Merge pull request #87539 from MicrosoftDocs/master

9/5 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -16884,6 +16884,11 @@
       "redirect_url": "/azure/service-fabric/service-fabric-tutorial-deploy-app-to-party-cluster",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/migrate/how-to-prepare-linux-for-migration.md",
+      "redirect_url": "tutorial-prepare-vmware",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/migrate/how-to-create-group-dependencies.md",
       "redirect_url": "how-to-create-a-group#refine-a-group-with-dependency-mapping",

articles/active-directory/reports-monitoring/reference-sign-ins-error-codes.md

@@ -150,6 +150,8 @@ You can also programmatically access the sign-in data using the [reporting API](
 |70018|Invalid verification code due to User typing in wrong user code for device code flow. Authorization is not approved.|
 |70019|Verification code expired. Have the user retry the sign-in.|
 |70037|Incorrect challenge response provided. Remote auth session denied.|
+|70043|Azure Conditional Access session management forces the session to expire|
+|70044|Azure Conditional Access session management forces the session to expire|
 |75001|An error occurred during SAML message binding.|
 |75003|The application returned an error related to unsupported Binding (SAML protocol response cannot be sent via bindings other than HTTP POST). Contact the application owner.|
 |75005|Azure AD doesn’t support the SAML Request sent by the application for Single Sign-on. Contact the application owner.|

articles/active-directory/users-groups-roles/roles-create-custom.md

@@ -1,6 +1,6 @@
 ---
-title: Create a custom role definition in Azure AD role-based access control - Azure Active Directory | Microsoft Docs
-description: Create custom Azure AD roles with resource scope on Azure Active Directory resources.
+title: Create and assign a custom role in Azure AD role-based access control - Azure Active Directory | Microsoft Docs
+description: Create and assign custom Azure AD roles with resource scope on Azure Active Directory resources.
 services: active-directory
 author: curtand
 manager: mtillman
@@ -9,20 +9,20 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: users-groups-roles
 ms.topic: article
-ms.date: 07/31/2019
+ms.date: 09/04/2019
 ms.author: curtand
 ms.reviewer: vincesm
 ms.custom: it-pro
 
 ms.collection: M365-identity-device-management
 ---
-# Create a custom role and assign at resource scope in Azure Active Directory
+# Create and assign a custom role in Azure Active Directory
 
-This article describes how to create new custom roles in Azure Active Directory (Azure AD). Custom roles can be created in the [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) tab on the Azure AD overview page. The role can be assigned either at the directory-level scope or an app registration resource scope only.
+This article describes how to create new custom roles in Azure Active Directory (Azure AD). For the basics of custom roles, see the [custom roles overview](roles-custom-overview.md). The role can be assigned either at the directory-level scope or an app registration resource scope only.
 
-For more information, see the [custom roles overview](roles-custom-overview.md) for the basics of custom roles.
+Custom roles can be created in the [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) tab on the Azure AD overview page.
 
-## Using the Azure AD portal
+## Create a role in the Azure portal
 
 ### Create a new custom role to grant access to manage app registrations
 
@@ -45,22 +45,7 @@ For more information, see the [custom roles overview](roles-custom-overview.md)
 
 Your custom role will show up in the list of available roles to assign.
 
-## Assign a role scoped to a resource
-
-Like built-in roles, custom roles can be assigned at organization-wide scope to grant access over all app registrations. But custom roles can also be assigned at resource scope. This allows you to give the assignee the permission to update credentials and basic properties of a single app without having to create a second custom role.
-
-1. If not already, sign in to the [Azure AD admin center](https://aad.portal.azure.com) with Application developer permissions in the Azure AD organization.
-1. Select **App registrations**.
-1. Select the app registration to which you are granting access to manage. You might have to select **All applications** to see the complete list of app registrations in your Azure AD organization.
-
-    ![Select the app registration as a resource scope for a role assignment](./media/roles-create-custom/appreg-all-apps.png)
-
-1. In the app registration, select **Roles and administrators**. If you haven't already created one, instructions are in the [preceding procedure](#create-a-new-custom-role-to-grant-access-to-manage-app-registrations).
-
-1. Select the role to open the **Assignments** page.
-1. Select **Add assignment** to add a user. The user won't be granted any permissions over any app registration other than the selected one.
-
-## Create a custom role using Azure AD PowerShell
+## Create a role using PowerShell
 
 ### Prepare PowerShell
 
@@ -121,7 +106,7 @@ $resourceScope = '/' + $appRegistration.objectId
 $roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
 ```
 
-## Create a custom role using Microsoft Graph API
+## Create a role with Graph API
 
 1. Create the role definition.
 
@@ -172,6 +157,21 @@ $roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -Rol
    }
     ```
 
+## Assign a custom role scoped to a resource
+
+Like built-in roles, custom roles are assigned by default at the default organization-wide scope to grant access permissions over all app registrations in your organization. But unlike built-in roles, custom roles can also be assigned at the scope of a single Azure AD resource. This allows you to give the user the permission to update credentials and basic properties of a single app without having to create a second custom role.
+
+1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with Application developer permissions in the Azure AD organization.
+1. Select **App registrations**.
+1. Select the app registration to which you are granting access to manage. You might have to select **All applications** to see the complete list of app registrations in your Azure AD organization.
+
+    ![Select the app registration as a resource scope for a role assignment](./media/roles-create-custom/appreg-all-apps.png)
+
+1. In the app registration, select **Roles and administrators**. If you haven't already created one, instructions are in the [preceding procedure](#create-a-new-custom-role-to-grant-access-to-manage-app-registrations).
+
+1. Select the role to open the **Assignments** page.
+1. Select **Add assignment** to add a user. The user will be granted any permissions over only the selected app registration.
+
 ## Next steps
 
 - Feel free to share with us on the [Azure AD administrative roles forum](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=166032).

articles/active-directory/users-groups-roles/roles-custom-overview.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: users-groups-roles
 ms.topic: article
-ms.date: 07/31/2019
+ms.date: 09/04/2019
 ms.author: curtand
 ms.reviewer: vincesm
 ms.custom: it-pro
@@ -18,30 +18,31 @@ ms.collection: M365-identity-device-management
 
 # Custom administrator roles in Azure Active Directory (preview)
 
-This article describes how to understand the new custom roles-based access control (RBAC) and resource scopes in Azure Active Directory (Azure AD). Custom RBAC roles surfaces the underlying permissions of the [built-in roles](directory-assign-admin-roles.md) , so you can create and organize your own custom roles. This approach allows you to grant access in a more granular way than built-in roles, when needed. This first release of custom RBAC roles includes the ability to create a role to assign permissions for managing app registrations. Over time, additional permissions for organization resources like enterprise applications, users, and devices will be added.  
+This article describes how to understand Azure AD custom roles in Azure Active Directory (Azure AD) with roles-based access control and resource scopes. Custom Azure AD roles surface the underlying permissions of the [built-in roles](directory-assign-admin-roles.md), so that you can create and organize your own custom roles. This approach allows you to grant access in a more granular way than built-in roles, whenever they're needed. This first release of Azure AD custom roles includes the ability to create a role to assign permissions for managing app registrations. Over time, additional permissions for organization resources like enterprise applications, users, and devices will be added.  
 
-Additionally, custom RBAC roles support assignments on a per-resource basis, in addition to the more traditional organization-wide assignments. This approach gives you the ability to grant access to manage some resources (for example, one app registration) without giving access to all resources (all app registrations).
+Additionally, Azure AD custom roles support assignments on a per-resource basis, in addition to the more traditional organization-wide assignments. This approach gives you the ability to grant access to manage some resources (for example, one app registration) without giving access to all resources (all app registrations).
 
 Azure AD role-based access control is a public preview feature of Azure AD and is available with any paid Azure AD license plan. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
 ## Understand Azure AD role-based access control
 
-Granting permission using custom RBAC roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These permissions are the same permissions used in the built-in roles.  
+Granting permission using custom Azure AD roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These permissions are the same permissions used in the built-in roles.  
 
-Once you’ve created your role definition, you can assign it to someone by creating a role assignment. A role assignment grants someone the permissions in a role definition at a specific scope. This two-step process allows you to create one role definition and assign it many times at different scopes. A scope defines the set of resources the role member has access to. The most common scope is organization-wide (org-wide) scope. A custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all resources in the organization. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. This way the same role can be assigned to Sally over all applications in the organization and then Naveen over just the Contoso Expense Reports app.  
+Once you’ve created your role definition, you can assign it to a user by creating a role assignment. A role assignment grants the user the permissions in a role definition at a specified scope. This two-step process allows you to create a single role definition and assign it many times at different scopes. A scope defines the set of Azure AD resources the role member has access to. The most common scope is organization-wide (org-wide) scope. A custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all resources in the organization. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. The same role can be assigned to one user over all applications in the organization and then to another user with a scope of only the Contoso Expense Reports app.  
 
-Azure AD RBAC operates on concepts similar to [Azure role-based access control](../../role-based-access-control/overview.md). The difference being Azure RBAC controls access to Azure resources such as virtual machines and websites, and Azure AD RBAC controls access to Azure AD. Both systems leverage the concept of role definitions and role assignments.
+Azure AD built-in and custom roles operate on concepts similar to [Azure role-based access control](../../role-based-access-control/overview.md). The [difference between these two role-based access control systems](../../role-based-access-control/rbac-and-directory-admin-roles.md) is that Azure RBAC controls access to Azure resources such as virtual machines or storage using Azure Resource Management, and Azure AD custom roles control access to Azure AD resources using Graph API. Both systems leverage the concept of role definitions and role assignments.
 
 ### Role assignments
 
-A role assignment is the process of attaching a role definition to a user at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment. A role assignment consists of three elements:
-- User
+A role assignment is the object that attaches a role definition to a user at a particular scope to grant Azure AD resource access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment. At its core, a role assignment consists of three elements:
+
+- User (an individual who has a user profile in Azure Active Directory)
 - Role definition
 - Resource scope
 
-You can [create role assignments](roles-create-custom.md) using the Azure portal, Azure AD PowerShell, or Graph API. You can also [view the assignments for a custom role](roles-view-assignments.md#view-the-assignments-of-a-role-with-single-application-scope-using-the-azure-ad-portal-preview).
+You can [create role assignments](roles-create-custom.md) using the Azure portal, Azure AD PowerShell, or Graph API. You can also [view the assignments for a custom role](roles-view-assignments.md#view-the-assignments-of-a-role).
 
-The following diagram shows an example of a role assignment. In this example, Chris Green has been assigned the App registration administrator custom role at the scope of the Contoso Widget Builder app registration. This assignment grants Chris the permissions of the App registration administrator role only on this specific app registration.
+The following diagram shows an example of a role assignment. In this example, Chris Green has been assigned the App registration administrator custom role at the scope of the Contoso Widget Builder app registration. The assignment grants Chris the permissions of the App registration administrator role for only this specific app registration.
 
 ![Role assignment is how permissions are enforced and has three parts](./media/roles-custom-overview/rbac-overview.png)
 
@@ -53,7 +54,7 @@ A security principal represents the user that is to be assigned access to Azure
 
 A role definition, or role, is a collection of permissions. A role definition lists the operations that can be performed on Azure AD resources, such as create, read, update, and delete. There are two types of roles in Azure AD:
 
-- Built-in roles created by Microsoft that can't be changed. The Global administrator built-in role has all permissions on all Azure AD resources.
+- Built-in roles created by Microsoft that can't be changed.
 - Custom roles created and managed by your organization.
 
 ### Scope
@@ -62,7 +63,7 @@ A scope is the restriction of permitted actions to a particular Azure AD resourc
 
   > [!Note]
   > Custom roles can be assigned at directory scope and resource scoped. They cannot yet be assigned at Administrative Unit scope.
-  > Built-in roles can can be assigned at directory scope, and in some cases Administrative Unit scope. They cannot yet be assigned at object scope.
+  > Built-in roles can can be assigned at directory scope, and in some cases, Administrative Unit scope. They cannot yet be assigned at Azure AD resource scope.
 
 ## Required license plan
 
@@ -71,4 +72,4 @@ A scope is the restriction of permitted actions to a particular Azure AD resourc
 ## Next steps
 
 - Create custom role assignments using [the Azure portal, Azure AD PowerShell, and Graph API](roles-create-custom.md)
-- [View the assignments for a custom role](roles-view-assignments.md#view-the-assignments-of-a-role-with-single-application-scope-using-the-azure-ad-portal-preview)
+- [View the assignments for a custom role](roles-view-assignments.md#view-assignments-of-a-role-with-single-application-scope-preview)

articles/active-directory/users-groups-roles/roles-delegate-app-roles.md

@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: users-groups-roles
 ms.topic: article
-ms.date: 08/06/2019
+ms.date: 09/04/2019
 ms.author: curtand
 ms.reviewer: vincesm
 ms.custom: it-pro
@@ -22,7 +22,7 @@ ms.collection: M365-identity-device-management
 
 # Delegate app registration permissions in Azure Active Directory
 
-This article describes how to use app permissions in custom roles in Azure Active Directory (Azure AD) to address your application management needs. Azure Active Directory (Azure AD) allows you to delegate Application creation and management permissions in the following ways:
+This article describes how to use permissions granted by custom roles in Azure Active Directory (Azure AD) to address your application management needs. In Azure AD, you can delegate Application creation and management permissions in the following ways:
 
 - [Restricting who can create applications](#restrict-who-can-create-applications) and manage the applications they create. By default in Azure AD, all users can register application registrations and manage all aspects of applications they create. This can be restricted to only allow selected people that permission.
 - [Assigning one or more owners to an application](#assign-application-owners). This is a simple way to grant someone the ability to manage all aspects of Azure AD configuration for a specific application.
@@ -38,7 +38,7 @@ By default in Azure AD, all users can register application registrations and man
 ### To disable the default ability to create application registrations or consent to applications
 
 1. Sign in to your Azure AD organization with an account that eligible for the Global administrator role in your Azure AD organization.
-1. When you have obtained sufficient permissions, set one or both of the following:
+1. Set one or both of the following:
 
     - On the [User settings page for your organization](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings), set the **Users can register applications** setting to No. This will disable the default ability for users to create application registrations.
     - On the [user settings for enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/), set the **Users can consent to applications accessing company data on their behalf** setting to No. This will disable the default ability for users to consent to applications accessing company data on their behalf.