Merge branch 'master' of github.com:MicrosoftDocs/azure-docs-pr

Author: mmacy

.markdownlint.json

@@ -9,6 +9,7 @@
     "MD007": false,
     "MD009": false,
     "MD010": false,
+    "MD011": true,
     "MD012": false,
     "MD013": false,
     "MD014": false,
@@ -32,10 +33,28 @@
     "MD035": false,
     "MD036": false,
     "MD037": false,
+    "MD038": true,
+    "MD039": true,
     "MD040": false,
     "MD041": false,
     "MD042": false,
+    "MD043": true,
+    "MD044": {
+        "code_blocks": false,
+        "names": [
+            ".NET",
+            "ASP.NET",
+            "Azure",
+            "JavaScript",
+            "NuGet",
+            "PowerShell",
+            "macOS",
+            "C#",
+            "CLI"
+        ]
+    },
     "MD045": false,
     "MD046": false,
-    "MD047": false
+    "MD047": false,
+    "MD048": true
 }

.openpublishing.redirection.json

@@ -24,7 +24,11 @@ You can add your own JavaScript client-side code to your Azure Active Directory
 
 ## Prerequisites
 
-Select a page layout for the user interface elements of your application. If you intend to use JavaScript, you need to define a page layout version for all of your content definitions in your custom policy.
+### Select a page layout
+
+* [Select a page layout](page-layout.md) for the user interface elements of your application.
+
+    If you intend to use JavaScript, you need to [define a page layout version](page-layout.md#replace-datauri-values) for *all* of the content definitions in your custom policy.
 
 ## Add the ScriptExecution element
 

articles/active-directory-b2c/javascript-samples.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 07/04/2019
+ms.date: 12/18/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -42,9 +42,9 @@ In your custom policies, you may have [ContentDefinitions](contentdefinitions.md
 </ContentDefinition>
 ```
 
-To select a page layout, you change the **DataUri** values in your [ContentDefinitions](contentdefinitions.md) in your policies. By switching from the old **DataUri** values to the new values, you're selecting an immutable package. The benefit of using this package is that you’ll know it won't change and cause unexpected behavior on your page.
+To select a page layout, you change the **DataUri** values in your [ContentDefinitions](contentdefinitions.md) in your policies. By switching from the old **DataUri** values to the new values, you're selecting an immutable package. The benefit of using this package is that you know it won't change and cause unexpected behavior on your page.
 
-To set up a page layout, use the following table to find **DataUri** values.
+To specify a page layout in your custom policies that use an old **DataUri** value, insert `contract` between `elements` and the page type (for example, `selfasserted`), and specify the version number. For example:
 
 | Old DataUri value | New DataUri value |
 | ----------------- | ----------------- |
@@ -64,17 +64,23 @@ To set up a page layout, use the following table to find **DataUri** values.
 
 Page layout packages are periodically updated to include fixes and improvements in their page elements. The following change log specifies the changes introduced in each version.
 
-### 1.2.0 
+### 2.0.0
+
+- Self-asserted page (`selfasserted`)
+  - Added support for [display controls](display-controls.md) in custom policies.
+
+### 1.2.0
+
 - All pages
   - Accessibility fixes
   - You can now add the `data-preload="true"` attribute in your HTML tags to control the load order for CSS and JavaScript. Scenarios include:
-      - Use this on your CSS link to load the CSS at the same time as your HTML so that it doesn't 'flicker' between loading the files
-      - This attribute allows you to control the order in which your Script tags are fetched and executed before the page load
+    - Use this on your CSS link to load the CSS at the same time as your HTML so that it doesn't 'flicker' between loading the files
+    - This attribute allows you to control the order in which your Script tags are fetched and executed before the page load
   - Email field is now `type=email` and mobile keyboards will provide the correct suggestions
   - Support for Chrome translate
 - Unified and self-asserted page
   - The username/email and password fields now use the form HTML element.  This will now allow Edge and IE to properly save this information
-  
+
 ### 1.1.0
 
 - Exception page (globalexception)

articles/active-directory-b2c/page-layout.md

@@ -61,7 +61,7 @@ The certificate you request or create must meet the following requirements. Your
 
 * **Trusted issuer** - The certificate must be issued by an authority trusted by computers connecting to the managed domain using secure LDAP. This authority may be a public CA or an Enterprise CA trusted by these computers.
 * **Lifetime** - The certificate must be valid for at least the next 3-6 months. Secure LDAP access to your managed domain is disrupted when the certificate expires.
-* **Subject name** - The subject name on the certificate must be your managed domain. For instance, if your domain is named *aadds.contoso.com*, the certificate's subject name must be **aadds.contoso.com*.
+* **Subject name** - The subject name on the certificate must be your managed domain. For instance, if your domain is named *aadds.contoso.com*, the certificate's subject name must be **.aadds.contoso.com*.
     * The DNS name or subject alternate name of the certificate must be a wildcard certificate to ensure the secure LDAP works properly with the Azure AD Domain Services. Domain Controllers use random names and can be removed or added to ensure the service remains available.
 * **Key usage** - The certificate must be configured for *digital signatures* and *key encipherment*.
 * **Certificate purpose** - The certificate must be valid for SSL server authentication.

articles/active-directory-domain-services/tutorial-configure-ldaps.md

@@ -26,9 +26,9 @@ You can take one of two approaches for requiring two-step verification, both of
 
 **Enabled by changing user state** - This is the traditional method for requiring two-step verification and is discussed in this article. It works with both Azure MFA in the cloud and Azure MFA Server. Using this method requires users to perform two-step verification **every time** they sign in and overrides Conditional Access policies.
 
-Enabled by Conditional Access policy - This is the most flexible means to enable two-step verification for your users. Enabling using Conditional Access policy only works for Azure MFA in the cloud and is a premium feature of Azure AD. More information on this method can be found in [Deploy cloud-based Azure Multi-Factor Authentication](howto-mfa-getstarted.md).
+**Enabled by Conditional Access policy** - This is the most flexible means to enable two-step verification for your users. Enabling using Conditional Access policy only works for Azure MFA in the cloud and is a premium feature of Azure AD. More information on this method can be found in [Deploy cloud-based Azure Multi-Factor Authentication](howto-mfa-getstarted.md).
 
-Enabled by Azure AD Identity Protection - This method uses the Azure AD Identity Protection risk policy to require two-step verification based only on sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing. More information on this method can be found in [Azure Active Directory Identity Protection](../identity-protection/howto-sign-in-risk-policy.md)
+**Enabled by Azure AD Identity Protection** - This method uses the Azure AD Identity Protection risk policy to require two-step verification based only on sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing. More information on this method can be found in [Azure Active Directory Identity Protection](../identity-protection/howto-sign-in-risk-policy.md)
 
 > [!Note]
 > More information about licenses and pricing can be found on the [Azure AD](https://azure.microsoft.com/pricing/details/active-directory/

articles/active-directory/authentication/howto-mfa-userstates.md

@@ -28,9 +28,6 @@ This page covers a new installation of the server and setting it up with on-prem
 
 ## Plan your deployment
 
-> [!WARNING]
-> Starting in March of 2019 MFA Server downloads will only be available to paid tenants. Free/trial tenants will no longer be able to download or generate and use activation credentials.
-
 Before you download the Azure Multi-Factor Authentication Server, think about what your load and high availability requirements are. Use this information to decide how and where to deploy.
 
 A good guideline for the amount of memory you need is the number of users you expect to authenticate on a regular basis.
@@ -93,9 +90,6 @@ If you aren't using the Event Confirmation feature, and your users aren't using
 
 ## Download the MFA Server
 
-> [!WARNING]
-> Starting in March of 2019 MFA Server downloads will only be available to paid tenants. Free/trial tenants will no longer be able to download or generate and use activation credentials.
-
 Follow these steps to download the Azure Multi-Factor Authentication Server from the Azure portal:
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

articles/active-directory/authentication/howto-mfaserver-deploy.md

@@ -126,11 +126,13 @@ There are two required installers for Azure AD password protection. They're avai
      The result should show a **Status** of "Running."
 
 1. Register the proxy.
-   * After step 3 is completed, the proxy service is running on the machine. But the service doesn't yet have the necessary credentials to communicate with Azure AD. Registration with Azure AD is required:
+   * After step 3 is completed, the proxy service is running on the machine, but does not yet have the necessary credentials to communicate with Azure AD. Registration with Azure AD is required:
 
      `Register-AzureADPasswordProtectionProxy`
 
-     This cmdlet requires global administrator credentials for your Azure tenant. You also need on-premises Active Directory domain administrator privileges in the forest root domain. After this command succeeds once for a proxy service, additional invocations of it will succeed but are unnecessary.
+     This cmdlet requires global administrator credentials for your Azure tenant. You also need on-premises Active Directory domain administrator privileges in the forest root domain. You must also run this cmdlet using an account with local administrator privileges.
+
+     After this command succeeds once for a proxy service, additional invocations of it will succeed but are unnecessary.
 
       The `Register-AzureADPasswordProtectionProxy` cmdlet supports the following three authentication modes. The first two modes support Azure Multi-Factor Authentication but the third mode does not. Please see comments below for more details.
 
@@ -174,7 +176,9 @@ There are two required installers for Azure AD password protection. They're avai
    > There might be a noticeable delay before completion the first time that this cmdlet is run for a specific Azure tenant. Unless a failure is reported, don't worry about this delay.
 
 1. Register the forest.
-   * You must initialize the on-premises Active Directory forest with the necessary credentials to communicate with Azure by using the `Register-AzureADPasswordProtectionForest` PowerShell cmdlet. The cmdlet requires global administrator credentials for your Azure tenant. It also requires on-premises Active Directory Enterprise Administrator privileges. This step is run once per forest.
+   * You must initialize the on-premises Active Directory forest with the necessary credentials to communicate with Azure by using the `Register-AzureADPasswordProtectionForest` PowerShell cmdlet.
+
+      The cmdlet requires global administrator credentials for your Azure tenant.  You must also run this cmdlet using an account with local administrator privileges. It also requires on-premises Active Directory Enterprise Administrator privileges. This step is run once per forest.
 
       The `Register-AzureADPasswordProtectionForest` cmdlet supports the following three authentication modes. The first two modes support Azure Multi-Factor Authentication but the third mode does not. Please see comments below for more details.
 

articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md

@@ -36,7 +36,7 @@ Before enabling the new experience, review the article [Combined security inform
 Complete these steps to enable combined registration:
 
 1. Sign in to the Azure portal as a user administrator or global administrator.
-2. Go to **Azure Active Directory** > **User settings** > **Manage settings for access panel preview features**.
+2. Go to **Azure Active Directory** > **User settings** > **Manage user feature preview settings**.
 3. Under **Users can use preview features for registering and managing security info**, choose to enable for a **Selected** group of users or for **All** users.
 
    ![Enable the combined security info preview experience for All users](media/howto-registration-mfa-sspr-combined/enable-the-combined-security-info-preview.png)
@@ -63,7 +63,7 @@ The following policy applies to all selected users, who attempt to register usin
 
 ![Create a CA policy to control security info registration](media/howto-registration-mfa-sspr-combined/require-registration-from-trusted-location.png)
 
-1. In the **Azure portal**, browse to **Azure Active Directory** > **Conditional Access**
+1. In the **Azure portal**, browse to **Azure Active Directory** > **Security** > **Conditional Access**
 1. Select **New policy**
 1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration on Trusted Networks**
 1. Under **Assignments**, click **Users and groups**, and select the users and groups you want this policy to apply to

articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md

@@ -21,9 +21,9 @@ ms.collection: M365-identity-device-management
 In this quickstart, you configure Azure Active Directory (AD) self-service password reset (SSPR) to enable users to reset their passwords or unlock their accounts. With SSPR, users can reset their own credentials without helpdesk or administrator assistance. This ability lets users regain access to their account without waiting for additional support.
 
 > [!IMPORTANT]
-> This quickstart shows an administrator how to enable self-service password reset. If your IT team hasn't already enabled the ability to reset your own password, reach out to your helpdesk for additional assistance.
+> This quickstart shows an administrator how to enable self-service password reset. If you're an end user already registered for self-service password reset and need to get back into your account, go to https://aka.ms/sspr.
 >
-> If your IT team has enabled password reset, once you're [registered for self-service password reset][register-sspr] you can then [reset your work or school password][reset-password]. If you're not already registered for self-service password reset, reach out to your helpdesk for additional assistance.
+> If your IT team hasn't enabled the ability to reset your own password, reach out to your helpdesk for additional assistance.
 
 ## Prerequisites
 
@@ -82,4 +82,4 @@ In this quickstart, you learned how to configure self-service password reset for
 
 <!-- INTERNAL LINKS -->
 [register-sspr]: ../user-help/active-directory-passwords-reset-register.md
-[reset-password]: ../user-help/active-directory-passwords-update-your-own-password.md
+[reset-password]: ../user-help/active-directory-passwords-update-your-own-password.md