Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into us1645361ae

Author: TimShererWithAquent

.openpublishing.redirection.json

@@ -39798,6 +39798,11 @@
       "redirect_url": "/azure/cognitive-services/Custom-Vision-Service/home",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/cognitive-services/Custom-Vision-Service/move-your-project-to-azure.md",
+      "redirect_url": "/azure/cognitive-services/Custom-Vision-Service/home",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/data-catalog/data-catalog-prerequisites.md",
       "redirect_url": "/azure/data-catalog/data-catalog-get-started",

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

@@ -105,7 +105,7 @@ This flowchart describes which methods are shown to a user when interrupted to r
 
 If you have both Multi-Factor Authentication and SSPR enabled, we recommend that you enforce Multi-Factor Authentication registration.
 
-If the SSPR policy requires users to review their security info at regular intervals, users are interrupted during sign-in and shown all their registered methods. They can confirm the current info if it's up-to-date, or they can make changes if they need to.
+If the SSPR policy requires users to review their security info at regular intervals, users are interrupted during sign-in and shown all their registered methods. They can confirm the current info if it's up-to-date, or they can make changes if they need to. Users must perform multi-factor authentication when accessing this page.
 
 ### Manage mode
 

articles/active-directory/authentication/concept-sspr-policy.md

@@ -50,15 +50,15 @@ The two-gate policy requires two pieces of authentication data, such as an **ema
   * Privileged Authentication administrator
 
 * If 30 days have elapsed in a trial subscription; or
-* A vanity domain is present, such as contoso.com; or
+* A custom domain has been configured for your Azure AD tenant, such as *contoso.com*; or
 * Azure AD Connect is synchronizing identities from your on-premises directory
 
 ### Exceptions
 
 A one-gate policy requires one piece of authentication data, such as an email address *or* phone number. A one-gate policy applies in the following circumstances:
 
 * It's within the first 30 days of a trial subscription; or
-* A vanity domain isn't present (*.onmicrosoft.com); and
+* A custom domain hasn't been configured for your Azure AD tenant so is using the default **.onmicrosoft.com*. Note that the default **.onmicrosoft.com* domain isn't recommended for production use; and
 * Azure AD Connect isn't synchronizing identities
 
 ## UserPrincipalName policies that apply to all user accounts

articles/active-directory/authentication/howto-mfa-nps-extension-errors.md

@@ -93,6 +93,10 @@ If you encounter one of these errors, we recommend that you [contact support](#c
 
 If your users are [Having trouble with two-step verification](../user-help/multi-factor-authentication-end-user-troubleshoot.md), help them self-diagnose problems.
 
+### Health check script
+
+The [Azure MFA NPS Extension health check script](https://gallery.technet.microsoft.com/Azure-MFA-NPS-Extension-648de6bb) is available on the TechNet Gallery to perform a basic health check when troubleshooting the NPS extension. Run the script and choose option 3.
+
 ### Contact Microsoft support
 
 If you need additional help, contact a support professional through [Azure Multi-Factor Authentication Server support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, the ID of the user who saw the error, and debug logs.

articles/active-directory/authentication/howto-mfa-reporting.md

@@ -131,6 +131,16 @@ Identify users who have not registered for MFA using the PowerShell that follows
 
 ```Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName```
 
+Identify users and output methods registered. 
+
+```PowerShell
+Get-MsolUser -All | Select-Object @{N='UserPrincipalName';E={$_.UserPrincipalName}},
+
+@{N='MFA Status';E={if ($_.StrongAuthenticationRequirements.State){$_.StrongAuthenticationRequirements.State} else {"Disabled"}}},
+
+@{N='MFA Methods';E={$_.StrongAuthenticationMethods.methodtype}} | Export-Csv -Path c:\MFA_Report.csv -NoTypeInformation
+```
+
 ## Possible results in activity reports
 
 The following table may be used to troubleshoot multi-factor authentication using the downloaded version of the multi-factor authentication activity report. They will not appear directly in the Azure portal.

articles/active-directory/authentication/howto-mfaserver-deploy.md

@@ -120,6 +120,9 @@ Now that you have downloaded the server you can install and configure it. Be sur
 
 5. Back on the page that you downloaded the server from, click the **Generate Activation Credentials** button. Copy this information into the Azure MFA Server in the boxes provided and click **Activate**.
 
+> [!NOTE]
+> Only global administrators are able to generate activation credentials in the Azure portal.
+
 ## Send users an email
 
 To ease rollout, allow MFA Server to communicate with your users. MFA Server can send an email to inform them that they have been enrolled for two-step verification.

articles/active-directory/authentication/multi-factor-authentication-faq.md

@@ -23,10 +23,13 @@ This FAQ answers common questions about Azure Multi-Factor Authentication and us
 
 > [!IMPORTANT]
 > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
+> 
+> Consumption-based licensing is no longer available to new customers effective September 1, 2018.
+> Effective September 1, 2018 new auth providers may no longer be created. Existing auth providers may continue to be used and updated. Multi-factor authentication will continue to be an available feature in Azure AD Premium licenses.
+
 > [!NOTE]
 > The information shared below regarding the Azure Multi-Factor Authentication Server is only applicable for users who already have the MFA server running.
 
-
 **Q: How does Azure Multi-Factor Authentication Server handle user data?**
 
 With Multi-Factor Authentication Server, user data is stored only on the on-premises servers. No persistent user data is stored in the cloud. When the user performs two-step verification, Multi-Factor Authentication Server sends data to the Azure Multi-Factor Authentication cloud service for authentication. Communication between Multi-Factor Authentication Server and the Multi-Factor Authentication cloud service uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) over port 443 outbound.

articles/active-directory/cloud-provisioning/how-to-install.md

@@ -43,7 +43,7 @@ Installing and configuring Azure AD Connect provisioning is accomplished in the
 6. On the **Configuration complete** screen, click **Confirm**.  This operation will register and restart the agent.</br>
 ![Welcome screen](media/how-to-install/install4.png)</br>
 
-7. Once this operation completes you should see a notice **Your was successfully verified.**  You can click **Exit**.</br>
+7. Once this operation completes you should see a notice **Your agent configuration was successfully verified.**  You can click **Exit**.</br>
 ![Welcome screen](media/how-to-install/install5.png)</br>
 8. If you still see the initial splash screen, click **Close**.
 

articles/active-directory/conditional-access/controls.md

@@ -74,7 +74,7 @@ For more information, see [how to require managed devices for cloud app access w
 
 ### Hybrid Azure AD joined device
 
-Requiring a Hybrid Azure AD joined device is another option you have to configure device-based Conditional Access policies. This requirement refers to Windows desktops, laptops, and enterprise tablets that are joined to an on-premises Active Directory. If this option is selected, your Conditional Access policy grants access to access attempts made with devices that are joined to your on-premises Active Directory and your Azure Active Directory.  
+Requiring a hybrid Azure AD joined device is another option you have to configure device-based Conditional Access policies. This requirement refers to Windows desktops, laptops, and enterprise tablets that are joined to an on-premises Active Directory. If this option is selected, your Conditional Access policy grants access to access attempts made with devices that are joined to your on-premises Active Directory and your Azure Active Directory. Mac devices do not support hybrid Azure AD join.
 
 For more information, see [set up Azure Active Directory device-based Conditional Access policies](require-managed-devices.md).
 

articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md

@@ -46,6 +46,10 @@ The following steps will help create a Conditional Access policy to require devi
 1. Confirm your settings and set **Enable policy** to **On**.
 1. Select **Create** to create to enable your policy.
 
+### Known behavior
+
+On Windows 7, iOS, Android, macOS, and some third-party web browsers Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser the user is prompted to select the certificate. The end user must select this certificate before they can continue to use the browser.
+
 ## Next steps
 
 [Conditional Access common policies](concept-conditional-access-policy-common.md)