
Commit 0f2958f

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into release-marmalade
2 parents 380fa10 + 259002c commit 0f2958f


161 files changed

+2081
-2343
lines changed


.openpublishing.redirection.json

Lines changed: 14 additions & 2 deletions
@@ -20,7 +20,7 @@
2020
"redirect_url": "/previous-versions/azure/virtual-network/virtual-networks-create-vnet-classic-cli",
2121
"redirect_document_id": false
2222
},
23-
23+
2424
{
2525
"source_path": "articles/virtual-network/virtual-networks-specifying-a-dns-settings-in-a-virtual-network-configuration-file.md",
2626
"redirect_url": "/previous-versions/azure/virtual-network/virtual-networks-specifying-a-dns-settings-in-a-virtual-network-configuration-file",
@@ -727,6 +727,13 @@
727727
"redirect_url": "/azure/cognitive-services/personalizer/how-to-manage-model",
728728
"redirect_document_id": false
729729
},
730+
731+
{
732+
"source_path": "articles/cognitive-services/LUIS/luis-migration-api-authoring.md",
733+
"redirect_url": "/azure/cognitive-services/LUIS/luis-migration-authoring-entities",
734+
"redirect_document_id": false
735+
},
736+
730737
{
731738
"source_path": "articles/cognitive-services/LUIS/luis-resources-faq.md",
732739
"redirect_url": "/azure/cognitive-services/LUIS/troubleshooting",
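Review bot: the new entry at 731-735 sends articles/cognitive-services/LUIS/luis-migration-api-authoring.md to /azure/cognitive-services/LUIS/luis-migration-authoring-entities, which is a different topic rather than a rename, so `"redirect_document_id": false` is the right choice; confirm the target slug is already published so the redirect does not land on a 404, and note that the entry keeps the same key order and trailing-comma placement as its neighbours.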
@@ -5291,7 +5298,7 @@
52915298
"source_path": "articles/event-grid/event-sources.md",
52925299
"redirect_url": "/azure/event-grid/overview#event-sources",
52935300
"redirect_document_id": false
5294-
},
5301+
},
52955302
{
52965303
"source_path": "articles/event-grid/event-subscription-template.md",
52975304
"redirect_url": "/azure/event-grid/template-samples",
@@ -51229,6 +51236,11 @@
5122951236
"source_path": "articles/media-services/previous/media-services-configure-tricaster-live-encoder.md",
5123051237
"redirect_url": "/azure/media-services",
5123151238
"redirect_document_id": false
51239+
},
51240+
{
51241+
"source_path": "articles/aks/kubernetes-draft.md",
51242+
"redirect_url": "/azure/aks/quickstart-helm",
51243+
"redirect_document_id": false
5123251244
}
5123351245
]
5123451246
}
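Review bot: the inserted aks/kubernetes-draft.md entry becomes the last object in the array and the hunk keeps the original closing `}` (51232/51244) with no trailing comma, so the JSON stays valid; the retired Draft article is sent to /azure/aks/quickstart-helm with `"redirect_document_id": false`, which is appropriate because the Helm quickstart is a replacement, not the same document.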

articles/active-directory/authentication/howto-authentication-sms-signin.md

Lines changed: 4 additions & 1 deletion
@@ -38,7 +38,8 @@ To complete this article, you need the following resources and privileges:
3838
* You need *global administrator* privileges in your Azure AD tenant to enable SMS-based authentication.
3939
* Each user that's enabled in the text message authentication method policy must be licensed, even if they don't use it. Each enabled user must have one of the following Azure AD or Microsoft 365 licenses:
4040
* [Azure AD Premium P1 or P2][azuread-licensing]
41-
* [Microsoft 365 F1 or F3][m365-firstline-workers-licensing]
41+
* [Microsoft 365 (M365) F1 or F3][m365-firstline-workers-licensing]
42+
* [Enterprise Mobility + Security (EMS) E3 or E5][ems-licensing] or [Microsoft 365 (M365) E3 or E5][m365-licensing]
4243

4344
## Limitations
4445

@@ -159,3 +160,5 @@ For additional ways to sign in to Azure AD without a password, such as the Micro
159160
[office]: https://www.office.com
160161
[m365-firstline-workers-licensing]: https://www.microsoft.com/licensing/news/m365-firstline-workers
161162
[azuread-licensing]: https://azure.microsoft.com/pricing/details/active-directory/
163+
[ems-licensing]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing
164+
[m365-licensing]: https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans
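Review bot: the two new reference-link definitions `[ems-licensing]` and `[m365-licensing]` resolve the labels introduced in the first hunk of this file (line 42 there), so the new licence bullet renders as links; keep the two hunks together if this change is ever cherry-picked, because either label without its definition renders as literal bracketed text. Minor style point from the first hunk: both Microsoft 365 bullets now carry the "(M365)" parenthetical while the Azure AD Premium bullet above has none, so pick one convention.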
Lines changed: 93 additions & 0 deletions
@@ -0,0 +1,93 @@
1+
---
2+
title: Continuous access evaluation in Azure AD
3+
description: Responding to changes in user state faster with continuous access evaluation in Azure AD
4+
5+
services: active-directory
6+
ms.service: active-directory
7+
ms.subservice: conditional-access
8+
ms.topic: conceptual
9+
ms.date: 04/21/2020
10+
11+
ms.author: joflore
12+
author: MicrosoftGuyJFlo
13+
manager: daveba
14+
ms.reviewer: jlu
15+
16+
ms.collection: M365-identity-device-management
17+
---
18+
# Continuous access evaluation
19+
20+
Microsoft services, like Azure Active Directory (Azure AD) and Office 365, use open standards and protocols to maximize interoperability. One of the most critical ones is Open ID Connect (OIDC). When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, those access tokens are valid for one hour. When they expire, the client is redirected back to Azure AD to refresh them. That also provides an opportunity to reevaluate policies for user access – we might choose not to refresh the token because of a Conditional Access policy, or because the user has been disabled in the directory.
21+
22+
We have heard the overwhelming feedback from our customers: a one-hour lag due to access token lifetime for reapplying Conditional Access policies and changes in user state (for example: disabled due to furlough) is not good enough.
23+
24+
Microsoft has been an early participant in the Continuous Access Evaluation Protocol (CAEP) initiative as part of the [Shared Signals and Events](https://openid.net/wg/sse/) working group at the OpenID Foundation. Identity providers and relying parties will be able to leverage the security events and signals defined by the working group to reauthorize or terminate access. It is exciting work and will improve security across many platforms and applications.
25+
26+
Because the security benefits are so great, we are rolling out a Microsoft-specific initial implementation in parallel to our continued work within the standards bodies. As we work to deploy these continuous access evaluation (CAE) capabilities across Microsoft services, we have learned a lot and are sharing this information with the standards community. We hope our experience in deployment can help inform an even better industry standard and are committed to implementing that standard once ratified, allowing all participating services to benefit.
27+
28+
## How does CAE work in Microsoft services?
29+
30+
We are focusing our initial implementation of continuous access evaluation to Exchange and Teams. We hope to expand support to other Microsoft services in the future. We will start to enable continuous access evaluation only for tenants with no Conditional Access policies. We will use our learnings from this phase of CAE to inform our ongoing rollout of CAE.
31+
32+
## Service side requirements
33+
34+
Continuous access evaluation is implemented by enabling services (resource providers) to subscribe to critical events in Azure AD so that those events can be evaluated and enforced near real time. The following events will be enforced in this initial CAE rollout:
35+
36+
- User Account is deleted or disabled
37+
- Password for a user is changed or reset
38+
- Admin explicitly revokes all refresh tokens for a user
39+
- Elevated user risk detected by Azure AD Identity Protection
40+
41+
In the future we hope to add more events, including events like location and device state changes. **While our goal is for enforcement to be instant, in some cases latency of up to 15 minutes may be observed due to event propagation time**.
42+
43+
## Client-side claim challenge
44+
45+
Before continuous access evaluation, clients would always try to replay the access token from its cache as long as it was not expired. With CAE, we are introducing a new case that a resource provider can reject a token even when it is not expired. In order to inform clients to bypass their cache even though the cached tokens have not expired, we introduce a mechanism called **claim challenge**. CAE requires a client update to understand claim challenge. The latest version of the following applications below support claim challenge:
46+
47+
- Outlook for Windows
48+
- Outlook iOS
49+
- Outlook Android
50+
- Outlook Mac
51+
- Teams for Windows
52+
- Teams iOS
53+
- Teams Android
54+
- Teams Mac
55+
56+
## Token Lifetime
57+
58+
Because risk and policy are evaluated in real time, clients that negotiate continuous access evaluation aware sessions will rely on CAE instead of existing static access token lifetime policies, which means that configurable token lifetime policy will not be honored anymore for CAE-capable clients that negotiate CAE-aware sessions.
59+
60+
We will increase access token lifetime to 24 hours in CAE sessions. Revocation is driven by critical events and policy evaluation, not an arbitrary time period. This change increases the stability of your applications without affecting your security posture.
61+
62+
## Example flows
63+
64+
### User revocation event flow:
65+
66+
![User revocation event flow](./media/concept-fundamentals-continuous-access-evaluation/user-revocation-event-flow.png)
67+
68+
1. A CAE-capable client presents credentials or a refresh token to AAD asking for an access token for some resource.
69+
1. An access token is returned along with other artifacts to the client.
70+
1. An Administrator explicitly [revokes all refresh tokens for the user](https://docs.microsoft.com/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0). A revocation event will be sent to the resource provider from Azure AD.
71+
1. An access token is presented to the resource provider. The resource provider evaluates the validity of the token and checks whether there is any revocation event for the user. The resource provider uses this information to decide to grant access to the resource or not.
72+
1. In this case, the resource provider denies access, and sends a 401+ claim challenge back to the client
73+
1. The CAE-capable client understands the 401+ claim challenge. It bypasses the caches and goes back to step 1, sending its refresh token along with the claim challenge back to Azure AD. Azure AD will then reevaluate all the conditions and prompt the user to reauthenticate in this case.
74+
75+
## FAQs
76+
77+
### What is the lifetime of my Access Token?
78+
79+
If you are not using CAE-capable clients, your default Access Token lifetime will still be 1 hour unless you have configured your Access Token lifetime with the [Configurable Token Lifetime (CTL)](../develop/active-directory-configurable-token-lifetimes.md) preview feature.
80+
81+
If you are using CAE-capable clients that negotiate CAE-aware sessions, your CTL settings for Access Token lifetime will be overwritten and Access Token lifetime will be 24 hours.
82+
83+
### How quick is enforcement?
84+
85+
While our goal is for enforcement to be instant, in some cases latency of up to 15 minutes may be observed due to event propagation time.
86+
87+
### How will CAE work with Sign-in Frequency?
88+
89+
Sign-in Frequency will be honored with or without CAE.
90+
91+
## Next steps
92+
93+
[Announcing continuous access evaluation](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/moving-towards-real-time-policy-and-security-enforcement/ba-p/1276933)
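Review bot: the Token Lifetime section (line 58) and the FAQ (line 81) say CTL settings are overridden for "CAE-capable clients that negotiate CAE-aware sessions", but nothing on the page says how a client negotiates one, so an admin cannot tell from this article which sessions will carry 24-hour tokens and which keep the 1-hour default; add a sentence describing the negotiation or link to the client guidance. The posture claim at line 60 ("without affecting your security posture") holds only for the four events listed at 36-39; since location and device-state changes are explicitly not yet enforced (line 41), qualify it so readers do not assume location-based Conditional Access is re-evaluated inside the 24-hour window. Smaller points: "Open ID Connect" (line 20) should be "OpenID Connect", and the spaced dash in that line should be a plain sentence break; step 1 of the flow (line 68) says "AAD" while the rest of the article uses "Azure AD"; step 5 (line 72) lacks a terminating period; and the 15-minute propagation caveat appears verbatim at lines 41 and 85, acceptable for an FAQ but worth keeping in sync if either is edited.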

articles/active-directory/fundamentals/concept-fundamentals-security-defaults.md

Lines changed: 0 additions & 2 deletions
@@ -90,8 +90,6 @@ It's important to verify the identity of users who want to access Azure Resource
9090

9191
After you enable security defaults in your tenant, any user who's accessing the Azure portal, Azure PowerShell, or the Azure CLI will need to complete additional authentication. This policy applies to all users who are accessing Azure Resource Manager, whether they're an administrator or a user.
9292

93-
If the user isn't registered for Multi-Factor Authentication, the user will be required to register by using the Microsoft Authenticator app in order to proceed. No 14-day Multi-Factor Authentication registration period will be provided.
94-
9593
> [!NOTE]
9694
> Pre-2017 Exchange Online tenants have modern authentication disabled by default. In order to avoid the possibility of a login loop while authenticating through these tenants, you must [enable modern authentication](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online).
9795
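Review bot: deleting lines 93-94 removes the only statement that a user not yet registered for Multi-Factor Authentication must register with the Microsoft Authenticator app before proceeding, and that no 14-day registration grace period applies; if that behaviour still holds, the deletion leaves admins without that expectation, and if it has changed, a replacement sentence stating the new behaviour belongs here rather than a silent removal. The surrounding NOTE about pre-2017 Exchange Online tenants is unaffected.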

articles/active-directory/fundamentals/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -31,6 +31,8 @@
3131
href: concept-fundamentals-block-legacy-authentication.md
3232
- name: Identity secure score
3333
href: identity-secure-score.md
34+
- name: Continuous access evaluation
35+
href: concept-fundamentals-continuous-access-evaluation.md
3436
- name: Groups and users
3537
items:
3638
- name: Groups and access management

articles/active-directory/hybrid/reference-connect-version-history.md

Lines changed: 1 addition & 7 deletions
@@ -8,7 +8,7 @@ ms.assetid: ef2797d7-d440-4a9a-a648-db32ad137494
88
ms.service: active-directory
99
ms.topic: reference
1010
ms.workload: identity
11-
ms.date: 04/20/2020
11+
ms.date: 04/21/2020
1212
ms.subservice: hybrid
1313
ms.author: billmath
1414

@@ -61,12 +61,6 @@ This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filte
6161

6262
> [!IMPORTANT]
6363
> If you have cloned the **In from AD - Group Join** sync rule and have not cloned the **In from AD - Group Common** sync rule and plan to upgrade, complete the following steps as part of the upgrade:
64-
> 1. During Upgrade, on the configure page, uncheck the option **Start the synchronization process when configuration completes**.
65-
> 2. Edit cloned join sync rule and add the following two transformations:
66-
- direct flow `objectGUID` to `sourceAnchorBinary`
67-
- expression flow `ConvertToBase64([objectGUID])` to `sourceAnchor`
68-
> 3. Enable the scheduler using `Set-ADSyncScheduler -SyncCycleEnabled $true`
69-
> If you use mS-DS-ConsistencyGuid as the source anchor, and you have cloned the **In from AD - Group Join** sync rule and plan to upgrade, complete the following steps as part of the upgrade:
7064
> 1. During Upgrade, uncheck the option **Start the synchronization process when configuration completes**.
7165
> 2. Edit the cloned join sync rule and add the following two transformations:
7266
> - Set direct flow `objectGUID` to `sourceAnchorBinary`.
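Review bot: the deleted block (64-69) duplicated the steps kept at 70-72, and its two list items at 66-67 lacked the `>` prefix, which broke the IMPORTANT blockquote, so the removal fixes rendering; however, line 69- also carried the second condition ("If you use mS-DS-ConsistencyGuid as the source anchor, and you have cloned the **In from AD - Group Join** sync rule ..."), and after this change the surviving steps are introduced only by the "cloned Group Join but not Group Common" sentence at 63. If the mS-DS-ConsistencyGuid case still requires the same two transformations, fold that condition into the surviving intro sentence instead of dropping it.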

articles/active-directory/privileged-identity-management/pim-configure.md

Lines changed: 2 additions & 4 deletions
@@ -10,7 +10,7 @@ ms.service: active-directory
1010
ms.workload: identity
1111
ms.subservice: pim
1212
ms.topic: overview
13-
ms.date: 11/08/2019
13+
ms.date: 04/21/2020
1414
ms.author: curtand
1515
ms.custom: pim
1616
ms.collection: M365-identity-device-management
@@ -44,9 +44,7 @@ Once you set up Privileged Identity Management, you'll see **Tasks**, **Manage**
4444

4545
## Who can do what?
4646

47-
If you're the first person to use Privileged Identity Management, you are automatically assigned the [Security Administrator](../users-groups-roles/directory-assign-admin-roles.md#security-administrator) and [Privileged Role Administrator](../users-groups-roles/directory-assign-admin-roles.md#privileged-role-administrator) roles in the directory.
48-
49-
For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator role can manage assignments for other administrators. You can [grant access to other administrators to manage Privileged Identity Management](pim-how-to-give-access-to-pim.md). Global Administrators, Security Administrators, Global readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.
47+
For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged role administrator or Global administrator role can manage assignments for other administrators. You can [grant access to other administrators to manage Privileged Identity Management](pim-how-to-give-access-to-pim.md). Global Administrators, Security Administrators, Global readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.
5048

5149
For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by default have access to view assignments to Azure resource roles in Privileged Identity Management.
5250

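Review bot: the rewritten sentence at 47+ adds Global administrator to the roles that can manage Azure AD role assignments in PIM, but the hunk also removes (47-) the statement that the first person to use PIM is automatically granted the Security Administrator and Privileged Role Administrator roles; if that automatic assignment no longer happens the removal is correct, but if it still does it is a least-privilege-relevant fact that should remain documented somewhere. Style: the same sentence mixes "Privileged role administrator or Global administrator" with "Global Administrators, Security Administrators", so settle on one capitalization for role names.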
articles/active-directory/privileged-identity-management/pim-email-notifications.md

Lines changed: 13 additions & 1 deletion
@@ -11,7 +11,7 @@ ms.tgt_pltfrm: na
1111
ms.devlang: na
1212
ms.topic: conceptual
1313
ms.subservice: pim
14-
ms.date: 01/05/2019
14+
ms.date: 04/21/2020
1515
ms.author: curtand
1616
ms.reviewer: hanki
1717
ms.custom: pim
@@ -72,6 +72,18 @@ The email includes four tiles:
7272

7373
The **Overview of your top roles** section lists the top five roles in your tenant based on total number of permanent and eligible administrators for each role. The **Take action** link opens the [PIM wizard](pim-security-wizard.md) where you can convert permanent administrators to eligible administrators in batches.
7474

75+
## Email timing for activation approvals
76+
77+
When users activates their role and the role setting requires approval, approvers will receive three emails for each approval:
78+
79+
- Request to approve or deny the user's activation request (sent by the request approval engine)
80+
- The user's request is approved (sent by the request approval engine)
81+
- The user's role is activated (sent by Privileged Identity Management)
82+
83+
The first two emails sent by the request approval engine can be delayed. Currently, 90% of emails take three to ten minutes, but for 1% customers it can be much longer, up to fifteen minutes.
84+
85+
If an approval request is approved in the Azure portal before the first email is sent, the first email will no longer be triggered and other approvers won't be notified by email of the approval request. It might appear as if the they didn't get an email but it's the expected behavior.
86+
7587
## PIM emails for Azure resource roles
7688

7789
Privileged Identity Management sends emails to Owners and User Access Administrators when the following events occur for Azure resource roles:
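Review bot: the new section has grammar slips to fix before merge: "When users activates their role" (77) should read "When a user activates their role", "for 1% customers" (83) should be "for 1% of customers", and "as if the they" (85) should be "as if they". The timing claim at 83 also leaves a gap: 90% of emails arrive in three to ten minutes and 1% take up to fifteen, which says nothing about the remaining 9%; either give the full distribution or phrase it as "most emails arrive within three to ten minutes; a small share can take up to fifteen". The behaviour at 85 (an approval granted in the portal before the first email is sent suppresses the notification to the other approvers) deserves a NOTE callout, since it will otherwise be reported as a missing-notification bug.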
