Commit 1baad41

TOC merge conflict
2 parents c225334 + 5049c2a commit 1baad41

61 files changed

+1039
-661
lines changed

.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17436,6 +17436,11 @@
1743617436
"redirect_url": "/azure/storage/files/storage-troubleshoot-windows-file-connection-problems",
1743717437
"redirect_document_id": false
1743817438
},
17439+
{
17440+
"source_path": "articles/storage/common/storage-account-container-recovery.md",
17441+
"redirect_url": "/azure/storage/common/storage-redundancy",
17442+
"redirect_document_id": false
17443+
},
1743917444
{
1744017445
"source_path": "articles/storage/common/storage-quickstart-create-storage-account-cli.md",
1744117446
"redirect_url": "/azure/storage/common/storage-quickstart-create-account?tabs=azure-cli",
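Review bot: The new entry at 17439-17443 redirects `articles/storage/common/storage-account-container-recovery.md` to `/azure/storage/common/storage-redundancy`, whose path suggests a general redundancy article rather than recovery guidance. Confirm that the target actually carries the container-recovery content, and if it does, point `redirect_url` at the relevant section so readers following old links land on it. Otherwise the recovery guidance is silently lost behind the redirect.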

articles/active-directory/b2b/redemption-experience.md

Lines changed: 31 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,36 @@ There are some cases where the invitation email is recommended over a direct lin
5151
- Sometimes the invited user object may not have an email address because of a conflict with a contact object (for example, an Outlook contact object). In this case, the user must click the redemption URL in the invitation email.
5252
- The user may sign in with an alias of the email address that was invited. (An alias is an additional email address associated with an email account.) In this case, the user must click the redemption URL in the invitation email.
5353

54+
## Invitation redemption flow
55+
56+
When a user clicks the **Accept invitation** link in an [invitation email](invitation-email-elements.md), Azure AD automatically redeems the invitation based on the redemption flow as shown below:
57+
58+
![Screenshot showing the redemption flow diagram](media/redemption-experience/invitation-redemption-flow.png)
59+
60+
1. The redemption process checks if the user has an existing personal [Microsoft account (MSA)](https://support.microsoft.com/help/4026324/microsoft-account-how-to-create).
61+
62+
2. If an admin has enabled [direct federation](direct-federation.md), Azure AD checks if the user’s domain suffix matches the domain of a configured SAML/WS-Fed identity provider and redirects the user to the pre-configured identity provider.
63+
64+
3. If an admin has enabled [Google federation](google-federation.md), Azure AD checks if the user’s domain suffix is gmail.com or googlemail.com and redirects the user to Google.
65+
66+
4. Azure AD performs user-based discovery to determine if the user exists in an [existing Azure AD tenant](what-is-b2b.md#easily-add-guest-users-in-the-azure-ad-portal).
67+
68+
5. Once the user’s **home directory** is identified, the user is sent to the corresponding identity provider to sign in.
69+
70+
6. If steps 1 to 4 fail to find a home directory for the invited user, Azure AD determines whether the inviting tenant has enabled the [Email one-time passcode (OTP)](one-time-passcode.md) feature for guests.
71+
72+
7. If [Email one-time passcode for guests is enabled](one-time-passcode.md#when-does-a-guest-user-get-a-one-time-passcode), a passcode is sent to the user through the invited email. The user will retrieve and enter this passcode in the Azure AD sign-in page.
73+
74+
8. If Email one-time passcode for guests is disabled, Azure AD checks the domain suffix against a consumer domain list maintained by Microsoft. If the domain matches any domain on the consumer domain list, the user is prompted to create a personal Microsoft account. If not, the user is prompted to create an [Azure AD self-service account](../users-groups-roles/directory-self-service-signup.md) (viral account).
75+
76+
9. Azure AD attempts to create an Azure AD self-service account (viral account) by verifying access to the email. Verifying the account is done by sending a code to the email, and having the user retrieve and submit it to Azure AD. However, if the invited user’s tenant is federated or if the AllowEmailVerifiedUsers field is set to false in the invited user’s tenant, the user is unable to complete the redemption and the flow results in an error. For more information, refer to [Troubleshooting Azure Active Directory B2B collaboration](troubleshoot.md#the-user-that-i-invited-is-receiving-an-error-during-redemption).
77+
78+
10. The user is prompted to create a personal Microsoft account (MSA).
79+
80+
11. After authenticating to the right identity provider, the user is redirected to Azure AD to complete the [consent experience](redemption-experience.md#consent-experience-for-the-guest).
81+
82+
For just-in-time (JIT) redemptions, where redemption is through a tenanted application link, steps 8 through 10 are not available. If a user reaches step 6 and the Email one-time passcode feature is not enabled, the user receives an error message and is unable to redeem the invitation. To prevent this, admins should either [enable Email one-time passcode](one-time-passcode.md#when-does-a-guest-user-get-a-one-time-passcode) or ensure the user clicks an invitation link.
83+
5484
## Consent experience for the guest
5585

5686
When a guest signs in to access resources in a partner organization for the first time, they're guided through the following pages.
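Review bot: Steps 8 through 10 of the added list read as sequential, but step 8 already states both outcomes (prompt for a personal Microsoft account, or for an Azure AD self-service account) and steps 9 and 10 then restate those outcomes as separate numbered steps, so a reader cannot tell which branch leads where. Suggest making 9 and 10 sub-items of step 8, and stating in step 1 what happens when an existing MSA is found, since step 6 depends on "steps 1 to 4 fail to find a home directory". In step 9, put `AllowEmailVerifiedUsers` in code formatting, and in step 11 the link `redemption-experience.md#consent-experience-for-the-guest` points into the same file and can be the in-page anchor `#consent-experience-for-the-guest`.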
@@ -66,8 +96,7 @@ When a guest signs in to access resources in a partner organization for the firs
6696

6797
![Screenshot showing new terms of use](media/redemption-experience/terms-of-use-accept.png)
6898

69-
> [!NOTE]
70-
> You can configure see [terms of use](../governance/active-directory-tou.md) in **Manage** > **Organizational relationships** > **Terms of use**.
99+
You can configure see [terms of use](../governance/active-directory-tou.md) in **Manage** > **Organizational relationships** > **Terms of use**.
71100

72101
3. Unless otherwise specified, the guest is redirected to the Apps access panel, which lists the applications the guest can access.
73102

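Review bot: The replacement line at 99 keeps the broken wording "You can configure see [terms of use]" from the removed note. Pick one verb, for example "You can configure [terms of use](../governance/active-directory-tou.md) in **Manage** > **Organizational relationships** > **Terms of use**." Since the `> [!NOTE]` wrapper is dropped inside a numbered list, also check that the new line is indented under its list item so that item 3 at line 101 keeps its number.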
articles/active-directory/hybrid/index.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@ landingContent:
5454
url: whatis-phs.md
5555
- text: What is passthrough authentication?
5656
url: how-to-connect-pta.md
57-
- text: What is federtation?
57+
- text: What is federation?
5858
url: whatis-fed.md
5959
- text: What is single sign-on?
6060
url: how-to-connect-sso.md
@@ -100,4 +100,4 @@ landingContent:
100100

101101

102102

103-
103+

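Review bot: Line 103 is removed and re-added with no visible content, so this hunk is a whitespace-only change. If it is not deliberately fixing the end-of-file newline, drop it so the diff for this file is limited to the `federation` spelling fix at line 57.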
articles/active-directory/saas-apps/aws-multi-accounts-tutorial.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ ms.subservice: saas-app-tutorial
1313
ms.workload: identity
1414
ms.tgt_pltfrm: na
1515
ms.topic: article
16-
ms.date: 04/03/2020
16+
ms.date: 04/16/2020
1717
ms.author: jeedes
1818

1919
ms.collection: M365-identity-device-management
@@ -33,7 +33,7 @@ If you want to know more details about SaaS app integration with Azure AD, see [
3333
![Amazon Web Services (AWS) in the results list](./media/aws-multi-accounts-tutorial/amazonwebservice.png)
3434

3535
> [!NOTE]
36-
> Please note connecting one AWS app to all your AWS accounts is not our recommended approach. Instead we recommend you to use [this](https://docs.microsoft.com/azure/active-directory/saas-apps/amazon-web-service-tutorial) approach to configure multiple instances of AWS account to Multiple instances of AWS apps in Azure AD. You should only use [this](https://docs.microsoft.com/azure/active-directory/saas-apps/amazon-web-service-tutorial) approach if you have very less number of AWS Accounts and Roles in it. [this](https://docs.microsoft.com/azure/active-directory/saas-apps/amazon-web-service-tutorial) model is not scalable as the AWS accounts and roles inside these accounts grows. Also [this](https://docs.microsoft.com/azure/active-directory/saas-apps/amazon-web-service-tutorial) approach does not use AWS Role import functionality using Azure AD User Provisioning and so you have to manually add/update/delete the roles. For other limitations on [this](https://docs.microsoft.com/azure/active-directory/saas-apps/amazon-web-service-tutorial) approach please see the details below.
36+
> Please note connecting one AWS app to all your AWS accounts is not our recommended approach. Instead we recommend you to use [this](https://docs.microsoft.com/azure/active-directory/saas-apps/amazon-web-service-tutorial) approach to configure multiple instances of AWS account to Multiple instances of AWS apps in Azure AD. You should only use this approach if you have very less number of AWS Accounts and Roles in it, this model is not scalable as the AWS accounts and roles inside these accounts grows. Also this approach does not use AWS Role import functionality using Azure AD User Provisioning and so you have to manually add/update/delete the roles. For other limitations on this approach please see the details below.
3737
3838
**Please note that we do not recommend to use this approach for following reasons:**
3939

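Review bot: In the rewritten note at line 36, only the first "this" is still linked, so the later unlinked "this approach" and "this model" now read as referring to the recommended per-account setup in the linked tutorial, which inverts the guidance (it would say the recommended approach is the one that does not scale and lacks role import). Name the approaches explicitly, for example "Use the single-app approach described in this article only if you have a small number of AWS accounts and roles." The comma splice "Roles in it, this model is not scalable" and "very less number" should be fixed in the same pass.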
articles/active-directory/saas-apps/highground-tutorial.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -81,15 +81,15 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
8181
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
8282

8383
a. In the **Identifier** text box, type a URL using the following pattern:
84-
`https://<SUBDOMAIN>.highground.com/`
84+
`https://app.highground.com/`
8585

8686
b. In the **Reply URL** text box, type a URL using the following pattern:
87-
`https://<SUBDOMAIN>.highground.com/svc/SSONoAuth/<companyName>`
87+
`https://app.highground.com/svc/SSONoAuth/SAML?groupid=<company-guid>`
8888

8989
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
9090

9191
In the **Sign-on URL** text box, type a URL using the following pattern:
92-
`https://app.highground.com/#/login/<companyName>`
92+
`https://app.highground.com/#/login/<company-slug>`
9393

9494
> [!NOTE]
9595
> These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [HighGround Client support team](https://youearnedit.freshdesk.com/support/home) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
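Review bot: The Identifier at line 84 is now the fixed value `https://app.highground.com/`, but line 83 still says "type a URL using the following pattern" and the note at line 95 still says "These values are not real", which now contradicts a literal Identifier. Reword step a to "type the URL" and limit the note to the Reply URL and Sign-on URL. The new placeholders `<company-guid>` (line 87) and `<company-slug>` (line 92) also need a sentence saying where an admin obtains them, since the Reply URL must match what HighGround expects exactly for the SAML response to be accepted.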