
Commit 2ac833d

committed
Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into 1626302-loc-fix-confusing-sentence
2 parents d3000fa + 264ec52 commit 2ac833d


133 files changed

+1302
-348
lines changed


.openpublishing.redirection.json

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -41940,7 +41940,12 @@
4194041940
},
4194141941
{
4194241942
"source_path": "articles/iot-central/howto-use-device-groups-pnp.md",
41943-
"redirect_url": "/azure/iot-central/core/howto-use-device-groups-pnp/",
41943+
"redirect_url": "/azure/iot-central/core/tutorial-use-device-groups-pnp/",
41944+
"redirect_document_id": true
41945+
},
41946+
{
41947+
"source_path": "articles/iot-central/core/howto-use-device-groups-pnp.md",
41948+
"redirect_url": "/azure/iot-central/core/tutorial-use-device-groups-pnp/",
4194441949
"redirect_document_id": true
4194541950
},
4194641951
{
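Review bot: Both entries now point at /azure/iot-central/core/tutorial-use-device-groups-pnp/, so please confirm that target article exists in this commit (it is not among the changed files shown); a redirect to a missing page turns both old howto URLs into 404s. Also, both entries carry `"redirect_document_id": true` for the same target, so please check that the redirection tooling accepts two sources transferring a document id to one destination; if not, the second entry (the articles/iot-central/core/ path) should be `false`.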

articles/active-directory/authentication/howto-authentication-passwordless-security-key-windows.md

Lines changed: 2 additions & 2 deletions
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
1717
---
1818
# Enable passwordless security key sign in to Windows 10 devices (preview)
1919

20-
This document focuses on enabling security key based passwordless authentication for Windows 10 devices. At the end of this article, you will be able to sign in to both web-based applications and your Azure AD joined Windows 10 devices with your Azure AD account using a FIDO2 security key.
20+
This document focuses on enabling FIDO2 security key based passwordless authentication with Windows 10 devices. At the end of this article, you will be able to sign in to both web-based applications and your Azure AD joined Windows 10 devices with your Azure AD account using a FIDO2 security key.
2121

2222
| |
2323
| --- |
@@ -31,7 +31,7 @@ This document focuses on enabling security key based passwordless authentication
3131
| [Azure Multi-Factor Authentication](howto-mfa-getstarted.md) | X | X |
3232
| [Combined security information registration preview](concept-registration-mfa-sspr-combined.md) | X | X |
3333
| Compatible [FIDO2 security keys](concept-authentication-passwordless.md#fido2-security-keys) | X | X |
34-
| WebAuthN requires Microsoft Edge on Windows 10 version 1809 or higher | X | X |
34+
| WebAuthN requires Windows 10 version 1809 or higher | X | X |
3535
| [Azure AD joined devices](../devices/concept-azure-ad-join.md) require Windows 10 version 1809 or higher | X | |
3636
| [Hybrid Azure AD joined devices](../devices/concept-azure-ad-join-hybrid.md) require Windows 10 Insider Build 18945 or higher | | X |
3737
| Fully patched Windows Server 2016/2019 Domain Controllers. | | X |
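Review bot: The replacement row at new line 34 still spells the API "WebAuthN"; the W3C specification's name is WebAuthn (lowercase n), and since this row is being edited anyway it is the right moment to fix it. Dropping "Microsoft Edge" also leaves the row with no browser requirement at all; consider pointing the reader at which browsers support WebAuthn rather than leaving that implicit.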

articles/active-directory/authentication/howto-authentication-passwordless-security-key.md

Lines changed: 5 additions & 5 deletions
@@ -31,9 +31,9 @@ This document focuses on enabling security key based passwordless authentication
3131
- [Azure Multi-Factor Authentication](howto-mfa-getstarted.md)
3232
- [Combined security information registration preview](concept-registration-mfa-sspr-combined.md)
3333
- Compatible [FIDO2 security keys](concept-authentication-passwordless.md#fido2-security-keys)
34-
- WebAuthN requires Microsoft Edge on Windows 10 version 1809 or higher**
34+
- WebAuthN requires Windows 10 version 1809 or higher**
3535

36-
**Other vendors are also working to support WebAuthN in their browsers.
36+
To use security keys for logging in to web apps and services, you must have a browser that supports the WebAuthN protocol. These include Microsoft Edge, Chrome, Firefox, and Safari.
3737

3838
## Prepare devices for preview
3939

@@ -64,13 +64,13 @@ Registration features for passwordless authentication methods rely on the combin
6464
1. Add a FIDO2 Security key by clicking **Add method** and choosing **Security key**.
6565
1. Choose **USB device** or **NFC device**.
6666
1. Have your key ready and choose **Next**.
67-
1. A box will appear and ask you to create/enter a PIN for your security key, then perform the required gesture for your key either biometric or touch.
68-
1. You will be returned to the combined registration experience and asked to provide a meaningful name for your token so you can identify which one if you have multiple. Click **Next**.
67+
1. A box will appear and ask the user to create/enter a PIN for your security key, then perform the required gesture for the key, either biometric or touch.
68+
1. The user will be returned to the combined registration experience and asked to provide a meaningful name for the key so the user can identify which one if they have multiple. Click **Next**.
6969
1. Click **Done** to complete the process.
7070

7171
## Sign in with passwordless credential
7272

73-
In the example below a user has already provisioned their FIDO2 security key. The user can choose to sign in on the web with their FIDO2 security key inside of the Microsoft Edge browser on Windows 10 version 1809 or higher.
73+
In the example below a user has already provisioned their FIDO2 security key. The user can choose to sign in on the web with their FIDO2 security key inside of a supported browser on Windows 10 version 1809 or higher.
7474

7575
![Security key sign-in Microsoft Edge](./media/howto-authentication-passwordless-security-key/fido2-windows-10-1903-edge-sign-in.png)
7676

articles/active-directory/authentication/howto-sspr-windows.md

Lines changed: 21 additions & 22 deletions
@@ -21,29 +21,10 @@ For machines running Windows 7, 8, 8.1, and 10 you can enable users to reset the
2121

2222
![Example Windows 7 and 10 login screens with SSPR link shown](./media/howto-sspr-windows/windows-reset-password.png)
2323

24-
## General prerequisites
25-
26-
- An administrator must enable Azure AD self-service password reset from the Azure portal.
27-
- **Users must register for SSPR before using this feature**
28-
- Network proxy requirements
29-
- Windows 10 devices
30-
- Port 443 to `passwordreset.microsoftonline.com` and `ajax.aspnetcdn.com`
31-
- Windows 10 devices only support machine-level proxy configuration
32-
- Windows 7, 8, and 8.1 devices
33-
- Port 443 to `passwordreset.microsoftonline.com`
34-
3524
## General limitations
3625

3726
- Password reset is not currently supported from a Remote Desktop or from Hyper-V enhanced sessions.
3827
- This feature does not work for networks with 802.1x network authentication deployed and the option “Perform immediately before user logon”. For networks with 802.1x network authentication deployed it is recommended to use machine authentication to enable this feature.
39-
40-
## Windows 10 password reset
41-
42-
### Windows 10 specific prerequisites
43-
44-
- Run at least Windows 10, version April 2018 Update (v1803), and the devices must be either:
45-
- Azure AD joined
46-
- Hybrid Azure AD joined
4728
- Hybrid Azure AD joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials.
4829
- If using an image, prior to running sysprep ensure that the web cache is cleared for the built-in Administrator prior to performing the CopyProfile step. More information about this step can be found in the support article [Performance poor when using custom default user profile](https://support.microsoft.com/help/4056823/performance-issue-with-custom-default-user-profile).
4930
- The following settings are known to interfere with the ability to use and reset passwords on Windows 10 devices
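Review bot: Removing the "## Windows 10 password reset" heading and the Windows 10 prerequisites from this position leaves the bullets that follow (line of sight to a domain controller for hybrid-joined machines, clearing the web cache before the sysprep CopyProfile step, and the settings that interfere with password reset on Windows 10 devices) sitting under "## General limitations", although each of them is Windows 10 specific. Either move those bullets down into the Windows 10 section or rename the heading so the platform scope is clear. Note also that deleting the proxy requirements here removes the Windows 7/8/8.1 port 443 requirement from the general section, so it must reappear in the Windows 7/8/8.1 section.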
@@ -57,7 +38,21 @@ For machines running Windows 7, 8, 8.1, and 10 you can enable users to reset the
5738
- The combination of the following specific three settings can cause this feature to not work.
5839
- Interactive logon: Do not require CTRL+ALT+DEL = Disabled
5940
- DisableLockScreenAppNotifications = 1 or Enabled
60-
- IsContentDeliveryPolicyEnforced = 1 or True
41+
- IsContentDeliveryPolicyEnforced = 1 or True
42+
43+
## Windows 10 password reset
44+
45+
### Windows 10 prerequisites
46+
47+
- An administrator must enable Azure AD self-service password reset from the Azure portal.
48+
- **Users must register for SSPR before using this feature**
49+
- Network proxy requirements
50+
- Windows 10 devices
51+
- Port 443 to `passwordreset.microsoftonline.com` and `ajax.aspnetcdn.com`
52+
- Windows 10 devices only support machine-level proxy configuration
53+
- Run at least Windows 10, version April 2018 Update (v1803), and the devices must be either:
54+
- Azure AD joined
55+
- Hybrid Azure AD joined
6156

6257
### Enable for Windows 10 using Intune
6358

@@ -91,7 +86,6 @@ Deploying the configuration change to enable password reset from the login scree
9186
- `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount`
9287
- `"AllowPasswordReset"=dword:00000001`
9388

94-
9589
#### Troubleshooting Windows 10 password reset
9690

9791
The Azure AD audit log will include information about the IP address and ClientType where the password reset occurred.
@@ -102,8 +96,13 @@ When users reset their password from the login screen of a Windows 10 device, a
10296

10397
## Windows 7, 8, and 8.1 password reset
10498

105-
### Windows 7, 8, and 8.1 specific prerequisites
99+
### Windows 7, 8, and 8.1 prerequisites
106100

101+
- An administrator must enable Azure AD self-service password reset from the Azure portal.
102+
- **Users must register for SSPR before using this feature**
103+
- Network proxy requirements
104+
- Windows 7, 8, and 8.1 devices
105+
- Port 443 to `passwordreset.microsoftonline.com`
107106
- Patched Windows 7 or Windows 8.1 Operating System.
108107
- TLS 1.2 enabled using the guidance found in [Transport Layer Security (TLS) registry settings](https://docs.microsoft.com/windows-server/security/tls/tls-registry-settings#tls-12).
109108
- If more than one 3rd party credential provider is enabled on your machine, users will see more than one user profile on the login screen.
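Review bot: New lines 101-103 repeat verbatim the bullets added to the Windows 10 prerequisites earlier in this commit ("An administrator must enable Azure AD self-service password reset from the Azure portal", "Users must register for SSPR before using this feature", "Network proxy requirements"). What used to live once under "## General prerequisites" is now maintained in two places and will drift; consider keeping the shared bullets in one general section and listing only the platform-specific proxy endpoints and OS requirements per section. Separately, unchanged line 107 says "Patched Windows 7 or Windows 8.1 Operating System" while the heading at line 97 covers Windows 8 as well.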

articles/active-directory/conditional-access/best-practices.md

Lines changed: 1 addition & 1 deletion
@@ -86,7 +86,7 @@ For every sign-in, Azure Active Directory evaluates all policies and ensures tha
8686

8787
Yes, you can use Exchange ActiveSync in a Conditional Access policy.
8888

89-
Some cloud apps like SharePoint Online and Exchange Online also support legacy authentication protocols. When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a conditional access policy on this access attempt. To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps.
89+
Some cloud apps like SharePoint Online and Exchange Online also support legacy authentication protocols. When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a Conditional Access policy on this access attempt. To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps.
9090

9191
### How should you configure Conditional Access with Office 365 apps?
9292

articles/active-directory/conditional-access/untrusted-networks.md

Lines changed: 2 additions & 2 deletions
@@ -44,10 +44,10 @@ With Azure AD Conditional Access, you can address this requirement with a single
4444

4545
The challenge of this scenario is to translate *access from an untrusted network location* into a Conditional Access condition. In a Conditional Access policy, you can configure the [locations condition](location-condition.md) to address scenarios that are related to network locations. The locations condition enables you to select named locations, which are logical groupings of IP address ranges, countries and regions.
4646

47-
Typically, your organization owns one or more address ranges, for example, 199.30.16.0 - 199.30.16.24.
47+
Typically, your organization owns one or more address ranges, for example, 199.30.16.0 - 199.30.16.15.
4848
You can configure a named location by:
4949

50-
- Specifying this range (199.30.16.0/24)
50+
- Specifying this range (199.30.16.0/28)
5151
- Assigning a descriptive name such as **Corporate Network**
5252

5353
Instead of trying to define what all locations are that are not trusted, you can:
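Review bot: The corrected pair is now internally consistent: 199.30.16.0 - 199.30.16.15 is 16 addresses, which is exactly 199.30.16.0/28, whereas the old text paired a 25-address range with a /24. One further suggestion for new lines 47 and 50: 199.30.16.0/28 is a routable public block that the reader's organization does not own, so an example of "your organization's" range is better drawn from the RFC 5737 documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), e.g. 203.0.113.0 - 203.0.113.15 and 203.0.113.0/28; that avoids anyone pasting a real third party's addresses into a trusted named location.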

articles/active-directory/develop/authentication-flows-app-scenarios.md

Lines changed: 2 additions & 2 deletions
@@ -142,7 +142,7 @@ Applications running on a device without a browser can still call an API on beha
142142

143143
Though we don't recommend you use it, the [Username/Password flow](https://aka.ms/msal-net-up) is available in public client applications. This flow is still needed in some scenarios like DevOps.
144144

145-
But using this flow imposes constraints on your applications. For instance, applications using this flow can't sign in a user who needs to perform multi-factor authentication or conditional access. Your applications also don't benefit from single sign-on.
145+
But using this flow imposes constraints on your applications. For instance, applications using this flow can't sign in a user who needs to perform multi-factor authentication or Conditional Access. Your applications also don't benefit from single sign-on.
146146

147147
Authentication with the Username/Password flow goes against the principles of modern authentication and is provided only for legacy reasons.
148148

@@ -158,7 +158,7 @@ Similar to a desktop app, a mobile app calls the interactive token-acquisition m
158158

159159
MSAL iOS and MSAL Android use the system web browser by default. However, you can direct them to use the embedded Web View instead. There are specificities that depend on the mobile platform: Universal Windows Platform (UWP), iOS, or Android.
160160

161-
Some scenarios, like those that involve conditional access related to a device ID or a device enrollment, require a [broker](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/leveraging-brokers-on-Android-and-iOS) to be installed on the device. Examples of brokers are Microsoft Company Portal on Android and Microsoft Authenticator on Android and iOS. Also, MSAL can now interact with brokers.
161+
Some scenarios, like those that involve Conditional Access related to a device ID or a device enrollment, require a [broker](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/leveraging-brokers-on-Android-and-iOS) to be installed on the device. Examples of brokers are Microsoft Company Portal on Android and Microsoft Authenticator on Android and iOS. Also, MSAL can now interact with brokers.
162162

163163
> [!NOTE]
164164
> Your mobile app that uses MSAL.iOS, MSAL.Android, or MSAL.NET on Xamarin can have app protection policies applied to it. For instance, the policies might prevent a user from copying protected text. The mobile app is [managed by Intune](https://docs.microsoft.com/intune/app-sdk) and recognized by Intune as a managed app. The [Intune App SDK](https://docs.microsoft.com/intune/app-sdk-get-started) is separate from MSAL libraries and interacts with Azure AD on its own.

articles/active-directory/develop/authentication-scenarios.md

Lines changed: 1 addition & 1 deletion
@@ -34,7 +34,7 @@ This article covers many of the authentication concepts you'll need to understan
3434

3535
Instead of creating apps that each maintain their own username and password information, which incurs a high administrative burden when you need to add or remove users across multiple apps, apps can delegate that responsibility to a centralized identity provider.
3636

37-
Azure Active Directory (Azure AD) is a centralized identify provider in the cloud. Delegating authentication and authorization to it enables scenarios such as conditional access policies that require a user to be in a specific location, the use of multi-factor authentication, as well as enabling a user to sign in once and then be automatically signed in to all of the web apps that share the same centralized directory. This capability is referred to as Single Sign On (SSO).
37+
Azure Active Directory (Azure AD) is a centralized identify provider in the cloud. Delegating authentication and authorization to it enables scenarios such as Conditional Access policies that require a user to be in a specific location, the use of multi-factor authentication, as well as enabling a user to sign in once and then be automatically signed in to all of the web apps that share the same centralized directory. This capability is referred to as Single Sign On (SSO).
3838

3939
A centralized identity provider is even more important for apps that have users located around the globe that don't necessarily sign in from the enterprise's network. Azure AD authenticates users and provides access tokens. An access token is a security token that is issued by an authorization server. It contains information about the user and the app for which the token is intended, which can be used to access Web APIs and other protected resources.
4040

articles/active-directory/develop/brokered-auth.md

Lines changed: 2 additions & 2 deletions
@@ -23,7 +23,7 @@ ms.collection: M365-identity-device-management
2323

2424
## Introduction
2525

26-
You must use one of Microsoft's authentication brokers to participate in device-wide Single Sign-On (SSO) and to meet organizational conditional access policies. Integrating with a broker provides the following benefits:
26+
You must use one of Microsoft's authentication brokers to participate in device-wide Single Sign-On (SSO) and to meet organizational Conditional Access policies. Integrating with a broker provides the following benefits:
2727

2828
- Device single sign-on
2929
- Conditional access for:
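Review bot: New line 26 capitalizes "Conditional Access", but the unchanged bullet at line 29 in the same hunk ("- Conditional access for:") keeps the old lowercase form, so the casing change is inconsistent within the file; update line 29 as well.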
@@ -62,7 +62,7 @@ When a broker is installed on a device, all subsequent interactive token request
6262
Installing a broker does not require the user to sign in again. Only when the user needs to resolve an `MsalUiRequiredException` will the next request go to the broker. `MsalUiRequiredException` is thrown for a number of reasons, and needs to be resolved interactively. These are some common reasons:
6363

6464
- The user changed the password associated with their account.
65-
- The user's account no longer meets a conditional access policy.
65+
- The user's account no longer meets a Conditional Access policy.
6666
- The user revoked their consent for the app to be associated with their account.
6767

6868
### When a broker is uninstalled

articles/active-directory/develop/migrate-objc-adal-msal.md

Lines changed: 3 additions & 3 deletions
@@ -135,7 +135,7 @@ MSAL introduces some token acquisition call changes:
135135

136136
MSAL provides more clarity between errors that can be handled by your app and those that require intervention by the user. There are a limited number of errors developer must handle:
137137

138-
* `MSALErrorInteractionRequired`: The user must do an interactive request. This can be caused for various reasons such as an expired authentication session, conditional access policy has changed, a refresh token expired or was revoked, there are no valid tokens in the cache, and so on.
138+
* `MSALErrorInteractionRequired`: The user must do an interactive request. This can be caused for various reasons such as an expired authentication session, Conditional Access policy has changed, a refresh token expired or was revoked, there are no valid tokens in the cache, and so on.
139139
* `MSALErrorServerDeclinedScopes`: The request wasn't fully completed and some scopes weren't granted access. This can be caused by a user declining consent to one or more scopes.
140140

141141
Handling all other errors in the [`MSALError` list](https://github.com/AzureAD/microsoft-authentication-library-for-objc/blob/master/MSAL/src/public/MSALError.h#L128) is optional. You could use the information in those errors to improve the user experience.
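Review bot: New line 138 strings together noun phrases and full clauses in one list ("an expired authentication session, Conditional Access policy has changed, a refresh token expired or was revoked, there are no valid tokens in the cache"); while the line is being touched, make the items parallel, e.g. "such as an expired authentication session, a changed Conditional Access policy, an expired or revoked refresh token, or no valid tokens in the cache." The unchanged line 136 also reads "errors developer must handle" and should be "errors developers must handle".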
@@ -144,7 +144,7 @@ See [Handling exceptions and errors using MSAL](msal-handling-exceptions.md) for
144144

145145
### Broker support
146146

147-
MSAL, starting with version 0.3.0, provides support for brokered authentication using the Microsoft Authenticator app. Microsoft Authenticator also enables support for conditional access scenarios. Examples of conditional access scenarios include device compliance policies that require the user to enroll the device through Intune or register with AAD to get a token. And Mobile Application Management (MAM) conditional access policies, which require proof of compliance before your app can get a token.
147+
MSAL, starting with version 0.3.0, provides support for brokered authentication using the Microsoft Authenticator app. Microsoft Authenticator also enables support for Conditional Access scenarios. Examples of Conditional Access scenarios include device compliance policies that require the user to enroll the device through Intune or register with AAD to get a token. And Mobile Application Management (MAM) Conditional Access policies, which require proof of compliance before your app can get a token.
148148

149149
To enable broker for your application:
150150

@@ -208,7 +208,7 @@ On macOS, MSAL can achieve SSO with other MSAL for iOS and macOS based applicati
208208
MSAL on iOS also supports two other types of SSO:
209209

210210
* SSO through the web browser. MSAL for iOS supports `ASWebAuthenticationSession`, which provides SSO through cookies shared between other apps on the device and specifically the Safari browser.
211-
* SSO through an Authentication broker. On an iOS device, Microsoft Authenticator acts as the Authentication broker. It can follow conditional access policies such as requiring a compliant device, and provides SSO for registered devices. MSAL SDKs starting with version 0.3.0 support a broker by default.
211+
* SSO through an Authentication broker. On an iOS device, Microsoft Authenticator acts as the Authentication broker. It can follow Conditional Access policies such as requiring a compliant device, and provides SSO for registered devices. MSAL SDKs starting with version 0.3.0 support a broker by default.
212212

213213
## Intune MAM SDK
214214
