Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into endpoint

Author: billmath

.openpublishing.publish.config.json

@@ -163,6 +163,11 @@
       "url": "https://github.com/Azure/azure-functions-templates",
       "branch": "dev"
     },
+    {
+        "path_to_root": "azure-functions-samples-java",
+        "url": "https://github.com/Azure-Samples/azure-functions-samples-java",
+        "branch": "master"
+    },
     {
       "path_to_root": "functions-quickstart-java",
       "url": "https://github.com/Azure-Samples/functions-quickstarts-java",
@@ -515,6 +520,11 @@
       "url": "https://github.com/Azure-Samples/azure-cosmos-java-getting-started",
       "branch": "master"
     },
+    {
+      "path_to_root": "azure-cosmos-java-sql-api-samples",
+      "url": "https://github.com/Azure-Samples/azure-cosmos-java-sql-api-samples",
+      "branch": "master"
+    },    
     {
       "path_to_root": "azure-storage-snippets",
       "url": "https://github.com/azure-samples/AzureStorageSnippets",

.openpublishing.redirection.json

@@ -50,7 +50,7 @@ You can configure the token lifetime on any user flow.
 
 ## Next steps
 
-Learn more about how to [use access tokens](access-tokens.md).
+Learn more about how to [request access tokens](access-tokens.md).
 
 
 

articles/active-directory-b2c/configure-tokens.md

@@ -47,6 +47,8 @@
       href: synchronization.md
     - name: How password hash synchronization works
       href: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md?context=/azure/active-directory-domain-services/context/azure-ad-ds-context
+    - name: Classic deployment migration benefits
+      href: concepts-migration-benefits.md
     - name: What is Azure Active Directory?
       href: ../active-directory/fundamentals/active-directory-whatis.md?context=/azure/active-directory-domain-services/context/azure-ad-ds-context
     - name: Azure Active Directory architecture

articles/active-directory-domain-services/TOC.yml

@@ -0,0 +1,62 @@
+---
+title: Benefits of Classic deployment migration in Azure AD Domain Services | Microsoft Docs
+description: Learn more about the benefits of migrating a Classic deployment of Azure Active Directory Domain Services to the Resource Manager deployment model
+services: active-directory-ds
+author: iainfoulds
+manager: daveba
+
+ms.service: active-directory
+ms.subservice: domain-services
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 05/26/2020
+ms.author: iainfou
+---
+
+# Benefits of migration from the Classic to Resource Manager deployment model in Azure Active Directory Domain Services
+
+Azure Active Directory Domain Services (AD DS) lets you migrate an existing managed domain that uses the Classic deployment model to the Resource Manager deployment model. Azure AD DS managed domains that use the Resource Manager deployment model provide additional features such as fine-grained password policy, audit logs, and account lockout protection.
+
+This article outlines the benefits for migration. To get started, see [Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager][howto-migrate].
+
+> [!NOTE]
+> In 2017, Azure AD Domain Services became available to host in an Azure Resource Manager network. Since then, we have been able to build a more secure service using the Azure Resource Manager's modern capabilities. Because Azure Resource Manager deployments fully replace classic deployments, Azure AD DS classic virtual network deployments will be retired on March 1, 2023.
+>
+> For more information, see the [official deprecation notice](https://azure.microsoft.com/updates/we-are-retiring-azure-ad-domain-services-classic-vnet-support-on-march-1-2023/)
+
+## Migration benefits
+
+The migration process takes an existing Azure AD DS instance that uses the Classic deployment model and moves to use the Resource Manager deployment model. When you migrate an Azure AD DS managed domain from the Classic to Resource Manager deployment model, you avoid the need to rejoin machines to the managed domain or delete the Azure AD DS instance and create one from scratch. VMs continue to be joined to the Azure AD DS managed domain at the end of the migration process.
+
+After migration, Azure AD DS provides many features that are only available for domains using Resource Manager deployment model, such as the following:
+
+* [Fine-grained password policy support][password-policy].
+* Faster synchronization speeds between Azure AD and Azure AD Domain Services.
+* Two new [attributes that synchronize from Azure AD][attributes] - *manager* and *employeeID*.
+* Access to higher-powered domain controllers when you [upgrade the SKU][skus].
+* AD account lockout protection.
+* [Email notifications for alerts on your managed domain][email-alerts].
+* [Use Azure Workbooks and Azure monitor to view audit logs and sign-in activity][workbooks].
+* In supported regions, [Azure Availability Zones][availability-zones].
+* Integrations with other Azure products such as [Azure Files][azure-files], [HD Insights][hd-insights], and [Windows Virtual Desktop][wvd].
+* Support has access to more telemetry and can help troubleshoot more effectively.
+* Encryption at rest using [Azure Managed Disks][managed-disks] for the data on the managed domain controllers.
+
+Azure AD DS managed domains that use a Resource Manager deployment model help you stay up-to-date with the latest new features. New features aren't available for Azure AD DS managed domains that use the Classic deployment model.
+
+## Next steps
+
+To get started, see [Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager[howto-migrate].
+
+<!-- LINKS - INTERNAL -->
+[password-policy]: password-policy.md
+[skus]: change-sku.md
+[email-alerts]: notifications.md
+[workbooks]: use-azure-monitor-workbooks.md
+[azure-files]: ../storage/files/storage-files-identity-auth-active-directory-domain-service-enable.md
+[hd-insights]: ../hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds.md
+[wvd]: ../virtual-desktop/overview.md
+[availability-zones]: ../availability-zones/az-overview.md
+[howto-migrate]: migrate-from-classic-vnet.md
+[attributes]: synchronization.md#attribute-synchronization-and-mapping-to-azure-ad-ds
+[managed-disks]: ../virtual-machines/windows/managed-disks-overview.md

articles/active-directory-domain-services/concepts-migration-benefits.md

@@ -17,16 +17,16 @@ ms.author: iainfou
 
 Azure Active Directory Domain Services (AD DS) supports a one-time move for customers currently using the Classic virtual network model to the Resource Manager virtual network model. Azure AD DS managed domains that use the Resource Manager deployment model provide additional features such as fine-grained password policy, audit logs, and account lockout protection.
 
-This article outlines the benefits and considerations for migration, then the required steps to successfully migrate an existing Azure AD DS instance.
+This article outlines considerations for migration, then the required steps to successfully migrate an existing Azure AD DS instance. For some of the benefits, see [Benefits of migration from the Classic to Resource Manager deployment model in Azure AD DS][migration-benefits].
 
 > [!NOTE]
 > In 2017, Azure AD Domain Services became available to host in an Azure Resource Manager network. Since then, we have been able to build a more secure service using the Azure Resource Manager's modern capabilities. Because Azure Resource Manager deployments fully replace classic deployments, Azure AD DS classic virtual network deployments will be retired on March 1, 2023.
 >
-> For more information, see the [official deprecation notice](https://azure.microsoft.com/updates/we-are-retiring-azure-ad-domain-services-classic-vnet-support-on-march-1-2023/)
+> For more information, see the [official deprecation notice](https://azure.microsoft.com/updates/we-are-retiring-azure-ad-domain-services-classic-vnet-support-on-march-1-2023/).
 
 ## Overview of the migration process
 
-The migration process takes an existing Azure AD DS instance that runs in a Classic virtual network and moves it to an existing Resource Manager virtual network. The migration is performed using PowerShell, and has two main stages of execution - *preparation* and *migration*.
+The migration process takes an existing Azure AD DS instance that runs in a Classic virtual network and moves it to an existing Resource Manager virtual network. The migration is performed using PowerShell, and has two main stages of execution: *preparation* and *migration*.
 
 ![Overview of the migration process for Azure AD DS](media/migrate-from-classic-vnet/migration-overview.png)
 
@@ -38,21 +38,6 @@ In the *migration* stage, the underlying virtual disks for the domain controller
 
 ![Migration of Azure AD DS](media/migrate-from-classic-vnet/migration-process.png)
 
-## Migration benefits
-
-When you move an Azure AD DS managed domain using this migration process, you avoid the need to rejoin machines to the managed domain or delete the Azure AD DS instance and create one from scratch. VMs continue to be joined to the Azure AD DS managed domain at the end of the migration process.
-
-After migration, Azure AD DS provides many features that are only available for domains using Resource Manager virtual networks, such as:
-
-* Fine-grained password policy support.
-* AD account lockout protection.
-* Email notifications of alerts on the Azure AD DS managed domain.
-* Audit logs using Azure Monitor.
-* Azure Files integration
-* HD Insights integration
-
-Azure AD DS managed domains that use a Resource Manager virtual network help you stay up-to-date with the latest new features. Support for Azure AD DS using Classic virtual networks is to be deprecated in the future.
-
 ## Example scenarios for migration
 
 Some common scenarios for migrating an Azure AD DS managed domain include the following examples.
@@ -364,6 +349,7 @@ With your Azure AD DS managed domain migrated to the Resource Manager deployment
 [troubleshoot-sign-in]: troubleshoot-sign-in.md
 [tshoot-ldaps]: tshoot-ldaps.md
 [get-credential]: /powershell/module/microsoft.powershell.security/get-credential
+[migration-benefits]: concepts-migration-benefits.md
 
 <!-- EXTERNAL LINKS -->
 [powershell-script]: https://www.powershellgallery.com/packages/Migrate-Aadds/

articles/active-directory-domain-services/migrate-from-classic-vnet.md

@@ -744,6 +744,17 @@ TLS 1.2 Cipher Suites minimum bar:
 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 
+### IP Ranges
+The Azure AD Provisionong service currently operates under the following IP ranges. 
+
+13.86.239.205; 52.188.178.195; 13.86.61.156; 40.67.254.206; 51.105.237.71; 20.44.38.166; 40.81.88.68; 52.184.94.250;
+20.43.180.59; 20.193.16.105; 20.40.167.232; 13.86.3.57; 52.188.72.113; 13.88.140.233; 52.142.121.156; 51.124.0.213;
+40.81.92.36; 20.44.39.175; 20.189.114.130; 20.44.193.163; 20.193.23.17; 20.40.173.237; 13.86.138.128; 52.142.29.23;
+13.86.2.238; 40.127.246.167; 51.136.72.4; 20.44.39.244; 40.81.92.186; 20.189.114.131; 20.44.193.210; 20.193.2.21; 20.40.174.46;
+13.86.219.18; 40.71.13.10; 20.44.16.38; 13.89.174.16; 13.69.66.182; 13.69.229.118; 104.211.147.176; 40.78.195.176;
+13.67.9.240; 13.75.38.48; 13.70.73.48; 13.77.52.176;
+
+
 
 ## Step 3: Build a SCIM endpoint
 

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

@@ -202,9 +202,12 @@ If your previous computer certificate has expired, and a new certificate has bee
 
 ### Microsoft Azure Government additional steps
 
-For customers that use Azure Government cloud, the following additional configuration steps are required on each NPS server:
+For customers that use Azure Government cloud, the following additional configuration steps are required on each NPS server.
 
-1. Open **Registry Editor** on the NPS server.
+> [!IMPORTANT]
+> Only configure these registry settings if you're an Azure Government customer.
+
+1. If you're an Azure Government customer, open **Registry Editor** on the NPS server.
 1. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa`. Set the following key values:
 
     | Registry key       | Value |

articles/active-directory/authentication/howto-mfa-nps-extension.md

@@ -106,7 +106,7 @@ Note: For users who have [Password hash synchronization (PHS)](https://docs.micr
 
 You can help users register quickly by deploying SSPR alongside another popular application or service in the organization. This action will generate a large volume of sign-ins and will drive registration.
 
-Before deploying SSPR, you may opt to determine the number and the average cost of each password reset call. YOU can use this data post deployment to show the value SSPR is bringing to the organization.
+Before deploying SSPR, you may opt to determine the number and the average cost of each password reset call. You can use this data post deployment to show the value SSPR is bringing to the organization.
 
 #### Enable combined registration for SSPR and MFA
 
@@ -344,4 +344,4 @@ Audit logs for registration and password reset are available for 30 days. If sec
 
 * [Consider implementing Azure AD password protection](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad)
 
-* [Consider implementing Azure AD Smart Lockout](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout)
+* [Consider implementing Azure AD Smart Lockout](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout)

articles/active-directory/authentication/howto-sspr-deployment.md

@@ -33,7 +33,7 @@ Administrators can assign a Conditional Access policy to the following cloud app
 - [Office 365 (preview)](#office-365-preview)
 - Azure Analysis Services
 - Azure DevOps
-- [Azure SQL Database and Data Warehouse](../../sql-database/sql-database-conditional-access.md)
+- [Azure SQL Database and Data Warehouse](../../azure-sql/database/conditional-access-configure.md)
 - Dynamics CRM Online
 - Microsoft Application Insights Analytics
 - [Microsoft Azure Information Protection](/azure/information-protection/faqs#i-see-azure-information-protection-is-listed-as-an-available-cloud-app-for-conditional-accesshow-does-this-work)