Merge branch 'master' into usql-extract-script

Author: jingyanjingyan

.openpublishing.publish.config.json

@@ -155,6 +155,12 @@
       "branch": "GuidedSetup",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "iot-samples-node",
+      "url": "https://github.com/Azure-Samples/azure-iot-samples-node",
+      "branch": "master",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "samples-cognitive-services-speech-sdk",
       "url": "https://github.com/Azure-Samples/cognitive-services-speech-sdk",

.openpublishing.redirection.json

@@ -58,10 +58,10 @@
         href: https://github.com/Azure-Samples/active-directory-b2c-android-native-msal
       - name: Android using App Auth
         href: active-directory-b2c-devquickstarts-android.md
-      - name: .NET
-        href: https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop
-      - name: Xamarin
-        href: https://github.com/Azure-Samples/active-directory-b2c-xamarin-native
+    - name: .NET
+      href: https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop
+    - name: Xamarin
+      href: https://github.com/Azure-Samples/active-directory-b2c-xamarin-native
     - name: Resource owner password credentials
       href: configure-ropc.md
   - name: Web apps
@@ -268,7 +268,7 @@
   - name: Service updates
     href: https://azure.microsoft.com/updates/?product=active-directory-b2c
   - name: Stack Overflow 
-    href: https://stackoverflow.com/questions/tagged/azure-ad-b2c
+    href: https://stackoverflow.com/questions/tagged/azure-ad-b2c+identity-experience-framework
   - name: Support
     href: active-directory-b2c-support.md
   - name: Videos

articles/active-directory-b2c/TOC.yml

@@ -76,7 +76,7 @@ When requesting an access token, the client application needs to specify the des
 > Currently, custom domains are not supported along with access tokens. You must use your tenantName.onmicrosoft.com domain in the request URL.
 
 ```
-https://login.microsoftonline.com/<tenantName>.onmicrosoft.com/oauth2/v2.0/authorize?p=<yourPolicyId>&client_id=<appID_of_your_client_application>&nonce=anyRandomValue&redirect_uri=<redirect_uri_of_your_client_application>&scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fnotes%2Fread&response_type=code 
+https://login.microsoftonline.com/<tenantName>.onmicrosoft.com/<yourPolicyId>/oauth2/v2.0/authorize?client_id=<appID_of_your_client_application>&nonce=anyRandomValue&redirect_uri=<redirect_uri_of_your_client_application>&scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fnotes%2Fread&response_type=code 
 ```
 
 To acquire multiple permissions in the same request, you can add multiple entries in the single **scope** parameter, separated by spaces. For example:

articles/active-directory-b2c/active-directory-b2c-access-tokens.md

@@ -18,7 +18,7 @@ ms.author: davidmu
 Your Azure Active Directory (Azure AD) B2C directory comes with a built-in set of information (attributes): Given Name, Surname, City, Postal Code, and other attributes. However, every consumer-facing application has unique requirements on what attributes to gather from consumers. With Azure AD B2C, you can extend the set of attributes stored on each consumer account. You can create custom attributes on the [Azure portal](https://portal.azure.com/) and use it in your sign-up policies, as shown below. You can also read and write these attributes by using the [Azure AD Graph API](active-directory-b2c-devquickstarts-graph-dotnet.md).
 
 > [!NOTE]
-> Custom attributes use [Azure AD Graph API Directory Schema Extensions](https://msdn.microsoft.com/library/azure/dn720459.aspx).
+> Custom attributes use [Azure AD Graph API Directory Schema Extensions](https://msdn.microsoft.com/library/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions).
 > 
 > 
 

articles/active-directory-b2c/active-directory-b2c-reference-custom-attr.md

@@ -32,7 +32,7 @@ To use LinkedIn as an identity provider in Azure Active Directory (Azure AD) B2C
    > **Client Secret** is an important security credential.
    > 
    > 
-6. Enter `https://login.microsoftonline.com/te/{tenant}/oauth2/authresp` in the **Authorized Redirect URLs** field (under **OAuth 2.0**). Replace **{tenant}** with your tenant's name (for example, contoso.onmicrosoft.com). Click **Add**, and then click **Update**. The **{tenant}** value is case-sensitive.
+6. Enter `https://login.microsoftonline.com/te/{tenant}/oauth2/authresp` in the **Authorized Redirect URLs** field (under **OAuth 2.0**). Replace **{tenant}** with your tenant's name (for example, contoso.onmicrosoft.com). Click **Add**, and then click **Update**. The **{tenant}** value should be lowercase.
 
     ![LinkedIn - Setup app](./media/active-directory-b2c-setup-li-app/linkedin-setup.png)
 

articles/active-directory-b2c/active-directory-b2c-setup-li-app.md

@@ -25,8 +25,10 @@ To use Twitter as an identity provider in Azure Active Directory (Azure AD) B2C,
 3. In the form, provide a value for the **Name**, **Description**, and **Website**.
 4. For the **Callback URL**, enter `https://login.microsoftonline.com/te/{tenant}/oauth2/authresp`. Make sure to replace **{tenant}** with your tenant's name (for example, contosob2c.onmicrosoft.com).
 5. Check the box to agree to the **Developer Agreement** and click **Create your Twitter application**.
-6. After the app is created, click **Keys and Access Tokens**.
-7. Copy the value of **Consumer Key** and **Consumer Secret**. You will need both of them to configure Twitter as an identity provider in your tenant.
+6. After the app is created, select it in the list, and then select the **Settings** tab.
+7. Clear the **Enable Callback Locking** box, and then click **Update settings**.
+8. Select the **Keys and Access Tokens** tab.
+9. Copy the value of **Consumer Key** and **Consumer Secret**. You will need both of them to configure Twitter as an identity provider in your tenant.
 
 ## Configure Twitter as an identity provider in your tenant
 1. Log in to the [Azure portal](https://portal.azure.com/) as the Global Administrator of the Azure AD B2C tenant. 

articles/active-directory-b2c/active-directory-b2c-setup-twitter-app.md

@@ -152,21 +152,23 @@ To allow your single page app to call the ASP.NET Core web API, you need to enab
         builder.WithOrigins("http://localhost:6420").AllowAnyHeader().AllowAnyMethod());
     ```
 
+3. Open the **launchSettings.json** file under **Properties**, locate the *applicationURL* setting, and record the value for use in the next section.
+
 ### Configure the single page app
 
 The single page app uses Azure AD B2C for user sign-up, sign-in, and calls the protected ASP.NET Core web API. You need to update the single page app call the .NET Core web api.
 To change the app settings:
 
 1. Open the `index.html` file in the Node.js single page app sample.
-2. Configure the sample with the Azure AD B2C tenant registration information. Change the **b2cScopes** and **webApi** values in following lines of code:
+2. Configure the sample with the Azure AD B2C tenant registration information. In the following code, add your tenant name to **b2cScopes** and change the **webApi** value to the *applicationURL* value that you previously recorded:
 
     ```javascript
     // The current application coordinates were pre-registered in a B2C tenant.
     var applicationConfig = {
         clientID: '<Application ID for your SPA obtained from portal app registration>',
         authority: "https://login.microsoftonline.com/tfp/<your-tenant-name>.onmicrosoft.com/B2C_1_SiUpIn",
         b2cScopes: ["https://<Your tenant name>.onmicrosoft.com/HelloCoreAPI/demo.read"],
-        webApi: 'http://localhost:58553/api/values',
+        webApi: 'http://localhost:64791/api/values',
     };
     ```
 

articles/active-directory-b2c/active-directory-b2c-tutorials-spa-webapi.md

@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 03/08/2018
+ms.date: 05/23/2018
 ms.author: maheshu
 
 ---
@@ -79,6 +79,9 @@ Yes. Members of the 'AAD DC Administrators' group are granted 'DNS Administrator
 ### What is the password lifetime policy on a managed domain?
 The default password lifetime on an Azure AD Domain Services managed domain is 90 days. This password lifetime is not synchronized with the password lifetime configured in Azure AD. Therefore, you may have a situation where users' passwords expire in your managed domain, but are still valid in Azure AD. In such scenarios, users need to change their password in Azure AD and the new password will synchronize to your managed domain. Additionally, the 'password-does-not-expire' and 'user-must-change-password-at-next-logon' attributes for user accounts are not synchronized to your managed domain.
 
+### Does Azure AD Domain Services provide AD account lockout protection?
+Yes. 4 invalid password attempts within 2 minutes on the managed domain cause a user account to be locked out for 30 minutes. After 30 minutes, the user account is automatically unlocked. Invalid password attempts on the managed domain do not lock out the user account in Azure AD. The user account is locked out only within your Azure AD Domain Services managed domain.
+
 ## Billing and availability
 ### Is Azure AD Domain Services a paid service?
 Yes. For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/active-directory-ds/).

articles/active-directory-domain-services/active-directory-ds-faqs.md

@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 03/06/2017
+ms.date: 05/23/2018
 ms.author: maheshu
 
 ---
@@ -35,4 +35,5 @@ The following features are available in Azure AD Domain Services managed domains
 * **Create custom Organizational Units (OUs):** Members of the 'AAD DC Administrators' group can create custom OUs in the managed domain. These users are granted full administrative privileges over custom OUs, so they can add/remove service accounts, computers, groups etc. within these custom OUs.
 * **Available in multiple Azure regions:** See the [Azure services by region](https://azure.microsoft.com/regions/#services/) page to know the Azure regions in which Azure AD Domain Services is available.
 * **High availability:** Azure AD Domain Services offers high availability for your domain. This feature offers the guarantee of higher service uptime and resilience to failures. Built-in health monitoring offers automated remediation from failures by spinning up new instances to replace failed instances and to provide continued service for your domain.
+* **AD Account lockout protection:** Users accounts are locked out for 30 minutes if 4 invalid password attempts are encountered within 2 minutes. Accounts are automatically unlocked after 30 minutes.
 * **Use familiar management tools:** You can use familiar Windows Server Active Directory management tools such as the Active Directory Administrative Center or Active Directory PowerShell to administer managed domains.