Merge pull request #54132 from staleycyn/patch-3

Content drift changes design auth module

Author: v-ccolin

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/12-summary-resources.md

@@ -16,7 +16,7 @@ Copilot can assist you in designing Azure infrastructure solutions. Copilot can
 
 - Read about [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/).
 
-- Research business-to-customer solutions with [Azure AD B2C](/azure/active-directory-b2c/overview).
+- Research business-to-customer solutions with [Microsoft Entra External ID](/entra/external-id/customers/overview-customers-ciam).
 
 - Get more information about [Azure role-based access control (RBAC)](/azure/role-based-access-control/overview).
 

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/2-design-for-identity-access-management.md

@@ -18,8 +18,8 @@ As you look at your authentication and authorization options for Tailwind Trader
 
 Your first step is to determine the ideal IAM solution for Tailwind Traders. The following table lists three basic choices. We'll look closely at these options in the next units.
 
-- **Consider using Microsoft Entra ID**. Develop with [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) for a solution that combines core directory services, application access management, and identity protection. Microsoft Entra ID provides an identity and access management system for Tailwind Traders employees that can operate in a cloud or hybrid environment.
+- **Consider using Microsoft Entra ID**. Develop with [Microsoft Entra ID](/entra/identity/) for a solution that combines core directory services, application access management, and identity protection. Microsoft Entra ID provides an identity and access management system for Tailwind Traders employees that can operate in a cloud or hybrid environment.
 
 - **Consider your business-to-business (B2B) requirements**. Support collaboration for guest users and external business partners of Tailwind Traders, such as suppliers and vendors. Build your solution with Microsoft Entra B2B (business-to-business) to support business-to-business operations.
 
-- **Consider your business-to-customer scenarios**. Control how Tailwind Traders customers sign up, sign in, and manage their profiles when they use your apps. Use [Azure AD B2C (business-to-customer)](/azure/active-directory-b2c/overview) to develop a Microsoft Entra solution that supports customer-focused operations.
+- **Consider your business-to-customer scenarios**. Control how Tailwind Traders customers sign up, sign in, and manage their profiles when they use your apps. Use Microsoft Entra External ID (external tenant configuration) to develop a Microsoft Entra solution that supports customer-focused operations. For existing Azure AD B2C deployments, B2C continues to be supported until at least May 2030.

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/3-design-for-azure-active-directory.md

@@ -30,7 +30,7 @@ Tailwind Traders plans to use Microsoft Entra ID in its identity management solu
 
 - **Consider limiting account synchronization**. Don't synchronize accounts to Active Directory that have high privileges in your existing Microsoft Entra Tailwind Traders instance. By default, Microsoft Entra Connect filters out these high privileged accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could result in a major incident).
 
-- **Consider password hash synchronization**. Enable [password hash synchronization](/azure/active-directory/hybrid/whatis-phs) to sync user password hashes from on-premises to a cloud-based Microsoft Entra instance. This sync helps to protect Tailwind Traders against leaked credentials being replayed from previous sign-ins.
+- **Consider phishing-resistant authentication methods**. Microsoft recommends designing passwordless phishing-resistant credentials, like security keys and passkeys. These methods use origin-bound public-key cryptography and satisfy MFA in a single step.
 
 - **Consider single sign-on (SSO)**. Enable SSO to reduce the need for multiple passwords. Multiple passwords increase the likelihood of users reusing passwords or using weak passwords. With SSO, users provide their primary work or school account for their domain-joined devices and company resources. Their application access can be automatically provisioned (or deprovisioned) based on their Tailwind Traders organization group memberships and their status as an employee. 
 

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/5-design-business-customer.md

@@ -8,6 +8,9 @@ After you set up your Azure AD B2C tenant, you must register your app. You use u
 
 ### Things to know about Azure AD B2C
 
+> [!IMPORTANT]
+> Azure AD B2C is no longer available for new customers as of May 1, 2025 and is supported until at least May 2030. For all new projects, use Microsoft Entra External ID.
+
 You review the B2B features of Microsoft Entra ID and consider how they might be implemented in an identity solution for Tailwind Traders. Let's look at the customer features offered by Azure AD B2C.
 
 - Azure AD B2C provides secure authentication for your customers by using their preferred identity providers.
@@ -38,7 +41,7 @@ Tailwind Traders wants to investigate how to implement identity management for u
 
 Now that you have some basic knowledge about the Microsoft Entra identity solutions, let's compare the options for Tailwind Traders.
 
-| <!-- Blank --> | Microsoft Entra B2B (business-to-business) | Azure AD B2C (business-to-customer) |
+| <!-- Blank --> | Microsoft Entra B2B (business-to-business) | Microsoft Entra External ID / Azure AD B2C (legacy) |
 | --- | --- | --- |
 | **Define your focus** | Tailwind Traders wants to collaborate with business partners from external organizations like suppliers, partners, and vendors. You support users as guest users in your directory, and they might or might not use IT. | Tailwind Traders wants to engage with customers of their products. You manage users in a separate Microsoft Entra directory / tenant. |
 | **Identify your users** | Your users represent a Tailwind Traders partner company, or be employees of Tailwind Traders. | Your users are customers of Tailwind Traders who represent themselves. |

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/6-design-for-conditional-access.md

@@ -44,6 +44,13 @@ Tailwind Traders wants to implement Conditional Access into their identity solut
 
 - **Consider blocking legacy authentication protocols**. Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure Conditional Access to [block legacy protocols](/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy) from accessing Tailwind Traders apps.
 
+- **Consider per-policy impact reporting**: Each enabled policy now has a built-in impact graph in the Microsoft Entra admin center. A Log Analytics workspace isn’t required.
+
+- **Consider Microsoft-managed Conditional Access policies**: Microsoft provides managed policies aligned to Secure Future Initiative. These policies can limit device code flow and legacy authentication.
+
+- **Consider Conditional Access Optimization Agent**: AI-powered agent that monitors policy gaps and recommends fixes with one-click application (requires Microsoft Entra P1 + Security Copilot SCUs).
+
+
 - **Consider running Report-only mode**. Run Report-only mode to predict the number and names of Tailwind Traders users who are affected with common deployment initiatives. Use Report-only mode to test blocking legacy authentication, requiring MFA, and implementing sign-in risk policies. 
 
 - **Consider using the What If tool**. Use the What If tool to test your proposed Conditional Access policies before you implement them.

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/7-design-for-identity-protection.md

@@ -1,10 +1,10 @@
-[Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection) is a tool that allows organizations to accomplish three key tasks:
+[Microsoft Entra ID Protection](/azure/active-directory/identity-protection/overview-identity-protection) helps organizations detect, investigate, and remediate identity-based risks. 
 
 - [Automate the detection and remediation of identity-based risks](/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies).
 
 - [Investigate risks](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk) by using data in the Azure portal.
 
-- [Export risk detection data](/azure/sentinel/connect-azure-ad-identity-protection) to other tools.
+- [Export risk detection data](/azure/sentinel/connect-azure-ad-identity-protection) with Microsoft Sentinel data connector.
 
 The signals that are generated and fed into Identity Protection can be exported to other tools. You learned how the Conditional Access tool can make decisions based on your organization's policies. By using Identity Protection, you can pass this information to a security information and event management (SIEM) tool for more investigation. 
 
@@ -22,21 +22,26 @@ As the CTO of Tailwind Traders, you'd like to know how Identity Protection can b
 
    :::image type="content" source="../media/risk-detections.png" alt-text="Diagram that shows risky users, risky sign-ins, and risk detections." border="false":::
 
-- [**User risk**](/azure/active-directory/identity-protection/concept-identity-protection-risks) represents the probability that a given identity or account is compromised. An example is when a user's valid credentials are leaked. User risks are calculated offline by using Microsoft's internal and external threat intelligence sources. Here are some user risks that can be identified:
+- **User risk** represents the probability that a given identity or account is compromised. An example is when a user's valid credentials are leaked. User risks are calculated offline by using Microsoft's internal and external threat intelligence sources. Here are some user risks that can be identified:
 
    - **Leaked credentials**: Microsoft checks for leaked credentials from the dark web, paste sites, or other sources. These leaked credentials are checked against Microsoft Entra users' current valid credentials for valid matches.
 
    - **Microsoft Entra threat intelligence**: This risk detection type indicates user activity that's unusual for the given user or is consistent with known attack patterns.
 
-- [**Sign-in risk**](/azure/active-directory/identity-protection/concept-identity-protection-risks) represents the probability that a given sign-in (authentication request) isn't authorized by the identity owner. Sign-in risk can be calculated in real time or offline. Here are some sign-in risks that can be identified:
+- **Sign-in risk** represents the probability that a given sign-in (authentication request) isn't authorized by the identity owner. Sign-in risk can be calculated in real time or offline. Here are some [sign-in risks](/azure/active-directory/identity-protection/concept-identity-protection-risks) that can be identified:
 
    - **Anonymous IP address**: A sign-in attempt from an anonymous IP address like a Tor browser or an anonymized VPN.
 
    - **Atypical travel**: Two sign-ins from the same user that originate from a geographically distant location. Given past behavior, at least one of the locations might also be atypical for the user.
 
-   - **Malware-linked IP address**: An infected IP address sign-in known to actively communicate with a bot server.
+   - **Malicious IP address**: Sign-in from an IP with high failure rates due to invalid credentials or known bad IP reputation.
+
+   - **Password spray**: A password spray attack is where multiple identities are attacked using common passwords in a unified brute force manner. 
+
+   - **Anomalous token**: Abnormal token characteristics, such as unusual lifetime or token played from an unfamiliar location.
+
+   - **Verified threat actor IP**: Sign-in from an IP associated with known nation-state or cybercriminal threat actors.
 
-   - **Password spray**: A password spray attack where a bad actor tries to defeat lockout and detection by attempting sign-in with different user names and the same password.
 
 ### Things to consider when using Identity Protection
 
@@ -49,3 +54,5 @@ Tailwind Traders decides to implement Identity Protection into their security so
 - **Consider investigating risks in the Azure portal**. Investigate Tailwind Traders risk events in the Azure portal and identify any weak areas in your security implementation. Download the risk events in .CSV format and view the output in the Security section of Microsoft Entra ID. Use the Microsoft Graph API integrations to aggregate your data with other sources.
 
 - **Consider exporting your risk detection data**. Export the risk detection data for Tailwind Traders by using the Microsoft Sentinel data connector for Identity Protection.
+
+- **Consider unified risk signals**: ID Protection can now ingest signals from Microsoft Defender alongside native detections to calculate a unified Identity Risk Score.

learn-pr/wwl-azure/design-authentication-authorization-solutions/index.yml

@@ -3,15 +3,15 @@ uid: learn.wwl.design-authentication-authorization-solutions
 metadata:
   title: Design Authentication and Authorization Solutions
   description: "Azure Architects design and recommend authentication and authorization solutions."
-  ms.date: 01/18/2026
+  ms.date: 03/23/2026
   author: wwlpublish
   ms.author: cynthist
   ms.topic: module
   ms.collection: N/A
   ms.custom:
   - N/A
   ms.service: azure
-  ai-usage: human-only
+  ai-usage: ai-assisted
 title: Design authentication and authorization solutions
 summary: Azure Architects design and recommend authentication and authorization solutions.
 abstract: |
@@ -23,8 +23,6 @@ abstract: |
 
   -   Design for Microsoft Entra business-to-business (B2B).
 
-  -   Design for Azure Active Directory B2C (business-to-customer).
-
   -   Design for conditional access.
 
   -   Design for identity protection.