Commit 4f185f9

Merge pull request #162921 from MicrosoftDocs/master
Merge Master to Live, 4 AM
2 parents 6a3096e + 2b8cd21 commit 4f185f9

173 files changed

+1927
-646
lines changed

.openpublishing.redirection.json

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -31371,18 +31371,18 @@
3137131371
"redirect_document_id": false
3137231372
},
3137331373
{
31374-
"source_path_from_root": "/articles/articles/mysql/concepts-data-access-and-security-threat-protection.md",
31375-
"redirect_url": "/azure/security-center/defender-for-databases-introduction",
31374+
"source_path_from_root": "/articles/mysql/concepts-data-access-and-security-threat-protection.md",
31375+
"redirect_url": "/azure/security-center/defender-for-databases-usage",
3137631376
"redirect_document_id": false
3137731377
},
3137831378
{
3137931379
"source_path_from_root": "/articles/mariadb/concepts-data-access-and-security-threat-protection.md",
31380-
"redirect_url": "/azure/security-center/defender-for-databases-introduction",
31380+
"redirect_url": "/azure/security-center/defender-for-databases-usage",
3138131381
"redirect_document_id": false
3138231382
},
3138331383
{
3138431384
"source_path_from_root": "/articles/postgresql/concepts-data-access-and-security-threat-protection.md",
31385-
"redirect_url": "/azure/security-center/defender-for-databases-introduction",
31385+
"redirect_url": "/azure/security-center/defender-for-databases-usage",
3138631386
"redirect_document_id": false
3138731387
},
3138831388
{
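Review bot: the mysql entry's source path loses a doubled `/articles/articles/` segment, which is the right fix: the old key could never match a real source file, so that redirect was dead. Worth scanning the rest of this file for the same doubled prefix, since the same typo would silently disable any other redirect it appears in. The three target changes to `defender-for-databases-usage` are consistent across the mysql, mariadb and postgresql entries.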
@@ -64673,6 +64673,11 @@
6467364673
"source_path_from_root": "/articles/storage/files/storage-troubleshoot-cannot-delete-files-azure-file-share.md",
6467464674
"redirect_url": "/azure/storage/files/storage-troubleshoot-windows-file-connection-problems#unable-to-modify-moverename-or-delete-a-file-or-directory",
6467564675
"redirect_document_id": false
64676+
},
64677+
{
64678+
"source_path_from_root": "/articles/cognitive-services/metrics-advisor/how-tos/diagnose-incident.md",
64679+
"redirect_url": "/azure/cognitive-services/metrics-advisor/how-tos/diagnose-an-incident",
64680+
"redirect_document_id": false
6467664681
}
6467764682
]
6467864683
}
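Review bot: the new metrics-advisor entry is inserted before the closing object and keeps `"redirect_document_id": false`, consistent with its neighbours; the target `diagnose-an-incident` must exist in this same commit, otherwise the redirect lands on a 404.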

articles/active-directory-b2c/authorization-code-flow.md

Lines changed: 2 additions & 2 deletions
@@ -8,7 +8,7 @@ manager: celestedg
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: conceptual
11-
ms.date: 05/04/2021
11+
ms.date: 06/18/2021
1212
ms.author: mimart
1313
ms.subservice: B2C
1414
ms.custom: fasttrack-edit
@@ -62,7 +62,7 @@ client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6
6262
| client_id |Required |The application ID assigned to your app in the [Azure portal](https://portal.azure.com). |
6363
| response_type |Required |The response type, which must include `code` for the authorization code flow. |
6464
| redirect_uri |Required |The redirect URI of your app, where authentication responses are sent and received by your app. It must exactly match one of the redirect URIs that you registered in the portal, except that it must be URL-encoded. |
65-
| scope |Required |A space-separated list of scopes. A single scope value indicates to Azure Active Directory (Azure AD) both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID. The `offline_access` scope indicates that your app needs a refresh token for long-lived access to resources. You also can use the `openid` scope to request an ID token from Azure AD B2C. |
65+
| scope |Required |A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application will need a *refresh token* for extended access to resources. The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources, such as a web API. For more information, see [Request an access token](access-tokens.md#scopes). |
6666
| response_mode |Recommended |The method that you use to send the resulting authorization code back to your app. It can be `query`, `form_post`, or `fragment`. |
6767
| state |Recommended |A value included in the request that can be a string of any content that you want to use. Usually, a randomly generated unique value is used, to prevent cross-site request forgery attacks. The state also is used to encode information about the user's state in the app before the authentication request occurred. For example, the page the user was on, or the user flow that was being executed. |
6868
| prompt |Optional |The type of user interaction that is required. Currently, the only valid value is `login`, which forces the user to enter their credentials on that request. Single sign-on will not take effect. |
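Review bot: the rewritten scope row reads "The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources" with no noun after the placeholder; suggest "The `https://{tenant-name}/{app-id-uri}/{scope}` scope indicates ..." or "A value of the form ... indicates ...". The removed text also explained that passing the client ID as the scope requests an access token for the app's own API; if that behaviour still holds, it should be preserved here or explicitly covered by the linked "Request an access token" section rather than dropped silently.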

articles/active-directory-b2c/conditional-access-technical-profile.md

Lines changed: 3 additions & 3 deletions
@@ -9,7 +9,7 @@ manager: celestedg
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: reference
12-
ms.date: 05/13/2021
12+
ms.date: 06/18/2021
1313
ms.author: mimart
1414
ms.subservice: B2C
1515
---
@@ -69,8 +69,8 @@ The **OutputClaims** element contains a list of claims generated by the Conditio
6969

7070
| ClaimReferenceId | Required | Data Type | Description |
7171
| --------- | -------- | ----------- |----------- |
72-
| Challenges | Yes |stringCollection | List of actions to remediate the identified threat. Possible values: `block` |
73-
| MultiConditionalAccessStatus | Yes | stringCollection | |
72+
| Challenges | Yes |stringCollection | List of actions to remediate the identified threat. Possible values: `block` , `mfa`, and `chg_pwd`. |
73+
| MultiConditionalAccessStatus | Yes | stringCollection | The status of conditional access evaluation. |
7474

7575
The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
7676

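Review bot: the Challenges row has a stray space before the comma in "`block` , `mfa`". Now that MultiConditionalAccessStatus has a description, it would help to list its possible values the way the Challenges row does, since a policy author branching on this claim needs the exact strings.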
articles/active-directory-b2c/openid-connect.md

Lines changed: 3 additions & 3 deletions
@@ -8,7 +8,7 @@ manager: celestedg
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: conceptual
11-
ms.date: 03/15/2021
11+
ms.date: 06/18/2021
1212
ms.author: mimart
1313
ms.subservice: B2C
1414
ms.custom: fasttrack-edit
@@ -51,7 +51,7 @@ client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6
5151
| client_id | Yes | The application ID that the [Azure portal](https://portal.azure.com/) assigned to your application. |
5252
| nonce | Yes | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |
5353
| response_type | Yes | Must include an ID token for OpenID Connect. If your web application also needs tokens for calling a web API, you can use `code+id_token`. |
54-
| scope | Yes | A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application will need a *refresh token* for extended access to resources. |
54+
| scope | Yes | A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application will need a *refresh token* for extended access to resources. The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources, such as a web API. For more information, see [Request an access token](access-tokens.md#scopes). |
5555
| prompt | No | The type of user interaction that's required. The only valid value at this time is `login`, which forces the user to enter their credentials on that request. |
5656
| redirect_uri | No | The `redirect_uri` parameter of your application, where authentication responses can be sent and received by your application. It must exactly match one of the `redirect_uri` parameters that you registered in the Azure portal, except that it must be URL encoded. |
5757
| response_mode | No | The method that is used to send the resulting authorization code back to your application. It can be either `query`, `form_post`, or `fragment`. The `form_post` response mode is recommended for best security. |
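Review bot: same wording issue as the matching row in authorization-code-flow.md: "The `https://{tenant-name}/{app-id-uri}/{scope}` indicates" is missing a noun after the placeholder. Since both files now carry an identical scope description, a shared include would keep them from drifting apart again.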
@@ -292,4 +292,4 @@ To set the required ID Token in logout requests, see [Configure session behavior
292292

293293
## Next steps
294294

295-
- Learn more about [Azure AD B2C session](session-behavior.md).
295+
- Learn more about [Azure AD B2C session](session-behavior.md).
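Review bot: the removed and added lines are visually identical, so this hunk changes only whitespace or the end-of-file newline; fine if intentional, but it would be cleaner kept out of a content change.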

articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md

Lines changed: 12 additions & 24 deletions
@@ -13,7 +13,7 @@ ms.date: 09/24/2018
1313
ms.author: kkrishna
1414
ms.reviewer: jmprieur
1515
ms.custom: aaddev
16-
#Customer intent: As a tenant administrator, I want to restrict an application that I have registered in Azure AD to a select set of users available in my Azure AD tenant
16+
#Customer intent: As a tenant administrator, I want to restrict an application that I have registered in Azuren-e AD to a select set of users available in my Azure AD tenant
1717
---
1818
# How to: Restrict your Azure AD app to a set of users in an Azure AD tenant
1919

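Review bot: the updated Customer intent line introduces a typo, "Azuren-e AD", where the removed line correctly read "Azure AD"; revert that word.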
@@ -36,46 +36,34 @@ The option to restrict an app to a specific set of users or security groups in a
3636
> [!NOTE]
3737
> This feature is available for web app/web API and enterprise applications only. Apps that are registered as [native](./quickstart-register-app.md) cannot be restricted to a set of users or security groups in the tenant.
3838
39-
## Update the app to enable user assignment
39+
## Update the app to require user assignment
4040

41-
There are two ways to create an application with enabled user assignment. One requires the **Global Administrator** role, the second does not.
41+
To update an application to require user assignment, you must be owner of the application under Enterprise apps, or be assigned one of **Global administrator**, **Application administrator** or **Cloud application administrator** directory roles.
4242

43-
### Enterprise applications (requires the Global Administrator role)
44-
45-
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a> as a **Global Administrator**.
43+
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
4644
1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
4745
1. Search for and select **Azure Active Directory**.
4846
1. Under **Manage**, select **Enterprise Applications** > **All applications**.
49-
1. Select the application you want to assign a user or a security group to from the list.
50-
Use the filters at the top of the window to search for a specific application.
47+
1. Select the application you want to configure to require assignment. Use the filters at the top of the window to search for a specific application.
5148
1. On the application's **Overview** page, under **Manage**, select **Properties**.
52-
1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users in the tenant must first be assigned to this application or they won't be able to sign-in to this application.
49+
1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users and services attempting to access the application or services must first be assigned for this application, or they won't be able to sign-in or obtain an access token.
5350
1. Select **Save**.
5451

55-
### App registration
56-
57-
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
58-
1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
59-
1. Search for and select **Azure Active Directory**.
60-
1. Under **Manage**, select **App registrations**.
61-
1. Create or select the app you want to manage. You need to be the **Owner** of this application.
62-
1. On the application's **Overview** page, select the **Managed application in local directory** link in the **Essentials** section.
63-
1. Under **Manage**, select **Properties**.
64-
1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users in the tenant must first be assigned to this application or they won't be able to sign-in to this application.
65-
1. Select **Save**.
52+
> [!NOTE]
53+
> When an application requires assignment, user consent for that application is not allowed. This is true even if users consent for that app would have otherwise been allowed. Be sure to [grant tenant-wide admin consent](../manage-apps/grant-admin-consent.md) to apps that require assignment.
6654
67-
## Assign users and groups to the app
55+
## Assign the app to users and groups
6856

69-
Once you've configured your app to enable user assignment, you can go ahead and assign users and groups to the app.
57+
Once you've configured your app to enable user assignment, you can go ahead and assign the app to users and groups.
7058

7159
1. Under **Manage**, select the **Users and groups** > **Add user/group** .
7260
1. Select the **Users** selector.
7361

7462
A list of users and security groups will be shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.
7563

7664
1. Once you are done selecting the users and groups, select **Select**.
77-
1. (Optional) If you have defined App roles in your application, you can use the **Select role** option to assign the selected users and groups to one of the application's roles.
78-
1. Select **Assign** to complete the assignments of users and groups to the app.
65+
1. (Optional) If you have defined app roles in your application, you can use the **Select role** option to assign the app role to the selected users and groups.
66+
1. Select **Assign** to complete the assignments of the app to the users and groups.
7967
1. Confirm that the users and groups you added are showing up in the updated **Users and groups** list.
8068

8169
## More information
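Review bot: the sentence under "Assign the app to users and groups" still says "configured your app to enable user assignment" although the section above was renamed to "require user assignment"; align the wording. In the roles sentence, "you must be owner of the application" should read "an owner". The rewritten step "users and services attempting to access the application or services must first be assigned for this application" is hard to parse; suggest "users and service principals must first be assigned to the application, or they will not be able to sign in or obtain an access token". The added note on tenant-wide admin consent is a useful addition, since requiring assignment disables user consent for the app.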

articles/active-directory/external-identities/add-users-administrator.md

Lines changed: 1 addition & 1 deletion
@@ -46,7 +46,7 @@ To add B2B collaboration users to the directory, follow these steps:
4646
- **Email address (required)**. The email address of the guest user.
4747
- **Personal message (optional)** Include a personal welcome message to the guest user.
4848
- **Groups**: You can add the guest user to one or more existing groups, or you can do it later.
49-
- **Roles**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role by selecting **User** next to **Roles**.
49+
- **Roles**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role by selecting **User** next to **Roles**. [Learn more](/azure/role-based-access-control/role-assignments-external-users) about Azure roles for external guest users.
5050

5151
> [!NOTE]
5252
> Group email addresses aren’t supported; enter the email address for an individual. Also, some email providers allow users to add a plus symbol (+) and additional text to their email addresses to help with things like inbox filtering. However, Azure AD doesn’t currently support plus symbols in email addresses. To avoid delivery issues, omit the plus symbol and any characters following it up to the @ symbol.

articles/active-directory/reports-monitoring/overview-sign-in-diagnostics.md

Lines changed: 49 additions & 1 deletion
@@ -15,7 +15,7 @@ ms.topic: overview
1515
ms.tgt_pltfrm: na
1616
ms.workload: identity
1717
ms.subservice: report-monitor
18-
ms.date: 12/15/2020
18+
ms.date: 06/18/2021
1919
ms.author: markvi
2020
ms.reviewer: tspring
2121

@@ -170,6 +170,54 @@ In this scenario, sign-in events weren't interrupted by conditional access or mu
170170

171171
This diagnostic scenario provides details about user sign-in events that were expected to be interrupted due to conditional access policies or multifactor authentication.
172172

173+
174+
### The account is locked
175+
176+
In this scenario, a user signed-in with incorrect credentials too many times.
177+
178+
This diagnostic scenario provides details about the apps, the number of attempts, the device used, the operating system and the IP address.
179+
180+
### Incorrect Credentials Invalid username or password
181+
182+
In this scenario, a user tried to sign-in using an invalid username or password.
183+
184+
This diagnostic scenario provides details about the apps, the number of attempts, the device used, the operating system and the IP address.
185+
186+
### Enterprise apps service provider
187+
188+
In this scenario, a user tried to sign-in to an app, which failed due to a problem with the service provider problem.
189+
190+
### Enterprise apps configuration
191+
192+
In this scenario, a sign-in failed due to an application configuration issue.
193+
194+
#### Error code insights
195+
196+
When an event does not have a contextual analysis in the Sign-in Diagnostic an updated error code explanation and relevant content may be shown. The error code insights will contain detailed text about the scenario, how to remediate the problem and any content to read regarding the problem.
197+
198+
#### Legacy Authentication
199+
200+
This diagnostics scenario diagnosis a sign-in event which was blocked or interrupted since the client was attempting to use Basic (also known as Legacy) Authentication.
201+
202+
Preventing legacy authentication sign-in is recommended as a best practice for security. Legacy authentication protocols like POP, SMTP, IMAP, and MAPI cannot enforce Multi-Factor Authentication (MFA) which makes them preferred entry points for adversaries to attack your organization.
203+
204+
#### B2B Blocked Sign-in
205+
206+
This diagnostic scenario detects a blocked or interrupted sign-in due to the user being from another organization-a B2B sign-in-where a Conditional Access policy requires that the clients device is joined to the resource tenant.
207+
208+
#### Blocked by Risk Policy
209+
210+
This scenario is where Identity Protection Policy blocks a sign-in attempt due to the sign-in attempt having been identified as risky.
211+
212+
### Security Defaults
213+
214+
This scenario covers sign-in events where the user’s sign-in was interrupted due to Security Defaults settings. Security Defaults enforce best practice security for your organization and will require Multi-Factor Authentication (MFA) to be configured and used in many scenarios to prevent password sprays, replay attacks and phishing attempts from being successful.
215+
216+
217+
218+
219+
220+
173221
## Next steps
174222

175223
- [What are Azure Active Directory reports?](overview-reports.md)
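Review bot: heading levels in the added block are inconsistent: "Error code insights", "Legacy Authentication", "B2B Blocked Sign-in" and "Blocked by Risk Policy" are H4 (####) nested under "Enterprise apps configuration", while "Security Defaults" returns to H3; they read as sibling scenarios and should all be H3. Wording fixes: "Incorrect Credentials Invalid username or password" needs a separator ("Incorrect credentials: invalid username or password"); "a problem with the service provider problem" repeats "problem"; "This diagnostics scenario diagnosis a sign-in event" should be "diagnoses"; "clients device" should be "client's device"; and "organization-a B2B sign-in-where" uses hyphens as dashes, better written "from another organization (a B2B sign-in) where". The five empty lines added before "## Next steps" should collapse to one.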

articles/active-directory/roles/delegate-by-task.md

Lines changed: 1 addition & 1 deletion
@@ -221,7 +221,7 @@ In this article, you can find the information needed to restrict a user's admini
221221
> [!div class="mx-tableFixed"]
222222
> | Task | Least privileged role | Additional roles |
223223
> | ---- | --------------------- | ---------------- |
224-
> | Read sign-in logs | Reports Reader | Security Reader<br/>Security Administrator |
224+
> | Read sign-in logs | Reports Reader | Security Reader<br/>Security Administrator<br/> Global Reader |
225225
226226
## Multi-factor authentication
227227

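Review bot: the added cell has a stray space after the line break in "`<br/> Global Reader`"; drop the space so it matches the other entries in the column.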