Merge pull request #103290 from MicrosoftDocs/master

2/4 AM Publish again

Author: huypub

.openpublishing.redirection.json

@@ -47875,6 +47875,24 @@
       "source_path":  "articles/cognitive-services/speech-service/quickstart-platform-python.md",
       "redirect_url": "/azure/cognitive-services/speech-service/quickstarts/setup-platform?pivots=programming-language-python",
       "redirect_document_id": false
+    },
+    {
+       "source_path": "articles/cognitive-services/Bing-News-Search/vs-bing-news-search-connected-service.md",
+       "redirect_url": "/azure/cognitive-services/bing-news-search/search-the-web",
+       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cognitive-services/Computer-vision/vs-computer-vision-connected-service.md",
+      "redirect_url": "/azure/cognitive-services/computer-vision/",
+      "redirect_document_id": false
+    },    {
+      "source_path": "articles/cognitive-services/Face/vs-face-connected-service.md",
+      "redirect_url": "/azure/cognitive-services/face/",
+      "redirect_document_id": false
+    },    {
+      "source_path": "articles/cognitive-services/text-analytics/vs-text-connected-service.md",
+      "redirect_url": "/azure/cognitive-services/text-analytics/",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory-b2c/contentdefinitions.md

@@ -142,11 +142,11 @@ The ID attribute of the **ContentDefinition** element specifies the type of page
 | **api.error** | [exception.cshtml](https://login.microsoftonline.com/static/tenant/default/exception.cshtml) | **Error page** - Displays an error page when an exception or an error is encountered. |
 | **api.idpselections** | [idpSelector.cshtml](https://login.microsoftonline.com/static/tenant/default/idpSelector.cshtml) | **Identity provider selection page** - Lists identity providers that users can choose from during sign-in. The options are usually enterprise identity providers, social identity providers such as Facebook and Google+, or local accounts. |
 | **api.idpselections.signup** | [idpSelector.cshtml](https://login.microsoftonline.com/static/tenant/default/idpSelector.cshtml) | **Identity provider selection for sign-up** - Lists identity providers that users can choose from during sign-up. The options are usually enterprise identity providers, social identity providers such as Facebook and Google+, or local accounts. |
-| **api.localaccountpasswordreset** | [selfasserted.html](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml) | **Forgot password page** - Displays a form that users must complete to initiate a password reset. |
-| **api.localaccountsignin** | [selfasserted.html](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml) | **Local account sign-in page** - Displays a form for signing in with a local account that's based on an email address or a user name. The form can contain a text input box and password entry box. |
-| **api.localaccountsignup** | [selfasserted.html](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml) | **Local account sign-up page** - Displays a form for signing up for a local account that's based on an email address or a user name. The form can contain various input controls, such as: a text input box, a password entry box, a radio button, single-select drop-down boxes, and multi-select check boxes. |
+| **api.localaccountpasswordreset** | [selfasserted.cshtml](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml) | **Forgot password page** - Displays a form that users must complete to initiate a password reset. |
+| **api.localaccountsignin** | [selfasserted.cshtml](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml) | **Local account sign-in page** - Displays a form for signing in with a local account that's based on an email address or a user name. The form can contain a text input box and password entry box. |
+| **api.localaccountsignup** | [selfasserted.cshtml](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml) | **Local account sign-up page** - Displays a form for signing up for a local account that's based on an email address or a user name. The form can contain various input controls, such as: a text input box, a password entry box, a radio button, single-select drop-down boxes, and multi-select check boxes. |
 | **api.phonefactor** | [multifactor-1.0.0.cshtml](https://login.microsoftonline.com/static/tenant/default/multifactor-1.0.0.cshtml) | **Multi-factor authentication page** - Verifies phone numbers, by using text or voice, during sign-up or sign-in. |
-| **api.selfasserted** | [selfasserted.html](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml) | **Social account sign-up page** - Displays a form that users must complete when they sign up by using an existing account from a social identity provider. This page is similar to the preceding social account sign up page, except for the password entry fields. |
-| **api.selfasserted.profileupdate** | [updateprofile.html](https://login.microsoftonline.com/static/tenant/default/updateProfile.cshtml) | **Profile update page** - Displays a form that users can access to update their profile. This page is similar to the social account sign up page, except for the password entry fields. |
-| **api.signuporsignin** | [unified.html](https://login.microsoftonline.com/static/tenant/default/unified.cshtml) | **Unified sign-up or sign-in page** - Handles the user sign-up and sign-in process. Users can use enterprise identity providers, social identity providers such as Facebook or Google+, or local accounts. |
+| **api.selfasserted** | [selfasserted.cshtml](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml) | **Social account sign-up page** - Displays a form that users must complete when they sign up by using an existing account from a social identity provider. This page is similar to the preceding social account sign up page, except for the password entry fields. |
+| **api.selfasserted.profileupdate** | [updateprofile.cshtml](https://login.microsoftonline.com/static/tenant/default/updateProfile.cshtml) | **Profile update page** - Displays a form that users can access to update their profile. This page is similar to the social account sign up page, except for the password entry fields. |
+| **api.signuporsignin** | [unified.cshtml](https://login.microsoftonline.com/static/tenant/default/unified.cshtml) | **Unified sign-up or sign-in page** - Handles the user sign-up and sign-in process. Users can use enterprise identity providers, social identity providers such as Facebook or Google+, or local accounts. |
 

articles/active-directory/authentication/concept-sspr-writeback.md

@@ -160,7 +160,7 @@ Passwords are *not* written back in any of the following situations:
    * Any administrator-initiated end-user password reset from the [Microsoft 365 admin center](https://admin.microsoft.com)
 
 > [!WARNING]
-> Use of the checkbox "User must change password at next logon" in on-premises Active Directory administrative tools like Active Directory Users and Computers or the Active Directory Administrative Center is supported as a preview feature of Azure AD Connect. For more information, see the article, [Implement password hash synchronization with Azure AD Connect sync](../hybrid/how-to-connect-password-hash-synchronization.md#public-preview-of-synchronizing-temporary-passwords-and-force-password-reset-on-next-logon).
+> Use of the checkbox "User must change password at next logon" in on-premises Active Directory administrative tools like Active Directory Users and Computers or the Active Directory Administrative Center is supported as a preview feature of Azure AD Connect. For more information, see the article, [Implement password hash synchronization with Azure AD Connect sync](../hybrid/how-to-connect-password-hash-synchronization.md#public-preview-of-synchronizing-temporary-passwords-and-force-password-change-on-next-logon).
 
 ## Next steps
 

articles/active-directory/cloud-provisioning/concept-attributes.md

@@ -69,7 +69,7 @@ To view the schema and verify it, follow these steps.
 1.  Go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
 1.  Sign in with your global administrator account.
 1.  On the left, select **modify permissions** and ensure that **Directory.ReadWrite.All** is *Consented*.
-1.  Run the query https://graph.microsoft.com/beta/serviceprincipals/. This query returns a list of service principals.
+1.  Run the query https://graph.microsoft.com/beta/serviceprincipals/?$filter=startswith(Displayname,'Active'). This query returns a filtered list of service principals.
 1.  Locate `"appDisplayName": "Active Directory to Azure Active Directory Provisioning"` and note the value for `"id"`.
     ```
     "value": [

articles/active-directory/cloud-provisioning/reference-cloud-provisioning-faq.md

@@ -26,6 +26,10 @@ Cloud provisioning is scheduled to run every 2 mins. Every 2 mins, any user, gro
 
 This is expected. The failures are due to the user object not present in Azure AD. Once the user is provisioned to Azure AD, password hashes should provisioning in the subsequent run. Wait for a couple of runs and confirm that password hash sync no longer has the errors.
 
+**Q: What happens if the Active Directory instance has attributes that are not supported by cloud provisoning (for instance, directory extensions)?**
+
+Cloud provisioning will run and provision the supported attributes. The unsupported attributes will not be provisioned to Azure AD. Review the directory extensions in Active Directory and ensure that you don't need those attribute to flow to Azure AD. If one or more attributes are required, consider using Azure AD Connect sync or moving the required information to one of the supported attributes (for instance, extension attributes 1-15).
+
 **Q: What's the difference between Azure AD Connect sync and cloud provisioning?**
 
 With Azure AD Connect sync, provisioning runs on the on-premises sync server. Configuration is stored on the on-premises sync server. With Azure AD Connect cloud provisioning, the provisioning configuration is stored in the cloud and runs in the cloud as part of the Azure AD provisioning service. 

articles/active-directory/cloud-provisioning/what-is-cloud-provisioning.md

@@ -42,6 +42,8 @@ The following table provides a comparison between Azure AD Connect and Azure AD
 | Support for contact objects |● |● |
 | Support for device objects |● | |
 | Allow basic customization for attribute flows |● |● |
+| Sychronize Exchange online attributes |● |● |
+| Synchronize extension attributes 1-15 |● |● |
 | Synchronize customer defined AD attributes (directory extensions) |● | |
 | Support for Password Hash Sync |●|●|
 | Support for Pass-Through Authentication |●||
@@ -56,7 +58,7 @@ The following table provides a comparison between Azure AD Connect and Azure AD
 | Allow advanced customization for attribute flows |● | |
 | Support for writeback (passwords, devices, groups) |● | |
 | Azure AD Domain Services support|● | |
-| Exchange hybrid configuration |● | |
+| [Exchange hybrid writeback](../hybrid/reference-connect-sync-attributes-synchronized.md#exchange-hybrid-writeback) |● | |
 | Support for more than 50,000 objects per AD domain |● | |
 
 ## Next steps 

articles/active-directory/develop/media/single-sign-on-macos-ios/keychain-example.png

@@ -14,7 +14,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 08/28/2019
+ms.date: 02/03/2020
 ms.author: twhitney
 ms.reviewer: 
 ms.custom: aaddev
@@ -67,9 +67,9 @@ For the Microsoft identity platform to know which applications can share tokens,
 
 The way the Microsoft identity platform tells apps that use the same Application ID apart is by their **Redirect URIs**. Each application can have multiple Redirect URIs registered in the onboarding portal. Each app in your suite will have a different redirect URI. For example:
 
-App1 Redirect URI: `msauth.com.contoso.mytestapp1://auth`
-App2 Redirect URI: `msauth.com.contoso.mytestapp2://auth`
-App3 Redirect URI: `msauth.com.contoso.mytestapp3://auth`
+App1 Redirect URI: `msauth.com.contoso.mytestapp1://auth`  
+App2 Redirect URI: `msauth.com.contoso.mytestapp2://auth`  
+App3 Redirect URI: `msauth.com.contoso.mytestapp3://auth`  
 
 > [!IMPORTANT]
 > The format of redirect uris must be compatible with the format MSAL supports, which is documented in [MSAL Redirect URI format requirements](redirect-uris-ios.md#msal-redirect-uri-format-requirements).
@@ -94,6 +94,18 @@ When you have the entitlements set up correctly, you'll see a `entitlements.plis
 </plist>
 ```
 
+#### Add a new keychain group
+
+Add a new keychain group to your project **Capabilities**. The keychain group should be:
+* `com.microsoft.adalcache` on iOS 
+* `com.microsoft.identity.universalstorage` on macOS.
+
+![keychain example](media/single-sign-on-macos-ios/keychain-example.png)
+
+For more information, see [keychain groups](howto-v2-keychain-objc.md).
+
+## Configure the application object
+
 Once you have the keychain entitlement enabled in each of your applications, and you're ready to use SSO, configure `MSALPublicClientApplication` with your keychain access group as in the following example:
 
 Objective-C:
@@ -111,17 +123,15 @@ Swift:
 ```swift
 let config = MSALPublicClientApplicationConfig(clientId: "<my-client-id>")
 config.cacheConfig.keychainSharingGroup = "my.keychain.group"
-        
+
 do {
-	let application = try MSALPublicClientApplication(configuration: config)
-  // continue on with application          
+   let application = try MSALPublicClientApplication(configuration: config)
+  // continue on with application
 } catch let error as NSError {
   // handle error here
-}       
+}
 ```
 
-
-
 > [!WARNING]
 > When you share a keychain across your applications, any application can delete users or even all of the tokens across your application.
 > This is particularly impactful if you have applications that rely on tokens to do background work.
@@ -204,7 +214,7 @@ func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>)
         MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: sourceApp)
     }
 ```
-    
+
 ## Next steps
 
-Learn more about [Authentication flows and application scenarios](authentication-flows-app-scenarios.md)
+Learn more about [Authentication flows and application scenarios](authentication-flows-app-scenarios.md)

articles/active-directory/develop/single-sign-on-macos-ios.md

@@ -119,7 +119,7 @@ Caveat: If there are synchronized accounts that need to have non-expiring passwo
 > [!NOTE]
 > This feature is in Public Preview right now.
 
-#### Public Preview of synchronizing temporary passwords and "Force Password Reset on Next Logon"
+#### Public Preview of synchronizing temporary passwords and "Force Password Change on Next Logon"
 
 It is typical to force a user to change their password during their first logon, especially after an admin password reset occurs.  It is commonly known as setting a "temporary" password and is completed by checking the "User must change password at next logon" flag on a user object in Active Directory (AD).
 

articles/active-directory/hybrid/how-to-connect-password-hash-synchronization.md

@@ -30,21 +30,21 @@ This table describes the ports and protocols that are required for communication
 | --- | --- | --- |
 | DNS |53 (TCP/UDP) |DNS lookups on the destination forest. |
 | Kerberos |88 (TCP/UDP) |Kerberos authentication to the AD forest. |
-| MS-RPC |135 (TCP/UDP) |Used during the initial configuration of the Azure AD Connect wizard when it binds to the AD forest, and also during Password synchronization. |
+| MS-RPC |135 (TCP) |Used during the initial configuration of the Azure AD Connect wizard when it binds to the AD forest, and also during Password synchronization. |
 | LDAP |389 (TCP/UDP) |Used for data import from AD. Data is encrypted with Kerberos Sign & Seal. |
-| SMB | 445 (TCP/UDP) |Used by Seamless SSO to create a computer account in the AD forest. |
+| SMB | 445 (TCP) |Used by Seamless SSO to create a computer account in the AD forest. |
 | LDAP/SSL |636 (TCP/UDP) |Used for data import from AD. The data transfer is signed and encrypted. Only used if you are using SSL. |
-| RPC |49152- 65535 (Random high RPC Port)(TCP/UDP) |Used during the initial configuration of Azure AD Connect when it binds to the AD forests, and during Password synchronization. See [KB929851](https://support.microsoft.com/kb/929851), [KB832017](https://support.microsoft.com/kb/832017), and [KB224196](https://support.microsoft.com/kb/224196) for more information. |
-|WinRM  | 5985 (TCP/UDP) |Only used if you are installing AD FS with gMSA by Azure AD Connect Wizard|
-|AD DS Web Services | 9389 (TCP/UDP) |Only used if you are installing AD FS with gMSA by Azure AD Connect Wizard |
+| RPC |49152- 65535 (Random high RPC Port)(TCP) |Used during the initial configuration of Azure AD Connect when it binds to the AD forests, and during Password synchronization. See [KB929851](https://support.microsoft.com/kb/929851), [KB832017](https://support.microsoft.com/kb/832017), and [KB224196](https://support.microsoft.com/kb/224196) for more information. |
+|WinRM  | 5985 (TCP) |Only used if you are installing AD FS with gMSA by Azure AD Connect Wizard|
+|AD DS Web Services | 9389 (TCP) |Only used if you are installing AD FS with gMSA by Azure AD Connect Wizard |
 
 ## Table 2 - Azure AD Connect and Azure AD
 This table describes the ports and protocols that are required for communication between the Azure AD Connect server and Azure AD.
 
 | Protocol | Ports | Description |
 | --- | --- | --- |
-| HTTP |80 (TCP/UDP) |Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates. |
-| HTTPS |443(TCP/UDP) |Used to synchronize with Azure AD. |
+| HTTP |80 (TCP) |Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates. |
+| HTTPS |443(TCP) |Used to synchronize with Azure AD. |
 
 For a list of URLs and IP addresses you need to open in your firewall, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
 
@@ -53,23 +53,23 @@ This table describes the ports and protocols that are required for communication
 
 | Protocol | Ports | Description |
 | --- | --- | --- |
-| HTTP |80 (TCP/UDP) |Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates. |
-| HTTPS |443(TCP/UDP) |Used to synchronize with Azure AD. |
+| HTTP |80 (TCP) |Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates. |
+| HTTPS |443(TCP) |Used to synchronize with Azure AD. |
 | WinRM |5985 |WinRM Listener |
 
 ## Table 4 - WAP and Federation Servers
 This table describes the ports and protocols that are required for communication between the Federation servers and WAP servers.
 
 | Protocol | Ports | Description |
 | --- | --- | --- |
-| HTTPS |443(TCP/UDP) |Used for authentication. |
+| HTTPS |443(TCP) |Used for authentication. |
 
 ## Table 5 - WAP and Users
 This table describes the ports and protocols that are required for communication between users and the WAP servers.
 
 | Protocol | Ports | Description |
 | --- | --- | --- |
-| HTTPS |443(TCP/UDP) |Used for device authentication. |
+| HTTPS |443(TCP) |Used for device authentication. |
 | TCP |49443 (TCP) |Used for certificate authentication. |
 
 ## Table 6a & 6b - Pass-through Authentication with Single Sign On (SSO) and Password Hash Sync with Single Sign On (SSO)