Merge pull request #109563 from MicrosoftDocs/master

3/30 PM Publish

Author: huypub

.openpublishing.redirection.json

@@ -50470,6 +50470,10 @@
     {
       "source_path": "articles/cognitive-services/speech-service/how-to-custom-speech-test-data.md",
       "redirect_url": "/azure/cognitive-services/speech-service/how-to-custom-speech-test-and-train"
+    },
+    {
+      "source_path": "articles/sql-database/sql-database-paas-index.yml",
+      "redirect_url": "/azure/sql-database/sql-database-technical-overview"
     }
   ]
 }

articles/active-directory-b2c/TOC.yml

@@ -404,7 +404,7 @@
     href: error-codes.md
   - name: Extensions app
     href: extensions-app.md
-  - name: Identity Experience Framework release notes
+  - name: IEF release notes
     href: custom-policy-developer-notes.md
   - name: Microsoft Graph API operations
     href: microsoft-graph-operations.md

articles/active-directory-b2c/custom-policy-developer-notes.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 02/12/2020
+ms.date: 03/30/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -55,85 +55,102 @@ Developers consuming the custom policy feature set should adhere to the followin
 
 Custom policy/Identity Experience Framework capabilities are under constant and rapid development. The following table is an index of features and component availability.
 
-### Identity Providers, Tokens, Protocols
+
+### Protocols and authorization flows
 
 | Feature | Development | Preview | GA | Notes |
 |-------- | :-----------: | :-------: | :--: | ----- |
-| IDP-OpenIDConnect |  |  | X | For example, Google+.  |
-| IDP-OAUTH2 |  |  | X | For example, Facebook.  |
-| IDP-OAUTH1 (twitter) |  | X |  | For example, Twitter. |
-| IDP-OAUTH1 (ex-twitter) |  |  |  | Not supported |
-| IDP-SAML |  |   | X | For example, Salesforce, ADFS. |
-| IDP-WSFED | X |  |  |  |
-| Relying Party OAUTH1 |  |  |  | Not supported. |
-| Relying Party OAUTH2 |  |  | X |  |
-| Relying Party OIDC |  |  | X |  |
-| Relying Party SAML |  |X  |  |  |
-| Relying Party WSFED | X |  |  |  |
-| REST API with basic and certificate auth |  |  | X | For example, Azure Logic Apps. |
-
-### Component Support
+| [OAuth2 authorization code](authorization-code-flow.md) |  |  | X |  |
+| OAuth2 authorization code with PKCE |  |  | X | Mobile applications only  |
+| [OAuth2 implicit flow](implicit-flow-single-page-application.md) |  |  | X |  |
+| [OAuth2 resource owner password credentials](ropc-custom.md) |  | X |  |  |
+| [OIDC Connect](openid-connect.md) |  |  | X |  |
+| [SAML2](connect-with-saml-service-providers.md)  |  |X  |  | POST and Redirect bindings. |
+| OAuth1 |  |  |  | Not supported. |
+| WSFED | X |  |  |  |
+
+### Identify providers federation 
+
+| Feature | Development | Preview | GA | Notes |
+|-------- | :-----------: | :-------: | :--: | ----- |
+| [OpenID Connect](openid-connect-technical-profile.md) |  |  | X | For example, Google+.  |
+| [OAuth2](oauth2-technical-profile.md) |  |  | X | For example, Facebook.  |
+| [OAuth1](oauth1-technical-profile.md) |  | X |  | For example, Twitter. |
+| [SAML2](saml-technical-profile.md) |  |   | X | For example, Salesforce, ADFS. |
+| WSFED| X |  |  |  |
+
+
+### REST API integration
+
+| Feature | Development | Preview | GA | Notes |
+|-------- | :-----------: | :-------: | :--: | ----- |
+| [REST API with basic auth](secure-rest-api.md#http-basic-authentication) |  |  | X |  |
+| [REST API with client certificate auth](secure-rest-api.md#https-client-certificate-authentication) |  |  | X |  |
+| [REST API with OAuth2 bearer auth](secure-rest-api.md#oauth2-bearer-authentication) |  | X |  |  |
+
+### Component support
 
 | Feature | Development | Preview | GA | Notes |
 | ------- | :-----------: | :-------: | :--: | ----- |
-| Azure Multi Factor Authentication |  |  | X |  |
-| Azure Active Directory as local directory |  |  | X |  |
-| Azure Email subsystem for email verification |  |  | X |  |
-| Multi-language support|  |  | X |  |
-| Predicate Validations |  |  | X | For example, password complexity. |
-| Using third party email service providers |  |X  |  |  |
+| [Phone factor authentication](phone-factor-technical-profile.md) |  |  | X |  |
+| [Azure MFA authentication](multi-factor-auth-technical-profile.md) |  | X |  |  |
+| [One-time password](one-time-password-technical-profile.md) |  | X |  |  |
+| [Azure Active Directory](active-directory-technical-profile.md) as local directory |  |  | X |  |
+| Azure email subsystem for email verification |  |  | X |  |
+| [Third party email service providers](custom-email.md) |  |X  |  |  |
+| [Multi-language support](localization.md)|  |  | X |  |
+| [Predicate validations](predicates.md) |  |  | X | For example, password complexity. |
+| [Display controls](display-controls.md) |  |X  |  |  |
 
-### Content Definition
+
+### Page layout versions
 
 | Feature | Development | Preview | GA | Notes |
 | ------- | :-----------: | :-------: | :--: | ----- |
-| Error page, api.error |  |  | X |  |
-| IDP selection page, api.idpselections |  |  | X |  |
-| IDP selection for signup, api.idpselections.signup |  |  | X |  |
-| Forgot Password, api.localaccountpasswordreset |  |  | X |  |
-| Local Account Sign-in, api.localaccountsignin |  |  | X |  |
-| Local Account Sign-up, api.localaccountsignup |  |  | X |  |
-| MFA page, api.phonefactor |  |  | X |  |
-| Self-asserted social account sign-up, api.selfasserted |  |  | X |  |
-| Self-asserted profile update, api.selfasserted.profileupdate |  |  | X |  |
-| Unified signup or sign-in page, api.signuporsignin, with parameter "disableSignup" |  |  | X |  |
-| JavaScript / Page layout |  | X |  |  |
+| [2.0.0](page-layout.md#200) |  | X |  |  |
+| [1.2.0](page-layout.md#120) |  | X |  |  |
+| [1.1.0](page-layout.md#110) |  |  | X |  |
+| [1.0.0](page-layout.md#100) |  |  | X |  |
+| [JavaScript support](javascript-samples.md) |  | X |  |  |
 
 ### App-IEF integration
 
 | Feature | Development | Preview | GA | Notes |
 | ------- | :-----------: | :-------: | :--: | ----- |
-| Query string parameter domain_hint |  |  | X | Available as claim, can be passed to IDP. |
-| Query string parameter login_hint |  |  | X | Available as claim, can be passed to IDP. |
-| Insert JSON into UserJourney via client_assertion | X |  |  | Will be deprecated. |
-| Insert JSON into UserJourney as id_token_hint |  | X |  | Go-forward approach to pass JSON. |
-| Pass IDP TOKEN to the application |  | X |  | For example, from Facebook to app. |
+| Query string parameter `domain_hint` |  |  | X | Available as claim, can be passed to IDP. |
+| Query string parameter `login_hint` |  |  | X | Available as claim, can be passed to IDP. |
+| Insert JSON into user journey via `client_assertion` | X |  |  | Will be deprecated. |
+| Insert JSON into user journey as `id_token_hint` |  | X |  | Go-forward approach to pass JSON. |
+| [Pass identity provider token to the application](idp-pass-through-custom.md) |  | X |  | For example, from Facebook to app. |
 
 ### Session Management
 
 | Feature | Development | Preview | GA | Notes |
 | ------- | :-----------: | :-------: | :--: | ----- |
-| SSO Session Provider |  |  | X |  |
-| External Login Session Provider |  |  | X |  |
-| SAML SSO  Session Provider |  |  | X |  |
-| Default SSO Session Provider |  |  | X |  |
+| [Default SSO session provider](custom-policy-reference-sso.md#defaultssosessionprovider) |  |  | X |  |
+| [External login session provider](custom-policy-reference-sso.md#externalloginssosessionprovider) |  |  | X |  |
+| [SAML SSO session provider](custom-policy-reference-sso.md#samlssosessionprovider) |  |  | X |  |
+
 
 ### Security
 
 | Feature | Development | Preview | GA | Notes |
 |-------- | :-----------: | :-------: | :--: | ----- |
 | Policy Keys- Generate, Manual, Upload |  |  | X |  |
 | Policy Keys- RSA/Cert, Secrets |  |  | X |  |
-| Policy upload |  |  | X |  |
+
 
 ### Developer interface
 
 | Feature | Development | Preview | GA | Notes |
 | ------- | :-----------: | :-------: | :--: | ----- |
 | Azure Portal-IEF UX |  |  | X |  |
-| Application Insights UserJourney Logs |  | X |  | Used for troubleshooting during development.  |
-| Application Insights Event Logs (via orchestration steps) |  | X |  | Used to monitor user flows in production. |
+| Policy upload |  |  | X |  |
+| [Application Insights user journey logs](troubleshoot-with-application-insights.md) |  | X |  | Used for troubleshooting during development.  |
+| [Application Insights event logs](application-insights-technical-profile.md) |  | X |  | Used to monitor user flows in production. |
+
 
 ## Next steps
 
-Learn more about [custom policies and the differences with user flows](custom-policy-overview.md).
+- Check the [Microsoft Graph operations available for Azure AD B2C](microsoft-graph-operations.md)
+- Learn more about [custom policies and the differences with user flows](custom-policy-overview.md).

articles/active-directory-b2c/saml-technical-profile.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 02/13/2020
+ms.date: 03/30/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -86,11 +86,32 @@ The **Name** attribute of the Protocol element needs to be set to `SAML2`.
 
 The **OutputClaims** element contains a list of claims returned by the SAML identity provider under the `AttributeStatement` section. You may need to map the name of the claim defined in your policy to the name defined in the identity provider. You can also include claims that aren't returned by the identity provider as long as you set the `DefaultValue` attribute.
 
-To read the SAML assertion **NamedId** in **Subject** as a normalized claim, set the claim **PartnerClaimType** to `assertionSubjectName`. Make sure the **NameId** is the first value in assertion XML. When you define more than one assertion, Azure AD B2C picks the subject value from the last assertion.
+### Subject name output claim
+
+To read the SAML assertion **NameId** in the **Subject** as a normalized claim, set the claim **PartnerClaimType** to value of the `SPNameQualifier` attribute. If the `SPNameQualifier`attribute is not presented, set the claim **PartnerClaimType** to value of the `NameQualifier` attribute. 
 
-The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
 
-The following example shows the claims returned by the Facebook identity provider:
+SAML assertion: 
+
+```XML
+<saml:Subject>
+  <saml:NameID SPNameQualifier="http://your-idp.com/unique-identifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">[email protected]</saml:NameID>
+	<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+	  <SubjectConfirmationData InResponseTo="_cd37c3f2-6875-4308-a9db-ce2cf187f4d1" NotOnOrAfter="2020-02-15T16:23:23.137Z" Recipient="https://your-tenant.b2clogin.com/your-tenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer" />
+    </SubjectConfirmation>
+  </saml:SubjectConfirmation>
+</saml:Subject>
+```
+
+Output claim:
+
+```XML
+<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="http://your-idp.com/unique-identifier" />
+```
+
+If both `SPNameQualifier` or `NameQualifier` attributes are not presented in the SAML assertion, set the claim **PartnerClaimType** to `assertionSubjectName`. Make sure the **NameId** is the first value in assertion XML. When you define more than one assertion, Azure AD B2C picks the subject value from the last assertion.
+
+The following example shows the claims returned by a SAML identity provider:
 
 - The **issuerUserId** claim is mapped to the **assertionSubjectName** claim.
 - The **first_name** claim is mapped to the **givenName** claim.
@@ -115,6 +136,8 @@ The technical profile also returns claims that aren't returned by the identity p
 </OutputClaims>
 ```
 
+The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
+
 ## Metadata
 
 | Attribute | Required | Description |

articles/active-directory-domain-services/network-considerations.md

@@ -5,12 +5,11 @@ services: active-directory-ds
 author: iainfoulds
 manager: daveba
 
-ms.assetid: 23a857a5-2720-400a-ab9b-1ba61e7b145a
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 01/21/2020
+ms.date: 03/30/2020
 ms.author: iainfou
 
 ---
@@ -72,7 +71,7 @@ You can connect a virtual network to another virtual network (VNet-to-VNet) in t
 
 ![Virtual network connectivity using a VPN Gateway](./media/active-directory-domain-services-design-guide/vnet-connection-vpn-gateway.jpg)
 
-For more information on using virtual private networking, read [Configure a VNet-to-VNet VPN gateway connection by using the Azure portal](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal).
+For more information on using virtual private networking, read [Configure a VNet-to-VNet VPN gateway connection by using the Azure portal](../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md).
 
 ## Name resolution when connecting virtual networks
 
@@ -93,11 +92,11 @@ An Azure AD DS managed domain creates some networking resources during deploymen
 | Load balancer rules                     | When an Azure AD DS managed domain is configured for secure LDAP on TCP port 636, three rules are created and used on a load balancer to distribute the traffic. |
 
 > [!WARNING]
-> Don't delete any of the network resource created by Azure AD DS. If you delete any of the network resources, an Azure AD DS service outage occurs.
+> Don't delete or modify any of the network resource created by Azure AD DS, such as manually configuring the load balancer or rules. If you delete or modify any of the network resources, an Azure AD DS service outage may occur.
 
 ## Network security groups and required ports
 
-A [network security group (NSG)](https://docs.microsoft.com/azure/virtual-network/virtual-networks-nsg) contains a list of rules that allow or deny network traffic to traffic in an Azure virtual network. A network security group is created when you deploy Azure AD DS that contains a set of rules that let the service provide authentication and management functions. This default network security group is associated with the virtual network subnet your Azure AD DS managed domain is deployed into.
+A [network security group (NSG)](../virtual-network/virtual-networks-nsg.md) contains a list of rules that allow or deny network traffic to traffic in an Azure virtual network. A network security group is created when you deploy Azure AD DS that contains a set of rules that let the service provide authentication and management functions. This default network security group is associated with the virtual network subnet your Azure AD DS managed domain is deployed into.
 
 The following network security group rules are required for Azure AD DS to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet your Azure AD DS managed domain is deployed into.