Merge pull request #2 from MicrosoftDocs/master

syncing with master.

Author: v-rajagt-zz

.openpublishing.publish.config.json

@@ -329,6 +329,11 @@
       "url": "https://github.com/Azure/MachineLearningNotebooks",
       "branch": "sdk-codetest"
     },
+    {
+      "path_to_root": "azureml-examples-main",
+      "url": "https://github.com/azure/azureml-examples",
+      "branch": "main"
+    },
     {
       "path_to_root": "samples-qnamaker-nodejs",
       "url": "https://github.com/Azure-Samples/cognitive-services-qnamaker-nodejs",

.openpublishing.redirection.json

@@ -179,6 +179,136 @@
             "source_path_from_root": "/articles/media-services/latest/job-state-events-cli-how-to.md",
             "redirect_url": "monitoring/job-state-events-cli-how-to",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/media-services-account-concept.md",
+            "redirect_url": "account-create-how-to",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/analyze-videos-tutorial-with-api.md",
+            "redirect_url": "analyze-videos-tutorial",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/analyzing-video-audio-files-concept.md",
+            "redirect_url": "analyze-video-audio-files-concept",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/architectures-concept.md",
+            "redirect_url": "architecture-concept",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/design-multi-drm-system-with-access-control.md",
+            "redirect_url": "architecture-design-multi-drm-system",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/media-services-high-availability-encoding.md",
+            "redirect_url": "architecture-high-availability-encoding-concept",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/cli-publish-asset.md",
+            "redirect_url": "asset-publish-cli-how-to",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/how-to-create-asset.md",
+            "redirect_url": "asset-create-asset-how-to",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/how-to-upload-media.md",
+            "redirect_url": "asset-create-asset-upload-portal-quickstart",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/manage-assets-quickstart.md",
+            "redirect_url": "asset-upload-media-how-to",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/azure-ad-content-protection.md",
+            "redirect_url": "architecture-azure-ad-content-protection",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/create-account-howto.md",
+            "redirect_url": "account-create-how-to",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/cli-reset-account-credentials.md",
+            "redirect_url": "asset-reset-account-credentials",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/concept-compliance.md",
+            "redirect_url": "compliance-concept",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/content-key-policy-concept.md",
+            "redirect_url": "drm-content-key-policy-concept",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/content-protection-overview.md",
+            "redirect_url": "drm-content-protection-concept",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/encrypt-content-quickstart.md",
+            "redirect_url": "drm-encrypt-content-how-to",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/fairplay-license-overview.md",
+            "redirect_url": "drm-fairplay-license-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/get-content-key-policy-dotnet-howto.md",
+            "redirect_url": "drm-get-content-key-policy-dotnet-how-to",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/offline-fairplay-for-ios.md",
+            "redirect_url": "drm-offline-fairplay-for-ios-concept",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/offline-plaready-streaming-for-windows-10.md",
+            "redirect_url": "drm-offline-playready-streaming-for-windows-10",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/offline-widevine-for-android.md",
+            "redirect_url": "drm-offline-widevine-for-android",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/playready-license-template-overview.md",
+            "redirect_url": "drm-playready-license-template-concept",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/protect-with-aes128.md",
+            "redirect_url": "drm-protect-with-aes128-tutorial",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/protect-with-drm.md",
+            "redirect_url": "drm-protect-with-drm-tutorial",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/widevine-license-template-overview.md",
+            "redirect_url": "drm-widevine-license-template-concept",
+            "redirect_document_id": false
         }
     ]
 }

.openpublishing.redirection.media-services.json

@@ -179,6 +179,8 @@
       href: identity-provider-google.md
     - name: ID.me
       href: identity-provider-id-me.md
+    - name: itsme
+      href: partner-itsme.md
     - name: LinkedIn
       href: identity-provider-linkedin.md
     - name: Microsoft Account
@@ -220,8 +222,25 @@
     - name: Disable email verification
       href: disable-email-verification.md
     - name: Enable MFA
-      href: multi-factor-authentication.md
-      displayName: multi-factor auth
+      items:
+      - name: Multi-factor authentication
+        href: multi-factor-authentication.md
+      - name: Partner integration
+        items:
+        - name: HYPR
+          href: partner-hypr.md
+        - name: Keyless
+          href: partner-keyless.md
+        - name: Nevis
+          href: partner-nevis.md
+        - name: Trusona
+          href: partner-trusona.md
+        - name: Twilio
+          href: partner-twilio.md
+        - name: TypingDNA
+          href: partner-typingdna.md
+        - name: WhoIAM
+          href: partner-whoiam.md
     - name: Set up direct sign-in
       href: direct-signin.md
   - name: Tokens and session management
@@ -383,46 +402,39 @@
     items:
     - name: Azure AD B2C partner gallery
       href: partner-gallery.md
-    - name: Arkose Labs
-      href: partner-arkose-labs.md
+  - name: Identity verification and proofing
+    items: 
+    - name: Identity verification and proofing partners
+      href: identity-verification-proofing.md
+      displayName: id verify, id verification, azure ad b2c proofing, id proofing
     - name: Experian
       href: partner-experian.md
-    - name: HYPR
-      href: partner-hypr.md
     - name: IDology
       href: partner-idology.md
-    - name: itsme
-      href: partner-itsme.md
     - name: Jumio
       href: partner-jumio.md
-    - name: Keyless
-      href: partner-keyless.md
     - name: LexisNexis
       href: partner-lexisnexis.md
-    - name: Microsoft Dynamics 365 Fraud Protection
-      href: partner-dynamics-365-fraud-protection.md
-    - name: N8 Identity
-      href: partner-n8identity.md
-    - name: Nevis
-      href: partner-nevis.md
     - name: Onfido
       href: partner-onfido.md
+  - name: Fraud protection
+    items: 
+    - name: Microsoft Dynamics 365 Fraud Protection
+      href: partner-dynamics-365-fraud-protection.md
+      displayName: m365 dynamics, dynamics fraud protection, fraud, 365 protection
+    - name: Arkose Labs
+      href: partner-arkose-labs.md
+      displayName: fraud protection, fraud, Azure AD b2c, protection, B2Cprotection
+  - name: Secure legacy and on-premises apps
+    items:
     - name: Ping Identity
       href: partner-ping-identity.md
-    - name: Saviynt
-      href: partner-saviynt.md
     - name: Strata
       href: partner-strata.md
-    - name: Trusona
-      href: partner-trusona.md
-    - name: Twilio
-      href: partner-twilio.md
-    - name: TypingDNA
-      href: partner-typingdna.md
-    - name: WhoIAM
-      href: partner-whoiam.md
+      displayName: AAD b2c access, legacy app, onpremises apps
     - name: Zscaler
       href: partner-zscaler.md
+      displayName: zscaler b2c, vpn, sdp b2c
   - name: Domain name
     items:
     - name: b2clogin.com overview
@@ -443,9 +455,17 @@
     - name: Manage policies with PowerShell
       href: manage-custom-policies-powershell.md
       displayName: scripting, scripts, psh, custom policy
-  - name: Manage users - Azure portal
-    href: manage-users-portal.md
-    displayName: create users, add users, delete users
+  - name: Manage users
+    items:
+    - name: Azure portal
+      href: manage-users-portal.md
+      displayName: create users, add users, delete users
+    - name: Partner integration
+      items:
+      - name: N8identity
+        href: partner-n8identity.md
+      - name: Saviynt 
+        href: partner-saviynt.md
   - name: Secure API Management API
     href: secure-api-management.md
     displayName: apim, api management, migrate, b2clogin.com
@@ -496,6 +516,7 @@
     href: custom-policy-developer-notes.md
   - name: Page layout versions
     href: page-layout.md
+    displayName: Page version
   - name: Region availability & data residency
     href: data-residency.md
   - name: Build for resilience

articles/active-directory-b2c/TOC.yml

@@ -5,7 +5,7 @@ services: active-directory-b2c
 ms.service: active-directory
 ms.subservice: B2C
 ms.topic: how-to
-ms.date: 10/15/2020
+ms.date: 03/24/2021
 
 ms.author: mimart
 author: msmimart
@@ -47,14 +47,24 @@ HTTP basic authentication is defined in [RFC 2617](https://tools.ietf.org/html/r
 > [!IMPORTANT]
 > This functionality is in preview and is provided without a service-level agreement. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
-Client certificate authentication is a mutual certificate-based authentication, where the client provides a client certificate to the server to prove its identity. In this case, Azure AD B2C will use the certificate that you upload as part of the API connector configuration. This happens as a part of the SSL handshake. Only services that have proper certificates can access your REST API service. The client certificate is an X.509 digital certificate. In production environments, it should be signed by a certificate authority. 
+Client certificate authentication is a mutual certificate-based authentication method where the client provides a client certificate to the server to prove its identity. In this case, Azure AD B2C will use the certificate that you upload as part of the API connector configuration. This happens as a part of the SSL handshake. Your API service can then limit access to only services that have proper certificates. The client certificate is an PKCS12 (PFX) X.509 digital certificate. In production environments, it should be signed by a certificate authority. 
 
+To create a certificate, you can use [Azure Key Vault](../key-vault/certificates/create-certificate.md), which has options for self-signed certificates and integrations with certificate issuer providers for signed certificates. Recommended settings include:
+- **Subject**: `CN=<yourapiname>.<tenantname>.onmicrosoft.com`
+- **Content Type**: `PKCS #12`
+- **Lifetime Acton Type**: `Email all contacts at a given percentage lifetime` or `Email all contacts a given number of days before expiry`
+- **Key Type**: `RSA`
+- **Key Size**: `2048`
+- **Exportable Private Key**: `Yes` (in order to be able to export pfx file)
 
-To create a certificate, you can use [Azure Key Vault](../key-vault/certificates/create-certificate.md), which has options for self-signed certificates and integrations with certificate issuer providers for signed certificates. You can then [export the certificate](../key-vault/certificates/how-to-export-certificate.md) and upload it for use in the API connectors configuration. Note that password is only required for certificate files protected by a password. You can also use PowerShell's [New-SelfSignedCertificate cmdlet](./secure-rest-api.md#prepare-a-self-signed-certificate-optional) to generate a self-signed certificate.
+You can then [export the certificate](../key-vault/certificates/how-to-export-certificate.md). You can alternatively use PowerShell's [New-SelfSignedCertificate cmdlet](../active-directory-b2c/secure-rest-api.md#prepare-a-self-signed-certificate-optional) to generate a self-signed certificate.
 
-For Azure App Service and Azure Functions, see [configure TLS mutual authentication](../app-service/app-service-web-configure-tls-mutual-auth.md) to learn how to enable and validate the certificate from your API endpoint.
+After you have a certificate, you can then upload it as part of the API connector configuration. Note that password is only required for certificate files protected by a password.
 
-It's recommended you set reminder alerts for when your certificate will expire. To upload a new certificate to an existing API connector, select the API connector under **API connectors (preview)** and click on **Upload new certificate**. The most recently uploaded certificate which is not expired and is past the start date will be used automatically by Azure AD B2C.
+Your API must implement the authorization based on sent client certificates in order to protect the API endpoints. For Azure App Service and Azure Functions, see [configure TLS mutual authentication](../app-service/app-service-web-configure-tls-mutual-auth.md) to learn how to enable and *validate the certificate from your API code*.  You can also use Azure API Management to [check client certificate properties](
+../api-management/api-management-howto-mutual-certificates-for-clients.md)  against desired values using policy expressions.
+
+It's recommended you set reminder alerts for when your certificate will expire. You will need to generate a new certificate and repeat the steps above. Your API service can temporarily continue to accept old and new certificates while the new certificate is deployed. To upload a new certificate to an existing API connector, select the API connector under **API connectors** and click on **Upload new certificate**. The most recently uploaded certificate which is not expired and is past the start date will automatically be used  by Azure Active Directory.
 
 ### API Key
 Some services use an "API key" mechanism to obfuscate access to your HTTP endpoints during development. For [Azure Functions](../azure-functions/functions-bindings-http-webhook-trigger.md#authorization-keys), you can accomplish this by including the `code` as a query parameter in the **Endpoint URL**. For example, `https://contoso.azurewebsites.net/api/endpoint`<b>`?code=0123456789`</b>). 
@@ -298,7 +308,7 @@ Content-type: application/json
 | ----------- | ------- | -------- | -------------------------------------------------------------------------- |
 | version     | String  | Yes      | The version of your API.                                                    |
 | action      | String  | Yes      | Value must be `ValidationError`.                                           |
-| status      | Integer | Yes      | Must be value `400` for a ValidationError response.                        |
+| status      | Integer / String | Yes      | Must be value `400`, or `"400"` for a ValidationError response.  |
 | userMessage | String  | Yes      | Message to display to the user.                                            |
 
 > [!NOTE]

articles/active-directory-b2c/add-api-connector.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 12/17/2020
+ms.date: 03/22/2021
 ms.author: mimart
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
@@ -19,22 +19,23 @@ zone_pivot_groups: b2c-policy-type
 
 [!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
 
-::: zone pivot="b2c-user-flow"
+In Azure Active Directory B2C (Azure AD B2C), you can enable users who are signed in with a local account to change their password without having to prove their identity through email verification. The password change flow involves following steps:
 
-[!INCLUDE [active-directory-b2c-limited-to-custom-policy](../../includes/active-directory-b2c-limited-to-custom-policy.md)]
+1. The user signs in to their local account. If the session is still active, Azure AD B2C authorizes the user and skips to the next step.
+1. The user verifies the **Old password**, and then creates and confirms the **New password**.
 
-::: zone-end
+![Password change flow](./media/add-password-change-policy/password-change-flow.png)  
 
-::: zone pivot="b2c-custom-policy"
+> [!TIP]
+> The password change flow allows users to change their password only when the user knows their password and wants to change it. We recommend you to also enable [self-service password reset](add-password-reset-policy.md) to support cases where the user forgets their password.
 
-[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
+::: zone pivot="b2c-user-flow"
 
-In Azure Active Directory B2C (Azure AD B2C), you can enable users who are signed in with a local account to change their password without having to prove their authenticity by email verification. The password change flow involves following steps:
+[!INCLUDE [active-directory-b2c-limited-to-custom-policy](../../includes/active-directory-b2c-limited-to-custom-policy.md)]
 
-1. Sign-in with a local account. If the session is still active, Azure AD B2C authorizes the user, and skips to the next step.
-1. Users must verify the **old password**, create, and confirm the **new password**.
+::: zone-end
 
-![Password change flow](./media/add-password-change-policy/password-change-flow.png)
+::: zone pivot="b2c-custom-policy"
 
 ## Prerequisites