Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: tynevi

.openpublishing.redirection.json

@@ -25734,6 +25734,11 @@
       "redirect_url": "https://azure.microsoft.com/resources/samples/hdinsight-java-storm-eventhub/",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/hdinsight/storm/apache-storm-tutorial-get-started-linux.md",
+      "redirect_url": "/azure/hdinsight/storm/apache-storm-overview",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/hdinsight/hdinsight-apache-spark-resource-manager.md",
       "redirect_url": "/azure/hdinsight/spark/apache-spark-resource-manager",
@@ -25756,8 +25761,8 @@
     },
     {
       "source_path": "articles/hdinsight/hdinsight-apache-storm-tutorial-get-started-linux.md",
-      "redirect_url": "/azure/hdinsight/storm/apache-storm-tutorial-get-started-linux",
-      "redirect_document_id": true
+      "redirect_url": "/azure/hdinsight/storm/apache-storm-overview",
+      "redirect_document_id": false
     },
     {
       "source_path": "articles/hdinsight/hdinsight-connect-excel-hive-odbc-driver.md",

articles/active-directory-domain-services/active-directory-ds-ldaps-bind-lockdown.md

@@ -14,7 +14,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 05/20/2019
+ms.date: 06/28/2019
 ms.author: iainfou
 
 ---
@@ -31,6 +31,11 @@ First, open LDP and connect to the managed domain. Click **Connection** and clic
 
 Next, bind to the managed domain. Click **Connection** and click **Bind...** in the menu. Provide the credentials of a user account belonging to the 'AAD DC Administrators' group.
 
+> [!IMPORTANT]
+> Users (and service accounts) cannot perform LDAP simple binds if you have disabled NTLM password hash synchronization on your Azure AD Domain Services instance.  For more information on disabling NTLM password hash synchronization, read [Secure your Azure AD DOmain Services managed domain](secure-your-domain.md).
+>
+>
+
 Select **View**, and then select **Tree** in the menu. Leave the Base DN field blank, and click OK. Navigate to the container that you want to search, right-click the container, and select Search.
 
 > [!TIP]

articles/active-directory-domain-services/contact-us.md

@@ -14,22 +14,27 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 05/22/2019
+ms.date: 06/28/2019
 ms.author: iainfou
 
 ---
 # Azure AD Domain Services - Contact Us
-## Contact the product team
-If you have issues with your managed domain, check to see if the steps outlined in the [Troubleshooting Guide](troubleshoot.md) resolve the issue. If you're still having trouble, feel free to contact us.
 
-You may email us at: [Azure AD Domain Services Feedback](mailto:[email protected]).
+## Feedback
+If you have feedback for our service or non-technical questions, you can share your request with the Azure AD Domain Service product group by emailing us at: [Azure AD Domain Services Feedback](mailto:[email protected]). Emails to this address are reviewed. Members of the product group **may** respond to request further information. Requests for technical support to this email address will not be answered.
 
-Ensure that you include the following, so we can investigate the issue.
+## Technical assistance
+If you have issues with your managed domain, check to see if the steps outlined in the [Troubleshooting Guide](troubleshoot.md) resolve the issue. If you're still having trouble, sign in to the Azure portal. Open the **Azure AD Domain Services** home page and select **New support request** from the action pane under **Support + troubleshooting**.
 
-* The **tenant ID/directory ID** for your Azure AD directory. The tenant ID is the GUID you see in the directory ID field on the [Properties page for your directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties)
-* The **DNS domain name** you've configured for your AAD Domain Services managed domain.
+![new support request](./media/contact-us/supportRequest.png) 
 
-## Provide Feedback
-We welcome your feedback about Azure AD Domain Services via the **[Azure Active Directory User Voice channel](https://feedback.azure.com/forums/169401-azure-active-directory/)**.
+Fill out each section of the support request as accurately as possible. When choosing a service, ensure you select **Azure Active Directory Domain Services (VM - Domain Controllers)** to route your request to the proper support professional.
+
+> [!IMPORTANT]
+> Select **Azure Active Directory Directories, Domains, and Objects** from the services lists for help with domain validation with Azure Active Directory.
+>
+> 
+
+## Feature requests
+Do you have an idea on how we can improve Azure Active Directory Domain Services? We would like to hear about it. Go to the Azure Feedback Forums, navigate to the [Domain Services](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=160593) category and share your idea. Members of the product group review these requests.
 
-Ensure that you pre-pend your question or feedback with the words **'AADDS'**, for it to reach us.

articles/active-directory-domain-services/media/contact-us/supportrequest.png

@@ -14,7 +14,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 05/20/2019
+ms.date: 06/28/2019
 ms.author: iainfou
 
 ---
@@ -54,5 +54,10 @@ $securitySettings = @{"DomainSecuritySettings"=@{"NtlmV1"="Disabled";"SyncNtlmPa
 Set-AzResource -Id $DomainServicesResource.ResourceId -Properties $securitySettings -Verbose -Force
 ```
 
+> [!IMPORTANT]
+> Users (and service accounts) cannot perform LDAP simple binds if you have disabled NTLM password hash synchronization on your Azure AD Domain Services instance.  For more information on disabling NTLM password hash synchronization, read [Secure your Azure AD DOmain Services managed domain](secure-your-domain.md).
+>
+>
+
 ## Next steps
 * [Understand synchronization in Azure AD Domain Services](synchronization.md)

articles/active-directory-domain-services/secure-your-domain.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/31/2018
+ms.date: 06/28/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -38,7 +38,9 @@ Smart lockout can be integrated with hybrid deployments, using password hash syn
 When using [pass-through authentication](../hybrid/how-to-connect-pta.md), you need to make sure that:
 
 * The Azure AD lockout threshold is **less** than the Active Directory account lockout threshold. Set the values so that the Active Directory account lockout threshold is at least two or three times longer than the Azure AD lockout threshold. 
-* The Azure AD lockout duration **in seconds** is **longer** than the Active Directory reset account lockout counter after duration **minutes**.
+* The Azure AD lockout duration must be set longer than the Active Directory reset account lockout counter after duration. Be aware that the Azure AD duration is set in seconds, while the AD duration is set in minutes. 
+
+For example, if you want your Azure AD counter to be higher than AD, then Azure AD would be 120 seconds (2 minutes) while your on prem AD is set to 1 minute (60 seconds).
 
 > [!IMPORTANT]
 > Currently an administrator can't unlock the users' cloud accounts if they have been locked out by the Smart Lockout capability. The administrator must wait for the lockout duration to expire.

articles/active-directory/authentication/howto-password-smart-lockout.md

@@ -301,6 +301,8 @@
         href: app-objects-and-service-principals.md
       - name: How and why apps are added to Azure AD
         href: active-directory-how-applications-are-added.md
+      - name: Redirect URI/reply URL restrictions and limitations
+        href: reply-url.md
       - name: Single tenant and multi-tenant apps
         href: single-and-multi-tenant-apps.md
     - name: Permissions and consent

articles/active-directory/develop/TOC.yml

@@ -211,6 +211,7 @@ Looking for info about the AADSTS error codes that are returned from the Azure A
 | AADSTS90093 | GraphUserUnauthorized - Graph returned with a forbidden error code for the request. |
 | AADSTS90094 | AdminConsentRequired - Administrator consent is required. |
 | AADSTS90100 | InvalidRequestParameter - The parameter is empty or not valid. |
+| AADSTS901002 | AADSTS901002: The 'resource' request parameter is not supported. |
 | AADSTS90101 | InvalidEmailAddress - The supplied data isn't a valid email address. The email address must be in the format `[email protected]`. |
 | AADSTS90102 | InvalidUriParameter - The value must be a valid absolute URI. |
 | AADSTS90107 | InvalidXml - The request is not valid. Make sure your data doesn't have invalid characters.|

articles/active-directory/develop/reference-aadsts-error-codes.md

@@ -0,0 +1,64 @@
+---
+# required metadata
+title: Redirect URI/reply URL restrictions and limitations - Microsoft identity platform
+description: Reply URLs/redirect URls restrictions & limitations
+author: SureshJa
+ms.author: sureshja
+manager: CelesteDG
+ms.date: 06/29/2019
+ms.topic: article
+ms.subservice: develop
+ms.service: active-directory
+ms.reviewer: lenalepa, manrath
+ms.collection: M365-identity-device-management
+---
+# Redirect URI/reply URL restrictions and limitations
+
+A redirect URI, or reply URL, is the location that the authorization server will send the user to once the app has been successfully authorized, and granted an authorization code or access token. The code or token is contained in the redirect URI or reply token so it's important that you register the correct location as part of the app registration process.
+
+## Maximum number of redirect URIs
+
+The following table shows the maximum number of redirect URIs that you can add when you register your app. 
+
+| Accounts being signed in | Maximum number of redirect URIs | Description |
+|--------------------------|---------------------------------|-------------|
+| Microsoft work or school accounts in any organization's Azure Active Directory (Azure AD) tenant | 256 | `signInAudience` field in the application manifest is set to either *AzureADMyOrg* or *AzureADMultipleOrgs* |
+| Personal Microsoft accounts and work and school accounts | 100 | `signInAudience` field in the application manifest is set to *AzureADandPersonalMicrosoftAccount* |
+
+## Maximum URI length
+
+You can use a maximum of 256 characters for each redirect URI that you add to an app registration.
+
+## Restrictions using a wildcard in URIs
+
+Wildcard URIs, such as `https://*.contoso.com`, are convenient but should be avoided. Using wildcards in the redirect URI has security implications. According to the OAuth 2.0 specification ([section 3.1.2 of RFC 6749](https://tools.ietf.org/html/rfc6749#section-3.1.2)), a redirection endpoint URI must be an absolute URI. 
+
+The Azure AD application model doesn't support wildcard URIs for apps that are configured to sign in personal Microsoft accounts and work or school accounts. However, wildcard URIs are allowed for apps that are configured to sign in work or school accounts in an organization's Azure AD tenant today. 
+ 
+> [!NOTE]
+> The new [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience doesn't allow developers to add wildcard URIs on the UI. Adding wilcard URI for apps that sign in work or school accounts is supported only through the app manifest editor. Going forward, new apps won't be able to use wildcards in the redirect URI. However, older apps that contain wildcards in redirect URIs will continue to work.
+
+If your scenario requires more redirect URIs than the maximum limit allowed, instead of adding a wildcard redirect URI, consider one of the following approaches.
+
+### Use a state parameter
+
+If you have a number of sub-domains, and if your scenario requires you to redirect users upon successful authentication to the same page where they started, using a state parameter might be helpful. 
+
+In this approach:
+
+1. Create a "shared" redirect URI per application to process the security tokens you receive from the authorization endpoint.
+1. Your application can send application-specific parameters (such as sub-domain URL where the user originated or anything like branding information) in the state parameter. When using a state parameter, guard against CSRF protection as specified in [section 10.12 of RFC 6749](https://tools.ietf.org/html/rfc6749#section-10.12)). 
+1. The application-specific parameters will include all the information needed for the application to render the correct experience for the user, that is, construct the appropriate application state. The Azure AD authorization endpoint strips HTML from the state parameter so make sure you are not passing HTML content in this parameter.
+1. When Azure AD sends a response to the "shared" redirect URI, it will send the state parameter back to the application.
+1. The application can then use the value in the state parameter to determine which URL to further send the user to. Make sure you validate for CSRF protection.
+
+> [!NOTE]
+> This approach allows a compromised client to modify the additional parameters sent in the state parameter, thereby redirecting the user to a different URL, which is the [open redirector threat](https://tools.ietf.org/html/rfc6819#section-4.2.4) described in RFC 6819. Therefore, the client must protect these parameters by encrypting the state or verifying it by some other means such as validating domain name in the redirect URI against the token.
+
+### Add redirect URIs to service principals
+
+Another approach is to add redirect URIs to the [service principals](app-objects-and-service-principals.md#application-and-service-principal-relationship) that represent your app registration in any Azure AD tenant. You can use this approach when you can't use a state parameter or your scenario requires you to add new redirect URIs to your app registration for every new tenant you support. 
+
+## Next steps
+
+- Learn about the [Application manifest](reference-app-manifest.md)

articles/active-directory/develop/reply-url.md

@@ -1,21 +1,16 @@
 ---
 title: How to manage the local administrators group on Azure AD joined devices | Microsoft Docs
 description: Learn how to assign Azure roles to the local administrators group of a Windows device.
-services: active-directory
-documentationcenter: ''
-author: MicrosoftGuyJFlo
-manager: daveba
-editor: ''
 
-ms.assetid: 54e1b01b-03ee-4c46-bcf0-e01affc0419d
+services: active-directory
 ms.service: active-directory
 ms.subservice: devices
-ms.workload: identity
-ms.tgt_pltfrm: na
-ms.devlang: na
-ms.topic: article
-ms.date: 01/08/2019
+ms.topic: conceptual
+ms.date: 06/28/2019
+
 ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
 ms.reviewer: ravenn
 
 #Customer intent: As an IT admin, I want to manage the local administrators group assignment during an Azure AD join, so that I can control who can manage Azure AD joined devices
@@ -28,7 +23,6 @@ To manage a Windows device, you need to be a member of the local administrators
 
 This article explains how the membership update works and how you can customize it during an Azure AD Join. The content of this article doesn't apply to a **hybrid** Azure AD join.
 
-
 ## How it works
 
 When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local administrators group on the device:
@@ -40,13 +34,11 @@ When you connect a Windows device with Azure AD using an Azure AD join, Azure AD
 By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Currently, you cannot assign groups to an administrator role.
 Azure AD also adds the Azure AD device administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have been *only* assigned the device administrator role to manage a device. 
 
-
 ## Manage the global administrators role
 
 To view and update the membership of the global administrator role, see:
 
 - [View all members of an administrator role in Azure Active Directory](../users-groups-roles/directory-manage-roles-portal.md)
-
 - [Assign a user to administrator roles in Azure Active Directory](../fundamentals/active-directory-users-assign-role-azure-portal.md)
 
 
@@ -55,9 +47,9 @@ To view and update the membership of the global administrator role, see:
 In the Azure portal, you can manage the device administrator role on the **Devices** page. To open the **Devices** page:
 
 1. Sign in to your [Azure portal](https://portal.azure.com) as a global administrator or device administrator.
-2. On the left navbar, click **Azure Active Directory**. 
-3. In the **Manage** section, click **Devices**.
-4. On the **Devices** page, click **Device settings**.
+1. On the left navbar, click **Azure Active Directory**. 
+1. In the **Manage** section, click **Devices**.
+1. On the **Devices** page, click **Device settings**.
 
 To modify the device administrator role, configure **Additional local administrators on Azure AD joined devices**.  
 
@@ -66,27 +58,19 @@ To modify the device administrator role, configure **Additional local administra
 >[!NOTE]
 > This option requires an Azure AD Premium tenant. 
 
-
 Device administrators are assigned to all Azure AD joined devices. You cannot scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. For the devices, a user is already signed into, the privilege update takes place:
-     
 
 - When a user signs off.
 - After 4 hours, when a new Primary Refresh Token is issued. 
 
-
-
-
 ## Manage regular users
 
 By default, Azure AD adds the user performing the Azure AD join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:
 
 - [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) -
 Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator. You can accomplish this by [creating an Autopilot profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile).
- 
 - [Bulk enrollment](https://docs.microsoft.com/intune/windows-bulk-enroll) - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after a device has been joined are not added to the administrators group.   
 
-
-
 ## Manually elevate a user on a device 
 
 In addition to using the Azure AD join process, you can also manually elevate a regular user to become a local administrator on one specific device. This step requires you to already be a member of the local administrators group. 
@@ -96,10 +80,8 @@ Starting with the **Windows 10 1709** release, you can do perform this task from
 Additionally, you can also add users using the command prompt:
 
 - If your tenant users are synchronized from on-premises Active Directory, use `net localgroup administrators /add "Contoso\username"`.
-
 - If your tenant users are created in Azure AD, use `net localgroup administrators /add "AzureAD\UserUpn"`
 
-
 ## Considerations 
 
 You cannot assign groups to the device administrator role, only individual users are allowed.
@@ -108,12 +90,7 @@ Device administrators are assigned to all Azure AD Joined devices. They can't be
 
 When you remove users from the device administrator role, they still have the local administrator privilege on a device as long as they are signed in to it. The privilege is revoked during the next sign-in, or after 4 hours when a new primary refresh token is issued.
 
-
-
 ## Next steps
 
 - To get an overview of how to manage device in the Azure portal, see [managing devices using the Azure portal](device-management-azure-portal.md)
-
 - To learn more about device-based Conditional Access, see [configure Azure Active Directory device-based Conditional Access policies](../conditional-access/require-managed-devices.md).
-
-