
Commit 1f25aa9

Merge pull request #116428 from MicrosoftDocs/master
Merge Master to Live, 4 AM
2 parents 0b80a58 + 540f638 commit 1f25aa9


248 files changed

+9075
-1366
lines changed


.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -33927,6 +33927,11 @@
3392733927
"redirect_url": "/azure/role-based-access-control/role-assignments-portal",
3392833928
"redirect_document_id": false
3392933929
},
33930+
{
33931+
"source_path": "articles/role-based-access-control/tutorial-role-assignments-user-template.md",
33932+
"redirect_url": "/azure/role-based-access-control/quickstart-role-assignments-template",
33933+
"redirect_document_id": true
33934+
},
3393033935
{
3393133936
"source_path": "articles/active-directory/privileged-identity-management/active-directory-securing-privileged-access.md",
3393233937
"redirect_url": "/azure/active-directory/users-groups-roles/directory-admin-roles-secure",

articles/active-directory-domain-services/alert-service-principal.md

Lines changed: 1 addition & 1 deletion
@@ -98,7 +98,7 @@ To recreate the Azure AD application used for credential synchronization, use Az
9898
$app = Get-AzureADApplication -Filter "IdentifierUris eq 'https://sync.aaddc.activedirectory.windowsazure.com'"
9999
Remove-AzureADApplication -ObjectId $app.ObjectId
100100
$spObject = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Azure AD Domain Services Sync'"
101-
Remove-AzureADServicePrincipal -ObjectId $app.ObjectId
101+
Remove-AzureADServicePrincipal -ObjectId $spObject
102102
```
103103
104104
After you delete both applications, the Azure platform automatically recreates them and tries to resume password synchronization. The Azure AD DS managed domain's health automatically updates itself within two hours and removes the alert.
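Review bot: line 101+ passes the whole service principal object to `-ObjectId`, which takes the object ID string, so the corrected command should be `Remove-AzureADServicePrincipal -ObjectId $spObject.ObjectId`. The original defect was reusing `$app.ObjectId` for the service principal; the fix picks the right variable but drops the property. A second point on line 100: `Get-AzureADServicePrincipal -Filter "DisplayName eq 'Azure AD Domain Services Sync'"` filters on a display name, which is not unique, so the snippet should check that `$spObject` holds exactly one result before calling `Remove-AzureADServicePrincipal` on it.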

articles/active-directory/authentication/howto-mfa-nps-extension-vpn.md

Lines changed: 2 additions & 2 deletions
@@ -242,9 +242,9 @@ In this section, you configure your VPN server to use RADIUS authentication. The
242242
b. For the **Shared secret**, select **Change**, and then enter the shared secret password that you created and recorded earlier.
243243

244244
c. In the **Time-out (seconds)** box, enter a value of **30**.
245-
The timeout value is necessary to allow enough time to complete the second authentication factor.
245+
The timeout value is necessary to allow enough time to complete the second authentication factor. Some VPNs or regions require time-out settings greater than 30 seconds to prevent users from receiving multiple phone calls. If users do experience this issue, increase the **Time-out (seconds)** value in increments of 30 seconds until the issue doesn't reoccur.
246246

247-
![Add RADIUS Server window configuring the Time-out](./media/howto-mfa-nps-extension-vpn/image16.png)
247+
![Add RADIUS Server window configuring the Time-out](./media/howto-mfa-nps-extension-vpn/image16.png)
248248

249249
8. Select **OK**.
250250
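Review bot: lines 247-/247+ show no visible difference in the image line, so this looks like a whitespace or indentation change; confirm it is intended and, if the goal is to nest the image under sub-step c, indent it the same way as the surrounding sub-steps. For the new guidance on line 245+, it would help readers to say why a larger time-out stops the duplicate phone calls: when the VPN server gets no RADIUS response before the time-out expires it retransmits the request, and each retransmission starts another second-factor call, so the value has to exceed the time a user needs to answer the phone.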

articles/active-directory/authentication/howto-mfaserver-iis.md

Lines changed: 2 additions & 1 deletion
@@ -20,7 +20,8 @@ ms.collection: M365-identity-device-management
2020
Use the IIS Authentication section of the Azure Multi-Factor Authentication (MFA) Server to enable and configure IIS authentication for integration with Microsoft IIS web applications. The Azure MFA Server installs a plug-in that can filter requests being made to the IIS web server to add Azure Multi-Factor Authentication. The IIS plug-in provides support for Form-Based Authentication and Integrated Windows HTTP Authentication. Trusted IPs can also be configured to exempt internal IP addresses from two-factor authentication.
2121

2222
> [!IMPORTANT]
23-
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
23+
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. When you use cloud-based Azure Multi-Factor Authentication, there is no alternative to the IIS plugin provided by Azure Multi-Factor Authentication (MFA) Server. Instead, use Web Application Proxy (WAP) with Active Directory Federation Services (AD FS) or
24+
Azure Active Directory's Application Proxy.
2425

2526
![IIS Authentication in MFA Server](./media/howto-mfaserver-iis/iis.png)
2627
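Review bot: line 24+ (`Azure Active Directory's Application Proxy.`) is missing the leading `> `, so the [!IMPORTANT] blockquote ends after "or" and the rest of the sentence renders as a separate plain paragraph. Either join it onto line 23+ or prefix it with `>`. Minor: line 20 writes "plug-in" while the new text writes "IIS plugin"; pick one spelling.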

articles/active-directory/conditional-access/howto-conditional-access-policy-registration.md

Lines changed: 1 addition & 0 deletions
@@ -58,6 +58,7 @@ Some may choose to use device state instead of location in step 6 above:
5858

5959
> [!WARNING]
6060
> If you use device state as a condition in your policy this may impact guest users in the directory. [Report-only mode](concept-conditional-access-report-only.md) can help determine the impact of policy decisions.
61+
> Note that report-only mode is not applicable for CA policies with "User Actions" scope.
6162
6263
## Next steps
6364
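Review bot: line 61+ sits inside the [!WARNING] block as a second quoted line, so it renders as a continuation of the device-state warning rather than as its own caveat; put it in a separate `> [!NOTE]` block and expand "CA" to "Conditional Access" as the rest of the article does. It also sits right after a sentence recommending report-only mode to gauge impact: if the policy this article builds is scoped to a user action, that recommendation now contradicts the new note and should be qualified or removed rather than left as is.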

articles/active-directory/develop/active-directory-saml-claims-customization.md

Lines changed: 2 additions & 2 deletions
@@ -164,9 +164,9 @@ To add a claim condition:
164164

165165
The order in which you add the conditions are important. Azure AD evaluates the conditions from top to bottom to decide which value to emit in the claim.
166166

167-
For example, Brita Simon is a guest user in the Contoso tenant. She belongs to another organization that also uses Azure AD. Given the below configuration for the Fabrikam application, when Brita tries to sign in to Fabrikam, Azure AD will evaluate the conditions as follow.
167+
For example, Britta Simon is a guest user in the Contoso tenant. She belongs to another organization that also uses Azure AD. Given the below configuration for the Fabrikam application, when Britta tries to sign in to Fabrikam, Azure AD will evaluate the conditions as follow.
168168

169-
First, Azure AD verifies if Brita's user type is `All guests`. Since, this is true then Azure AD assigns the source for the claim to `user.extensionattribute1`. Second, Azure AD verifies if Brita's user type is `AAD guests`, since this is also true then Azure AD assigns the source for the claim to `user.mail`. Finally, the claim is emitted with value `user.email` for Brita.
169+
First, Azure AD verifies if Britta's user type is `All guests`. Since, this is true then Azure AD assigns the source for the claim to `user.extensionattribute1`. Second, Azure AD verifies if Britta's user type is `AAD guests`, since this is also true then Azure AD assigns the source for the claim to `user.mail`. Finally, the claim is emitted with value `user.mail` for Britta.
170170

171171
![Claims conditional configuration](./media/active-directory-saml-claims-customization/sso-saml-user-conditional-claims.png)
172172
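Review bot: the fixes are right (`user.mail` is the source assigned by the second condition, so that is what gets emitted), but the surrounding sentences still need grammar work: line 165 "The order in which you add the conditions are important" should read "is important", line 167+ "as follow" should be "as follows", and line 169+ "Since, this is true then" should be "Since this is true,". The example would also land better if it said explicitly what it demonstrates: both conditions match, and the later one (`AAD guests` with `user.mail`) overrides the earlier assignment of `user.extensionattribute1`, which is why ordering matters.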

articles/active-directory/develop/authentication-national-cloud.md

Lines changed: 2 additions & 2 deletions
@@ -56,8 +56,8 @@ The following table lists the base URLs for the Azure AD endpoints used to acqui
5656

5757
You can form requests to the Azure AD authorization or token endpoints by using the appropriate region-specific base URL. For example, for Azure Germany:
5858

59-
- Authorization common endpoint is `https://login.microsoftonline.de/common/oauth2/authorize`.
60-
- Token common endpoint is `https://login.microsoftonline.de/common/oauth2/token`.
59+
- Authorization common endpoint is `https://login.microsoftonline.de/common/oauth2/v2.0/authorize`.
60+
- Token common endpoint is `https://login.microsoftonline.de/common/oauth2/v2.0/token`.
6161

6262
For single-tenant applications, replace "common" in the previous URLs with your tenant ID or name. An example is `https://login.microsoftonline.de/contoso.com`.
6363
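Review bot: lines 59+/60+ change the examples to the `/oauth2/v2.0/` paths, but the sentence on line 57 still introduces them generically as "the Azure AD authorization or token endpoints"; say that these are the Microsoft identity platform (v2.0) endpoints, and if the v1.0 paths (`/oauth2/authorize`, `/oauth2/token`) that the text previously showed are still supported in the national clouds, say so rather than silently dropping them. The single-tenant example on line 62 (`https://login.microsoftonline.de/contoso.com`) omits the `/oauth2/v2.0/authorize` suffix; a full URL would avoid readers pasting a bare base URL.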

articles/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles.md

Lines changed: 1 addition & 1 deletion
@@ -146,7 +146,7 @@ private void ValidateAppRole(string appRole)
146146
}
147147
```
148148

149-
This time, the code snippet is for ASP.NET. For ASP.NET Core, just replace `ClaimsPrincipal.Current` with `HttpContext.User`, and replace the `"roles"` claim name with `"http://schemas.microsoft.com/identity/claims/roles"`. Also see the code snippet earlier in this article.
149+
This time, the code snippet is for ASP.NET. For ASP.NET Core, just replace `ClaimsPrincipal.Current` with `HttpContext.User`, and replace the `"roles"` claim name with `"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"`. Also see the code snippet earlier in this article.
150150

151151
### Accepting app-only tokens if the web API should be called only by daemon apps
152152

articles/active-directory/hybrid/how-to-connect-sso-faq.md

Lines changed: 4 additions & 4 deletions
@@ -69,9 +69,9 @@ You can use both Azure AD Join and Seamless SSO on your tenant. These two featur
6969

7070
Yes, this scenario needs version 2.1 or later of the [workplace-join client](https://www.microsoft.com/download/details.aspx?id=53554).
7171

72-
**Q: How can I roll over the Kerberos decryption key of the `AZUREADSSOACC` computer account?**
72+
**Q: How can I roll over the Kerberos decryption key of the `AZUREADSSO` computer account?**
7373

74-
It is important to frequently roll over the Kerberos decryption key of the `AZUREADSSOACC` computer account (which represents Azure AD) created in your on-premises AD forest.
74+
It is important to frequently roll over the Kerberos decryption key of the `AZUREADSSO` computer account (which represents Azure AD) created in your on-premises AD forest.
7575

7676
>[!IMPORTANT]
7777
>We highly recommend that you roll over the Kerberos decryption key at least every 30 days.
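Review bot: lines 72+/74+ rename the computer account to `AZUREADSSO`, but the account that Seamless SSO creates in the on-premises forest is `AZUREADSSOACC`; the original text was right here, and the only real typo in the file was `AZUREADSSOACCT` in Step 3 (line 143). With this change, an admin following the key-rollover procedure will search Active Directory for a computer object that does not exist. The fix should normalize every occurrence to `AZUREADSSOACC`, or, if the product has genuinely renamed the account, cite where that change is documented.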
@@ -96,7 +96,7 @@ Follow these steps on the on-premises server where you are running Azure AD Conn
9696
>[!NOTE]
9797
>The domain administrator account used must not be a member of the Protected Users group. If so, the operation will fail.
9898
99-
2. Call `Update-AzureADSSOForest -OnPremCredentials $creds`. This command updates the Kerberos decryption key for the `AZUREADSSOACC` computer account in this specific AD forest and updates it in Azure AD.
99+
2. Call `Update-AzureADSSOForest -OnPremCredentials $creds`. This command updates the Kerberos decryption key for the `AZUREADSSO` computer account in this specific AD forest and updates it in Azure AD.
100100
3. Repeat the preceding steps for each AD forest that you’ve set up the feature on.
101101

102102
>[!IMPORTANT]
@@ -140,7 +140,7 @@ Follow these steps on the on-premises server where you are running Azure AD Conn
140140
4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
141141
5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
142142

143-
**Step 3. Manually delete the `AZUREADSSOACCT` computer account from each AD forest that you see listed.**
143+
**Step 3. Manually delete the `AZUREADSSO` computer account from each AD forest that you see listed.**
144144

145145
## Next steps
146146
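Review bot: line 143- had an extra letter (`AZUREADSSOACCT`), so the intended correction for Step 3 is `AZUREADSSOACC`, not `AZUREADSSO` (same issue as the earlier hunks in this file). Since deleting this object removes the key that Azure AD uses to validate Kerberos tickets, it is also worth stating in Step 3 that the deletion should only be done after the feature has been disabled in the tenant, so users still relying on it are not broken mid-change.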

articles/active-directory/manage-apps/application-proxy-sign-in-bad-gateway-timeout-error.md

Lines changed: 2 additions & 2 deletions
@@ -68,7 +68,7 @@ As a first quick step, double check and fix the internal URL by opening the appl
6868
To verify the application is assigned to a working Connector Group:
6969

7070
1. Open the application in the portal by going to **Azure Active Directory**, clicking on **Enterprise Applications**, then **All Applications.** Open the application, then select **Application Proxy** from the left menu.
71-
1. Look at the Connector Group field. If there are no active connectors in the group, you see a warning. If you don’t see any warnings, move on to verify all required ports are allowed.
71+
1. Look at the Connector Group field. If there are no active connectors in the group, you see a warning. If you don’t see any warnings, move on to verify all [required ports](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-connectivity-ports-how-to) are allowed.
7272
1. If the wrong Connector Group is showing, use the drop-down to select the correct group, and confirm you no longer see any warnings. If the intended Connector Group is showing, click the warning message to open the page with Connector management.
7373
1. From here, there are a few ways to drill in further:
7474
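Review bot: line 71+ (and line 83+ in the next hunk) link with an absolute `https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-connectivity-ports-how-to` URL; for an article in the same docset the convention is a relative link to the file (`application-proxy-connectivity-ports-how-to.md`), which follows locale and host changes and lets the build resolve the target. Both links point at the same article, so use the same relative form in both places.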

@@ -80,7 +80,7 @@ After using these steps to ensure the application is assigned to a group with wo
8080

8181
## Check all required ports are open
8282

83-
To verify that all required ports are open, see the documentation on opening ports. If all the required ports are open, move to the next section.
83+
To verify that all required ports are open, see the [documentation on opening ports](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-connectivity-ports-how-to). If all the required ports are open, move to the next section.
8484

8585
## Check for other Connector Errors
8686
