Merge pull request #115730 from MicrosoftDocs/master

5/19 PM Publish

Author: huypub

.openpublishing.redirection.json

@@ -1,5 +1,15 @@
 {
   "redirections": [
+    {
+      "source_path": "articles/cosmos-db/sql-api-async-java-samples.md",
+      "redirect_url": "/azure/cosmos-db/sql-api-java-sdk-samples",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cosmos-db/sql-api-java-samples.md",
+      "redirect_url": "/azure/cosmos-db/sql-api-java-sdk-samples",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "articles/openshift/howto-azure-monitor-v4.md",
       "redirect_url": "articles/azure-monitor/insights/container-insights-azure-redhat4-setup.md",
@@ -40281,6 +40291,16 @@
       "redirect_url": "/azure/governance/policy/samples/index",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/governance/policy/concepts/rego-for-aks.md",
+      "redirect_url": "/azure/governance/policy/concepts/policy-for-kubernetes",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/governance/policy/concepts/aks-engine.md",
+      "redirect_url": "/azure/governance/policy/concepts/policy-for-kubernetes",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/azure-stack/azure-stack-tools-paas-services.md",
       "redirect_url": "/azure/azure-stack/azure-stack-offer-services-overview",

articles/active-directory-b2c/connect-with-saml-service-providers.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/20/2020
+ms.date: 05/18/2020
 ms.author: mimart
 ms.subservice: B2C
 ms.custom: fasttrack-edit
@@ -19,8 +19,6 @@ ms.custom: fasttrack-edit
 
 In this article, you learn how to configure Azure Active Directory B2C (Azure AD B2C) to act as a Security Assertion Markup Language (SAML) identity provider (IdP) to your applications.
 
-[!INCLUDE [active-directory-b2c-public-preview](../../includes/active-directory-b2c-public-preview.md)]
-
 ## Scenario overview
 
 Organizations that use Azure AD B2C as their customer identity and access management solution might require interaction with identity providers or applications that are configured to authenticate using the SAML protocol.

articles/active-directory-b2c/custom-policy-developer-notes.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 04/28/2020
+ms.date: 05/19/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -65,7 +65,7 @@ Custom policy/Identity Experience Framework capabilities are under constant and
 | [OAuth2 implicit flow](implicit-flow-single-page-application.md) |  |  | X |  |
 | [OAuth2 resource owner password credentials](ropc-custom.md) |  | X |  |  |
 | [OIDC Connect](openid-connect.md) |  |  | X |  |
-| [SAML2](connect-with-saml-service-providers.md)  |  |X  |  | POST and Redirect bindings. |
+| [SAML2](connect-with-saml-service-providers.md)  |  |  |X  | POST and Redirect bindings. |
 | OAuth1 |  |  |  | Not supported. |
 | WSFED | X |  |  |  |
 

articles/active-directory/authentication/howto-mfaserver-deploy-userportal.md

@@ -102,7 +102,7 @@ Installing the user portal on a server other than the Azure Multi-Factor Authent
     * Find the key **"USE_WEB_SERVICE_SDK"** and change **value="false"** to **value="true"**
     * Find the key **"WEB_SERVICE_SDK_AUTHENTICATION_USERNAME"** and change **value=""** to **value="DOMAIN\User"** where DOMAIN\User is a Service Account that is a part of "PhoneFactor Admins" Group.
     * Find the key **"WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD"** and change **value=""** to **value="Password"** where Password is the password for the Service Account entered in the previous line.
-    * Find the value **https://www.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx** and change this placeholder URL to the Web Service SDK URL we installed in step 2.
+    * Find the value `https://www.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx` and change this placeholder URL to the Web Service SDK URL we installed in step 2.
     * Save the Web.Config file and close Notepad.
 
 6. Open a web browser from any computer and navigate to the URL where the user portal was installed (Example: `https://mfa.contoso.com/MultiFactorAuth`). Ensure that no certificate warnings or errors are displayed.

articles/active-directory/b2b/facebook-federation.md

@@ -20,6 +20,8 @@ ms.collection: M365-identity-device-management
 # Add Facebook as an identity provider for External Identities
 
 You can add Facebook to your self-service sign-up user flows (Preview) so that users can sign in to your applications using their own Facebook accounts. To allow users to sign in using Facebook, you'll first need to [enable self-service sign-up](self-service-sign-up-user-flow.md) for your tenant. After you add Facebook as an identity provider, set up a user flow for the application and select Facebook as one of the sign-in options.
+> [!NOTE]
+> Users can only use their Facebook accounts to sign up through apps using self-service sign-up and user flows. Users cannot be invited and redeem their invitation using a Facebook account.
 
 ## Create an app in the Facebook developers console
 
@@ -51,7 +53,9 @@ To use a Facebook account as an [identity provider](identity-providers.md), you
 18. To make your Facebook application available to Azure AD, select the Status selector at the top right of the page and turn it **On** to make the Application public, and then select **Switch Mode**. At this point the Status should change from **Development** to **Live**.
 
 ## Configure a Facebook account as an identity provider
+Now you'll set the Facebook client ID and client secret, either by entering it in the Azure AD portal or by using PowerShell. You can test your Facebook configuration by signing up via a user flow on an app enabled for self-service sign-up.
 
+### To configure Facebook federation in the Azure AD portal
 1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of your Azure AD tenant.
 2. Under **Azure services**, select **Azure Active Directory**.
 3. In the left menu, select **External Identities**.
@@ -62,8 +66,39 @@ To use a Facebook account as an [identity provider](identity-providers.md), you
    ![Screenshot showing the Add social identity provider page](media/facebook-federation/add-social-identity-provider-page.png)
 
 7. Select **Save**.
+### To configure Facebook federation by using PowerShell
+1. Install the latest version of the Azure AD PowerShell for Graph module ([AzureADPreview](https://www.powershellgallery.com/packages/AzureADPreview)).
+2. Run the following command:
+   `Connect-AzureAD`.
+3. At the sign-in prompt, sign in with the managed Global Administrator account.  
+4. Run the following command: 
+   
+   `New-AzureADMSIdentityProvider -Type Facebook -Name Facebook -ClientId [Client ID] -ClientSecret [Client secret]`
+ 
+   > [!NOTE]
+   > Use the client ID and client secret from the app you created above in the Facebook developer console. For more information, see the [New-AzureADMSIdentityProvider](https://docs.microsoft.com/powershell/module/azuread/new-azureadmsidentityprovider?view=azureadps-2.0-preview) article. 
+
+## How do I remove Facebook federation?
+You can delete your Facebook federation setup. If you do so, any users who have signed up through user flows with their Facebook accounts will no longer be able to log in. 
+
+### To delete Facebook federation in the Azure AD portal: 
+1. Go to the [Azure portal](https://portal.azure.com). In the left pane, select **Azure Active Directory**. 
+2. Select **External Identities**.
+3. Select **All identity providers**.
+4. On the **Facebook** line, select the context menu (**...**) and then select **Delete**. 
+5. Select **Yes** to confirm deletion.
+
+### To delete Facebook federation by using PowerShell: 
+1. Install the latest version of the Azure AD PowerShell for Graph module ([AzureADPreview](https://www.powershellgallery.com/packages/AzureADPreview)).
+2. Run `Connect-AzureAD`.  
+4. In the sign-in prompt, sign in with the managed Global Administrator account.  
+5. Enter the following command:
+
+    `Remove-AzureADMSIdentityProvider -Id Facebook-OAUTH`
+
+   > [!NOTE]
+   > For more information, see [Remove-AzureADMSIdentityProvider](https://docs.microsoft.com/powershell/module/azuread/Remove-AzureADMSIdentityProvider?view=azureadps-2.0-preview). 
 
 ## Next steps
 
-- [Invite external users for collaboration](add-users-administrator.md)
 - [Add self-service sign-up to an app](self-service-sign-up-user-flow.md)

articles/active-directory/cloud-provisioning/how-to-install.md

@@ -7,7 +7,7 @@ manager: daveba
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 02/26/2020
+ms.date: 05/19/2020
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -72,14 +72,7 @@ To verify the agent is being seen by Azure, follow these steps.
 
    ![On-premises provisioning agents screen](media/how-to-install/verify1.png)</br>
 
-### Verify the port
-To verify that Azure is listening on port 443 and that your agent can communicate with it, follow these steps.
 
-https://aadap-portcheck.connectorporttest.msappproxy.net/ 
-
-This test verifies that your agents can communicate with Azure over port 443. Open a browser, and go to the previous URL from the server where the agent is installed.
-
-![Verification of port reachability](media/how-to-install/verify2.png)
 
 ### On the local server
 To verify that the agent is running, follow these steps.

articles/active-directory/cloud-provisioning/tutorial-pilot-aadc-aadccp.md

@@ -7,7 +7,7 @@ manager: daveba
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 03/04/2020
+ms.date: 05/19/2020
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -196,7 +196,9 @@ Azure AD Connect sync synchronizes changes occurring in your on-premises directo
 3.  Run `Start-ADSyncSyncCycle`.  Hit Enter.  
 
 >[!NOTE] 
->If you are running your own custom scheduler for AAD Connect sync, then please enable the scheduler. 
+>If you are running your own custom scheduler for Azure AD Connect sync, then please enable the scheduler. 
+
+Once the scheduler is enabled, Azure AD Connect will stop exporting any changes on objects with `cloudNoFlow=true` in the metaverse, unless any reference attribute (eg. manager) is being updated. In case there is any reference attribute update on the object, Azure AD Connect will ignore the `cloudNoFlow` signal and export all updates on the object.
 
 ## Something went wrong
 In case the pilot does not work as expected, you can go back to the Azure AD Connect sync setup by following the steps below:

articles/active-directory/conditional-access/app-protection-based-conditional-access.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: article
-ms.date: 04/02/2020
+ms.date: 05/08/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -19,10 +19,11 @@ ms.collection: M365-identity-device-management
 
 People regularly use their mobile devices for both personal and work tasks. While making sure staff can be productive, organizations also want to prevent data loss from potentially unsecure applications. With Conditional Access, organizations can restrict access to approved (modern authentication capable) client apps with Intune app protection policies applied to them.
 
-This article presents two scenarios to configure Conditional Access policies for resources like Office 365, Exchange Online, and SharePoint Online.
+This article presents three scenarios to configure Conditional Access policies for resources like Office 365, Exchange Online, and SharePoint Online.
 
 - [Scenario 1: Office 365 apps require approved apps with app protection policies](#scenario-1-office-365-apps-require-approved-apps-with-app-protection-policies)
-- [Scenario 2: Exchange Online and SharePoint Online require an approved client app and app protection policy](#scenario-2-exchange-online-and-sharepoint-online-require-an-approved-client-app-and-app-protection-policy)
+- [Scenario 2: Browser apps require approved apps with app protection policies](#scenario-2-browser-apps-require-approved-apps-with-app-protection-policies)
+- [Scenario 3: Exchange Online and SharePoint Online require an approved client app and app protection policy](#scenario-3-exchange-online-and-sharepoint-online-require-an-approved-client-app-and-app-protection-policy)
 
 In the Conditional Access, these client apps are known to be protected with an app protection policy. More information about app protection policies can be found in the article, [App protection policies overview](/intune/apps/app-protection-policy)
 
@@ -83,7 +84,40 @@ For the Conditional Access policy in this step, configure the following componen
 
 Review the article [How to create and assign app protection policies](/intune/apps/app-protection-policies), for steps to create app protection policies for Android and iOS. 
 
-## Scenario 2: Exchange Online and SharePoint Online require an approved client app and app protection policy
+## Scenario 2: Browser apps require approved apps with app protection policies
+
+In this scenario, Contoso has decided that all mobile web browsing access to Office 365 resources must use an approved client app, like Edge for iOS and Android, protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.
+
+Organizations must complete the following steps in order to require the use of an approved client app on mobile devices.
+
+**Step 1: Configure an Azure AD Conditional Access policy for Office 365**
+
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users and groups**
+   1. Under **Include**, select **All users** or the specific **Users and groups** you wish to apply this policy to. 
+   1. Select **Done**.
+1. Under **Cloud apps or actions** > **Include**, select **Office 365 (preview)**.
+1. Under **Conditions**, select **Device platforms**.
+   1. Set **Configure** to **Yes**.
+   1. Include **Android** and **iOS**.
+1. Under **Conditions**, select **Client apps (preview)**.
+   1. Set **Configure** to **Yes**.
+   1. Select **Browser**.
+1. Under **Access controls** > **Grant**, select the following options:
+   - **Require approved client app**
+   - **Require app protection policy (preview)**
+   - **Require all the selected controls**
+1. Confirm your settings and set **Enable policy** to **On**.
+1. Select **Create** to create and enable your policy.
+
+**Step 2: Configure Intune app protection policy for iOS and Android client applications**
+
+Review the article [How to create and assign app protection policies](/intune/apps/app-protection-policies), for steps to create app protection policies for Android and iOS. 
+
+## Scenario 3: Exchange Online and SharePoint Online require an approved client app and app protection policy
 
 In this scenario, Contoso has decided that users may only access email and SharePoint data on mobile devices as long as they use an approved client app like Outlook mobile protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.
 

articles/active-directory/develop/TOC.yml

@@ -28,7 +28,9 @@
     items:
     - name: Angular
       href: quickstart-v2-angular.md
-    - name: JavaScript
+    - name: JavaScript - Auth code flow
+      href: quickstart-v2-javascript-auth-code.md
+    - name: JavaScript - Implicit flow 
       href: quickstart-v2-javascript.md
   - name: Web apps
     items:
@@ -73,7 +75,9 @@
     items:
     - name: Angular
       href: tutorial-v2-angular.md
-    - name: JavaScript
+    - name: JavaScript - Auth code flow
+      href: tutorial-v2-javascript-auth-code.md  
+    - name: JavaScript - Implicit flow
       href: tutorial-v2-javascript-spa.md
   - name: Web apps
     items:
@@ -479,6 +483,10 @@
       href: active-directory-optional-claims.md
     - name: Configure token lifetimes
       href: active-directory-configurable-token-lifetimes.md
+    - name: Handle SameSite cookie changes in Chrome browser
+      href: howto-handle-samesite-cookie-changes-chrome-browser.md
+    - name: Handle ITP in Safari 
+      href: reference-third-party-cookies-spas.md
   - name: Application configuration
     displayName: App configuration
     items:
@@ -505,7 +513,7 @@
       href: howto-configure-publisher-domain.md
     - name: Configure Terms of Service and Privacy Statement
       href: howto-add-terms-of-service-privacy-statement.md
-    - name: Configure publisher verification for your app  
+    - name: Configure publisher verification for your app
       items:
       - name: Mark your app as publisher verified (preview)
         href: mark-app-as-publisher-verified.md
@@ -576,7 +584,7 @@
       href: vs-active-directory-webapi-what-happened.md
     - name: Diagnose errors during authentication
       href: vs-active-directory-error.md
-- name: References
+- name: Reference
   items:
   - name: Application manifest
     href: reference-app-manifest.md

articles/active-directory/develop/identity-videos.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 04/08/2020
+ms.date: 05/19/2020
 ms.author: marsma
 ms.custom: aaddev
 ms.reviewer: celested
@@ -19,9 +19,57 @@ ms.reviewer: celested
 
 Learn the basics of modern authentication, the Microsoft identity platform, and the Microsoft Authentication Libraries (MSAL).
 
+## Microsoft identity platform for developers
+
+The *Identity for Developers* video series focuses on just what you need to know to get started adding identity support to your application. Tuned for quick delivery of the fundamental aspects of the platform and how to use its authentication libraries, these are a good place to start for any developer.
+___
+
+:::row:::
+    :::column:::
+        1 - Overview of the Microsoft identity platform for developers (33:55)
+    :::column-end:::
+    :::column:::
+        > [!VIDEO https://www.youtube.com/embed/zjezqZPPOfc]
+    :::column-end:::
+     :::column:::
+        2 - How to authenticate users of your apps with the Microsoft identity platform (29:09)
+    :::column-end:::
+    :::column:::
+        > [!VIDEO https://www.youtube.com/embed/Mtpx_lpfRLs]
+    :::column-end:::
+:::row-end:::
+:::row:::
+    :::column:::
+        3 - Microsoft identity platform’s permissions and consent framework (45:08)
+    :::column-end:::
+    :::column:::
+        > [!VIDEO https://www.youtube.com/embed/toAWRNqqDL4]
+    :::column-end:::
+    :::column:::
+        4 - How to protect APIs using the Microsoft identity platform (33:17)
+    :::column-end:::
+    :::column:::
+        > [!VIDEO https://www.youtube.com/embed/IIQ7QW4bYqA]
+    :::column-end:::
+:::row-end:::
+:::row:::
+    :::column:::
+        5 - Application roles and security groups on the Microsoft identity platform (15:52)
+    :::column-end:::
+    :::column:::
+        > [!VIDEO https://www.youtube.com/embed/-BK2iBDrmNo]
+    :::column-end:::
+    :::column:::
+        <!-- BLANK TITLE CELL -->
+    :::column-end:::
+    :::column:::
+        <!-- BLANK VIDEO CELL -->
+    :::column-end:::
+:::row-end:::
+
 ## Authentication fundamentals
 
-If you're new to concepts like identity providers, security tokens, claims, and audience, this video series is a good place to start.
+If you're new to concepts like identity providers, security tokens, claims, and audience, this video series can help clear up the concepts and components in modern authentication.
 ___
 
 :::row:::