Merge pull request #111487 from MicrosoftDocs/master

4/15 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -50091,6 +50091,11 @@
       "redirect_url": "/azure/cognitive-services/speech-service",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/hdinsight/spark/azure-synapse-analytics-job-definition.md",
+      "redirect_url": "../../synapse-analytics/spark/apache-spark-job-definitions.md",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/media-services/latest/access-api-portal.md",
       "redirect_url": "/azure/media-services/latest/access-api-howto",
@@ -50784,6 +50789,11 @@
       "source_path": "articles/security/fundamentals/database-security-overview.md",
       "redirect_url": "/azure/sql-database/sql-database-security-overview",
       "redirect_document_id": false
+    },
+	{
+      "source_path": "articles/azure-monitor/insights/key-vault-insights-overview.md",
+      "redirect_url": "/azure/azure-monitor/overview",
+      "redirect_document_id": false
     },
     {
       "source_path": "articles/security/fundamentals/database-best-practices.md",

.vscode/settings.json

@@ -62,4 +62,4 @@
         "auditd"
     ],
     "git.ignoreLimitWarning": true
-}
+}

articles/active-directory-b2c/custom-policy-get-started.md

@@ -112,7 +112,7 @@ Next, expose the API by adding a scope:
 1. In **App registrations (Legacy)**, select **New application registration**.
 1. For **Name**, enter `ProxyIdentityExperienceFramework`.
 1. For **Application type**, choose **Native**.
-1. For **Redirect URI**, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com`, where `your-tenant-name` is your Azure AD B2C tenant.
+1. For **Redirect URI**, enter `myapp://auth`.
 1. Select **Create**. After it's created, copy the application ID and save it to use later.
 1. Select **Settings**, then select **Required permissions**, and then select **Add**.
 1. Choose **Select an API**, search for and select **IdentityExperienceFramework**, and then click **Select**.
@@ -125,7 +125,7 @@ Next, expose the API by adding a scope:
 1. For **Name**, enter `ProxyIdentityExperienceFramework`.
 1. Under **Supported account types**, select **Accounts in this organizational directory only**.
 1. Under **Redirect URI**, use the drop-down to select **Public client/native (mobile & desktop)**.
-1. For **Redirect URI**, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com`, where `your-tenant-name` is your Azure AD B2C tenant.
+1. For **Redirect URI**, enter `myapp://auth`.
 1. Under **Permissions**, select the *Grant admin consent to openid and offline_access permissions* check box.
 1. Select **Register**.
 1. Record the **Application (client) ID** for use in a later step.

articles/active-directory/b2b/invitation-email-elements.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 02/06/2019
+ms.date: 04/15/2020
 
 ms.author: mimart
 author: msmimart

articles/active-directory/b2b/media/invitation-email-elements/invitation-email.png

@@ -116,7 +116,7 @@ If you are migrating from AD FS (or other federation technologies) to Pass-throu
 
 ## Can I use Pass-through Authentication in a multi-forest Active Directory environment?
 
-Yes. Multi-forest environments are supported if there are forest trusts between your Active Directory forests and if name suffix routing is correctly configured.
+Yes. Multi-forest environments are supported if there are forest trusts (two-way) between your Active Directory forests and if name suffix routing is correctly configured.
 
 ## Does Pass-through Authentication provide load balancing across multiple Authentication Agents?
 

articles/active-directory/b2b/media/invitation-email-elements/invitation-message.png

@@ -58,11 +58,6 @@ When UserPrincipalName (UPN)/Alternate Login ID suffix is not verified with the
 
 ![Azure AD replaces UPN](media/tshoot-connect-objectsync/objsynch2.png)
 
-### Changing UPN Suffix from one federated domain to another federated domain
-Azure Active Directory does not allow the synchronization of UserPrincipalName (UPN)/Alternate Login ID suffix change from one federated domain to another federated domain. This applies to domains, that are verified with the Azure AD Tenant and have the Authentication Type as Federated.
-
-![No UPN synch from one federated domain to another](media/tshoot-connect-objectsync/objsynch3.png) 
-
 ### Azure AD Tenant DirSync Feature ‘SynchronizeUpnForManagedUsers’ is disabled
 When the Azure AD Tenant DirSync Feature ‘SynchronizeUpnForManagedUsers’ is disabled, Azure Active Directory does not allow synchronization updates to UserPrincipalName/Alternate Login ID for licensed user accounts with managed authentication.
 

articles/active-directory/hybrid/how-to-connect-pta-faq.md

@@ -47,21 +47,70 @@ When the installation of a connector fails, the root cause is usually one of the
 
 3.  Open a browser (separate tab) and go to the following web page: `https://login.microsoftonline.com`, make sure that you can login to that page.
 
-## Verify Machine and backend components support for Application Proxy trust cert
+## Verify Machine and backend components support for Application Proxy trust certificate
 
-**Objective:** Verify that the connector machine, backend proxy and firewall can support the certificate created by the connector for future trust.
+**Objective:** Verify that the connector machine, backend proxy and firewall can support the certificate created by the connector for future trust and that the certificate is valid.
 
 >[!NOTE]
 >The connector tries to create a SHA512 cert that is supported by TLS1.2. If the machine or the backend firewall and proxy does not support TLS1.2, the installation fails.
 >
 >
 
-**To resolve the issue:**
+**Review the pre-requisites required:**
 
 1.  Verify the machine supports TLS1.2 – All Windows versions after 2012 R2 should support TLS 1.2. If your connector machine is from a version of 2012 R2 or prior, make sure that the following KBs are installed on the machine: <https://support.microsoft.com/help/2973337/sha512-is-disabled-in-windows-when-you-use-tls-1.2>
 
 2.  Contact your network admin and ask to verify that the backend proxy and firewall do not block SHA512 for outgoing traffic.
 
+**To verify the client certificate:**
+
+Verify the thumbprint of the current client certificate. The certificate store can be found in %ProgramData%\microsoft\Microsoft AAD Application Proxy Connector\Config\TrustSettings.xml
+
+```
+<?xml version="1.0" encoding="utf-8"?>
+<ConnectorTrustSettingsFile xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <CloudProxyTrust>
+    <Thumbprint>4905CC64B2D81BBED60962ECC5DCF63F643CCD55</Thumbprint>
+    <IsInUserStore>false</IsInUserStore>
+  </CloudProxyTrust>
+</ConnectorTrustSettingsFile>
+```
+
+Here are the possible **IsInUserStore** values and meanings:
+
+- **false** - The client certificate was created during the installation or registration initiated by Register-AppProxyConnector command. It is stored in the personal container in the certificate store of the local machine. 
+
+Follow the steps to verify the certificate:
+
+1. Run **certlm.msc**
+2. In the management console expand the Personal container and click on Certificates
+3. Locate the certificate issued by **connectorregistrationca.msappproxy.net**
+
+- **true** - The automatically renewed certificate is stored in the personal container in the user certificate store of the Network Service. 
+
+Follow the steps to verify the certificate:
+
+1. Download [PsTools.zip](https://docs.microsoft.com/sysinternals/downloads/pstools)
+2. Extract [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) from the package and run **psexec -i -u "nt authority\network service" cmd.exe** from an elevated command prompt.
+3. Run **certmgr.msc** in the newly appeared command prompt
+2. In the management console expand the Personal container and click on Certificates
+3. Locate the certificate issued by **connectorregistrationca.msappproxy.ne
+
+**To renew the client certificate:**
+
+If a connector is not connected to the service for several months, its certificates may be outdated. The failure of the certificate renewal leads to an expired certificate. This makes the connector service to stop working. The event 1000 is recorded in the admin log of the connector:
+
+"Connector re-registration failed: The Connector trust certificate expired. Run the PowerShell cmdlet Register-AppProxyConnector on the computer on which the Connector is running to re-register your Connector."
+
+In this case, uninstall and reinstall the connector to trigger registration or you can run the following PowerShell commands:
+
+```
+Import-module AppProxyPSModule
+Register-AppProxyConnector
+```
+
+To learn more about the Register-AppProxyConnector command, please see [Create an unattended installation script for the Azure AD Application Proxy connector](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-register-connector-powershell)
+
 ## Verify admin is used to install the connector
 
 **Objective:** Verify that the user who tries to install the connector is an administrator with correct credentials. Currently, the user must be at least an application administrator for the installation to succeed.

articles/active-directory/hybrid/tshoot-connect-objectsync.md

@@ -113,7 +113,7 @@ The wildcard application is represented with just one tile in the [MyApps panel]
 
 ### Kerberos constrained delegation
 
-For applications using [kerberos constrained delegation (KCD) as the SSO method](application-proxy-configure-single-sign-on-with-kcd.md), the SPN listed for the SSO method may also need a wildcard. For example, the SPN could be: `HTTP/*.adventure-works.com`. You still need to have the individual SPNs configured on your backend servers (for example, `http://expenses.adventure-works.com and HTTP/travel.adventure-works.com`).
+For applications using [kerberos constrained delegation (KCD) as the SSO method](application-proxy-configure-single-sign-on-with-kcd.md), the SPN listed for the SSO method may also need a wildcard. For example, the SPN could be: `HTTP/*.adventure-works.com`. You still need to have the individual SPNs configured on your backend servers (for example, `HTTP/expenses.adventure-works.com and HTTP/travel.adventure-works.com`).
 
 ## Scenario 1: General wildcard application