Commit 1021739

Merge branch 'master' of https://github.com/microsoftdocs/azure-docs-pr into master90
2 parents 58c5b18 + c3c4a5d commit 1021739

289 files changed

+5872
-1764
lines changed

articles/active-directory-b2c/active-directory-b2c-apps.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -128,12 +128,12 @@ This chained web API scenario can be supported by using the OAuth 2.0 JWT bearer
128128

129129
Do not edit Azure AD B2C applications in these ways:
130130

131-
- On other application management portals such as the [Application Registration Portal](https://apps.dev.microsoft.com/).
131+
- On other application management portals such as the [Application Registration Portal](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade).
132132
- Using Graph API or PowerShell.
133133

134134
If you edit the Azure AD B2C application outside of the Azure portal, it becomes a faulted application and is no longer usable with Azure AD B2C. Delete the application and create it again.
135135

136-
To delete the application, go to the [Application Registration Portal](https://apps.dev.microsoft.com/) and delete the application there. In order for the application to be visible, you need to be the owner of the application (and not just an admin of the tenant).
136+
To delete the application, go to the [Application Registration Portal](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) and delete the application there. In order for the application to be visible, you need to be the owner of the application (and not just an admin of the tenant).
137137

138138
## Next steps
139139
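Review bot: The link text on lines 131+ and 136+ still reads "Application Registration Portal", which is the name of the apps.dev.microsoft.com site being removed, while the new target is the App registrations blade of the Azure portal; rename the link text to match, for example "[App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade)". The fragment-based deep link is also fragile if the blade is renamed, so consider pointing at the portal and describing the navigation instead. Line 136+ also keeps the statement that a faulted application is only visible to its owner and not to a tenant admin; since the page tells readers to delete such applications, it should say what a tenant admin can do when the owner is unavailable, or state plainly that they cannot see it.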

articles/active-directory-b2c/active-directory-b2c-reference-audit-logs.md

Lines changed: 4 additions & 3 deletions
@@ -88,12 +88,13 @@ To allow script- or application-based access to the Azure AD reporting API, you
8888
* Microsoft Graph
8989
* Application: Read all audit log data
9090

91-
You can enable these permissions on an existing application registration within your B2C tenant, or create a new one specifically for use with audit log automation.
91+
You can enable these permissions on an existing Azure Active Directory application registration within your B2C tenant, or create a new one specifically for use with audit log automation.
9292

9393
To create a new application, assign the required API permissions, and create a client secret, perform the following steps:
9494

95-
1. Register application
96-
1. Sign in to the [Azure portal](https://portal.azure.com), switch to the directory that contains your Azure AD B2C tenant, and then browse to **Azure AD B2C**.
95+
1. Register application in Azure Active Directory
96+
1. Sign in to the [Azure portal](https://portal.azure.com) and switch to the directory that contains your Azure AD B2C tenant.
97+
1. Select **Azure Active Directory** (*not* Azure AD B2C) from the left menu. Or, select **All services**, then search for and select **Azure Active Directory**.
9798
1. Under **Manage** in the left menu, select **App registrations (Legacy)**.
9899
1. Select **New application registration**
99100
1. Enter a name for the application. For example, *Audit Log App*.

articles/active-directory/b2b/add-users-administrator.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
1919

2020
# Add Azure Active Directory B2B collaboration users in the Azure portal
2121

22-
As a user who is assigned any of the limited administrator directory roles, you can use the Azure portal to invite B2B collaboration users. You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of *Guest*. The guest user must then redeem their invitation to access resources.
22+
As a user who is assigned any of the limited administrator directory roles, you can use the Azure portal to invite B2B collaboration users. You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of *Guest*. The guest user must then redeem their invitation to access resources. An invitation of a user does not expire.
2323

2424
After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can click the redemption URL in the invitation email. For more information about the redemption process, see [B2B collaboration invitation redemption](redemption-experience.md).
2525
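Review bot: The sentence added at the end of line 22+, "An invitation of a user does not expire.", is grammatically awkward and is appended to a paragraph about something else; rephrase it as "A B2B invitation does not expire." and, because a non-expiring invitation is a standing access grant until it is redeemed, either say what an administrator can do about unredeemed invitations (for example, remove the guest account) or move the statement next to the redemption discussion on line 24, where a reader looking for that information will find it.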

articles/active-directory/develop/howto-app-gallery-listing.md

Lines changed: 1 addition & 6 deletions
@@ -14,7 +14,7 @@ ms.devlang: na
1414
ms.topic: conceptual
1515
ms.tgt_pltfrm: na
1616
ms.workload: identity
17-
ms.date: 09/06/2019
17+
ms.date: 09/16/2019
1818
ms.author: ryanwi
1919
ms.reviewer: elisol, bryanla
2020
ms.custom: aaddev, seoapril2019
@@ -45,13 +45,8 @@ This article shows how to list an application in the Azure AD application galler
4545

4646
- For password SSO, please ensure that your application supports form authentication so that password vaulting can be done to get single sign-on work as expected.
4747

48-
- For automatic user-provisioning requests, application should be listed in the gallery with single sign-on feature enabled using SAML 2.0/WS-Fed. You can request for SSO and User provisioning together on the portal, if it's not already listed.
49-
5048
- Need a permanent account for testing with atleast 2 users registered.
5149

52-
> [!NOTE]
53-
> We are running with high number of SCIM connector requests, so we have stopped taking new requests on our portal. Please hold on your requests until further notice. We apologize for this delay and any inconvenience this may have caused.
54-
5550
## Submit the request in the portal
5651

5752
After you've tested that your application integration works with Azure AD, submit your request for access on our [Application Network Portal](https://microsoft.sharepoint.com/teams/apponboarding/Apps). If you have an Office 365 account, use that to sign in to this portal. If not, use your Microsoft account (such as Outlook or Hotmail) to sign in.
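Review bot: Removing the provisioning bullet (old line 48) together with the SCIM pause note (old lines 52-54) drops the only prerequisite that described provisioning requests; if the intent is a temporary pause, keep the requirement that the app be listed with SAML 2.0/WS-Fed SSO enabled before provisioning is requested and remove only the note, otherwise readers will have no guidance once requests reopen. Also fix the context line "atleast 2 users" to "at least 2 users" while this list is being edited.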

articles/active-directory/develop/scenario-web-app-sign-user-overview.md

Lines changed: 1 addition & 1 deletion
@@ -52,7 +52,7 @@ As a second phase you can also enable your application to call Web APIs on behal
5252
5353
## Specifics
5454

55-
- During the application registration, you'll need to provide one, or several (if you deploy your app to several locations) Reply URIs. In some cases (ASP.NET/ASP.NET Core), you'll need to enable the IDToken. Finally you'll want to set up a sign-out URI so that your application reacts to users signing-out.
55+
- During the application registration, you'll need to provide one, or several (if you deploy your app to several locations) Reply URIs. In some cases (ASP.NET/ASP.NET Core), you'll need to enable the ID token. Finally you'll want to set up a sign-out URI so that your application reacts to users signing-out.
5656
- In the code for your application, you'll need to provide the authority to which you web app delegates sign-in. You might want to customize token validation (in particular in ISV scenarios).
5757
- Web applications support any account types. For more info, see [Supported account types](v2-supported-account-types.md).
5858
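Review bot: Line 56 in the same list still reads "the authority to which you web app delegates sign-in", which should be "your web app", and "For more info" on line 57 should be "For more information" to match the rest of the page; fix both while this list is being touched. The sentence on line 55+ would also read more naturally as "one or several Reply URIs (several if you deploy your app to several locations)", and "signing-out" should be "signing out".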

articles/active-directory/governance/entitlement-management-delegate.md

Lines changed: 10 additions & 2 deletions
@@ -68,7 +68,7 @@ Entitlement management has the following roles that are specific to entitlement
6868

6969
| Role | Description |
7070
| --- | --- |
71-
| Catalog creator | Create and manage catalogs. Typically an IT administrator who is not a Global administrator, or a resource owner for a collection of resources. The person that creates a catalog automatically becomes the catalog's first catalog owner, and can add additional catalog owners. |
71+
| Catalog creator | Create and manage catalogs. Typically an IT administrator who is not a Global administrator, or a resource owner for a collection of resources. The person that creates a catalog automatically becomes the catalog's first catalog owner, and can add additional catalog owners. A catalog creator can’t manage or see catalogs that they don’t own and can’t add resources they don’t own to a catalog. If the catalog creator needs to manage another catalog or add resources they don’t own, they can request to be a co-owner of that catalog or resource. |
7272
| Catalog owner | Edit and manage existing catalogs. Typically an IT administrator or resource owners, or a user who the catalog owner has designated. |
7373
| Access package manager | Edit and manage all existing access packages within a catalog. |
7474
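Review bot: The text added to line 71+ uses curly apostrophes (can’t, don’t) where the surrounding rows use none; use straight apostrophes or spell out "cannot" and "do not" to match the table. The sentences correctly describe the permission boundary of the Catalog creator role, but "can request to be a co-owner of that catalog or resource" should say whom the request goes to (a catalog owner or the resource owner) so the reader knows the approval path.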

@@ -138,7 +138,15 @@ If you want to delegate catalog creation, you add users to the catalog creator r
138138

139139
## Add a catalog owner or an access package manager
140140

141-
If you want to delegate management of a catalog or access packages in the catalog, you add users to the catalog owner or access package manager roles. Whoever creates a catalog becomes the first catalog owner. Follow these steps to assign a user to the catalog owner or access package manager role.
141+
To delegate management of a catalog or access packages in the catalog, you add users to the catalog owner or access package manager roles. Whoever creates a catalog becomes the first catalog owner.
142+
143+
The assigned catalog owner or access package manager must be familiar with the project. The catalog creator should create the access package if involved in the day to day operations of the project, and they know the following information:
144+
- what resources are needed
145+
- who will need access
146+
- who needs to approve access
147+
- how long the project will last
148+
149+
The catalog creator should delegate the task to the project lead, who will create and manage the access package, if not involved in the day to day operations of the project. Follow these steps to assign a user to the catalog owner or access package manager role:
142150

143151
**Prerequisite role:** Global administrator, User administrator or Catalog owner
144152
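Review bot: The two guidance paragraphs on lines 143+ and 149+ place their condition at the end ("...if involved in the day to day operations" and "...if not involved in the day to day operations"), so each sentence reads as an unconditional statement until its last clause; lead with the condition instead, for example "If the catalog creator is involved in the day-to-day operations of the project and knows the following, they should create the access package themselves:" and "If not, the catalog creator should delegate the task to the project lead, who will create and manage the access package." Hyphenate "day-to-day" in both places, and keep the closing "Follow these steps..." sentence as its own paragraph so it applies to both cases rather than only to the delegation one.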

articles/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation.md

Lines changed: 1 addition & 1 deletion
@@ -167,7 +167,7 @@ The outbound synchronization rule permits the attribute value to flow from the m
167167
| sourceObjectType | EQUAL | User |
168168
| cloudMastered | NOTEQUAL | True |
169169

170-
Scoping filter determines which Azure AD objects this outbound synchronization rule is applied to. In this example, we use the same scoping filter from “Out to AD – User Identity” OOB (out-of-box) synchronization rule. It prevents the synchronization rule from being applied to **User** objects that are not synchronized from on-premises Active Directory. You might need to tweak the scoping filter according to your Azure AD Connect deployment.
170+
Scoping filter determines which Azure AD objects this outbound synchronization rule is applied to. In this example, we use the same scoping filter from “Out to Azure AD – User Identity” OOB (out-of-box) synchronization rule. It prevents the synchronization rule from being applied to **User** objects that are not synchronized from on-premises Active Directory. You might need to tweak the scoping filter according to your Azure AD Connect deployment.
171171

172172
6. Go to the **Transformation** tab, and implement the following transformation rule:
173173
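Review bot: The rename to "Out to Azure AD – User Identity" on line 170+ is consistent with this being an outbound rule, but the sentence still opens with "Scoping filter determines", which needs an article ("The scoping filter determines"), and "from “Out to Azure AD – User Identity” OOB (out-of-box) synchronization rule" should read "from the “Out to Azure AD – User Identity” out-of-box synchronization rule". Both are in the line being edited, so fix them here.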

articles/active-directory/manage-apps/application-provisioning-config-problem-no-users-provisioned.md

Lines changed: 10 additions & 10 deletions
@@ -12,9 +12,9 @@ ms.workload: identity
1212
ms.tgt_pltfrm: na
1313
ms.devlang: na
1414
ms.topic: conceptual
15-
ms.date: 09/20/2018
15+
ms.date: 09/03/2019
1616
ms.author: mimart
17-
ms.reviewer: asteen
17+
ms.reviewer: arvinh
1818
ms.collection: M365-identity-device-management
1919
---
2020

@@ -25,29 +25,29 @@ After automatic provisioning has been configured for an application (including v
2525
- Whether or not **attribute mappings** are enabled, and configured to sync valid attributes from Azure AD to the app. For more information on attribute mappings, see [Customizing User Provisioning Attribute Mappings for SaaS Applications in Azure Active Directory](customize-application-attributes.md).
2626
- Whether or not there is a **scoping filter** present that is filtering users based on specific attribute values. For more information on scoping filters, see [Attribute-based application provisioning with scoping filters](define-conditional-rules-for-provisioning-user-accounts.md).
2727

28-
If you observe that users are not being provisioned, consult the Audit logs in Azure AD. Search for log entries for a specific user.
28+
If you observe that users are not being provisioned, consult the [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) in Azure AD. Search for log entries for a specific user.
2929

30-
The provisioning audit logs can be accessed in the Azure portal, in the **Azure Active Directory > Enterprise Apps > \[Application Name\] > Audit Logs** tab. Filter the logs on the **Account Provisioning** category to only see the provisioning events for that app. You can search for users based on the “matching ID” that was configured for them in the attribute mappings. For example, if you configured the “user principal name” or “email address” as the matching attribute on the Azure AD side, and the user not being provisioning has a value of “[email protected]”, then search the audit logs for “[email protected]” and review the entries returned.
30+
You can access the provisioning logs in the Azure portal by selecting **Azure Active Directory** > **Enterprise Apps** > **Provisioning logs (preview)** in the **Activity** section. You can search the provisioning data based on the name of the user or the identifier in either the source system or the target system. For details, see [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).
3131

32-
The provisioning audit logs record all the operations performed by the provisioning service, including querying Azure AD for assigned users that are in scope for provisioning, querying the target app for the existence of those users, comparing the user objects between the system. Then add, update, or disable the user account in the target system based on the comparison.
32+
The provisioning logs record all the operations performed by the provisioning service, including querying Azure AD for assigned users that are in scope for provisioning, querying the target app for the existence of those users, comparing the user objects between the system. Then add, update, or disable the user account in the target system based on the comparison.
3333

3434
## General Problem Areas with Provisioning to consider
3535
Below is a list of the general problem areas that you can drill into if you have an idea of where to start.
3636

3737
- [Provisioning service does not appear to start](#provisioning-service-does-not-appear-to-start)
38-
- [Audit logs say users are skipped and not provisioned, even though they are assigned](#audit-logs-say-users-are-skipped-and-not-provisioned-even-though-they-are-assigned)
38+
- [Provisioning logs say users are skipped and not provisioned, even though they are assigned](#provisioning-logs-say-users-are-skipped-and-not-provisioned-even-though-they-are-assigned)
3939

4040
## Provisioning service does not appear to start
41-
If you set the **Provisioning Status** to be **On** in the **Azure Active Directory > Enterprise Apps > \[Application Name\] >Provisioning** section of the Azure portal. However no other status details are shown on that page after subsequent reloads, it is likely that the service is running but has not completed an initial synchronization yet. Check the **Audit logs** described above to determine what operations the service is performing, and if there are any errors.
41+
If you set the **Provisioning Status** to be **On** in the **Azure Active Directory > Enterprise Apps > \[Application Name\] >Provisioning** section of the Azure portal. However no other status details are shown on that page after subsequent reloads, it is likely that the service is running but has not completed an initial cycle yet. Check the **Provisioning logs (preview)** described above to determine what operations the service is performing, and if there are any errors.
4242

4343
>[!NOTE]
44-
>An initial sync can take anywhere from 20 minutes to several hours, depending on the size of the Azure AD directory and the number of users in scope for provisioning. Subsequent syncs after the initial sync are faster, as the provisioning service stores watermarks that represent the state of both systems after the initial sync. The initial sync improves performance of subsequent syncs.
44+
>An initial cycle can take anywhere from 20 minutes to several hours, depending on the size of the Azure AD directory and the number of users in scope for provisioning. Subsequent syncs after the initial cycle are faster, as the provisioning service stores watermarks that represent the state of both systems after the initial cycle. The initial cycle improves performance of subsequent syncs.
4545
>
4646
4747

48-
## Audit logs say users are skipped and not provisioned even though they are assigned
48+
## Provisioning logs say users are skipped and not provisioned even though they are assigned
4949

50-
When a user shows up as “skipped” in the audit logs, it is important to read the extended details in the log message to determine the reason. Below are common reasons and resolutions:
50+
When a user shows up as “skipped” in the provisioning logs, it is important to review the **Steps** tab of the log to determine the reason. Below are common reasons and resolutions:
5151

5252
- **A scoping filter has been configured** **that is filtering the user out based on an attribute value**. For more information on scoping filters, see [scoping filters](define-conditional-rules-for-provisioning-user-accounts.md).
5353
- **The user is “not effectively entitled”.** If you see this specific error message, it is because there is a problem with the user assignment record stored in Azure AD. To fix this issue, unassign the user (or group) from the app, and reassign it again. For more information on assignment, see [Assign user or group access](assign-user-or-group-access-portal.md).
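Review bot: The audit-log to provisioning-log rename is applied unevenly within this hunk: line 41+ and the note on line 44+ switch to "initial cycle" but the same note still says "Subsequent syncs" twice, and line 32+ keeps the sentence fragment "comparing the user objects between the system. Then add, update, or disable the user account...", which should read "comparing the user objects between the two systems, and then adding, updating, or disabling the user account in the target system based on the comparison." Line 41+ is likewise a fragment; join it as "If you set the **Provisioning Status** to **On** in the ... **Provisioning** section of the Azure portal but no other status details are shown on that page after subsequent reloads, it is likely that the service is running but has not completed an initial cycle yet." The stray ">" line that follows the note (line 45) is an empty blockquote line and can be dropped.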
