Update 2FA docs for GHES 3.17 changes related to members_without_2fa_enabled (#55047)

Co-authored-by: Joe Clark <[email protected]>

Author: mayamessinger

assets/images/help/2fa/ghes-filter-org-members-by-2fa.png

@@ -41,8 +41,8 @@ Before you require use of two-factor authentication, we recommend notifying orga
 {% data reusables.two_fa.ghes_ntp %}
 
 > [!WARNING]
-> * When you require two-factor authentication for your enterprise, outside collaborators (including bot accounts) in all organizations owned by your enterprise who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. You can reinstate their access privileges and settings if they enable 2FA for their account within three months of their removal from your organization. For more information, see [AUTOTITLE](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization).
-> * Any outside collaborator in any of the organizations owned by your enterprise who disables 2FA for their account after you've enabled required two-factor authentication will automatically be removed from the organization. Members and billing managers who disable 2FA will not be able to access organization resources until they re-enable it.
+> * When you require two-factor authentication for your enterprise, {% ifversion ghes < 3.17 %}members and {% endif %}outside collaborators (including bot accounts) in all organizations owned by your enterprise who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. You can reinstate their access privileges and settings if they enable 2FA for their account within three months of their removal from your organization. For more information, see [AUTOTITLE](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization).
+> * Any {% ifversion ghes < 3.17 %}member or {% endif %}outside collaborator in any of the organizations owned by your enterprise who disables 2FA for their account after you've enabled required two-factor authentication will automatically be removed from the organization. Members {% ifversion fpt or ghes %}and billing managers{% endif %} who disable 2FA will not be able to access organization resources until they re-enable it.
 > * If you're the sole owner of an enterprise that requires two-factor authentication, you won't be able to disable 2FA for your user account without disabling required 2FA for the enterprise.
 
 {% ifversion mandatory-2fa-dotcom-contributors %}
@@ -58,7 +58,7 @@ Before you require use of two-factor authentication, we recommend notifying orga
 1. Under "Two-factor authentication", review the information about changing the setting. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %}
 1. Under "Two-factor authentication", select **Require two-factor authentication for the enterprise and all of its organizations**, then click **Save**.
 1. If prompted, read the information about how user access to organization resources will be affected by a 2FA requirement. To confirm the change, click **Confirm**.
-1. Optionally, if any outside collaborators are removed from the organizations owned by your enterprise, we recommend sending them an invitation to reinstate their former privileges and access to your organization. Each person must enable 2FA before they can accept your invitation.
+1. Optionally, if any {% ifversion ghes < 3.17 %}members or {% endif %}outside collaborators are removed from the organizations owned by your enterprise, we recommend sending them an invitation to reinstate their former privileges and access to your organization. Each person must enable 2FA before they can accept your invitation.
 
 {% ifversion fpt or ghec %}
 

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md

@@ -24,16 +24,24 @@ For more information, see [AUTOTITLE](/authentication/securing-your-account-with
 
 ## Requirements for enforcing two-factor authentication
 
-Before you can require organization members and outside collaborators to use 2FA, you must [enable two-factor authentication](/authentication/securing-your-account-with-two-factor-authentication-2fa) for your own personal account.
+Before you can require organization members and outside collaborators to use two-factor authentication, you must [enable 2FA](/authentication/securing-your-account-with-two-factor-authentication-2fa) for your own personal account.
 
-Before you require use of two-factor authentication, we recommend notifying organization members and outside collaborators and asking them to set up 2FA for their accounts. You can [see if members and outside collaborators already use 2FA](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled) on an organization's People tab.
+Before you require use of 2FA, we recommend notifying organization members and outside collaborators and asking them to set up 2FA for their accounts. You can [see if members and outside collaborators already use 2FA](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled) on an organization's People tab.
 
 {% data reusables.two_fa.ghes_ntp %}
 
+{% ifversion ghes < 3.17 %}
 > [!WARNING]
-> * When you require two-factor authentication, members and outside collaborators (including bot accounts) who do not use 2FA will be removed from the organization and lose access to its repositories, including their forks of private repositories. If they enable 2FA for their personal account within three months of being removed from the organization, you can reinstate their access privileges and settings, see [AUTOTITLE](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization).
+> * When you require 2FA, members and outside collaborators (including bot accounts) who do not use 2FA will be removed from the organization and lose access to its repositories, including their forks of private repositories. If they enable 2FA for their personal account within three months of being removed from the organization, you can reinstate their access privileges and settings, see [AUTOTITLE](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization).
 > * When 2FA is required, organization members or outside collaborators who disable 2FA will automatically be removed from the organization.
-> * If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required two-factor authentication for the organization.
+> * If you're the sole owner of an organization that requires 2FA, you won't be able to disable 2FA for your personal account without disabling required two-factor authentication for the organization.
+{% else %}
+> [!WARNING]
+> * When you require 2FA, members who do not use 2FA will not be able to access your enterprise resources until they enable 2FA on their account. They will retain membership even without 2FA, including occupying seats in your enterprise and organizations.
+> * When your require 2FA, outside collaborators (including bot accounts) who do not use 2FA will be removed from the enterprise and its organization and lose access to repositories, including their forks of private repositories. If they enable 2FA for their personal account within three months of being removed from the organization, you can [reinstate their access privileges and settings](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization).
+> * When 2FA is required, outside collaborators who disable 2FA will automatically be removed from the enterprise and its organizations. Members who disable 2FA will not be able to access your enterprise and organization resources until they re-enable it.
+> * If you're the sole owner of an organization that requires 2FA, you won't be able to disable 2FA for your personal account without disabling required 2FA for the organization.
+{% endif %}
 
 ## Requiring two-factor authentication for an organization
 

content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/requiring-two-factor-authentication-for-an-organization.md

@@ -57,7 +57,7 @@ You can also remove an administrator. For more information. see [AUTOTITLE](/adm
 
 You can see all the current members for your enterprise. You can see useful information about each account and filter the list in useful ways, such as by role. In addition to the list of members, you will see an overview of the number of members in your enterprise, grouped by role{% ifversion ghec %}, type of license, and type of deployment{% endif %}.
 
-You can find a specific person by searching for the person's username or display name. To view more information about the person's access to your enterprise, such as the organizations the person belongs to, you can click the person's name.
+You can find a specific person by searching for the person's username or display name. To view more information about the person's access to your enterprise, such as the organizations the person belongs to, you can select the person's name.
 
 {% ifversion remove-enterprise-members %}
 You can also remove any enterprise member from all organizations owned by the enterprise. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/removing-a-member-from-your-enterprise).
@@ -66,7 +66,7 @@ You can also remove any enterprise member from all organizations owned by the en
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.people-tab %}
 {% ifversion enterprise-member-csv %}
-1. Optionally, to export the list of members as a CSV report, click **CSV report**. For more information about the information included in the report, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise).{% endif %}
+1. Optionally, to export the list of members as a CSV report, select **CSV report**. For more information about the information included in the report, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise).{% endif %}
 
 ### About the membership overview
 
@@ -130,11 +130,11 @@ If you use {% data variables.product.prodname_emus %}, verify a domain, or confi
 
 You can see all the current outside collaborators for your enterprise. You can see useful information about each collaborator and filter the list in useful ways, such as by organization. You can find a specific collaborator by searching for their username or display name.
 
-You can view more information about the person's access to your enterprise, such as a list of all the repositories the collaborator has access to, by clicking on the person's name.
+You can view more information about the person's access to your enterprise, such as a list of all the repositories the collaborator has access to, by selecting the person's name.
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.people-tab %}
-1. Under "People", click **Outside collaborators**.
+1. Under "People", select **Outside collaborators**.
 
 {% ifversion ghec %}
 
@@ -151,11 +151,11 @@ If you use {% data variables.visual_studio.prodname_vss_ghe %}, the list of pend
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.people-tab %}
-1. Under "People", click **Invitations**.
-1. Optionally, you can cancel all invitations for an account to join organizations owned by your enterprise. To the right of the account, click {% octicon "kebab-horizontal" aria-label="Show actions" %}, then click **Cancel invitation**.
+1. Under "People", select **Invitations**.
+1. Optionally, you can cancel all invitations for an account to join organizations owned by your enterprise. To the right of the account, select {% octicon "kebab-horizontal" aria-label="Show actions" %}, then select **Cancel invitation**.
 
    ![Screenshot of a single invitation on the "Invitations" page. A button, titled "Cancel invitation", is highlighted with an orange outline.](/assets/images/help/enterprises/cancel-enterprise-member-invitation.png)
-1. Optionally, you can view pending invitations for enterprise administrators or outside collaborators. Under "Invitations", click **Administrators** or **Outside collaborators**.
+1. Optionally, you can view pending invitations for enterprise administrators or outside collaborators. Under "Invitations", select **Administrators** or **Outside collaborators**.
 1. Optionally, to filter the list of pending invitations by license, by organization, or by source, use the dropdown menus at the top of the list.
 
    ![Screenshot of the "Invitations" page. Three dropdown menus, titled "License", "Organizations", and "Source" are highlighted with an orange outline.](/assets/images/help/enterprises/enterprise-filter-pending-invitations.png)
@@ -168,7 +168,7 @@ If your enterprise uses {% ifversion ghec %}{% data variables.product.prodname_e
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.people-tab %}
-1. Under "People", click **Suspended**.
+1. Under "People", select **Suspended**.
 
 ## Viewing dormant users
 
@@ -180,11 +180,11 @@ You can view a list of all dormant users {% ifversion ghes %} who have not been
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 1. Under "Organizations", in the search bar, begin typing the organization's name until it appears in the search results.
-1. Click the name of the organization.
-1. Above the organization name, click **{% octicon "person" aria-hidden="true" %} People**.
+1. Select the name of the organization.
+1. Above the organization name, select **{% octicon "person" aria-hidden="true" %} People**.
 
    ![Screenshot of the tabs above an organization name. The "People" tab is highlighted with an orange outline.](/assets/images/help/enterprises/emu-organization-people-tab.png)
-1. Above the list of members, click **Type**, then select the type of members you want to view.
+1. Above the list of members, select **Type**, then select the type of members you want to view.
    ![Screenshot of the list of members. A dropdown menu labeled "Type" is outlined and expanded.](/assets/images/help/enterprises/filter-by-member-type.png)
 
 {% ifversion scim-for-ghes-public-beta %}
@@ -210,7 +210,7 @@ You can view a list of members in your enterprise who don't have an email addres
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.verified-domains-tab %}
-1. Under "Notification preferences", click the **{% octicon "eye" aria-hidden="true" %} View enterprise members without an approved or verified domain email** link.
+1. Under "Notification preferences", select the **{% octicon "eye" aria-hidden="true" %} View enterprise members without an approved or verified domain email** link.
 
 ## Viewing whether members in your enterprise have 2FA enabled
 
@@ -220,7 +220,7 @@ You can see which people in your enterprise have enabled two-factor authenticati
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.people-tab %}
-1. To view the two-factor authentication security levels of enterprise members, on the right, select **Two-factor authentication**, then click **Secure**, **Insecure**, or **Disabled**.
+1. To view the two-factor authentication security levels of enterprise members, on the right, select **Two-factor authentication**, then select **Secure**, **Insecure**, or **Disabled**.
 
    ![Screenshot of the list of enterprise members. A dropdown menu, labeled "Two-factor authentication", is expanded and outlined in orange.](/assets/images/help/2fa/filter-enterprise-members-by-2fa.png)
 
@@ -234,9 +234,13 @@ You can see which people in your enterprise have enabled two-factor authenticati
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.people-tab %}
-1. To view enterprise members who have enabled or disabled two-factor authentication, on the right, select **2FA**, then click **Enabled** or **Disabled**.
+1. To view enterprise members who have enabled or disabled two-factor authentication, on the right, select {% ifversion ghes > 3.16 %}**Two-factor authentication**{% else %}**2FA**{% endif %}, then select {% ifversion ghes > 3.16 %}**Secure**{% else %}**Enabled**{% endif %} or **Disabled**.
 
+   {% ifversion ghes > 3.16 %}
+   ![Screenshot of the list of organization members. A dropdown menu, labeled "Two-factor Authentication", is expanded and outlined in orange.](/assets/images/help/2fa/ghes-filter-org-members-by-2fa.png)
+   {% else %}
    ![Screenshot of the list of organization members. A dropdown menu, labeled "2FA", is expanded and outlined in orange.](/assets/images/help/2fa/legacy-filter-org-members-by-2fa.png)
+   {% endif %}
 
 {% endif %}
 

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md

@@ -36,10 +36,16 @@ If you're a member of an {% data variables.enterprise.prodname_emu_enterprise %}
 {% endif %}
 {% endif %}
 
+{% ifversion ghes < 3.17 %}
+> [!WARNING]
+> * If you're a member or outside collaborator to a private repository of an organization that requires 2FA, you must leave the organization before you can disable 2FA.
+> * If you disable 2FA, you will automatically lose access to the organization and any private forks you have of the organization's private repositories. To regain access to the organization and your forks, re-enable 2FA and contact an organization owner.
+{% else %}
 > [!WARNING]
 > * If you're an outside collaborator to a private repository of an organization that requires 2FA, you must leave the organization before you can disable 2FA.
 > * If you're a member{% ifversion fpt or ghec %} or billing manager{% endif %} of an organization that requires 2FA, you will be unable to access that organization's resources while you have 2FA disabled.
 > * If you disable 2FA, you will automatically lose access to the organization. To regain access to the organization, if you're a member{% ifversion fpt or ghec %} or billing manager{% endif %}, you must re-enable 2FA. If you're an outside collaborator, you will also lose access to any private forks you have of the organization's private repositories after disabling 2FA, and must re-enable 2FA and contact an organization owner to have access restored.
+{% endif %}
 
 > [!NOTE]
 > You can reconfigure your 2FA settings without disabling 2FA entirely, allowing you to keep both your recovery codes and your membership in organizations that require 2FA.