password spray attack where a bad actor tries to defeat lockout and detection by attempting sign-in with different user names and the same password.
4045

4146
### Things to consider when using Identity Protection
4247
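Review bot: the user-risk bullet on line 25 loses its link to concept-identity-protection-risks while the sign-in risk bullet on line 31 keeps a link to the same page; keep it on both or link once from the intro. The new password spray text on line 39 ("attacked using common passwords in a unified brute force manner") drops the explanation the deleted line gave, that the attacker tries the same password across many user names to defeat lockout and detection; that is the detail that makes the detection meaningful, so keep it. Line 41: "token played from an unfamiliar location" should be "replayed". Renaming "Malware-linked IP address" to "Malicious IP address" with the new description is fine.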

@@ -49,3 +54,5 @@ Tailwind Traders decides to implement Identity Protection into their security so
4954
- **Consider investigating risks in the Azure portal**. Investigate Tailwind Traders risk events in the Azure portal and identify any weak areas in your security implementation. Download the risk events in .CSV format and view the output in the Security section of Microsoft Entra ID. Use the Microsoft Graph API integrations to aggregate your data with other sources.
5055

5156
- **Consider exporting your risk detection data**. Export the risk detection data for Tailwind Traders by using the Microsoft Sentinel data connector for Identity Protection.
57+
58+
- **Consider unified risk signals**: ID Protection can now ingest signals from Microsoft Defender alongside native detections to calculate a unified Identity Risk Score.
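Review bot: the new bullet on line 58 uses "ID Protection" and a colon, while the other items in this list spell out "Identity Protection" and use "**Consider ...**."; align both. "can now ingest" dates the text; say "ingests". The "unified Identity Risk Score" appears nowhere else in the unit, so either define it in one clause (how it relates to the user risk and sign-in risk described above) or link it.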

learn-pr/wwl-azure/design-authentication-authorization-solutions/index.yml

Lines changed: 2 additions & 4 deletions
@@ -3,15 +3,15 @@ uid: learn.wwl.design-authentication-authorization-solutions
33
metadata:
44
title: Design Authentication and Authorization Solutions
55
description: "Azure Architects design and recommend authentication and authorization solutions."
6-
ms.date: 01/18/2026
6+
ms.date: 03/23/2026
77
author: wwlpublish
88
ms.author: cynthist
99
ms.topic: module
1010
ms.collection: N/A
1111
ms.custom:
1212
- N/A
1313
ms.service: azure
14-
ai-usage: human-only
14+
ai-usage: ai-assisted
1515
title: Design authentication and authorization solutions
1616
summary: Azure Architects design and recommend authentication and authorization solutions.
1717
abstract: |
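Review bot: ai-usage flips from human-only to ai-assisted on line 14 alongside the ms.date bump; that is a provenance change for the whole module and should be stated in the PR description so reviewers know which units were AI-assisted. Unchanged but worth fixing while here: ms.collection: N/A and ms.custom: - N/A are placeholder values rather than omitted keys.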
@@ -23,8 +23,6 @@ abstract: |
2323
2424
- Design for Microsoft Entra business-to-business (B2B).
2525
26-
- Design for Azure Active Directory B2C (business-to-customer).
27-
2826
- Design for conditional access.
2927
3028
- Design for identity protection.
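Review bot: removing "Design for Azure Active Directory B2C (business-to-customer)." from the abstract (lines 26-27) leaves no learning objective for unit 5 (5-design-business-customer.md), which this PR keeps and now points at External ID; replace the objective with "Design for Microsoft Entra External ID (business-to-customer)." rather than dropping it.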

learn-pr/wwl-azure/design-data-integration/includes/2-solution-azure-data-factory.md

Lines changed: 16 additions & 4 deletions
@@ -7,9 +7,12 @@
77
There are four major steps to create and implement a data-driven workflow in the Azure Data Factory architecture:
88

99
1. **Connect and collect**. First, ingest the data to collect all the data from different sources into a centralized location.
10-
2. **Transform and enrich**. Next, transform the data by using a compute service like Azure Databricks and Azure HDInsight Hadoop.
11-
3. **Provide continuous integration and delivery (CI/CD) and publish**. Support CI/CD by using GitHub and Azure Pipelines to deliver the ETL process incrementally before publishing the data to the analytics engine.
12-
4. **Monitor**. Finally, use the Azure portal to monitor the pipeline for scheduled activities and for any failures.
10+
11+
1. **Transform and enrich**. Next, transform the data by using a compute service like Azure Databricks and Azure HDInsight Hadoop.
12+
13+
1. **Provide continuous integration and delivery (CI/CD) and publish**. Support CI/CD by using GitHub and Azure Pipelines to deliver the ETL process incrementally before publishing the data to the analytics engine.
14+
15+
1. **Monitor**. Finally, use the Azure portal to monitor the pipeline for scheduled activities and for any failures.
1316

1417
The following diagram shows how Azure Data Factory orchestrates the ingestion of data from different data sources. Data is ingested into a Storage blob and stored in Azure Synapse Analytics. Analysis and visualization components are also connected to Azure Data Factory. Azure Data Factory provides a common management interface for all of your data integration needs.
1518

@@ -34,16 +37,25 @@ A significant challenge for a fast-growing home improvement retailer like Tailwi
3437
Let's review how the Azure Data Factory components are involved in a data preparation and movement scenario for Tailwind Traders. They have many different data sources to connect to and that data needs to be ingested and transformed through stored procedures that are run on the data. Finally, the data should be pushed to an analytics platform for analysis.
3538

3639
- In this scenario, the linked service enables Tailwind Traders to ingest data from different sources and it stores connection strings to fire up compute services on demand.
40+
3741
- You can execute stored procedures for data transformation that happens through the linked service in Azure-SSIS, which is the integration runtime environment for Tailwind Traders.
42+
3843
- The datasets components are used by the activity object and the activity object contains the transformation logic.
44+
3945
- You can trigger the pipeline, which is all the activities grouped together.
46+
4047
- You can use Azure Data Factory to publish the final dataset consumed by technologies, such as Power BI or Machine Learning.
4148

4249
### Things to consider when using Azure Data Factory
4350

4451
Evaluate Azure Data Factory against the following decision criteria and consider how the service can benefit your data integration solution for Tailwind Traders.
4552

4653
- **Consider requirements for data integration**. Azure Data Factory serves two communities: the big data community and the relational data warehousing community that uses SQL Server Integration Services (SSIS). Depending on your organization's data needs, you can set up pipelines in the cloud by using Azure Data Factory. You can access data from both cloud and on-premises data services.
54+
4755
- **Consider coding resources**. If you prefer a graphical interface to set up pipelines, then Azure Data Factory authoring and monitoring tool is the right fit for your needs. Azure Data Factory provides a low code/no code process for working with data sources.
48-
- **Consider support for multiple data sources**. Azure Data Factory supports 90+ connectors to integrate with disparate data sources.
56+
57+
- **Consider support for multiple data sources**. Azure Data Factory supports 100+ connectors, including Microsoft Fabric Warehouse and Fabric Lakehouse alongside Azure, AWS, Google Cloud, SaaS, and database sources.
58+
4959
- **Consider serverless infrastructure**. There are advantages to using a fully managed, serverless solution for data integration. There's no need to maintain, configure, or deploy servers, and you gain the ability to scale with fluctuating workloads.
60+
61+
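Review bot: line 57 changes "90+ connectors" to "100+ connectors" and adds Fabric Warehouse and Fabric Lakehouse without a link; a connector count is the kind of figure that drifts, so link the connector overview it was taken from. Lines 60-61 add two trailing blank lines at end of file; end the file with a single newline. Unchanged but touched: line 55 "then Azure Data Factory authoring and monitoring tool" needs "the".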
