fixing merge conflicts

Author: jpconnock

articles/active-directory-b2c/active-directory-b2c-faqs.md

@@ -128,7 +128,7 @@ Not currently. This feature is on our roadmap. Verifying your domain in the **Do
 
 Follow these steps to delete your Azure AD B2C tenant.
 
-You can use the current **Applications** experience or our new unified **App registrations (Preview)** experience. [Learn more about the preview experience](http://aka.ms/b2cappregintro).
+You can use the current **Applications** experience or our new unified **App registrations (Preview)** experience. [Learn more about the preview experience](https://aka.ms/b2cappregintro).
 
 #### [Applications](#tab/applications/)
 

articles/active-directory-b2c/active-directory-b2c-troubleshoot-custom.md

@@ -1,113 +1,108 @@
 ---
-title: Application Insights to troubleshoot Custom Policies in Azure Active Directory B2C | Microsoft Docs
-description: how to setup Application Insights to trace the execution of custom policies.
+title: Troubleshoot custom policies with Application Insights - Azure Active Directory B2C
+description: How to set up Application Insights to trace the execution of your custom policies.
 services: active-directory-b2c
 author: mmacy
 manager: celestedg
 
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 08/04/2017
+ms.date: 11/04/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
 
-# Azure Active Directory B2C: Collecting Logs
+# Collect Azure Active Directory B2C logs with Application Insights
 
-This article provides steps for collecting logs from Azure AD B2C so that you can diagnose problems with your custom policies.
+This article provides steps for collecting logs from Active Directory B2C (Azure AD B2C) so that you can diagnose problems with your custom policies. Application Insights provides a way to diagnose exceptions and visualize application performance issues. Azure AD B2C includes a feature for sending data to Application Insights.
 
->[!NOTE]
->Currently, the detailed activity logs described here are designed **ONLY** to aid in development of custom policies. Do not use development mode  in production.  Logs collect all claims sent to and from the identity providers during development.  If used in production, the developer assumes responsibility for PII (Privately Identifiable Information) collected in the App Insights log that they own.  These detailed logs are only collected when the policy is placed on **DEVELOPMENT MODE**.
+The detailed activity logs described here should be enabled **ONLY** during the development of your custom policies.
 
+> [!WARNING]
+> Do not enable development mode in production. Logs collect all claims sent to and from identity providers. You as the developer assume responsibility for any personal data collected in your Application Insights logs. These detailed logs are collected only when the policy is placed in **DEVELOPER MODE**.
 
-## Use Application Insights
+## Set up Application Insights
 
-Azure AD B2C supports a feature for sending data to Application Insights.  Application Insights provides a way to diagnose exceptions and visualize application performance issues.
+If you don't already have one, create an instance of Application Insights in your subscription.
 
-### Setup Application Insights
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure subscription (not your Azure AD B2C directory).
+1. Select **Create a resource** in the left-hand navigation menu.
+1. Search for and select **Application Insights**, then select **Create**.
+1. Complete the form, select **Review + create**, and then select **Create**.
+1. Once the deployment has been completed, select **Go to resource**.
+1. Under **Configure** in Application Insights menu, select **Properties**.
+1. Record the **INSTRUMENTATION KEY** for use in a later step.
 
-1. Go to the [Azure portal](https://portal.azure.com). Ensure you are in the tenant with your Azure subscription (not your Azure AD B2C tenant).
-1. Click **+ New** in the left-hand navigation menu.
-1. Search for and select **Application Insights**, then click **Create**.
-1. Complete the form and click **Create**. Select **General** for the **Application Type**.
-1. Once the resource has been created, open the Application Insights resource.
-1. Find **Properties** in the left-menu, and click on it.
-1. Copy the **Instrumentation Key** and save it for the next section.
+## Configure the custom policy
 
-### Set up the custom policy
-
-1. Open the RP file (for example, SignUpOrSignin.xml).
+1. Open the relying party (RP) file, for example *SignUpOrSignin.xml*.
 1. Add the following attributes to the `<TrustFrameworkPolicy>` element:
 
    ```XML
    DeploymentMode="Development"
    UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"
    ```
 
-1. If it doesn't exist already, add a child node `<UserJourneyBehaviors>` to the `<RelyingParty>` node. It must be located immediately after the `<DefaultUserJourney ReferenceId="UserJourney Id from your extensions policy, or equivalent (for example:SignUpOrSigninWithAAD" />`
-2. Add the following node as a child of the `<UserJourneyBehaviors>` element. Make sure to replace `{Your Application Insights Key}` with the **Instrumentation Key** that you obtained from Application Insights in the previous section.
+1. If it doesn't already exist, add a `<UserJourneyBehaviors>` child node to the `<RelyingParty>` node. It must be located immediately after `<DefaultUserJourney ReferenceId="UserJourney Id" from your extensions policy, or equivalent (for example:SignUpOrSigninWithAAD" />`.
+1. Add the following node as a child of the `<UserJourneyBehaviors>` element. Make sure to replace `{Your Application Insights Key}` with the Application Insights **Instrumentation Key** that you recorded earlier.
 
-   ```XML
-   <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="{Your Application Insights Key}" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
-   ```
+    ```XML
+    <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="{Your Application Insights Key}" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
+    ```
 
-   * `DeveloperMode="true"` tells ApplicationInsights to expedite the telemetry through the processing pipeline, good for development, but constrained at high volumes.
-   * `ClientEnabled="true"` sends the ApplicationInsights client-side script for tracking page view and client-side errors (not needed).
-   * `ServerEnabled="true"` sends the existing UserJourneyRecorder JSON as a custom event to Application Insights.
-   Sample:
+    * `DeveloperMode="true"` tells ApplicationInsights to expedite the telemetry through the processing pipeline. Good for development, but constrained at high volumes.
+    * `ClientEnabled="true"` sends the ApplicationInsights client-side script for tracking page view and client-side errors. You can view these in the **browserTimings** table in the Application Insights portal. By setting `ClientEnabled= "true"`, you add Application Insights to your page script and you get timings of page loads and AJAX calls, counts, details of browser exceptions and AJAX failures, and user and session counts. This field is **optional**, and is set to `false` by default.
+    * `ServerEnabled="true"` sends the existing UserJourneyRecorder JSON as a custom event to Application Insights.
 
-   ```XML
-   <TrustFrameworkPolicy
-    ...
-    TenantId="fabrikamb2c.onmicrosoft.com"
-    PolicyId="SignUpOrSignInWithAAD"
-    DeploymentMode="Development"
-    UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"
-   >
+    For example:
+
+    ```XML
+    <TrustFrameworkPolicy
+      ...
+      TenantId="fabrikamb2c.onmicrosoft.com"
+      PolicyId="SignUpOrSignInWithAAD"
+      DeploymentMode="Development"
+      UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"
+    >
     ...
     <RelyingParty>
       <DefaultUserJourney ReferenceId="UserJourney ID from your extensions policy, or equivalent (for example: SignUpOrSigninWithAzureAD)" />
       <UserJourneyBehaviors>
         <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="{Your Application Insights Key}" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
       </UserJourneyBehaviors>
       ...
-   </TrustFrameworkPolicy>
-   ```
+    </TrustFrameworkPolicy>
+    ```
 
-3. Upload the policy.
+1. Upload the policy.
 
-### See the logs in Application Insights
+## See the logs in Application Insights
 
->[!NOTE]
-> There is a short delay (less than five minutes) before you can see new logs in Application Insights.
+There is a short delay, typically less than five minutes, before you can see new logs in Application Insights.
 
 1. Open the Application Insights resource that you created in the [Azure portal](https://portal.azure.com).
-1. In the **Overview** menu, click on **Analytics**.
+1. In the **Overview** menu, select **Analytics**.
 1. Open a new tab in Application Insights.
-1. Here is a list of queries you can use to see the logs
+
+Here is a list of queries you can use to see the logs:
 
 | Query | Description |
 |---------------------|--------------------|
-traces | See all of the logs generated by Azure AD B2C |
-traces \| where timestamp > ago(1d) | See all of the logs generated by Azure AD B2C for the last day
-
-The entries may be long.  Export to CSV for a closer look.
-
-You can learn more about the Analytics tool [here](https://docs.microsoft.com/azure/application-insights/app-insights-analytics).
-
->[!NOTE]
->The community has developed a user journey viewer to help identity developers.  It is not supported by Microsoft and made available strictly as-is.  It reads from your Application Insights instance and provides a well-structured view of the user journey events.  You obtain the source code and deploy it in your own solution.
+`traces` | See all of the logs generated by Azure AD B2C |
+`traces | where timestamp > ago(1d)` | See all of the logs generated by Azure AD B2C for the last day
 
-The version of the viewer that reads events from Application Insights is located [here](https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/wingtipgamesb2c/src/WingTipUserJourneyPlayerWebApplication)
+The entries may be long. Export to CSV for a closer look.
 
->[!NOTE]
->Currently, the detailed activity logs described here are designed **ONLY** to aid in development of custom policies. Do not use development mode in production.  Logs collect all claims sent to and from the identity providers during development.  If used in production, the developer assumes responsibility for PII (Privately Identifiable Information) collected in the App Insights log that they own.  These detailed logs are only collected when the policy is placed on **DEVELOPMENT MODE**.
+For more information about querying, see [Overview of log queries in Azure Monitor](../azure-monitor/log-query/log-query-overview.md).
 
-[GitHub Repository for Unsupported Custom Policy Samples and Related tools](https://github.com/Azure-Samples/active-directory-b2c-advanced-policies)
+## Next steps
 
+The community has developed a user journey viewer to help identity developers. It reads from your Application Insights instance and provides a well-structured view of the user journey events. You obtain the source code and deploy it in your own solution.
 
+The user journey player is not supported by Microsoft, and is made available strictly as-is.
 
-## Next Steps
+You can find the version of the viewer that reads events from Application Insights on GitHub, here:
 
-Explore the data in Application Insights to help you understand how the Identity Experience Framework underlying B2C works to deliver your own identity experiences.
+[Azure-Samples/active-directory-b2c-advanced-policies](https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/wingtipgamesb2c/src/WingTipUserJourneyPlayerWebApplication)

articles/active-directory-b2c/active-directory-b2c-tutorials-spa.md

@@ -44,7 +44,7 @@ Additionally, you need the following in your local development environment:
 
 In the second tutorial that you completed as part of the prerequisites, you registered a web application in Azure AD B2C. To enable communication with the sample in the tutorial, you need to add a redirect URI to the application in Azure AD B2C.
 
-You can use the current **Applications** experience or our new unified **App registrations (Preview)** experience to update the application. [Learn more about the preview experience](http://aka.ms/b2cappregintro).
+You can use the current **Applications** experience or our new unified **App registrations (Preview)** experience to update the application. [Learn more about the preview experience](https://aka.ms/b2cappregintro).
 
 #### [Applications](#tab/applications/)
 

articles/active-directory-b2c/active-directory-b2c-tutorials-web-app.md

@@ -37,7 +37,7 @@ In the tutorial that you completed as part of the prerequisites, you registered
 
 ### Add a redirect URI (reply URL)
 
-You can use the current **Applications** experience or our new unified **App registrations (Preview)** experience to update the application. [Learn more about the preview experience](http://aka.ms/b2cappregintro).
+You can use the current **Applications** experience or our new unified **App registrations (Preview)** experience to update the application. [Learn more about the preview experience](https://aka.ms/b2cappregintro).
 
 #### [Applications](#tab/applications/)
 

articles/active-directory-b2c/active-directory-b2c-user-migration.md

@@ -173,12 +173,12 @@ To validate the migration, use one of the following two methods:
    1. Open **Azure AD B2C**, and then select **Users**.
    1. In the search box, type the user's display name, and then view the user's profile.
 
-- To retrieve a user by sign-in email address, use this sample application:
+- To retrieve a user by sign-in email address, use the sample application:
 
    1. Run the following command:
 
       ```Console
-          UserMigration.exe 3 {email address}
+          UserMigration.exe 3 {email address} > UserProfile.json
       ```
 
       > [!TIP]

articles/active-directory-b2c/saml-technical-profile.md

@@ -1,5 +1,5 @@
 ---
-title: Define a SAML technical profile in a custom policy in Azure Active Directory B2C | Microsoft Docs
+title: Define a SAML technical profile in a custom policy in Azure Active Directory B2C
 description: Define a SAML technical profile in a custom policy in Azure Active Directory B2C.
 services: active-directory-b2c
 author: mmacy
@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 12/21/2018
+ms.date: 11/04/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -54,7 +54,6 @@ The following diagram shows the metadata and certificate exchange:
 
 ![metadata and certificate exchange](media/saml-technical-profile/technical-profile-idp-saml-metadata.png)
 
-
 ## Digital encryption
 
 To encrypt the SAML response assertion, the identity provider always uses a public key of an encryption certificate in an Azure AD B2C technical profile. When Azure AD B2C needs to decrypt the data, it uses the private portion of the encryption certificate.
@@ -129,7 +128,7 @@ The technical profile also returns claims that aren't returned by the identity p
 | NameIdPolicyFormat | No | Specifies constraints on the name identifier to be used to represent the requested subject. If omitted, any type of identifier supported by the identity provider for the requested subject can be used. For example,  `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`. **NameIdPolicyFormat** can be used with **NameIdPolicyAllowCreate**. Look at your identity provider’s documentation for guidance about which name ID policies are supported. |
 | NameIdPolicyAllowCreate | No | When using **NameIdPolicyFormat**, you can also specify the `AllowCreate` property of **NameIDPolicy**. The value of this metadata is `true` or `false` to indicate whether the identity provider is allowed to create a new account during the sign-in flow. Look at your identity provider’s documentation for guidance on how to do so. |
 | AuthenticationRequestExtensions | No | Optional protocol message extension elements that are agreed on between Azure AD BC and the identity provider. The extension is presented in XML format. You add the XML data inside the CDATA element `<![CDATA[Your IDP metadata]]>`. Check your identity provider’s documentation to see if the extensions element is supported. |
-| IncludeAuthnContextClassReferences | No | Specifies one or more URI references identifying authentication context classes. For example, to allow a user to sign in with username and password only, set the value to `urn:oasis:names:tc:SAML:2.0:ac:classes:Password`. To allow sign-in through username and password over a protected session (SSL/TLS), specify `PasswordProtectedTransport`. Look at your identity provider’s documentation for guidance about the **AuthnContextClassRef** URIs that are supported. |
+| IncludeAuthnContextClassReferences | No | Specifies one or more URI references identifying authentication context classes. For example, to allow a user to sign in with username and password only, set the value to `urn:oasis:names:tc:SAML:2.0:ac:classes:Password`. To allow sign-in through username and password over a protected session (SSL/TLS), specify `PasswordProtectedTransport`. Look at your identity provider’s documentation for guidance about the **AuthnContextClassRef** URIs that are supported. Specify multiple URIs as a comma-delimited list. |
 | IncludeKeyInfo | No | Indicates whether the SAML authentication request contains the public key of the certificate when the binding is set to `HTTP-POST`. Possible values: `true` or `false`. |
 
 ## Cryptographic keys
@@ -142,20 +141,9 @@ The **CryptographicKeys** element contains the following attributes:
 | SamlAssertionDecryption |Yes | The X509 certificate (RSA key set) to use to decrypt SAML messages. This certificate should be provided by the identity provider. Azure AD B2C uses this certificate to decrypt the data sent by the identity provider. |
 | MetadataSigning |No | The X509 certificate (RSA key set) to use to sign SAML metadata. Azure AD B2C uses this key to sign the metadata.  |
 
-## Examples
+## Next steps
+
+See the following articles for examples of working with SAML identity providers in Azure AD B2C:
 
 - [Add ADFS as a SAML identity provider using custom policies](active-directory-b2c-custom-setup-adfs2016-idp.md)
 - [Sign in by using Salesforce accounts via SAML](active-directory-b2c-setup-sf-app-custom.md)
-
-
-
-
-
-
-
-
-
-
-
-
-

articles/active-directory-b2c/secure-api-management.md

@@ -31,7 +31,7 @@ You need the following resources in place before continuing with the steps in th
 
 When you secure an API in Azure API Management with Azure AD B2C, you need several values for the [inbound policy](../api-management/api-management-howto-policies.md) that you create in APIM. First, record the application ID of an application you've previously created in your Azure AD B2C tenant. If you're using the application you created in the prerequisites, use the application ID for *webbapp1*.
 
-You can use the current **Applications** experience or our new unified **App registrations (Preview)** experience to get the application ID. [Learn more about the preview experience](http://aka.ms/b2cappregintro).
+You can use the current **Applications** experience or our new unified **App registrations (Preview)** experience to get the application ID. [Learn more about the preview experience](https://aka.ms/b2cappregintro).
 
 #### [Applications](#tab/applications/)