resolving merge conflict with master

Author: julieMSFT

.openpublishing.publish.config.json

@@ -377,6 +377,11 @@
       "url": "https://github.com/microsoft/immersive-reader-sdk",
       "branch": "master",
       "branch_mapping": {}
+    },
+    {
+      "path_to_root": "azure-cosmosdb-java-v2",
+      "url": "https://github.com/Azure/azure-cosmosdb-java",
+      "branch": "master"
     }
   ],
   "branch_target_mapping": {

.openpublishing.redirection.json

@@ -19196,9 +19196,14 @@
     },
     {
       "source_path": "articles/active-directory/active-directory-passwords.md",
-      "redirect_url": "active-directory-passwords-update-your-own-password",
+      "redirect_url": "/azure/active-directory/user-help/active-directory-passwords-update-your-own-password",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/active-directory/user-help/user-help-reset-password.md",
+      "redirect_url": "/azure/active-directory/user-help/active-directory-passwords-update-your-own-password",
+      "redirect_document_id": false      
+    },
     {
       "source_path": "articles/active-directory/active-directory-protocols-oauth-code.md",
       "redirect_url": "/azure/active-directory/develop/active-directory-protocols-oauth-code",
@@ -43297,6 +43302,11 @@
       "source_path": "articles/terraform/terraform-vm-msi.md",
       "redirect_url": "/azure/terraform/terraform-vm-managed-identities-for-azure-resources",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/active-directory/develop/msal-acquire-token-interactively.md",
+      "redirect_url": "/azure/active-directory/develop/msal-acquire-cache-tokens",
+      "redirect_document_id": true
     }
   ]
 }

articles/active-directory-b2c/active-directory-b2c-reference-customize-ui-custom.md

@@ -39,7 +39,7 @@ You can provide as many content pages as you like by crafting HTML5/CSS files as
 > [!NOTE]
 > For security reasons, the use of JavaScript is currently blocked for customization. 
 
-In each of your HTML5/CSS templates, you provide an *anchor* element, which corresponds to the required `<div id=”api”>` element in the HTML or the content page as illustrate hereafter. Azure AD B2C requires that all content pages have this specific div.
+In each of your HTML5/CSS templates, you provide an *anchor* element, which corresponds to the required `<div id="api">` element in the HTML or the content page as illustrate hereafter. Azure AD B2C requires that all content pages have this specific div.
 
 ```
 <!DOCTYPE html>

articles/active-directory-b2c/predicates.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 09/10/2018
+ms.date: 10/28/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -27,6 +27,8 @@ The following diagram shows the relationship between the elements:
 
 The **Predicate** element defines a basic validation to check the value of a claim type and returns `true` or `false`. The validation is done by using a specified **Method** element and a set of **Parameter** elements relevant to the method. For example, a predicate can check whether the length of a string claim value is within the range of minimum and maximum parameters specified, or whether a string claim value contains a character set. The **UserHelpText** element provides an error message for users if the check fails. The value of **UserHelpText** element can be localized using [language customization](localization.md).
 
+The **Predicates** element must appear directly following the **ClaimsSchema** element within the [BuildingBlocks](buildingblocks.md) element.
+
 The **Predicates** element contains the following element:
 
 | Element | Occurrences | Description |
@@ -108,6 +110,8 @@ The following example shows a `IsDateRange` method with the parameters `Minimum`
 
 While the predicates define the validation to check against a claim type, the **PredicateValidations** group a set of predicates to form a user input validation that can be applied to a claim type. Each **PredicateValidation** element contains a set of **PredicateGroup** elements that contain a set of **PredicateReference** elements that points to a **Predicate**. To pass the validation, the value of the claim should pass all of the tests of any predicate under all of the **PredicateGroup** with their set of **PredicateReference** elements.
 
+The **PredicateValidations** element must appear directly following the **Predicates** element within the [BuildingBlocks](buildingblocks.md) element.
+
 ```XML
 <PredicateValidations>
   <PredicateValidation Id="">
@@ -190,7 +194,7 @@ With **Predicates** and **PredicateValidationsInput** you can control the comple
 - **Lowercase** using the `IncludesCharacters` method, validates that the password contains a lowercase letter.
 - **Uppercase** using the `IncludesCharacters` method, validates that the password contains an uppercase letter.
 - **Number** using the `IncludesCharacters` method, validates that the password contains a digit.
-- **Symbol** using the `IncludesCharacters` method, validates that the password contains one of following symbols `@#$%^&*\-_+=[]{}|\:',?/~"();!`
+- **Symbol** using the `IncludesCharacters` method, validates that the password contains one of several symbol characters.
 - **PIN** using the `MatchesRegex` method, validates that the password contains numbers only.
 - **AllowedAADCharacters** using the `MatchesRegex` method, validates that the password only invalid character was provided.
 - **DisallowedWhitespace** using the `MatchesRegex` method, validates that the password doesn't begin or end with a whitespace character.
@@ -229,7 +233,7 @@ With **Predicates** and **PredicateValidationsInput** you can control the comple
   <Predicate Id="Symbol" Method="IncludesCharacters">
     <UserHelpText>a symbol</UserHelpText>
     <Parameters>
-      <Parameter Id="CharacterSet">@#$%^&amp;*\-_+=[]{}|\:',?/`~"();!</Parameter>
+      <Parameter Id="CharacterSet">@#$%^&amp;*\-_+=[]{}|\\:',.?/`~"();!</Parameter>
     </Parameters>
   </Predicate>
 

articles/active-directory-domain-services/tutorial-configure-networking.md

@@ -151,7 +151,7 @@ To see this managed domain in action, create and join a virtual machine to the d
 > [!div class="nextstepaction"]
 > [Join a Windows Server virtual machine to your managed domain](join-windows-vm.md)
 
-<!-- INTERNAL LINKS -->
+<!-- INTERNAL LINKS --> 
 [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
 [associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
 [create-azure-ad-ds-instance]: tutorial-create-instance.md

articles/active-directory/authentication/TOC.yml

@@ -43,6 +43,8 @@
     items:
     - name: How MFA works
       href: concept-mfa-howitworks.md
+    - name: Enable MFA
+      href: concept-mfa-get-started.md
     - name: License your users
       href: concept-mfa-licensing.md
     - name: Manage an Auth Provider
@@ -135,6 +137,10 @@
         href: howto-authentication-passwordless-deployment.md
       - name: Passwordless security keys
         href: howto-authentication-passwordless-security-key.md
+      - name: Passwordless Windows 10
+        href: howto-authentication-passwordless-security-key-windows.md
+      - name: Passwordless on-premises
+        href: howto-authentication-passwordless-security-key-on-premises.md
       - name: Passwordless phone sign-in
         href: howto-authentication-passwordless-phone.md
       - name: Windows Hello for Business

articles/active-directory/authentication/concept-authentication-passwordless.md

@@ -25,15 +25,15 @@ Multi-factor authentication (MFA) is a great way to secure your organization, bu
 
 Each organization has different needs when it comes to authentication. Microsoft offers three passwordless authentication options:
 
-- Windows Hello for Business 
-- Microsoft Authenticator app 
+- Windows Hello for Business
+- Microsoft Authenticator app
 - FIDO2 security keys
 
 ![Authentication: Security versus convenience](./media/concept-authentication-passwordless/passwordless-convenience-security.png)
 
-## Windows Hello for Business 
+## Windows Hello for Business
 
-Windows Hello for Business is ideal for information workers who have their own designated Windows PC. The biometric and PIN  are directly tied to the user's PC, which prevents access from anyone other than the owner. With PKI integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a simple and convenient method for seamlessly accessing corporate resources on-premises and in the cloud.
+Windows Hello for Business is ideal for information workers who have their own designated Windows PC. The biometric and PIN are directly tied to the user's PC, which prevents access from anyone other than the owner. With PKI integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a simple and convenient method for seamlessly accessing corporate resources on-premises and in the cloud.
 
 The Windows Hello for Business [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-planning-guide) can be used to help you make decisions on the type of Windows Hello for Business deployment and the options you'll need to consider.
 
@@ -49,7 +49,7 @@ It turns any iOS or Android phone into a strong, passwordless credential by allo
 
 FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. It allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.
 
-For public preview, employees can use external security keys to sign in to their Azure Active Directory Joined Windows 10 machines (running version 1809 or higher) and get single-sign on to their cloud resources. They can also sign in to supported browsers.
+For public preview, employees can use security keys to sign in to their Azure AD or hybrid Azure AD joined Windows 10 devices and get single-sign on to their cloud and on-premises resources. They can also sign in to supported browsers.
 
 ![Sign in to Microsoft Edge with a security key](./media/concept-authentication-passwordless/concept-web-sign-in-security-key.png)
 
@@ -75,6 +75,9 @@ The following providers offer FIDO2 security keys of different form factors that
 | eWBM | [https://www.ewbm.com/page/sub1_5](https://www.ewbm.com/page/sub1_5) |
 | AuthenTrend | [https://authentrend.com/about-us/#pg-35-3](https://authentrend.com/about-us/#pg-35-3) |
 
+> [!NOTE]
+> If you purchase and plan to use NFC based security keys you will need a supported NFC reader.
+
 If you are a vendor and want to get your device on this list, contact [[email protected]](mailto:[email protected]).
 
 FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren’t willing or able to use their phone as a second factor.
@@ -86,7 +89,7 @@ FIDO2 security keys are a great option for enterprises who are very security sen
 - End users can register and manage these passwordless authentication methods in their account portal
 - End users can sign in with these passwordless authentication methods
    - Microsoft Authenticator App: Will work in scenarios where Azure AD authentication is used, including across all browsers, during Windows 10 Out Of Box (OOBE) setup, and with integrated mobile apps on any operating system.
-   - Security keys: Will work on lock screen for Windows 10 version 1809 or higher and the web in supported browsers like Microsoft Edge.
+   - Security keys: Will work on lock screen for Windows 10 and the web in supported browsers like Microsoft Edge.
 
 ## Next steps
 

articles/active-directory/authentication/concept-mfa-get-started.md

@@ -0,0 +1,65 @@
+---
+title: Enable Multi-Factor Authentication for your organization - Azure Active Directory
+description: Enable Azure MFA for your organization based on your license
+
+services: multi-factor-authentication
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 10/29/2019
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
+ms.reviewer: michmcla
+
+ms.collection: M365-identity-device-management
+---
+# Enable Multi-Factor Authentication for your organization
+
+There are multiple ways to enable Azure Multi-Factor Authentication (MFA) for your Azure Active Directory (AD) users based on the licenses that your organization owns. 
+
+![Investigate signals and enforce MFA if needed](./media/concept-mfa-get-started/verify-signals-and-perform-mfa-if-required.png)
+
+Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.
+
+So how does your organization turn on multi-factor authentication even for free, before becoming a statistic?
+
+## Free option
+
+Customers who are utilizing the free benefits of Azure AD can use [security defaults](../conditional-access/concept-conditional-access-security-defaults.md) to enable multi-factor authentication in their environment.
+
+## Office 365
+
+For customers with Office 365, there are two options:
+
+- [Security defaults](../conditional-access/concept-conditional-access-security-defaults.md) can be enabled through Azure AD to protect all of your users with Azure Multi-Factor Authentication.
+- If your organization requires more granularity in providing multi-factor authentication, your Office licenses include [per-user MFA](../authentication/howto-mfa-userstates.md) capabilities. Per-user MFA is enabled and enforced on each user individually by administrators.
+
+## Azure AD Premium P1
+
+For customers with Azure AD Premium P1 or similar licenses that include this functionality such as Enterprise Mobility + Security E3, Microsoft 365 F1, or Microsoft 365 E3: 
+
+The recommendation is to use [Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md) for the best user experience.
+
+## Azure AD Premium P2
+
+For customers with Azure AD Premium P2 or similar licenses that include this functionality such as Enterprise Mobility + Security E5 or Microsoft 365 E5: 
+
+The recommendation is to use [Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md) along with [Identity Protection](../identity-protection/overview-v2.md) risk policies for the best user experience and enforcement flexibility.
+
+## Authentication methods
+
+|   | Security defaults | All other methods |
+| --- | --- | --- |
+| Notification through mobile app | X | X |
+| Verification code from mobile app or hardware token |   | X |
+| Text message to phone |   | X |
+| Call to phone |   | X |
+| App passwords |   | X** |
+
+** App passwords are only available in per-user MFA with legacy authentication scenarios only if enabled by administrators.
+
+## Next steps
+
+[Azure AD pricing page](https://azure.microsoft.com/pricing/details/active-directory/)