articles/active-directory/authentication/howto-mfa-nps-extension.md
Lines changed: 10 additions & 0 deletions
@@ -204,6 +204,8 @@ You can choose to create this key and set it to FALSE while your users are onboa
204
204
205
205
Look for the self-signed certificate created by the installer in the cert store, and check that the private key has permissions granted to user **NETWORK SERVICE**. The cert has a subject name of **CN \<tenantid\>, OU = Microsoft NPS Extension**
206
206
207
+
Self-signed certificates generated by the *AzureMfaNpsExtnConfigSetup.ps1* script also have a validity lifetime of two years. When verifying that the certificate is installed, you should also check that the certificate has not expired.
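Review bot: The added sentence says the self-signed certificates "also have a validity lifetime of two years", but nothing in the surrounding paragraph states another property that "also" could refer to, and the reader is told to check expiry without being told which certificate or where. Suggest dropping "also" and tying the expiry check to the certificate named in the line above (subject **CN \<tenantid\>, OU = Microsoft NPS Extension**), since an expired certificate is exactly the case this check is meant to catch.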
### Why is authentication not working, despite a valid certificate being present?
267
+
268
+
If your previous computer certificate has expired, and a new certificate has been generated, you should delete any expired certificates. Having expired certificates can cause issues with the NPS Extension starting.
269
+
270
+
To check if you have a valid certificate, check the local Computer Account's Certificate Store using MMC, and ensure the certificate has not passed its expiry date. To generate a newly valid certificate, re-run the steps under the section "[Run the PowerShell script](#run-the-powershell-script)"
271
+
262
272
## Managing the TLS/SSL Protocols and Cipher Suites
263
273
264
274
It is recommended that older and weaker cipher suites be disabled or removed unless required by your organization. Information on how to complete this task can be found in the article [Managing SSL/TLS Protocols and Cipher Suites for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs)
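Review bot: The instruction "you should delete any expired certificates" in the new troubleshooting section is not scoped to the NPS extension certificate, so a reader could remove unrelated expired certificates from the computer store. Suggest naming the certificate to look for (the article describes it earlier as subject **CN \<tenantid\>, OU = Microsoft NPS Extension**), replacing "can cause issues with the NPS Extension starting" with the symptom the reader would actually see, and adding the missing full stop after the "Run the PowerShell script" link.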
|`tenant`| required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). |
66
66
|`client_id`| required | The **Application (client) ID** that the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |
67
67
|`response_type`| required | Must include `code` for the authorization code flow. |
68
-
|`redirect_uri`|recommended| The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be url encoded. For native & mobile apps, you should use the default value of `https://login.microsoftonline.com/common/oauth2/nativeclient`. |
68
+
|`redirect_uri`|required| The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be url encoded. For native & mobile apps, you should use the default value of `https://login.microsoftonline.com/common/oauth2/nativeclient`. |
69
69
|`scope`| required | A space-separated list of [scopes](v2-permissions-and-consent.md) that you want the user to consent to. |
70
70
|`response_mode`| recommended | Specifies the method that should be used to send the resulting token back to your app. Can be one of the following:<br/><br/>- `query`<br/>- `fragment`<br/>- `form_post`<br/><br/>`query` provides the code as a query string parameter on your redirect URI. If you're requesting an ID token using the implicit flow, you cannot use `query` as specified in the [OpenID spec](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations). If you're requesting just the code, you can use `query`, `fragment`, or `form_post`. `form_post` executes a POST containing the code to your redirect URI. For more info, see [OpenID Connect protocol](https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-openid-connect-code). |
71
71
|`state`| recommended | A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for [preventing cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The value can also encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. |
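Review bot: The changed `redirect_uri` row writes the requirement cell as `|required|` with no padding, while the neighbouring rows use `| required |` and `| recommended |`; keep the table source consistent. Since the row now states that the parameter is required and must exactly match a registered value, the description could also read "URL-encoded" rather than "url encoded", and it is worth confirming that the sample request in this section sends `redirect_uri`.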
Access_tokens are short lived, and you must refresh them after they expire to continue accessing resources. You can do so by submitting another `POST` request to the `/token` endpoint, this time providing the `refresh_token` instead of the `code`. Refresh tokens are valid for all permissions that your client has already received consent for - thus, a refresh token issued on a request for `scope=mail.read` can be used to request a new access token for `scope=api://contoso.com/api/UseResource`.
242
242
243
-
Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. Your application needs to expect and handle [errors returned by the token issuance endpoint](#error-codes-for-token-endpoint-errors) correctly. Note that refresh tokens are not revoked when used to acquire new access tokens.
243
+
Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. Your application needs to expect and handle [errors returned by the token issuance endpoint](#error-codes-for-token-endpoint-errors) correctly.
244
+
245
+
Although refresh tokens are not revoked when used to acquire new access tokens, you are expected to discard the old refresh token. The [OAuth 2.0 spec](https://tools.ietf.org/html/rfc6749#section-6) says: "The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client."
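Review bot: The new paragraph tells clients "you are expected to discard the old refresh token" unconditionally, but the RFC 6749 text quoted right after it makes that a duty only when the authorization server issues a new refresh token ("in which case the client MUST discard the old refresh token"). Suggest wording it as: when the token response includes a new refresh token, store it and discard the old one; otherwise keep using the existing one. As written, a client that discards its refresh token after a response that carried no replacement would be left without one.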
|`grant_type`| required | Must be `refresh_token` for this leg of the authorization code flow. |
271
272
|`scope`| required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original authorization_code request leg. If the scopes specified in this request span multiple resource server, then the v2.0 endpoint will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). |
272
273
|`refresh_token`| required | The refresh_token that you acquired in the second leg of the flow. |
273
-
|`redirect_uri`| required | A `redirect_uri`registered on the client application. |
274
-
|`client_secret`| required for web apps | The application secret that you created in the app registration portal for your app. It should not be used in a native app, because client_secrets cannot be reliably stored on devices. It is required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. |
274
+
|`client_secret`| required for web apps | The application secret that you created in the app registration portal for your app. It should not be used in a native app, because client_secrets cannot be reliably stored on devices. It is required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. |
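Review bot: The `client_secret` row is removed and re-added with identical visible text, so that part of the hunk looks like a whitespace-only change; if it is not intended, drop it so the diff is limited to the `redirect_uri` removal. For the removed `redirect_uri` row, check that the sample refresh request and the error descriptions in this section no longer mention the parameter, so the table and the examples agree.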
articles/azure-monitor/app/correlation.md
Lines changed: 5 additions & 0 deletions
@@ -178,6 +178,11 @@ The [Application Insights SDK for Java](../../azure-monitor/app/java-get-started
178
178
179
179
Currently, automatic context propagation across messaging technologies (such Kafka, RabbitMQ, or Azure Service Bus) isn't supported. However, it's possible to code such scenarios manually by using the `trackDependency` and `trackRequest` APIs. In these APIs, a dependency telemetry represents a message being enqueued by a producer, and the request represents a message being processed by a consumer. In this case, both `operation_id` and `operation_parentId` should be propagated in the message's properties.
180
180
181
+
### Telemetry correlation in Asynchronous Java Application
182
+
183
+
In order to correlate telemetry in Asynchronous Spring Boot application, please follow [this](https://github.com/Microsoft/ApplicationInsights-Java/wiki/Distributed-Tracing-in-Asynchronous-Java-Applications) in-depth article. It provides guidance for instrumenting Spring's [ThreadPoolTaskExecutor](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/scheduling/concurrent/ThreadPoolTaskExecutor.html) as well as [ThreadPoolTaskScheduler](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/scheduling/concurrent/ThreadPoolTaskScheduler.html).
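Review bot: The link text "[this]" in the new paragraph does not say where it leads; use the target's title ("Distributed Tracing in Asynchronous Java Applications") as the link text. The heading says "Asynchronous Java Application" while the body covers only Spring Boot, and both are missing an article ("in an asynchronous Spring Boot application"); align the heading with the scope of the body and use sentence case for "asynchronous".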
articles/billing/billing-upgrade-azure-subscription.md
Lines changed: 17 additions & 8 deletions
@@ -21,7 +21,7 @@ ms.custom: H1Hack27Feb2017
21
21
---
22
22
# Upgrade your Free Trial or Azure for Students Starter subscription to Pay-As-You-Go
23
23
24
-
If you have a [Free Trial](https://azure.microsoft.com/free/), you can upgrade to a [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) subscription in the Azure portal. If you have an [Azure for Students Starter](https://azure.microsoft.com/offers/ms-azr-0144p/) subscription, you can upgrade to [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) in the Azure Account Center.
24
+
If you have a [Free Trial](https://azure.microsoft.com/free/) or an [Azure for Students Starter](https://azure.microsoft.com/offers/ms-azr-0144p/) subscription, you can upgrade to [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) in the Azure portal. If you have an Azure for Students Starter subscription and are eligible for a Free Trial, you can upgrade to Free Trial.
25
25
26
26
<aid="freetrial"></a>
27
27
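Review bot: The reworded intro adds a second upgrade path ("you can upgrade to Free Trial"), but the H1 in the context above still reads "Upgrade your Free Trial or Azure for Students Starter subscription to Pay-As-You-Go". Either reflect the Free Trial path in the title or keep the intro to what the title covers, and link or state the eligibility condition, since "are eligible for a Free Trial" is not explained in the visible text.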
@@ -30,9 +30,9 @@ If you have a [Free Trial](https://azure.microsoft.com/free/), you can upgrade t
30
30
When you upgrade from a Free Trial subscription, you keep your remaining credit for the full 30 days after you created the subscription. You also have access to free services for 12 months.
31
31
32
32
1. Sign in to the [Azure portal](https://portal.azure.com)
33
-
1. Search on **Cost Management + Billing.**
33
+
1. Search on **Subscriptions.**
34
34
35
-

35
+

36
36
37
37
1. Select your Free Trial subscription.
38
38
1. In the subscription overview blade, click **Upgrade subscription** in the command bar.
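Review bot: In the changed step, "Search on **Subscriptions.**" keeps the full stop inside the bold markup, so the UI label renders as "Subscriptions." with punctuation attached; move the full stop outside the bold. "Search for" would also read better than "Search on".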
@@ -58,15 +58,24 @@ If you want to [transfer the subscription](billing-subscription-transfer.md) aft
58
58
59
59
## Upgrade your Azure for Students Starter subscription to Pay-As-You-Go
60
60
61
-
1. Sign in to the [Azure Account Center](https://account.windowsazure.com/subscriptions).
61
+
When you follow the steps below, we will give you the option to upgrade to a Free Trial if you are eligible.
62
+
63
+
1. Sign in to the [Azure portal](https://portal.azure.com)
64
+
1. Search on **Subscriptions.**
65
+
66
+

67
+
62
68
1. Select your Azure for Students Starter subscription.
1.In the subscription overview blade, click **Upgrade subscription** in the command bar.
64
70
65
-

71
+

66
72
67
-
1. Enter a name for your subscription.
73
+
1. If you're upgrading to Pay-As-You-Go and don't already have a payment method for your subscription, you'll be prompted to add one.
74
+
1. You might need to enter a phone number to verify your identity.
75
+
1. Type in a name for your subscription.
76
+
1. If you're upgrading to Pay-As-You-Go, choose a support plan for your subscription. To learn more about support plans, see [Azure support plans](https://azure.microsoft.com/us/support/plans/).
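Review bot: The support plans link added in the last step uses a locale-specific path (`https://azure.microsoft.com/us/support/plans/`), unlike the other azure.microsoft.com links in this file, which carry no locale segment; drop `/us/` so the link follows the reader's locale. The intro line "we will give you the option to upgrade to a Free Trial" would match the steps better in second person, and the new "Search on **Subscriptions.**" step has the full stop inside the bold.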