Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into release-iotedge-fall19

Author: v-alje

.openpublishing.redirection.json

@@ -44002,6 +44002,11 @@
       "source_path": "articles/virtual-desktop/bandwidth-recommendations.md",
       "redirect_url": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/troubleshoot-client-connection.md",
+      "redirect_url": "/azure/virtual-desktop/troubleshoot-client",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory-b2c/connect-with-saml-service-providers.md

@@ -61,7 +61,7 @@ If you don't yet have a SAML service provider and an associated metadata endpoin
 To build a trust relationship between your service provider and Azure AD B2C, you need to provide X509 certificates and their private keys.
 
 * **Service provider certificates**
-  * Certificate with a private key stored in your Web App. This certificate is used to by your service provider to sign the SAML request sent to Azure AD B2C. Azure AD B2C reads the public key from the service provider metadata to validate the signature.
+  * Certificate with a private key stored in your Web App. This certificate is used by your service provider to sign the SAML request sent to Azure AD B2C. Azure AD B2C reads the public key from the service provider metadata to validate the signature.
   * (Optional) Certificate with a private key stored in your Web App. Azure AD B2C reads the public key from the service provider metadata to encrypt the SAML assertion. The service provider then uses the private key to decrypt the assertion.
 * **Azure AD B2C certificates**
   * Certificate with a private key in Azure AD B2C. This certificate is used by Azure AD B2C to sign the SAML response sent to your service provider. Your service provider reads the Azure AD B2C metadata public key to validate the signature of the SAML response.
@@ -96,7 +96,7 @@ If you don't already have a certificate, you can use a self-signed certificate f
 Next, upload the SAML assertion and response signing certificate to Azure AD B2C.
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and browse to your Azure AD B2C tenant.
-1. Select **Settings** > **Identity Experience Framework** > **Policy Keys**.
+1. Under **Policies**, select **Identity Experience Framework** and then **Policy keys**.
 1. Select **Add**, and then select **Options** > **Upload**.
 1. Enter a **Name**, for example *SamlIdpCert*. The prefix *B2C_1A_* is automatically added to the name of your key.
 1. Upload your certificate using the upload file control.
@@ -318,7 +318,7 @@ For this tutorial, in which you use the SAML test application, set the `url` pro
 
 #### LogoutUrl (Optional)
 
-This optional property represents the `Logout` URL (`SingleLogoutService` URL in the relying party metadata), and the `BindingType` for this is assumed to be `HttpDirect`.
+This optional property represents the `Logout` URL (`SingleLogoutService` URL in the relying party metadata), and the `BindingType` for this is assumed to be `Http-Redirect`.
 
 For this tutorial which uses the SAML test application, leave `logoutUrl` set to `https://samltestapp2.azurewebsites.net/logout`:
 
@@ -374,4 +374,4 @@ The following SAML relying party (RP) scenarios are supported via your own metad
 You can find more information about the [SAML protocol on the OASIS website](https://www.oasis-open.org/).
 
 <!-- LINKS - External -->
-[samltest]: https://aka.ms/samltestapp
+[samltest]: https://aka.ms/samltestapp

articles/active-directory-b2c/custom-email.md

@@ -256,7 +256,8 @@ The `GenerateOtp` technical profile generates a code for the email address. The
         <InputClaim ClaimTypeReferenceId="verificationCode" PartnerClaimType="otpToVerify" />
       </InputClaims>
     </TechnicalProfile>
-  </ClaimsProviders>
+   </TechnicalProfiles>
+</ClaimsProviders>
 ```
 
 ## Add a REST API technical profile

articles/active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md

@@ -121,7 +121,7 @@ Once you've added app roles in your application, you can assign users and groups
 
 - [Authorization in a web app using Azure AD application roles & role claims (Sample)](https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims)
 - [Using Security Groups and Application Roles in your apps (Video)](https://www.youtube.com/watch?v=V8VUPixLSiM)
-- [Azure Active Directory, now with Group Claims and Application Roles](https://cloudblogs.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles)
+- [Azure Active Directory, now with Group Claims and Application Roles](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-with-Group-Claims-and-Application/ba-p/243862)
 - [Azure Active Directory app manifest](https://docs.microsoft.com/azure/active-directory/develop/reference-app-manifest)
 - [AAD Access tokens](access-tokens.md)
 - [AAD `id_tokens`](id-tokens.md)

articles/active-directory/develop/msal-net-migration-ios-broker.md

@@ -143,7 +143,7 @@ result = await app.AcquireTokenInteractive(scopes)
 </table>
 
 ### Step 3: Update AppDelegate to handle the callback
-Both ADAL and MSAL call the broker, and the broker in turn calls back to your application through the `OpenUrl` method of the `AppDelegate` class. For more information, see [this documentation](msal-net-use-brokers-with-xamarin-apps.md#step-2-update-appdelegate-to-handle-the-callback).
+Both ADAL and MSAL call the broker, and the broker in turn calls back to your application through the `OpenUrl` method of the `AppDelegate` class. For more information, see [this documentation](msal-net-use-brokers-with-xamarin-apps.md#step-3-update-appdelegate-to-handle-the-callback).
 
 There are no changes here between ADAL.NET and MSAL.NET.
 
@@ -217,6 +217,7 @@ Uses
 <key>LSApplicationQueriesSchemes</key>
 <array>
      <string>msauthv2</string>
+     <string>msauthv3</string>
 </array>
 ```
 </table>
@@ -243,7 +244,7 @@ Example:
 
 </table>
 
-For more information about how to register the redirect URI in the portal, see [Leverage the broker in Xamarin.iOS applications](msal-net-use-brokers-with-xamarin-apps.md#step-7-make-sure-the-redirect-uri-is-registered-with-your-app).
+For more information about how to register the redirect URI in the portal, see [Leverage the broker in Xamarin.iOS applications](msal-net-use-brokers-with-xamarin-apps.md#step-8-make-sure-the-redirect-uri-is-registered-with-your-app).
 
 ## Next steps
 

articles/active-directory/develop/msal-net-use-brokers-with-xamarin-apps.md

@@ -43,7 +43,21 @@ var app = PublicClientApplicationBuilder
                 .Build();
 ```
 
-### Step 2: Update AppDelegate to handle the callback
+### Step 2: Enable keychain access
+
+To enable keychain access, your application must have a keychain access group. You can use the `WithIosKeychainSecurityGroup()` API to set your keychain access group when you create your application:
+
+```csharp
+var builder = PublicClientApplicationBuilder
+     .Create(ClientId)
+      
+     .WithIosKeychainSecurityGroup("com.microsoft.adalcache")
+     .Build();
+```
+
+For more information, see [Enable keychain access](msal-net-xamarin-ios-considerations.md#enable-keychain-access).
+
+### Step 3: Update AppDelegate to handle the callback
 When the Microsoft Authentication Library for .NET (MSAL.NET) calls the broker, the broker in turn calls back to your application through the `OpenUrl` method of the `AppDelegate` class. Because MSAL waits for the response from the broker, your application needs to cooperate to call MSAL.NET back. To enable this cooperation, update the `AppDelegate.cs` file to override the following method.
 
 ```csharp
@@ -68,7 +82,7 @@ public override bool OpenUrl(UIApplication app, NSUrl url,
 
 This method is invoked every time the application is launched. It's used as an opportunity to process the response from the broker and complete the authentication process initiated by MSAL.NET.
 
-### Step 3: Set a UIViewController()
+### Step 4: Set a UIViewController()
 Still in `AppDelegate.cs`, you need to set an object window. Normally, with Xamarin iOS, you don't need to set the object window. To send and receive responses from the broker, you need an object window. 
 
 To do this, you do two things. 
@@ -94,7 +108,7 @@ result = await app.AcquireTokenInteractive(scopes)
              .ExecuteAsync();
 ```
 
-### Step 4: Register a URL scheme
+### Step 5: Register a URL scheme
 MSAL.NET uses URLs to invoke the broker and then return the broker response back to your app. To finish the round trip, register a URL scheme for your app in the `Info.plist` file.
 
 The `CFBundleURLSchemes` name must include `msauth.` as a prefix, followed by your `CFBundleURLName`.
@@ -124,7 +138,7 @@ The `CFBundleURLSchemes` name must include `msauth.` as a prefix, followed by yo
     </array>
 ```
 
-### Step 5: Add the broker identifier to the LSApplicationQueriesSchemes section
+### Step 6: Add the broker identifier to the LSApplicationQueriesSchemes section
 MSAL uses `–canOpenURL:` to check if the broker is installed on the device. In iOS 9, Apple locked down what schemes an application can query for. 
 
 Add `msauthv2` to the `LSApplicationQueriesSchemes` section of the `Info.plist` file.
@@ -133,10 +147,11 @@ Add `msauthv2` to the `LSApplicationQueriesSchemes` section of the `Info.plist`
 <key>LSApplicationQueriesSchemes</key>
     <array>
       <string>msauthv2</string>
+      <string>msauthv3</string>
     </array>
 ```
 
-### Step 6: Register your redirect URI in the application portal
+### Step 7: Register your redirect URI in the application portal
 Using the broker adds an extra requirement on your redirect URI. The redirect URI _must_ have the following format:
 ```csharp
 $"msauth.{BundleId}://auth"
@@ -147,7 +162,7 @@ public static string redirectUriOnIos = "msauth.com.yourcompany.XForms://auth";
 ```
 Notice that the redirect URI matches the `CFBundleURLSchemes` name you included in the `Info.plist` file.
 
-### Step 7: Make sure the redirect URI is registered with your app
+### Step 8: Make sure the redirect URI is registered with your app
 
 This redirect URI needs to be registered on the app registration portal (https://portal.azure.com) as a valid redirect URI for your application. 
 
@@ -181,4 +196,4 @@ The MSAL Android native library already supports it. For details see [Brokered a
 
 ## Next steps
 
-Learn about [Universal Windows Platform-specific considerations with MSAL.NET](msal-net-uwp-considerations.md).
+Learn about [Universal Windows Platform-specific considerations with MSAL.NET](msal-net-uwp-considerations.md).

articles/active-directory/develop/msal-net-xamarin-android-considerations.md

@@ -3,7 +3,7 @@ title: Xamarin Android considerations (MSAL.NET) | Azure
 titleSuffix: Microsoft identity platform
 description: Learn about specific considerations when using Xamarin Android with the Microsoft Authentication Library for .NET (MSAL.NET).
 services: active-directory
-author: TylerMSFT
+author: jmprieur
 manager: CelesteDG
 
 ms.service: active-directory
@@ -80,6 +80,23 @@ The `AndroidManifest.xml` should contain the following values:
 </activity>
 ```
 
+Or, you can [create the activity in code](https://docs.microsoft.com/xamarin/android/platform/android-manifest#the-basics) and not manually edit `AndroidManifest.xml`. For that, you must create a class that has the `Activity` and `IntentFilter` attribute. A class that represents the same values of the above xml would be:
+
+```csharp
+  [Activity]
+  [IntentFilter(new[] { Intent.ActionView },
+        Categories = new[] { Intent.CategoryBrowsable, Intent.CategoryDefault },
+        DataHost = "auth",
+        DataScheme = "msal{client_id}")]
+  public class MsalActivity : BrowserTabActivity
+  {
+  }
+```
+
+### XamarinForms 4.3.X manifest
+
+The code generated by XamarinForms 4.3.x sets the `package` attribute to `com.companyname.{appName}` in the `AndroidManifest.xml`. You might want to change the value to be same as the `MainActivity.cs` namespace, if you use the `DataScheme` as `msal{client_id}`.
+
 ## Use the embedded web view (optional)
 
 By default MSAL.NET uses the system web browser, which enables you to get SSO with Web applications and other apps. In some rare cases, you might want to specify that you want to use the embedded web view. For more information, see [MSAL.NET uses a Web browser](msal-net-web-browsers.md) and [Android system browser](msal-net-system-browser-android-considerations.md).
@@ -124,4 +141,4 @@ More details and samples are provided in the [Android Specific Considerations](h
 
 | Sample | Platform | Description |
 | ------ | -------- | ----------- |
-|[https://github.com/Azure-Samples/active-directory-xamarin-native-v2](https://github.com/azure-samples/active-directory-xamarin-native-v2) | Xamarin iOS, Android, UWP | A simple Xamarin Forms app showcasing how to use MSAL to authenticate MSA and Azure AD via the AADD v2.0 endpoint, and access the Microsoft Graph with the resulting token. <br>![Topology](media/msal-net-xamarin-android-considerations/topology.png) |
+|[https://github.com/Azure-Samples/active-directory-xamarin-native-v2](https://github.com/azure-samples/active-directory-xamarin-native-v2) | Xamarin iOS, Android, UWP | A simple Xamarin Forms app showcasing how to use MSAL to authenticate MSA and Azure AD via the AADD v2.0 endpoint, and access the Microsoft Graph with the resulting token. <br>![Topology](media/msal-net-xamarin-android-considerations/topology.png) |

articles/active-directory/develop/msal-net-xamarin-ios-considerations.md

@@ -3,7 +3,7 @@ title: Xamarin iOS considerations (MSAL.NET) | Azure
 titleSuffix: Microsoft identity platform
 description: Learn about specific considerations when using Xamarin iOS with the Microsoft Authentication Library for .NET (MSAL.NET).
 services: active-directory
-author: TylerMSFT
+author: jmprieur
 manager: CelesteDG
 
 ms.service: active-directory
@@ -27,13 +27,6 @@ On Xamarin iOS, there are several considerations that you must take into account
 - [Enable token cache sharing](#enable-token-cache-sharing-across-ios-applications)
 - [Enable Keychain access](#enable-keychain-access)
 
-## Known issues with iOS 12 and authentication
-Microsoft has released a [security advisory](https://github.com/aspnet/AspNetCore/issues/4647) to provide information about an incompatibility between iOS12 and some types of authentication. The incompatibility breaks social, WSFed, and OIDC logins. This advisory also provides guidance on what developers can do to remove current security restrictions added by ASP.NET to their applications to become compatible with iOS12.  
-
-When developing MSAL.NET applications on Xamarin iOS, you may see an infinite loop when trying to sign in to websites from iOS 12 (similar to this [ADAL issue](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/issues/1329). 
-
-You might also see a break in ASP.NET Core OIDC authentication with iOS 12 Safari as described in this [WebKit issue](https://bugs.webkit.org/show_bug.cgi?id=188165).
-
 ## Implement OpenUrl
 
 First you need to override the `OpenUrl` method of the `FormsApplicationDelegate` derived class and call `AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs`.
@@ -53,40 +46,28 @@ You'll also need to define a URL scheme, require permissions for your app to cal
 To enable keychain access, your application must have a keychain access group.
 You can set your keychain access group by using the `WithIosKeychainSecurityGroup()` api when creating your application as shown below:
 
-To enable single sign-on, you need to set the `PublicClientApplication.iOSKeychainSecurityGroup` property to the same value in all of the applications.
+To benefit from the cache and single sign-on, you need to set the keychain access group to the same value in all of your applications.
 
-An example of this using MSAL v3.x would be:
+An example of this using MSAL v4.x would be:
 ```csharp
 var builder = PublicClientApplicationBuilder
      .Create(ClientId)
-     .WithIosKeychainSecurityGroup("com.microsoft.msalrocks")
+     .WithIosKeychainSecurityGroup("com.microsoft.adalcache")
      .Build();
 ```
 
-The entitlements.plist should be updated to look like the following XML fragment:
-
 This change is *in addition* to enabling keychain access in the `Entitlements.plist` file, using either the below access group or your own:
 
 ```xml
-<?xml version="1.0" encoding="UTF-8" ?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
 <dict>
   <key>keychain-access-groups</key>
   <array>
-    <string>$(AppIdentifierPrefix)com.microsoft.msalrocks</string>
+    <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
   </array>
 </dict>
-</plist>
 ```
 
-An example of this using MSAL v4.x would be:
-
-```csharp
-PublicClientApplication.iOSKeychainSecurityGroup = "com.microsoft.msalrocks";
-```
-
-When using the `WithIosKeychainSecurityGroup()` api, MSAL will automatically append your security group to the end of the application's "team ID" (AppIdentifierPrefix) because when you build your application using xcode, it will do the same. [See iOS entitlements documentation for more details](https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps). That's why you need to update the entitlements to include $(AppIdentifierPrefix) before the keychain access group in the entitlements.plist.
+When you use the `WithIosKeychainSecurityGroup()` api, MSAL automatically appends your security group to the end of the application's *team ID* (AppIdentifierPrefix) because when you build your application using xcode, it will do the same. For more information, see [iOS entitlements documentation](https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps). That's why the entitlements need to include `$(AppIdentifierPrefix)` before the keychain access group in the `Entitlements.plist`.
 
 ### Enable token cache sharing across iOS applications
 
@@ -125,3 +106,10 @@ Sample | Platform | Description
 [https://github.com/Azure-Samples/active-directory-xamarin-native-v2](https://github.com/azure-samples/active-directory-xamarin-native-v2) | Xamarin iOS, Android, UWP | A simple Xamarin Forms app showcasing how to use MSAL to authenticate MSA and Azure AD via the Azure AD V2.0 endpoint, and access the Microsoft Graph with the resulting token.
 
 <!--- https://github.com/Azure-Samples/active-directory-xamarin-native-v2/blob/master/ReadmeFiles/Topology.png -->
+
+## Known issues with iOS 12 and authentication
+Microsoft has released a [security advisory](https://github.com/aspnet/AspNetCore/issues/4647) to provide information about an incompatibility between iOS12 and some types of authentication. The incompatibility breaks social, WSFed, and OIDC logins. This advisory also provides guidance on what developers can do to remove current security restrictions added by ASP.NET to their applications to become compatible with iOS12.  
+
+When developing MSAL.NET applications on Xamarin iOS, you might see an infinite loop when trying to sign in to websites from iOS 12 (similar to this [ADAL issue](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/issues/1329)). 
+
+You might also see a break in ASP.NET Core OIDC authentication with iOS 12 Safari as described in this [WebKit issue](https://bugs.webkit.org/show_bug.cgi?id=188165).

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -34,6 +34,9 @@ There are many benefits of using Azure AD authentication to log in to Windows VM
    - Sign-in risk check
 - Automate and scale Azure AD join of Azure Windows VMs that are part for your VDI deployments.
 
+> [!NOTE]
+> Once you enable this capability, your Windows VMs in Azure will be Azure AD joined. You cannot join it to other domain like on prem AD or Azure AD DS. If you need to do so, you will need to disconnect the VM from your Azure AD tenant by uninstalling the extension.
+
 ## Requirements
 
 ### Supported Azure regions and Windows distributions