Commit 1e6463e

Merge branch 'release-preview-dsvm' of https://github.com/microsoftdocs/azure-docs-pr into release-preview-dsvm
2 parents d1ccac2 + 191c778 commit 1e6463e

File tree

2,911 files changed

+35887
-21411
lines changed

.openpublishing.redirection.json

Lines changed: 1292 additions & 81 deletions
Large diffs are not rendered by default.

articles/active-directory-b2c/page-layout.md

Lines changed: 13 additions & 7 deletions
@@ -8,7 +8,7 @@ manager: celestedg
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: conceptual
11-
ms.date: 07/04/2019
11+
ms.date: 12/18/2019
1212
ms.author: marsma
1313
ms.subservice: B2C
1414
---
@@ -42,9 +42,9 @@ In your custom policies, you may have [ContentDefinitions](contentdefinitions.md
4242
</ContentDefinition>
4343
```
4444

45-
To select a page layout, you change the **DataUri** values in your [ContentDefinitions](contentdefinitions.md) in your policies. By switching from the old **DataUri** values to the new values, you're selecting an immutable package. The benefit of using this package is that you’ll know it won't change and cause unexpected behavior on your page.
45+
To select a page layout, you change the **DataUri** values in your [ContentDefinitions](contentdefinitions.md) in your policies. By switching from the old **DataUri** values to the new values, you're selecting an immutable package. The benefit of using this package is that you know it won't change and cause unexpected behavior on your page.
4646

47-
To set up a page layout, use the following table to find **DataUri** values.
47+
To specify a page layout in your custom policies that use an old **DataUri** value, insert `contract` between `elements` and the page type (for example, `selfasserted`), and specify the version number. For example:
4848

4949
| Old DataUri value | New DataUri value |
5050
| ----------------- | ----------------- |
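
Review bot: The new sentence at line 47 says to "specify the version number" but never says where in the **DataUri** value the version goes, and it ends with "For example:" although what follows is the old/new mapping table rather than a single example. Suggest stating the position of the version explicitly, then introducing the table as the full mapping of old to new values.
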
@@ -64,17 +64,23 @@ To set up a page layout, use the following table to find **DataUri** values.
6464

6565
Page layout packages are periodically updated to include fixes and improvements in their page elements. The following change log specifies the changes introduced in each version.
6666

67-
### 1.2.0
67+
### 2.0.0
68+
69+
- Self-asserted page (`selfasserted`)
70+
- Added support for [display controls](display-controls.md) in custom policies.
71+
72+
### 1.2.0
73+
6874
- All pages
6975
- Accessibility fixes
7076
- You can now add the `data-preload="true"` attribute in your HTML tags to control the load order for CSS and JavaScript. Scenarios include:
71-
- Use this on your CSS link to load the CSS at the same time as your HTML so that it doesn't 'flicker' between loading the files
72-
- This attribute allows you to control the order in which your Script tags are fetched and executed before the page load
77+
- Use this on your CSS link to load the CSS at the same time as your HTML so that it doesn't 'flicker' between loading the files
78+
- This attribute allows you to control the order in which your Script tags are fetched and executed before the page load
7379
- Email field is now `type=email` and mobile keyboards will provide the correct suggestions
7480
- Support for Chrome translate
7581
- Unified and self-asserted page
7682
- The username/email and password fields now use the form HTML element. This will now allow Edge and IE to properly save this information
77-
83+
7884
### 1.1.0
7985

8086
- Exception page (globalexception)
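
Review bot: The new `### 2.0.0` entry at lines 67-70 is a major version bump, yet it lists only an added feature and does not say whether anything changes for policies pinned to 1.2.0. Because the text above presents each package as immutable and selected by version, add a line stating whether existing content definitions and custom HTML work unchanged on 2.0.0, and which page types have a 2.0.0 package (only `selfasserted` is mentioned).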

articles/active-directory-domain-services/tutorial-configure-ldaps.md

Lines changed: 1 addition & 1 deletion
@@ -61,7 +61,7 @@ The certificate you request or create must meet the following requirements. Your
6161

6262
* **Trusted issuer** - The certificate must be issued by an authority trusted by computers connecting to the managed domain using secure LDAP. This authority may be a public CA or an Enterprise CA trusted by these computers.
6363
* **Lifetime** - The certificate must be valid for at least the next 3-6 months. Secure LDAP access to your managed domain is disrupted when the certificate expires.
64-
* **Subject name** - The subject name on the certificate must be your managed domain. For instance, if your domain is named *aadds.contoso.com*, the certificate's subject name must be **aadds.contoso.com*.
64+
* **Subject name** - The subject name on the certificate must be your managed domain. For instance, if your domain is named *aadds.contoso.com*, the certificate's subject name must be **.aadds.contoso.com*.
6565
* The DNS name or subject alternate name of the certificate must be a wildcard certificate to ensure the secure LDAP works properly with the Azure AD Domain Services. Domain Controllers use random names and can be removed or added to ensure the service remains available.
6666
* **Key usage** - The certificate must be configured for *digital signatures* and *key encipherment*.
6767
* **Certificate purpose** - The certificate must be valid for SSL server authentication.
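
Review bot: Line 64 now gives `*.aadds.contoso.com` as the required subject name, but the same sentence still says the subject name "must be your managed domain", and a wildcard for `*.aadds.contoso.com` does not match the bare name `aadds.contoso.com`. Reword the bullet so the requirement is unambiguous and agrees with the wildcard sub-bullet on line 65. Also put the name in backticks: the `**.aadds.contoso.com*` markup mixes the emphasis asterisk with the wildcard asterisk and is likely to render incorrectly.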

articles/active-directory/authentication/howto-mfa-userstates.md

Lines changed: 2 additions & 2 deletions
@@ -26,9 +26,9 @@ You can take one of two approaches for requiring two-step verification, both of
2626

2727
**Enabled by changing user state** - This is the traditional method for requiring two-step verification and is discussed in this article. It works with both Azure MFA in the cloud and Azure MFA Server. Using this method requires users to perform two-step verification **every time** they sign in and overrides Conditional Access policies.
2828

29-
Enabled by Conditional Access policy - This is the most flexible means to enable two-step verification for your users. Enabling using Conditional Access policy only works for Azure MFA in the cloud and is a premium feature of Azure AD. More information on this method can be found in [Deploy cloud-based Azure Multi-Factor Authentication](howto-mfa-getstarted.md).
29+
**Enabled by Conditional Access policy** - This is the most flexible means to enable two-step verification for your users. Enabling using Conditional Access policy only works for Azure MFA in the cloud and is a premium feature of Azure AD. More information on this method can be found in [Deploy cloud-based Azure Multi-Factor Authentication](howto-mfa-getstarted.md).
3030

31-
Enabled by Azure AD Identity Protection - This method uses the Azure AD Identity Protection risk policy to require two-step verification based only on sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing. More information on this method can be found in [Azure Active Directory Identity Protection](../identity-protection/howto-sign-in-risk-policy.md)
31+
**Enabled by Azure AD Identity Protection** - This method uses the Azure AD Identity Protection risk policy to require two-step verification based only on sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing. More information on this method can be found in [Azure Active Directory Identity Protection](../identity-protection/howto-sign-in-risk-policy.md)
3232

3333
> [!Note]
3434
> More information about licenses and pricing can be found on the [Azure AD](https://azure.microsoft.com/pricing/details/active-directory/
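
Review bot: The paragraph at line 31 still ends at the link with no closing period, unlike the two paragraphs above it; add it while this line is being touched. With all three labels now bold, the three approaches would also read more clearly as a bulleted list than as separate paragraphs.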

articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ Before enabling the new experience, review the article [Combined security inform
3636
Complete these steps to enable combined registration:
3737

3838
1. Sign in to the Azure portal as a user administrator or global administrator.
39-
2. Go to **Azure Active Directory** > **User settings** > **Manage settings for access panel preview features**.
39+
2. Go to **Azure Active Directory** > **User settings** > **Manage user feature preview settings**.
4040
3. Under **Users can use preview features for registering and managing security info**, choose to enable for a **Selected** group of users or for **All** users.
4141

4242
![Enable the combined security info preview experience for All users](media/howto-registration-mfa-sspr-combined/enable-the-combined-security-info-preview.png)
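
Review bot: Step 2 at line 39 renames the portal entry to **Manage user feature preview settings**, but the screenshot referenced at line 42 (`enable-the-combined-security-info-preview.png`) is not updated in this hunk. Confirm the image still matches the renamed entry, or replace it in the same change so the step and the screenshot agree.
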
@@ -63,7 +63,7 @@ The following policy applies to all selected users, who attempt to register usin
6363

6464
![Create a CA policy to control security info registration](media/howto-registration-mfa-sspr-combined/require-registration-from-trusted-location.png)
6565

66-
1. In the **Azure portal**, browse to **Azure Active Directory** > **Conditional Access**
66+
1. In the **Azure portal**, browse to **Azure Active Directory** > **Security** > **Conditional Access**
6767
1. Select **New policy**
6868
1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration on Trusted Networks**
6969
1. Under **Assignments**, click **Users and groups**, and select the users and groups you want this policy to apply to
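
Review bot: The steps in this list, including the edited line 66, have no terminal periods, while the numbered steps at lines 38-40 of the same file do; add them for consistency while the list is being touched. Line 68 also reads "In Name, Enter a Name", where "enter" should be lowercase and the field name would normally be bold like the other UI labels.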

articles/active-directory/b2b/tutorial-bulk-invite.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,8 @@ ms.collection: M365-identity-device-management
2626
| This article describes a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).|
2727
| |
2828

29+
> [!NOTE]
30+
> As of 12/22/2019, the Bulk invite users (Preview) feature has been temporarily disabled.
2931
3032
If you use Azure Active Directory (Azure AD) B2B collaboration to work with external partners, you can invite multiple guest users to your organization at the same time. In this tutorial, you learn how to use the Azure portal to send bulk invitations to external users. Specifically, you do the following:
3133
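
Review bot: The note added at lines 29-30 says the feature "has been temporarily disabled", but the introduction at line 32 still tells readers they will learn to send bulk invitations from the portal, and the note offers no alternative. Add a sentence saying what readers should do in the meantime, and write the date in a locale-independent form such as December 22, 2019 instead of `12/22/2019`.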

articles/active-directory/cloud-provisioning/concept-attributes.md

Lines changed: 35 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
2-
title: 'Understanding the Azure AD schema and custom expressions'
3-
description: This topic describes the Azure AD schema, the attributes that the provisioning agent flows and custom expressions.
2+
title: 'Understand the Azure AD schema and custom expressions'
3+
description: This article describes the Azure AD schema, the attributes that the provisioning agent flows, and custom expressions.
44
services: active-directory
55
documentationcenter: ''
66
author: billmath
@@ -19,41 +19,41 @@ ms.collection: M365-identity-device-management
1919
---
2020

2121

22-
# Understanding the Azure AD schema
23-
An object in Azure AD, like any directory, is a programmatic high-level data construct that represents such things as users, groups, and contacts. When you create a new user or contact in Azure AD, you are creating a new instance of that object. These instances can be differentiated based on their properties.
22+
# Understand the Azure AD schema
23+
An object in Azure Active Directory (Azure AD), like any directory, is a programmatic high-level data construct that represents such things as users, groups, and contacts. When you create a new user or contact in Azure AD, you're creating a new instance of that object. These instances can be differentiated based on their properties.
2424

25-
Properties, in Azure AD are the elements responsible for storing information about an instance of an object in Azure AD.
25+
Properties in Azure AD are the elements responsible for storing information about an instance of an object in Azure AD.
2626

27-
The Azure AD schema defines the rules for which properties may be used in an entry, the kinds of values that those properties may have, and how users may interact with those values.
27+
The Azure AD schema defines the rules for which properties might be used in an entry, the kinds of values that those properties might have, and how users might interact with those values.
2828

29-
Azure AD has two types of properties. The properties are:
30-
- **Built in properties**Properties that are pre-defined by the Azure AD schema. These properties provide different uses and may or may not be accessible.
31-
- **Directory extensions**Properties that are provided so that you can customize Azure AD for your own use. For example, if you have extended your on-premises Active Directory with a certain attribute and want to flow that attribute, you can use one of the custom properties that are provided.
29+
Azure AD has two types of properties:
30+
- **Built-in properties**: Properties that are predefined by the Azure AD schema. These properties provide different uses and might or might not be accessible.
31+
- **Directory extensions**: Properties that are provided so that you can customize Azure AD for your own use. For example, if you've extended your on-premises Active Directory with a certain attribute and want to flow that attribute, you can use one of the custom properties that's provided.
3232

3333
## Attributes and expressions
34-
When an object, such as a user is provisioned to Azure AD, a new instance of the user object is created. This creation includes the properties of that object, which are also known as attributes. Initially, the newly created object will have its attributes set to values that are determined by the synchronization rules. These attributes are then kept up to date via the cloud provisioning agent.
34+
When an object such as a user is provisioned to Azure AD, a new instance of the user object is created. This creation includes the properties of that object, which are also known as attributes. Initially, the newly created object has its attributes set to values that are determined by the synchronization rules. These attributes are then kept up to date via the cloud provisioning agent.
3535

36-
![](media/concept-attributes/attribute1.png)
36+
![Object provisioning](media/concept-attributes/attribute1.png)
3737

38-
For example, if a user is part of the Marketing department, their Azure AD department attribute will initially be created when they are provisioned and then the value would be set to Marketing. But then, six months later, they change to Sales. Their on-premises AD department attribute is changed to Sales. This change will then synchronize to Azure AD and be reflected on their Azure AD user object.
38+
For example, a user might be part of a Marketing department. Their Azure AD department attribute is initially created when they're provisioned, and the value is set to Marketing. Six months later if they change to Sales, their on-premises Active Directory department attribute is changed to Sales. This change synchronizes to Azure AD and is reflected in their Azure AD user object.
3939

40-
Attribute synchronization may be either direct, where the value in Azure AD is directly set to the value of the on-premises attribute. Or, there may be a programmatic expression that handles this synchronization. A programmatic expression would be needed in cases where some logic or a determination needed to be made in order to populate the value.
40+
Attribute synchronization might be direct, where the value in Azure AD is directly set to the value of the on-premises attribute. Or, a programmatic expression might handle the synchronization. A programmatic expression is needed in cases where some logic or a determination must be made to populate the value.
4141

42-
For example, if I had my mail attribute ("[email protected]") and I needed to strip out the "@contoso.com" portion and flow just the value "john.smith" I would use something like this:
42+
For example, if you had the mail attribute "[email protected]" and needed to strip out the "@contoso.com" portion and flow only the value "john.smith," you'd use something like this:
4343

4444
`Replace([mail], "@contoso.com", , ,"", ,)`
4545

46-
**Sample input / output:** <br>
46+
**Sample input/output:** <br>
4747

4848
* **INPUT** (mail): "[email protected]"
49-
* **OUTPUT**: "john.smith"
49+
* **OUTPUT**: "john.smith"
5050

51-
For additional information, on writing custom expressions, and the syntax see [Writing Expressions for Attribute Mappings in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/functions-for-customizing-application-data).
51+
For more information on how to write custom expressions and the syntax, see [Writing expressions for attribute mappings in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/functions-for-customizing-application-data).
5252

53-
The following list are common attributes and how they are synchronized to Azure AD.
53+
The following table lists common attributes and how they're synchronized to Azure AD.
5454

5555

56-
|On-premises Active Directory|Mapping Type|Azure AD|
56+
|On-premises Active Directory|Mapping type|Azure AD|
5757
|-----|-----|-----|
5858
|cn|Direct|commonName
5959
|countryCode|Direct|countryCode|
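
Review bot: Line 42 now reads `"john.smith,"` with the comma inside the quotation marks, which makes the literal output value look as if it includes a comma. Put literal attribute values in code formatting, as line 44 does for the expression, and keep sentence punctuation outside them. In the context lines, the `|cn|Direct|commonName` row at line 58 is missing its closing pipe and is worth fixing in the same pass.
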
@@ -63,14 +63,14 @@ The following list are common attributes and how they are synchronized to Azure
6363
|userprincipalName|Direct|userPrincipalName|
6464
|ProxyAdress|Direct|ProxyAddress|
6565

66-
## Viewing the schema
67-
In order to view the schema and verify it, do the following steps:
66+
## View the schema
67+
To view the schema and verify it, follow these steps.
6868

69-
1. Navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
70-
2. Sign in with your global administrator account
71-
3. On the left, click **modify permissions** and ensure that **Directory.ReadWrite.All** is Consented.
72-
4. Run the following query: https://graph.microsoft.com/beta/serviceprincipals/. This query will return a list of service principals.
73-
5. Locate "appDisplayName": "Active Directory to Azure Active Directory Provisioning" and note the "id:" value.
69+
1. Go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
70+
1. Sign in with your global administrator account.
71+
1. On the left, select **modify permissions** and ensure that **Directory.ReadWrite.All** is *Consented*.
72+
1. Run the query https://graph.microsoft.com/beta/serviceprincipals/. This query returns a list of service principals.
73+
1. Locate `"appDisplayName": "Active Directory to Azure Active Directory Provisioning"` and note the value for `"id"`.
7474
```
7575
"value": [
7676
{
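
Review bot: Step 3 at line 71 still asks a global administrator to consent to **Directory.ReadWrite.All**, a tenant-wide write permission, for a procedure whose queries only list service principals and return the schema. Either name a read-only permission if one is sufficient for these queries, or state why write access is required and remind readers to remove the consent when they are done. The context row `|ProxyAdress|Direct|ProxyAddress|` at line 64 also looks like a misspelled attribute name.
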
@@ -143,8 +143,8 @@ In order to view the schema and verify it, do the following steps:
143143
"passwordCredentials": []
144144
},
145145
```
146-
6. Replace the {Service Principal id} with your value and run the following query: `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal id}/synchronization/jobs/`
147-
7. Locate the "id": "AD2AADProvisioning.fd1c9b9e8077402c8bc03a7186c8f976" section and note the "id:".
146+
1. Replace `{Service Principal id}` with your value, and run the query `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal id}/synchronization/jobs/`.
147+
1. Locate `"id": "AD2AADProvisioning.fd1c9b9e8077402c8bc03a7186c8f976"` and note the value for `"id"`.
148148
```
149149
{
150150
"id": "AD2AADProvisioning.fd1c9b9e8077402c8bc03a7186c8f976",
@@ -235,16 +235,17 @@ In order to view the schema and verify it, do the following steps:
235235
]
236236
}
237237
```
238-
8. Now run the following query: `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal Id}/synchronization/jobs/{AD2AAD Provisioning id}/schema`
238+
1. Now run the query `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal Id}/synchronization/jobs/{AD2AAD Provisioning id}/schema`.
239239
240-
Example: https://graph.microsoft.com/beta/serviceprincipals/653c0018-51f4-4736-a3a3-94da5dcb6862/synchronization/jobs/AD2AADProvisioning.e9287a7367e444c88dc67a531c36d8ec/schema
240+
Example: https://graph.microsoft.com/beta/serviceprincipals/653c0018-51f4-4736-a3a3-94da5dcb6862/synchronization/jobs/AD2AADProvisioning.e9287a7367e444c88dc67a531c36d8ec/schema
241241
242-
Replace the {Service Principal Id} and {AD2ADD Provisioning Id} with your values.
242+
Replace `{Service Principal Id}` and `{AD2ADD Provisioning Id}` with your values.
243243
244-
9. This query will return the schema.
245-
![](media/concept-attributes/schema1.png)
244+
1. This query returns the schema.
245+
246+
![Returned schema](media/concept-attributes/schema1.png)
246247
247-
## Next steps
248+
## Next steps
248249
249250
- [What is provisioning?](what-is-provisioning.md)
250251
- [What is Azure AD Connect cloud provisioning?](what-is-cloud-provisioning.md)
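
Review bot: The placeholder at line 242 is spelled `{AD2ADD Provisioning Id}`, while the query at line 238 uses `{AD2AAD Provisioning id}`; the typo predates this change but is carried into the new backticked text, and the `Id`/`id` capitalization also differs from line 146. Make the placeholders identical everywhere they appear. The example URL at line 240 embeds what appears to be a concrete service principal GUID and job id, so consider replacing both with obviously fake values. Line 244, "This query returns the schema.", is a result and not an action, and would read better folded into the previous step.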
