Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into twhitney-titles2

Author: Tyler Whitney

.openpublishing.redirection.json

@@ -1942,11 +1942,6 @@
       "redirect_url": "/azure/cosmos-db/sql-api-get-started",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/search/search-traffic-analytics.md",
-      "redirect_url": "/azure/search/search-monitor-usage",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/search/knowledge-store-howto.md",
       "redirect_url": "/azure/search/knowledge-store-create-rest",

articles/active-directory/develop/howto-app-gallery-listing.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 09/16/2019
+ms.date: 12/06/2019
 ms.author: ryanwi
 ms.reviewer: jeedes
 ms.custom: aaddev, seoapril2019
@@ -39,6 +39,10 @@ This article shows how to list an application in the Azure Active Directory (Azu
 - For password SSO, make sure that your application supports form authentication so that password vaulting can be done to get single sign-on to work as expected.
 - You need a permanent account for testing with at least two users registered.
 
+**How to get Azure AD for developers?**
+
+You can get a free test account with all the premium Azure AD features - 90 days free and can get extended as long as you do dev work with it: https://docs.microsoft.com/office/developer-program/office-365-developer-program
+
 ## Submit the request in the portal
 
 After you've tested that your application integration works with Azure AD, submit your request for access in the [Application Network portal](https://microsoft.sharepoint.com/teams/apponboarding/Apps). If you have an Office 365 account, use that to sign in to this portal. If not, use your Microsoft account, such as Outlook or Hotmail, to sign in.
@@ -57,6 +61,26 @@ Our team reviews the details and gives you access accordingly. After your reques
 
 ![Submit Request (ISV) tile on home page](./media/howto-app-gallery-listing/homepage.png)
 
+## Issues on logging into portal
+
+If you are seeing this error while logging in then here are the detail on the issue and this is how you can fix it.
+
+* If your sign-in was blocked as shown below:
+
+  ![issues resolving application in the gallery](./media/howto-app-gallery-listing/blocked.png)
+
+**What’s happening:**
+
+The guest user is federated to a home tenant which is also an Azure AD. The guest user is at High risk. Microsoft doesn’t allow High risk users to access its resources. All High risk users (employees or guests / vendors) must remediate / close their risk to access Microsoft resources. For guest users, this user risk comes from the home tenant and the policy comes from the resource tenant (Microsoft in this case).
+ 
+**Secure solutions:**
+
+* MFA registered guest users remediate their own user risk. This can be done by the guest user performing a secured password change or reset (https://aka.ms/sspr) at their home tenant (this needs MFA and SSPR at the home tenant). The secured password change or reset must be initiated on Azure AD and not on-prem.
+
+* Guest users have their admins remediate their risk. In this case, the admin will perform a password reset (temporary password generation). This does not need Identity Protection. The guest user’s admin can go to https://aka.ms/RiskyUsers and click on ‘Reset password’.
+
+* Guest users have their admins close / dismiss their risk. Again, this does not need Identity Protection. The admin can go to https://aka.ms/RiskyUsers and click on ‘Dismiss user risk’. However, the admin must do the due diligence to ensure this was a false positive risk assessment before closing the user risk. Otherwise, they are putting their and Microsoft’s resources at risk by suppressing a risk assessment without investigation.
+
 > [!NOTE]
 > If you have any issues with access, contact the [Azure AD SSO Integration Team](<mailto:[email protected]>).
 
@@ -76,6 +100,7 @@ To list an application in the Azure AD app gallery, you first need to implement
   ![Listing a SAML 2.0 or WS-Fed application in the gallery](./media/howto-app-gallery-listing/saml.png)
 
   * If you want to add your application to list in the gallery by using **SAML 2.0** or **WS-Fed**, select **SAML 2.0/WS-Fed** as shown.
+
   * If you have any issues with access, contact the [Azure AD SSO Integration Team](<mailto:[email protected]>).
 
 ## Implement SSO by using the password SSO

articles/active-directory/develop/media/howto-app-gallery-listing/blocked.png

@@ -287,28 +287,36 @@ If legacy authentication is widely used in your environment, you should plan to
 
 ### Consent grants
 
-In an illicit consent grant attack, the attacker creates an Azure AD-registered application that requests access to data such as contact information, email, or documents. Users might be granting consent to malicious applications via phishing attacks, or indirectly by not being careful when landing on malicious websites.
+In an illicit consent grant attack, the attacker creates an Azure AD-registered application that requests access to data such as contact information, email, or documents. Users might be granting consent to malicious applications via phishing attacks when landing on malicious websites.
 
-Below are the permissions you might want to scrutinize for Microsoft cloud services:
+Below are a list of apps with permissions you might want to scrutinize for Microsoft cloud services:
 
-- Applications with app or delegated \*.ReadWrite Permissions
-- Applications with delegated permissions can read, send, or manage email on behalf of the user
-- Applications that are granted the using the following permissions:
+- Apps with app or delegated \*.ReadWrite Permissions
+- Apps with delegated permissions can read, send, or manage email on behalf of the user
+- Apps that are granted the using the following permissions:
 
 | Resource | Permission |
-| -------------------------- | -------------------- |
+| :- | :- |
 | Office 365 Exchange Online | EAS.AccessAsUser.All |
 | | EWS.AccessAsUser.All |
 | | Mail.Read |
 | Microsoft Graph | Mail.Read |
 | | Mail.Read.Shared |
 | | Mail.ReadWrite |
 
-To avoid this scenario, you should refer to [Detect and Remediate Illicit Consent Grants in Office 365](https://docs.microsoft.com/office365/securitycompliance/detect-and-remediate-illicit-consent-grants) to identify and fix any applications with illicit grants or applications that have more grants than are necessary. Schedule regular reviews of app permissions and remove them when not needed; or remove self-service altogether and establish governance procedures.
+- Apps granted full user impersonation of the signed-in user. For example:
+
+|Resource | Permission |
+| :- | :- |
+| Azure AD Graph | Directory.AccessAsUser.All |
+| Microsoft Graph | Directory.AccessAsUser.All |
+| Azure REST API | user_impersonation |
+
+To avoid this scenario, you should refer to [detect and remediate illicit consent grants in Office 365](https://docs.microsoft.com/office365/securitycompliance/detect-and-remediate-illicit-consent-grants) to identify and fix any applications with illicit grants or applications that have more grants than are necessary. Next, [remove self-service altogether](https://docs.microsoft.com/azure/active-directory/manage-apps/configure-user-consent) and [establish governance procedures](https://docs.microsoft.com/azure/active-directory/manage-apps/configure-admin-consent-workflow). Finally, schedule regular reviews of app permissions and remove them when they are not needed.
 
 #### Consent grants recommended reading
 
-- [Azure Active Directory (AD) Graph API Permission Scopes](https://msdn.microsoft.com/library/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes)
+- [Microsoft Graph permissions](https://docs.microsoft.com/graph/permissions-reference)
 
 ### User and group settings
 

articles/active-directory/fundamentals/active-directory-ops-guide-auth.md

@@ -135,7 +135,7 @@ The SCIM RFC defines a core user and group schema, while also allowing for exten
    1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com), select **Enterprise Applications**, select your application, and then select **Provisioning**.
    2. Under **Mappings**, select the object (user or group) for which you'd like to add a custom attribute.
    3. At the bottom of the page, select **Show advanced options**.
-   4. Select **Edit attribute list for *application*.
+   4. Select **Edit attribute list for AppName*.
    5. At the bottom of the attribute list, enter information about the custom attribute in the fields provided. Then select **Add Attribute**.
 
 For SCIM applications, the attribute name must follow the pattern shown in the example below. The "CustomExtensionName" and "CustomAttribute" can be customized per your application's requirements, for example:  urn:ietf:params:scim:schemas:extension:2.0:CustomExtensionName:CustomAttribute

articles/active-directory/manage-apps/customize-application-attributes.md

@@ -141,7 +141,7 @@ The ASP.NET runtime merges the contents of the external file with the markup in
 
             // Connection refers to a property that returns a ConnectionMultiplexer
             // as shown in the previous example.
-            IDatabase cache = lazyConnection.Value.GetDatabase();
+            IDatabase cache = lazyConnection.GetDatabase();
 
             // Perform cache operations using the cache object...
 
@@ -164,7 +164,7 @@ The ASP.NET runtime merges the contents of the external file with the markup in
             ViewBag.command5 = "CLIENT LIST";
             ViewBag.command5Result = cache.Execute("CLIENT", "LIST").ToString().Replace(" id=", "\rid=");
 
-            lazyConnection.Value.Dispose();
+            lazyConnection.Dispose();
 
             return View();
         }

articles/azure-cache-for-redis/cache-web-app-howto.md

@@ -113,7 +113,7 @@ mvn azure-functions:run
 ```
 
 > [!NOTE]  
-> Because you enabled extension bundles in the host.json, the [Storage binding extension](functions-bindings-storage-blob.md#packages---functions-2x) was downloaded and installed for you during startup, along with the other Microsoft binding extensions.
+> Because you enabled extension bundles in the host.json, the [Storage binding extension](functions-bindings-storage-blob.md#packages---functions-2x-and-higher) was downloaded and installed for you during startup, along with the other Microsoft binding extensions.
 
 As before, trigger the function from the command line using cURL in a new terminal window:
 

articles/azure-functions/functions-add-output-binding-storage-queue-java.md

@@ -50,7 +50,7 @@ func host start
 ```
 
 > [!NOTE]  
-> Because you enabled extension bundles in the host.json, the [Storage binding extension](functions-bindings-storage-blob.md#packages---functions-2x) was downloaded and installed for you during startup, along with the other Microsoft binding extensions.
+> Because you enabled extension bundles in the host.json, the [Storage binding extension](functions-bindings-storage-blob.md#packages---functions-2x-and-higher) was downloaded and installed for you during startup, along with the other Microsoft binding extensions.
 
 Copy the URL of your `HttpTrigger` function from the runtime output and paste it into your browser's address bar. Append the query string `?name=<yourname>` to this URL and run the request. You should see the same response in the browser as you did in the previous article.
 

articles/azure-functions/functions-add-output-binding-storage-queue-python.md

@@ -17,7 +17,7 @@ ms.custom: seodec18
 This article explains how to work with [Azure Cosmos DB](../cosmos-db/serverless-computing-database.md) bindings in Azure Functions. Azure Functions supports trigger, input, and output bindings for Azure Cosmos DB.
 
 > [!NOTE]
-> This article is for Azure Functions 1.x. For information about how to use these bindings in Functions 2.x, see [Azure Cosmos DB bindings for Azure Functions 2.x](functions-bindings-cosmosdb-v2.md).
+> This article is for Azure Functions 1.x. For information about how to use these bindings in Functions 2.x and higher, see [Azure Cosmos DB bindings for Azure Functions 2.x](functions-bindings-cosmosdb-v2.md).
 >
 >This binding was originally named DocumentDB. In Functions version 1.x, only the trigger was renamed Cosmos DB; the input binding, output binding, and NuGet package retain the DocumentDB name.
 

articles/azure-functions/functions-bindings-cosmosdb.md

@@ -20,7 +20,7 @@ If you prefer, you can use an HTTP trigger to handle Event Grid Events; see [Use
 
 [!INCLUDE [intro](../../includes/functions-bindings-intro.md)]
 
-## Packages - Functions 2.x
+## Packages - Functions 2.x and higher
 
 The Event Grid trigger is provided in the [Microsoft.Azure.WebJobs.Extensions.EventGrid](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.EventGrid) NuGet package, version 2.x. Source code for the package is in the [azure-functions-eventgrid-extension](https://github.com/Azure/azure-functions-eventgrid-extension/tree/v2.x) GitHub repository.
 
@@ -44,9 +44,9 @@ See the language-specific example for an Event Grid trigger:
 
 For an HTTP trigger example, see [How to use HTTP trigger](#use-an-http-trigger-as-an-event-grid-trigger) later in this article.
 
-### C# (2.x)
+### C# (2.x and higher)
 
-The following example shows a Functions 2.x [C# function](functions-dotnet-class-library.md) that binds to `EventGridEvent`:
+The following example shows a [C# function](functions-dotnet-class-library.md) that binds to `EventGridEvent`:
 
 ```cs
 using Microsoft.Azure.EventGrid.Models;
@@ -114,9 +114,9 @@ Here's the binding data in the *function.json* file:
 }
 ```
 
-#### C# script (Version 2.x)
+#### C# script (Version 2.x and higher)
 
-Here's Functions 2.x C# script code that binds to `EventGridEvent`:
+Here's an example that binds to `EventGridEvent`:
 
 ```csharp
 #r "Microsoft.Azure.EventGrid"
@@ -322,7 +322,7 @@ For C# and F# functions in Azure Functions 1.x, you can use the following parame
 * `JObject`
 * `string`
 
-For C# and F# functions in Azure Functions 2.x, you also have the option to use the following parameter type for the Event Grid trigger:
+For C# and F# functions in Azure Functions 2.x and higher, you also have the option to use the following parameter type for the Event Grid trigger:
 
 * `Microsoft.Azure.EventGrid.Models.EventGridEvent`- Defines properties for the fields common to all event types.
 
@@ -391,7 +391,7 @@ To create a subscription by using [the Azure CLI](https://docs.microsoft.com/cli
 
 The command requires the endpoint URL that invokes the function. The following example shows the version-specific URL pattern:
 
-#### Version 2.x runtime
+#### Version 2.x (and higher) runtime
 
     https://{functionappname}.azurewebsites.net/runtime/webhooks/eventgrid?functionName={functionname}&code={systemkey}
 
@@ -403,7 +403,7 @@ The system key is an authorization key that has to be included in the endpoint U
 
 Here's an example that subscribes to a blob storage account (with a placeholder for the system key):
 
-#### Version 2.x runtime
+#### Version 2.x (and higher) runtime
 
 ```azurecli
 az eventgrid resource event-subscription create -g myResourceGroup \
@@ -431,7 +431,7 @@ For more information about how to create a subscription, see [the blob storage q
 
 You can get the system key by using the following API (HTTP GET):
 
-#### Version 2.x runtime
+#### Version 2.x (and higher) runtime
 
 ```
 http://{functionappname}.azurewebsites.net/admin/host/systemkeys/eventgrid_extension?code={masterkey}
@@ -519,7 +519,7 @@ Use a tool such as [Postman](https://www.getpostman.com/) or [curl](https://curl
 * Set an `aeg-event-type: Notification` header.
 * Paste the RequestBin data into the request body.
 * Post to the URL of your Event Grid trigger function.
-  * For 2.x use the following pattern:
+  * For 2.x and higher use the following pattern:
 
     ```
     http://localhost:7071/runtime/webhooks/eventgrid?functionName={FUNCTION_NAME}
@@ -588,7 +588,7 @@ The ngrok URL doesn't get special handling by Event Grid, so your function must
 
 Create an Event Grid subscription of the type you want to test, and give it your ngrok endpoint.
 
-Use this endpoint pattern for Functions 2.x:
+Use this endpoint pattern for Functions 2.x and higher:
 
 ```
 https://{SUBDOMAIN}.ngrok.io/runtime/webhooks/eventgrid?functionName={FUNCTION_NAME}