Merge pull request #95624 from MicrosoftDocs/master

Merge Master to Live, 3 AM

Author: PMEds28

articles/active-directory/develop/access-tokens.md

@@ -260,9 +260,9 @@ Refresh tokens can be invalidated or revoked at any time, for different reasons.
 | [Single sign-out](v1-protocols-openid-connect-code.md#single-sign-out) on web | Revoked | Stays alive | Revoked | Stays alive | Stays alive |
 
 > [!NOTE]
-> A "Non-password based" login is one where the user didn't type in a password to get it. For example, using your face with Windows Hello, a FIDO key, or a PIN.
+> A "Non-password based" login is one where the user didn't type in a password to get it. For example, using your face with Windows Hello, a FIDO2 key, or a PIN.
 >
-> A known issue exists with the Windows Primary Refresh Token. If the PRT is obtained via a password, and then the user logs in via Hello, this does not change the origination of the PRT, and it will be revoked if the user changes their password.
+> Primary Refresh Tokens (PRT) on Windows 10 are segregated based on the credential. For example, Windows Hello and password have their respective PRTs, isolated from one another. When a user signs-in with a Hello credential (PIN or biometrics) and then changes the password, the password based PRT obtained previously will be revoked. Signing back in with a password invalidates the old PRT and requests a new one.
 >
 > Refresh tokens aren't invalidated or revoked when used to fetch a new access token and refresh token.  
 

articles/active-directory/develop/quickstart-v2-android.md

@@ -211,9 +211,9 @@ PublicClientApplication.createSingleAccountPublicClientApplication(getContext(),
             @Override
             public void onCreated(ISingleAccountPublicClientApplication application) {
                 /**
-                    * This test app assumes that the app is only going to support one account.
-                    * This requires "account_mode" : "SINGLE" in the config json file.
-                    **/
+                 * This test app assumes that the app is only going to support one account.
+                 * This requires "account_mode" : "SINGLE" in the config json file.
+                 **/
                 mSingleAccountApp = application;
                 loadAccount();
             }
@@ -280,17 +280,17 @@ The code to get a token interactively, that is with UI that will involve the use
  *  - password change
  *  - the resource you're acquiring a token for has a stricter set of requirement than your Single Sign-On refresh token.
  *  - you're introducing a new scope which the user has never consented for.
- */
+ **/
 mSingleAccountApp.acquireToken(getActivity(), getScopes(), getAuthInteractiveCallback());
 ```
 
 If the user has already signed in, `acquireTokenSilentAsync()` allows apps to request tokens silently as shown in `initializeUI()`, in the `callGraphApiSilentButton` click handler:
 
 ```java
 /**
-  * Once you've signed the user in,
-  * you can perform acquireTokenSilent to obtain resources without interrupting the user.
-  */
+ * Once you've signed the user in,
+ * you can perform acquireTokenSilent to obtain resources without interrupting the user.
+ **/
   mSingleAccountApp.acquireTokenSilentAsync(getScopes(), AUTHORITY, getAuthSilentCallback());
 ```
 
@@ -391,7 +391,7 @@ An example of a multiple account app is a mail app that allows you to work with
 In the `MultipleAccountModeFragment.java` file, in `onCreateView()`, a multiple account app object (`IMultipleAccountPublicClientApplication`) is created using the config information stored in the `auth_config_multiple_account.json file`:
 
 ```java
-// Creates a PublicClientApplication object with res/raw/auth_config_single_account.json
+// Creates a PublicClientApplication object with res/raw/auth_config_multiple_account.json
 PublicClientApplication.createMultipleAccountPublicClientApplication(getContext(),
         R.raw.auth_config_multiple_account,
         new IPublicClientApplication.IMultipleAccountApplicationCreatedListener() {
@@ -416,8 +416,8 @@ Multiple account apps usually call `getAccounts()` to select the account to use
 
 ```java
 /**
-     * Load currently signed-in accounts, if there's any.
-    */
+ * Load currently signed-in accounts, if there's any.
+ **/
 private void loadAccounts() {
     if (mMultipleAccountApp == null) {
         return;
@@ -463,7 +463,7 @@ Multiple account apps should typically acquire tokens interactively, that is wit
  *  - password change
  *  - the resource you're acquiring a token for has a stricter set of requirement than your SSO refresh token.
  *  - you're introducing a new scope which the user has never consented for.
- */
+ **/
 mMultipleAccountApp.acquireToken(getActivity(), getScopes(), getAuthInteractiveCallback());
 ```
 
@@ -484,12 +484,12 @@ mMultipleAccountApp.acquireTokenSilentAsync(getScopes(),
 
 #### Remove an account
 
-The code to remove an account, and any cached tokens for the account, is in the `MultipleAccountModeFragment.java` file in `initializeUI()` in the handler for the remove account button. Before you can remove an account, you need an account object, which you obtain from MSAL functions like `getAccounts()` and `acquireToken()`. Because removing an account is an asynchronous operation, the `onRemoved` callback is supplied to update the UI.
+The code to remove an account, and any cached tokens for the account, is in the `MultipleAccountModeFragment.java` file in `initializeUI()` in the handler for the remove account button. Before you can remove an account, you need an account object, which you obtain from MSAL methods like `getAccounts()` and `acquireToken()`. Because removing an account is an asynchronous operation, the `onRemoved` callback is supplied to update the UI.
 
 ```java
 /**
-  * Removes the selected account and cached tokens from this app (or device, if the device is in shared mode).
-  */
+ * Removes the selected account and cached tokens from this app (or device, if the device is in shared mode).
+ **/
 mMultipleAccountApp.removeAccount(accountList.get(accountListSpinner.getSelectedItemPosition()),
         new IMultipleAccountPublicClientApplication.RemoveAccountCallback() {
             @Override

articles/active-directory/develop/v2-supported-account-types.md

@@ -37,7 +37,7 @@ In the Microsoft Azure public Cloud, most types of apps can sign in users with a
   - With their work or school or personal Microsoft account.
   - With only personal Microsoft account.
     > [!NOTE]
-    > Currently the Microsoft identity platform supports personal Microsoft accounts only by registering an app for **work or school or Microsoft personal accounts**, and then, restrict sign-in in the code for the application by specifying an Azure AD authority, when building the application, such as `https://login.onmicrosoftonline.com/consumers`.
+    > Currently the Microsoft identity platform supports personal Microsoft accounts only by registering an app for **work or school or Microsoft personal accounts**, and then, restrict sign-in in the code for the application by specifying an Azure AD authority, when building the application, such as `https://login.microsoftonline.com/consumers`.
 
 - If you're writing a business to consumers application, you can also sign in users with their social identities, using Azure AD B2C.
 
@@ -57,4 +57,4 @@ Some account types can't be used with certain authentication flows. For instance
 ## Next steps
 
 - Learn more about [Tenancy in Azure Active Directory](./single-and-multi-tenant-apps.md)
-- Learn more about [National Clouds](./authentication-national-cloud.md)
+- Learn more about [National Clouds](./authentication-national-cloud.md)

articles/active-directory/develop/vs-active-directory-add-connected-service.md

@@ -1,5 +1,5 @@
 ---
-title: Add an Azure Active Directory using Connected Services in Visual Studio | Azure
+title: Add an Azure Active Directory using Connected Services | Azure
 description: Add an Azure Active Directory by using the Visual Studio Add Connected Services dialog box
 author: ghogen
 manager: jillfra

articles/active-directory/develop/vs-active-directory-error.md

@@ -1,5 +1,5 @@
 ---
-title: How to diagnose errors with the Azure Active Directory connected service
+title: Diagnose errors with Azure Active Directory connected service
 description: The active directory connected service detected an incompatible authentication type
 author: ghogen
 manager: jillfra

articles/active-directory/fundamentals/add-users-azure-active-directory.md

@@ -9,60 +9,66 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 04/01/2019
+ms.date: 11/11/2019
 ms.author: ajburnle
 ms.reviewer: jeffsta
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
 
 # Add or delete users using Azure Active Directory
-Add new users or delete existing users from your Azure Active Directory (Azure AD) organization. To add or delete users you must be a User administrator or Global administrator. 
+
+Add new users or delete existing users from your Azure Active Directory (Azure AD) organization. To add or delete users you must be a User administrator or Global administrator.
 
 ## Add a new user
+
 You can create a new user using the Azure Active Directory portal.
 
 ### To add a new user
+
 1. Sign in to the [Azure portal](https://portal.azure.com/) as a User administrator for the organization.
 
 2. Select **Azure Active Directory**, select **Users**, and then select **New user**.
 
     ![Users - All users page with New user highlighted](media/add-users-azure-active-directory/new-user-all-users-blade.png)
 
-3. On the **User** page, fill out the required information.
+3. On the **New user** page, select **Create user** and then add the user's information.
 
     ![Add new user, User page with user info](media/add-users-azure-active-directory/new-user-user-blade.png)
 
-   - **Name (required).** The first and last name of the new user. For example, Mary Parker.
+   - **Name (required)**: The first and last name of the new user. For example, Chris Green.
+
+   - **User name (required)**: The user name of the new user. For example, [email protected].
 
-   - **User name (required).** The user name of the new user. For example, [email protected].
-    
-       The domain part of the user name must use either the initial default domain name, <_yourdomainname_>.onmicrosoft.com, or a custom domain name, such as contoso.com. For more information about how to create a custom domain name, see [How to add a custom domain name to Azure Active Directory](add-custom-domain.md).
+     The domain part of the user name must use either the initial default domain name, <_yourdomainname_>.onmicrosoft.com, or a custom domain name in your Azure AD organization such as contoso.com. For more information about how to create a custom domain name, see [How to add a custom domain name to Azure Active Directory](add-custom-domain.md).
 
-   - **Profile.** Optionally, you can add more information about the user. You can also add user information at a later time. For more information about adding user info, see [How to add or change user profile information](active-directory-users-profile-azure-portal.md).
+   - **Groups**: You can add the user to one or more existing groups, or you can do it later. For more information about adding users to groups, see [How to create a basic group and add members](active-directory-groups-create-azure-portal.md).
 
-   - **Groups.** Optionally, you can add the user to one or more existing groups. You can also add the user to groups at a later time. For more information about adding users to groups, see [How to create a basic group and add members](active-directory-groups-create-azure-portal.md).
+   - **Directory role**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Azure AD. For more information about assigning roles, see [How to assign roles to users](active-directory-users-assign-role-azure-portal.md).
 
-   - **Directory role.** Optionally, you can add the user to an Azure AD administrator role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Azure AD. For more information about assigning roles, see [How to assign roles to users](active-directory-users-assign-role-azure-portal.md).
+   - **Job info**: You can add more information about the user here, or do it later. For more information about adding user info, see [How to add or change user profile information](active-directory-users-profile-azure-portal.md).
 
 4. Copy the auto-generated password provided in the **Password** box. You'll need to give this password to the user for the initial sign-in process.
 
 5. Select **Create**.
 
-    The user is created and added to your Azure AD tenant.
+The user is created and added to your Azure AD organization.
 
 ## Add a new user within a hybrid environment
+
 If you have an environment with both Azure Active Directory (cloud) and Windows Server Active Directory (on-premises), you can add new users by syncing the existing user account data. For more information about hybrid environments and users, see [Integrate your on-premises directories with Azure Active Directory](../hybrid/whatis-hybrid-identity.md).
 
 ## Delete a user
+
 You can delete an existing user using Azure Active Directory portal.
 
 ### To delete a user
+
 1. Sign in to the [Azure portal](https://portal.azure.com/) using a User administrator account for the organization.
 
-2. Select **Azure Active Directory**, select **Users**, and then search for and select the user you want to delete from your Azure AD tenant. For example, _Mary Parker_.
+1. Select **Azure Active Directory**, select **Users**, and then search for and select the user you want to delete from your Azure AD tenant. For example, _Mary Parker_.
 
-3. Select **Delete user**.
+1. Select **Delete user**.
 
     ![Users - All users page with Delete user highlighted](media/add-users-azure-active-directory/delete-user-all-users-blade.png)
 
@@ -83,4 +89,4 @@ After you've added your users, you can perform the following basic processes:
 
 - [Work with dynamic groups and users](../users-groups-roles/groups-create-rule.md)
 
-Or you can perform other user management tasks, such as [adding guest users from another directory](../b2b/what-is-b2b.md) or [restoring a deleted user](active-directory-users-restore.md). For more information about other available actions, see [Azure Active Directory user management documentation](../users-groups-roles/index.yml).
+Or you can perform other user management tasks, such as [adding guest users from another Azure AD organization](../b2b/what-is-b2b.md) or [restoring a deleted user](active-directory-users-restore.md). For more information about other available actions, see [Azure Active Directory user management documentation](../users-groups-roles/index.yml).