Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: LauraBrenner

.openpublishing.redirection.json

@@ -18120,6 +18120,11 @@
       "redirect_url": "/azure/virtual-machine-scale-sets/disk-encryption-powershell",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/virtual-machines/linux/update-infrastructure-redhat.md",
+      "redirect_url": "/azure/virtual-machines/workloads/redhat/redhat-rhui",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/virtual-machine-scale-sets/virtual-machine-scale-sets-advanced-autoscale.md",
       "redirect_url": "/azure/monitoring-and-diagnostics/insights-advanced-autoscale-virtual-machine-scale-sets",
@@ -23527,7 +23532,7 @@
     },
     {
       "source_path": "articles/virtual-machines/virtual-machines-linux-update-infrastructure-redhat.md",
-      "redirect_url": "/azure/virtual-machines/linux/update-infrastructure-redhat",
+      "redirect_url": "/azure/virtual-machines/workloads/redhat/redhat-rhui",
       "redirect_document_id": false
     },
     {
@@ -35545,6 +35550,11 @@
       "redirect_url": "/azure/iot-accelerators/iot-accelerators-device-simulation-advanced-device",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/active-directory/conditional-access/app-based-mfa.md",
+      "redirect_url": "/azure/active-directory/authentication/tutorial-enable-azure-mfa",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/active-directory/conditional-access/technical-reference.md",
       "redirect_url": "/azure/active-directory/conditional-access/concept-conditional-access-conditions",
@@ -48800,6 +48810,21 @@
       "source_path": "articles/terraform/terraform-vm-managed-identities-for-azure-resources.md",
       "redirect_url": "/azure/terraform/terraform-create-complete-vm",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cognitive-services/Speech-Service/speech-devices-sdk-android-quickstart.md",
+      "redirect_url": "/azure/cognitive-services/speech-service/speech-devices-sdk-quickstart?pivots=platform-android",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cognitive-services/Speech-Service/speech-devices-sdk-linux-quickstart.md",
+      "redirect_url": "/azure/cognitive-services/speech-service/speech-devices-sdk-quickstart?pivots=platform-linux",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cognitive-services/Speech-Service/speech-devices-sdk-windows-quickstart.md",
+      "redirect_url": "/azure/cognitive-services/speech-service/speech-devices-sdk-quickstart?pivots=platform-windows",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md

@@ -93,10 +93,12 @@ Scoping filters are configured as part of the attribute mappings for each Azure
    i. **Greater_Than.** Clause returns "true" if the evaluated attribute is greater than the value. The value specified on the scoping filter must be an integer and the attribute on the user must be an integer [0,1,2,...]. 
 
    j. **Greater_Than_OR_EQUALS.** Clause returns "true" if the evaluated attribute is greater than or equal to the value. The value specified on the scoping filter must be an integer and the attribute on the user must be an integer [0,1,2,...]. 
+   
+   k. **Includes.** Clause returns "true" if the evaluated attribute contains the string value (case sensitive) as described [here](https://docs.microsoft.com/dotnet/api/system.string.contains?view=netframework-4.8). 
 
 
 >[!IMPORTANT] 
-> The Includes and IsMemberOf filters are not supported. They will soon be removed from the UI.
+> The IsMemberOf filter is not supported currently.
 
 9. Optionally, repeat steps 7-8 to add more scoping clauses.
 

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

@@ -1450,12 +1450,13 @@ If you're building an application that will be used by more than one tenant, you
 ### Gallery onboarding checklist
 Follow the checklist below to ensure that your application is onboarded quicky and customers have a smooth deployment experience. The information will be gathered from you when onboarding to the gallery. 
 > [!div class="checklist"]
-> * [Support SCIM 2.0 ](https://tools.ietf.org/html/draft-wahl-scim-profile-00) (Required)
+> * Support a [SCIM 2.0 ](https://docs.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#step-2-understand-the-azure-ad-scim-implementation) user and group endpoint (Only one is required but both are recommended)
 > * Support at least 25 requests per second per tenant (Required)
-> * Support schema discovery (Recommended)
 > * Support the OAuth authorization code grant or a long lived token as described below (Required)
-> * Establish an engineering and support point of contact to support customer post gallery onboarding (Required)
+> * Establish an engineering and support point of contact to support customers post gallery onboarding (Required)
+> * Support updating multiple group memberships with a single PATCH (Recommended) 
 > * Document your SCIM endpoint publicly (Recommended) 
+> * [Support schema discovery](https://tools.ietf.org/html/rfc7643#section-6) (Recommended)
 
 
 ### Authorization for provisioning connectors in the application gallery

articles/active-directory/conditional-access/TOC.yml

@@ -6,12 +6,14 @@
     href: overview.md
 - name: Quickstarts
   items:
-  - name: Require MFA for specific apps
-    href: app-based-mfa.md
   - name: Require terms of use to be accepted
     href: require-tou.md
   - name: Block access when a session risk is detected
     href: app-sign-in-risk.md
+- name: Tutorials
+  items:
+  - name: Require Azure Multi-Factor Authentication
+    href: /authentication/tutorial-enable-azure-mfa.md?toc=/azure/conditional-access/toc.json&bc=/azure/conditional-access/breadcrumb/toc.json
 - name: Concepts
   expanded: false
   items:

articles/active-directory/conditional-access/app-based-mfa.md

@@ -0,0 +1,11 @@
+- name: Azure
+  tocHref: /azure/
+  topicHref: /azure/index
+  items:
+  - name: Active Directory
+    tocHref: /azure/active-directory/
+    topicHref: /azure/active-directory/index
+    items:
+    - name: Conditional Access
+      tocHref: /azure/active-directory/conditional-access/
+      topicHref: /azure/active-directory/authentication/index

articles/active-directory/conditional-access/breadcrumb/toc.yml

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 02/11/2020
+ms.date: 02/21/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -52,13 +52,17 @@ Selecting this checkbox will require users to perform Azure Multi-Factor Authent
 
 Organizations who have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet specific compliance requirements. This policy compliance information is forwarded from Intune to Azure AD where Conditional Access can make decisions to grant or block access to resources. For more information about compliance policies, see the article [Set rules on devices to allow access to resources in your organization using Intune](https://docs.microsoft.com/intune/protect/device-compliance-get-started).
 
+A device can be marked as compliant by Intune (for any device OS) or by third-party MDM system for Windows 10 devices. Third-party MDM systems for device OS types other than Windows 10 are not supported.
+
+Devices must be registered in Azure AD before they can be marked as compliant. More information about device registration can be found in the article, [What is a device identity](../devices/overview.md).
+
 ### Require hybrid Azure AD joined device
 
 Organizations can choose to use the device identity as part of their Conditional Access policy. Organizations can require that devices are hybrid Azure AD joined using this checkbox. For more information about device identities, see the article [What is a device identity?](../devices/overview.md).
 
 ### Require approved client app
 
-Organizations can require that an access attempt to the selected cloud apps needs to be made from an approved client app.
+Organizations can require that an access attempt to the selected cloud apps needs to be made from an approved client app. These approved client aps support [Intune app protection policies](/intune/app-protection-policy) independent of any mobile-device management (MDM) solution.
 
 This setting applies to the following client apps:
 
@@ -99,9 +103,7 @@ This setting applies to the following client apps:
 
 ### Require app protection policy
 
-In your Conditional Access policy, you can require an app protection policy be present on the client app before access is available to the selected cloud apps. 
-
-![Control access with app protection policy](./media/technical-reference/22.png)
+In your Conditional Access policy, you can require an [Intune app protection policy](/intune/app-protection-policy) be present on the client app before access is available to the selected cloud apps. 
 
 This setting applies to the following client apps:
 
@@ -116,6 +118,10 @@ This setting applies to the following client apps:
 - The **Require app protection policy** requirements:
     - Only supports the iOS and Android for device platform condition.
 
+### Terms of use
+
+If your organization has created terms of use, additional options may be visible under grant controls. These options allow administrators to require acknowledgment of terms of use as a condition of accessing the resources protected by the policy. More information about terms of use can be found in the article, [Azure Active Directory terms of use](terms-of-use.md).
+
 ## Next steps
 
 - [Conditional Access: Session controls](concept-conditional-access-session.md)

articles/active-directory/conditional-access/concept-conditional-access-grant.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 12/12/2019
+ms.date: 02/20/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -24,7 +24,7 @@ Organizations who have deployed Microsoft Intune can use the information returne
 * Requiring a minimum or maximum operating system version
 * Requiring a device is not jailbroken or rooted
 
-This policy compliance information is forwarded to Azure AD where Conditional Access can make decisions to grant or block access to resources.
+This policy compliance information is forwarded to Azure AD where Conditional Access can make decisions to grant or block access to resources. More information about device compliance policies can be found in the article, [Set rules on devices to allow access to resources in your organization using Intune](/intune/protect/device-compliance-get-started)
 
 ## Create a Conditional Access policy
 
@@ -58,4 +58,4 @@ On Windows 7, iOS, Android, macOS, and some third-party web browsers Azure AD id
 
 [Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
 
-[Device compliance policies work with Azure AD](https://docs.microsoft.com/intune/device-compliance-get-started#device-compliance-policies-work-with-azure-ad)
+[Device compliance policies work with Azure AD](/intune/device-compliance-get-started#device-compliance-policies-work-with-azure-ad)

articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md

@@ -30,7 +30,7 @@ You must have one of the following licenses to use group-based licensing:
 
 - Paid or trial subscription for Azure AD Premium P1 and above
 
-- Paid or trial edition of Office 365 Enterprise E3 or Office 365 A3 or Office 365 GCC G3 and above
+- Paid or trial edition of Office 365 Enterprise E3 or Office 365 A3 or Office 365 GCC G3 or Office 365 E3 for GCCH or Office 365 E3 for DOD and above
 
 ### Required number of licenses
 For any groups assigned a license, you must also have a license for each unique member. While you don't have to assign each member of the group a license, you must have at least enough licenses to include all of the members. For example, if you have 1,000 unique members who are part of licensed groups in your tenant, you must have at least 1,000 licenses to meet the licensing agreement.