Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into acrfix4

Author: dlepow

.openpublishing.redirection.json

@@ -9,12 +9,12 @@ articles/jenkins/ @TomArcherMsft
 articles/terraform/ @TomArcherMsft
 
 # Requires Internal Review
-articles/best-practices-availability-paired-regions.md @jpconnock @arob98 @syntaxc4 @tysonn @snoviking
+articles/best-practices-availability-paired-regions.md @jpconnock @martinekuan @syntaxc4 @tysonn @snoviking
 
 # Governance
 articles/governance/ @DCtheGeek
 
 # Configuration
-*.json @SyntaxC4 @snoviking @arob98
-.acrolinx-config.edn @MonicaRush @arob98
-articles/zone-pivot-groups.yml @SyntaxC4 @snoviking @arob98
+*.json @SyntaxC4 @snoviking @martinekuan
+.acrolinx-config.edn @MonicaRush @martinekuan
+articles/zone-pivot-groups.yml @SyntaxC4 @snoviking @martinekuan

CODEOWNERS

@@ -1,30 +1,30 @@
 ---
 title: Self-service password reset policies - Azure Active Directory
-description: Configure Azure AD self-service password reset policy options
+description: Learn about the different Azure Active Directory self-service password reset policy options
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 11/21/2019
+ms.date: 03/20/2020
 
 ms.author: iainfou
 author: iainfoulds
 manager: daveba
 ms.reviewer: sahenry
 ms.collection: M365-identity-device-management
 ---
-# Password policies and restrictions in Azure Active Directory
+# Self-service password reset policies and restrictions in Azure Active Directory
 
 This article describes the password policies and complexity requirements associated with user accounts in your Azure Active Directory (Azure AD) tenant.
 
 ## Administrator reset policy differences
 
-**Microsoft enforces a strong default *two-gate* password reset policy for any Azure administrator role** this policy may be different from the one you have defined for your users and cannot be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned.
+**Microsoft enforces a strong default *two-gate* password reset policy for any Azure administrator role**. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned.
 
 With a two-gate policy, **administrators don't have the ability to use security questions**.
 
-The two-gate policy requires two pieces of authentication data, such as an **email address**, **authenticator app**, or a **phone number**. A two-gate policy applies in the following circumstances:
+The two-gate policy requires two pieces of authentication data, such as an *email address*, *authenticator app*, or a *phone number*. A two-gate policy applies in the following circumstances:
 
 * All the following Azure administrator roles are affected:
   * Helpdesk administrator
@@ -55,15 +55,15 @@ The two-gate policy requires two pieces of authentication data, such as an **ema
 
 ### Exceptions
 
-A one-gate policy requires one piece of authentication data, such as an email address *or* phone number. A one-gate policy applies in the following circumstances:
+A one-gate policy requires one piece of authentication data, such as an email address or phone number. A one-gate policy applies in the following circumstances:
 
 * It's within the first 30 days of a trial subscription; or
-* A custom domain hasn't been configured for your Azure AD tenant so is using the default **.onmicrosoft.com*. Note that the default **.onmicrosoft.com* domain isn't recommended for production use; and
+* A custom domain hasn't been configured for your Azure AD tenant so is using the default **.onmicrosoft.com*. The default **.onmicrosoft.com* domain isn't recommended for production use; and
 * Azure AD Connect isn't synchronizing identities
 
 ## UserPrincipalName policies that apply to all user accounts
 
-Every user account that needs to sign in to Azure AD must have a unique user principal name (UPN) attribute value associated with their account. The following table outlines the policies that apply to both on-premises Active Directory user accounts that are synchronized to the cloud and to cloud-only user accounts:
+Every user account that needs to sign in to Azure AD must have a unique user principal name (UPN) attribute value associated with their account. The following table outlines the policies that apply to both on-premises Active Directory Domain Services user accounts that are synchronized to the cloud and to cloud-only user accounts:
 
 | Property | UserPrincipalName requirements |
 | --- | --- |
@@ -77,19 +77,19 @@ The following table describes the password policy settings applied to user accou
 
 | Property | Requirements |
 | --- | --- |
-| Characters allowed |<ul><li>A – Z</li><li>a - z</li><li>0 – 9</li> <li>@ # $ % ^ & * - _ ! + = [ ] { } &#124; \ : ‘ , . ? / \` ~ " ( ) ;</li> <li>blank space</li></ul> |
+| Characters allowed |<ul><li>A – Z</li><li>a - z</li><li>0 – 9</li> <li>@ # $ % ^ & * - _ ! + = [ ] { } &#124; \ : ' , . ? / \` ~ " ( ) ;</li> <li>blank space</li></ul> |
 | Characters not allowed | Unicode characters. |
 | Password restrictions |<ul><li>A minimum of 8 characters and a maximum of 256 characters.</li><li>Requires three out of four of the following:<ul><li>Lowercase characters.</li><li>Uppercase characters.</li><li>Numbers (0-9).</li><li>Symbols (see the previous password restrictions).</li></ul></li></ul> |
 | Password expiry duration (Maximum password age) |<ul><li>Default value: **90** days.</li><li>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Azure Active Directory Module for Windows PowerShell.</li></ul> |
 | Password expiry notification (When users are notified of password expiration) |<ul><li>Default value: **14** days (before password expires).</li><li>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet.</li></ul> |
-| Password expiry (Let password's never expire) |<ul><li>Default value: **false** (indicates that password's have an expiration date).</li><li>The value can be configured for individual user accounts by using the `Set-MsolUser` cmdlet.</li></ul> |
+| Password expiry (Let passwords never expire) |<ul><li>Default value: **false** (indicates that password's have an expiration date).</li><li>The value can be configured for individual user accounts by using the `Set-MsolUser` cmdlet.</li></ul> |
 | Password change history | The last password *can't* be used again when the user changes a password. |
 | Password reset history | The last password *can* be used again when the user resets a forgotten password. |
-| Account lockout | After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time. [Smart lockout](howto-password-smart-lockout.md) tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior will not cause the account to lockout. |
+| Account lockout | After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time. [Smart lockout](howto-password-smart-lockout.md) tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior will not cause the account to lock out. |
 
 ## Set password expiration policies in Azure AD
 
-A global administrator or user administrator for a Microsoft cloud service can use the Microsoft Azure AD Module for Windows PowerShell to set user passwords not to expire. You can also use Windows PowerShell cmdlets to remove the never-expires configuration or to see which user passwords are set to never expire. 
+A *global administrator* or *user administrator* for a Microsoft cloud service can use the *Microsoft Azure AD Module for Windows PowerShell* to set user passwords not to expire. You can also use Windows PowerShell cmdlets to remove the never-expires configuration or to see which user passwords are set to never expire.
 
 This guidance applies to other providers, such as Intune and Office 365, which also rely on Azure AD for identity and directory services. Password expiration is the only part of the policy that can be changed.
 
@@ -98,14 +98,14 @@ This guidance applies to other providers, such as Intune and Office 365, which a
 
 ## Set or check the password policies by using PowerShell
 
-To get started, you need to [download and install the Azure AD PowerShell module](https://docs.microsoft.com/powershell/module/Azuread/?view=azureadps-2.0). After you have it installed, you can use the following steps to configure each field.
+To get started, [download and install the Azure AD PowerShell module](https://docs.microsoft.com/powershell/module/Azuread/?view=azureadps-2.0). After the module is installed, use the following steps to configure each field.
 
 ### Check the expiration policy for a password
 
 1. Connect to Windows PowerShell by using your user administrator or company administrator credentials.
-1. Execute one of the following commands:
+1. Run one of the following commands:
 
-   * To see if a single user’s password is set to never expire, run the following cmdlet by using the UPN (for example, *aprilr\@contoso.onmicrosoft.com*) or the user ID of the user you want to check:
+   * To see if a single user's password is set to never expire, run the following cmdlet by using the UPN (for example, *aprilr\@contoso.onmicrosoft.com*) or the user ID of the user you want to check:
 
    ```powershell
    Get-AzureADUser -ObjectId <user ID> | Select-Object @{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}
@@ -152,7 +152,7 @@ To get started, you need to [download and install the Azure AD PowerShell module
    ```
 
    > [!WARNING]
-   > Passwords set to `-PasswordPolicies DisablePasswordExpiration` still age based on the `pwdLastSet` attribute. If you set the user passwords to never expire and then 90+ days go by, the passwords expire. Based on the `pwdLastSet` attribute, if you change the expiration to `-PasswordPolicies None`, all passwords that have a `pwdLastSet` older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.
+   > Passwords set to `-PasswordPolicies DisablePasswordExpiration` still age based on the `pwdLastSet` attribute. Based on the `pwdLastSet` attribute, if you change the expiration to `-PasswordPolicies None`, all passwords that have a `pwdLastSet` older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.
 
 ## Next steps
 

articles/active-directory/authentication/concept-sspr-policy.md

@@ -1,5 +1,5 @@
 ---
-title: Passwordless security key sign (preview) - Azure Active Directory
+title: Passwordless security key sign-in (preview) - Azure Active Directory
 description: Enable passwordless security key sign-in to Azure AD using FIDO2 security keys (preview)
 
 services: active-directory

articles/active-directory/authentication/howto-authentication-passwordless-security-key.md

@@ -123,13 +123,13 @@ The sign-in activity reports for MFA give you access to the following informatio
 
 First, ensure that you have the [MSOnline V1 PowerShell module](https://docs.microsoft.com/powershell/azure/active-directory/overview?view=azureadps-1.0) installed.
 
-Identify users who have registered for MFA using the PowerShell that follows.
+Identify users who have registered for MFA using the PowerShell that follows. This set of commands excludes disabled users since these accounts cannot authenticate against Azure AD.
 
-```Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName```
+```Get-MsolUser -All | Where-Object {$.StrongAuthenticationMethods -ne $null -and $.BlockCredential -eq $False} | Select-Object -Property UserPrincipalName```
 
-Identify users who have not registered for MFA using the PowerShell that follows.
+Identify users who have not registered for MFA using the PowerShell that follows. This set of commands excludes disabled users since these accounts cannot authenticate against Azure AD.
 
-```Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName```
+```Get-MsolUser -All | Where-Object {$.StrongAuthenticationMethods.Count -eq 0 -and $.BlockCredential -eq $False} | Select-Object -Property UserPrincipalName```
 
 Identify users and output methods registered. 
 

articles/active-directory/authentication/howto-mfa-reporting.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 02/25/2020
+ms.date: 03/20/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -104,6 +104,8 @@ The safety feature is necessary because *block all users and all cloud apps* has
 
 You can satisfy this safety feature by excluding one user from your policy. Ideally, you should define a few [emergency-access administrative accounts in Azure AD](../users-groups-roles/directory-emergency-access.md) and exclude them from your policy.
 
+Using [report-only mode](concept-conditional-access-report-only.md) when enabling your policy to block legacy authentication provides your organization an opportunity to monitor what the impact of the policy would be.
+
 ## Policy deployment
 
 Before you put your policy into production, take care of:
@@ -133,5 +135,6 @@ If you block legacy authentication using the **Other clients** condition, you ca
 
 ## Next steps
 
+- [Determine impact using Conditional Access report-only mode](howto-conditional-access-report-only.md)
 - If you are not familiar with configuring Conditional Access policies yet, see [require MFA for specific apps with Azure Active Directory Conditional Access](app-based-mfa.md) for an example.
 - For more information about modern authentication support, see [How modern authentication works for Office 2013 and Office 2016 client apps](/office365/enterprise/modern-auth-for-office-2013-and-2016) 

articles/active-directory/conditional-access/block-legacy-authentication.md

@@ -78,6 +78,7 @@ This setting applies to the following iOS and Android apps:
 - Microsoft Kaizala
 - Microsoft Launcher
 - Microsoft Office
+- Microsoft Office Hub
 - Microsoft OneDrive
 - Microsoft OneNote
 - Microsoft Outlook

articles/active-directory/conditional-access/concept-conditional-access-grant.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 02/11/2020
+ms.date: 03/20/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -19,6 +19,9 @@ ms.collection: M365-identity-device-management
 
 To configure a Conditional Access policy in report-only mode:
 
+> [!IMPORTANT]
+> If your organization has not already, [Set up Azure Monitor integration with Azure AD](#set-up-azure-monitor-integration-with-azure-ad). This process must take place before data will be available to review.
+
 1. Sign into the **Azure portal** as a Conditional Access administrator, security administrator, or global administrator.
 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
 1. Select **New policy**.
@@ -52,7 +55,7 @@ More information about Azure Monitor pricing can be found on the [Azure Monitor
 
 ## View Conditional Access Insights workbook
 
-Once you’ve integrated your Azure AD logs with Azure Monitor, you can monitor the impact of Conditional Access policies using the new Conditional Access insights workbooks.
+Once you've integrated your Azure AD logs with Azure Monitor, you can monitor the impact of Conditional Access policies using the new Conditional Access insights workbooks.
 
 1. Sign into the **Azure portal** as a security administrator or global administrator.
 1. Browse to **Azure Active Directory** > **Workbooks**.
@@ -75,9 +78,9 @@ Once you’ve integrated your Azure AD logs with Azure Monitor, you can monitor
 
 Customers have noticed that queries sometimes fail if the wrong or multiple workspaces are associated with the workbook. To fix this problem, click **Edit** at the top of the workbook and then the Settings gear. Select and then remove workspaces that are not associated with the workbook. There should be only one workspace associated with each workbook.
 
-### Why doesn’t the Conditional Access Policies dropdown parameter contain my policies?
+### Why doesn't the Conditional Access Policies dropdown parameter contain my policies?
 
-The Conditional Access Policies dropdown is populated by querying the most recent sign-ins over a period of 4 hours. If a tenant doesn’t have any sign-ins in the past 4 hours, it is possible that the dropdown will be empty. If this delay is a persistent problem, such as in small tenants with infrequent sign-ins, admins can edit the query for the Conditional Access Policies dropdown and extend the time for the query to a time longer than 4 hours.
+The Conditional Access Policies dropdown is populated by querying the most recent sign-ins over a period of 4 hours. If a tenant doesn't have any sign-ins in the past 4 hours, it is possible that the dropdown will be empty. If this delay is a persistent problem, such as in small tenants with infrequent sign-ins, admins can edit the query for the Conditional Access Policies dropdown and extend the time for the query to a time longer than 4 hours.
 
 ## Next steps
 

articles/active-directory/conditional-access/howto-conditional-access-report-only.md

@@ -74,6 +74,23 @@ Tokens are only valid for a limited amount of time. Usually the STS provides a p
 
 Access tokens are passed to a Web API as the bearer token in the `Authorization` header. An app can provide a refresh token to the STS, and if the user access to the app wasn't revoked, it will get back a new access token and a new refresh token. This is how the scenario of someone leaving the enterprise is handled. When the STS receives the refresh token, it won't issue another valid access token if the user is no longer authorized.
 
+### How each flow emits tokens and codes
+
+Depending on how your client is built, it can use one (or several) of the authentication flows supported by Azure AD. These flows can produce a variety of tokens (id_tokens, refresh tokens, access tokens) as well as authorization codes, and require different tokens to make them work. This chart provides an overview:
+
+|Flow | Requires | id_token | access token | refresh token | authorization code | 
+|-----|----------|----------|--------------|---------------|--------------------|
+|[Authorization code flow](v2-oauth2-auth-code-flow.md) | | x | x | x | x|  
+|[Implicit flow](v2-oauth2-implicit-grant-flow.md) | | x        | x    |      |                    |
+|[Hybrid OIDC flow](v2-protocols-oidc.md#get-access-tokens)| | x  | |          |            x   |
+|[Refresh token redemption](v2-oauth2-auth-code-flow.md#refresh-the-access-token) | refresh token | x | x | x| |
+|[On-behalf-of flow](v2-oauth2-on-behalf-of-flow.md) | access token| x| x| x| |
+|[Client credentials](v2-oauth2-client-creds-grant-flow.md) | | | x (app-only)| | |
+
+Tokens issued via the implicit mode have a length limitation due to being passed back to the browser via the URL (where `response_mode` is `query` or `fragment`).  Some browsers have a limit on the size of the URL that can be put in the browser bar and fail when it is too long.  Thus, these tokens do not have `groups` or `wids` claims. 
+
+Now that you have an overview of the basics, read on to understand the identity app model and API, learn how provisioning works in Azure AD, and get links to detailed information about common scenarios Azure AD supports.
+
 ## Application model
 
 Applications can sign in users themselves or delegate sign-in to an identity provider. See [Authentication flows and app scenarios](authentication-flows-app-scenarios.md) to learn about sign-in scenarios supported by Azure AD.

articles/active-directory/develop/authentication-scenarios.md

@@ -80,7 +80,6 @@ In this quickstart, you use a code sample to learn how a JavaScript single-page
 > [Download the code sample](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2/archive/quickstart.zip)
 
 > [!div renderon="docs"]
-
 > #### Step 3: Configure your JavaScript app
 >
 > In the *JavaScriptSPA* folder, edit *authConfig.js*, and set the `clientID`, `authority` and `redirectUri` values under `msalConfig`.