Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into release-ga-sentinel

Author: v-alje

articles/active-directory-b2c/active-directory-b2c-reference-audit-logs.md

@@ -1,14 +1,14 @@
 ---
-title: Audit logs samples and definitions in Azure Active Directory B2C | Microsoft Docs
-description: Guide and samples on accessing the Azure AD B2C Audit logs.
+title: Audit logs samples and definitions in Azure Active Directory B2C
+description: Guide and samples on accessing the Azure AD B2C audit logs.
 services: active-directory-b2c
 author: mmacy
 manager: celestedg
 
 ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 08/04/2017
+ms.date: 09/14/2019
 ms.author: marsma
 ms.subservice: B2C
 ms.custom: fasttrack-edit
@@ -25,6 +25,7 @@ Azure Active Directory B2C (Azure AD B2C) emits audit logs containing activity i
 > You cannot see user sign-ins for individual Azure AD B2C applications under the **Users** section of the **Azure Active Directory** or **Azure AD B2C** blades. The sign-ins there will show user activity, but cannot be correlated back to the B2C application that the user signed in to. You must use the audit logs for that, as explained further in this article.
 
 ## Overview of activities available in the B2C category of audit logs
+
 The **B2C** category in audit logs contains the following types of activities:
 
 |Activity type |Description  |
@@ -40,7 +41,8 @@ The **B2C** category in audit logs contains the following types of activities:
 > For user object CRUD activities, refer to the **Core Directory** category.
 
 ## Example activity
-The example below shows the data captured when a user signs in with an external identity provider:  
+
+The example below shows the data captured when a user signs in with an external identity provider:
     ![Example of Audit Log Activity Details page in Azure portal](./media/active-directory-b2c-reference-audit-logs/audit-logs-example.png)
 
 The activity details panel contains the following relevant information:
@@ -56,6 +58,7 @@ The activity details panel contains the following relevant information:
 | Additional Details | ApplicationId | The **Application ID** of the B2C application that the user is signing in to. |
 
 ## Accessing audit logs through the Azure portal
+
 1. Go to the [Azure portal](https://portal.azure.com). Make sure you are in your B2C directory.
 2. Click on **Azure Active Directory** in the favorites bar on the left
 
@@ -71,6 +74,7 @@ The activity details panel contains the following relevant information:
     ![Category and Apply button highlighted in Audit Log filter](./media/active-directory-b2c-reference-audit-logs/audit-logs-portal-category.png)
 
 You will see a list of activities logged over the last seven days.
+
 - Use the **Activity Resource Type** dropdown to filter by the activity types outlined above
 - Use the **Date Range** dropdown to filter the date range of the activities shown
 - If you click on a specific row in the list, a contextual box on the right will show you additional attributes associated with the activity
@@ -80,28 +84,34 @@ You will see a list of activities logged over the last seven days.
 > You can also see the audit logs by navigating to **Azure AD B2C** rather than **Azure Active Directory** in the favorites bar on the left. Under **Activities**, click on **Audit logs**, where you will find the same logs with similar filtering capabilities.
 
 ## Accessing audit logs through the Azure AD reporting API
-Audit logs are published to the same pipeline as other activities for Azure Active Directory, so they can be accessed through the [Azure Active Directory reporting API](https://docs.microsoft.com/azure/active-directory/active-directory-reporting-api-audit-reference).
+
+Audit logs are published to the same pipeline as other activities for Azure Active Directory, so they can be accessed through the [Azure Active Directory reporting API](https://docs.microsoft.com/graph/api/directoryaudit-list). For more information, see [Get started with the Azure Active Directory reporting API](../active-directory/reports-monitoring/concept-reporting-api.md).
 
 ### Prerequisites
+
 To authenticate to the Azure AD reporting API you first need to register an application. Make sure to follow the steps in [Prerequisites to access the Azure AD reporting APIs](https://azure.microsoft.com/documentation/articles/active-directory-reporting-api-getting-started/).
 
 ### Accessing the API
+
 To download the Azure AD B2C audit logs via the API, you'll want to filter the logs to the **B2C** category. To filter by category, use the query string parameter when calling the Azure AD reporting API endpoint, as shown below:
 
-`https://graph.windows.net/your-b2c-tentant.onmicrosoft.com/activities/audit?api-version=beta&$filter=category eq 'B2C'`
+```HTTP
+https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?filter=loggedByService eq 'B2C' and activityDateTime gt 2019-09-10T02:28:17Z
+```
 
 ### PowerShell script
-The following script provides an example of using PowerShell to query the Azure AD reporting API and store the results as a JSON file:
+
+The following script provides an example of using PowerShell to query the Azure AD reporting API and outputting the results to a JSON file:
 
 ```powershell
-# This script will require registration of a Web Application in Azure Active Directory (see https://azure.microsoft.com/documentation/articles/active-directory-reporting-api-getting-started/)
+# This script requires the registration of a Web Application in Azure Active Directory (see https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-reporting-api)
 
 # Constants
-$ClientID       = "your-client-application-id-here"       # Insert your application's Client ID, a Globally Unique ID (registered by Global Admin)
-$ClientSecret   = "your-client-application-secret-here"   # Insert your application's Client Key/Secret string
+$ClientID       = "your-client-application-id-here"       # Insert your application's Client ID, a GUID (registered by Global Admin)
+$ClientSecret   = "your-client-application-secret-here"   # Insert your application's Client secret/key
+$tenantdomain   = "your-b2c-tenant.onmicrosoft.com"       # Insert your Azure AD B2C tenant; for example, contoso.onmicrosoft.com
 $loginURL       = "https://login.microsoftonline.com"
-$tenantdomain   = "your-b2c-tenant.onmicrosoft.com"       # AAD B2C Tenant; for example, contoso.onmicrosoft.com
-$resource       = "https://graph.windows.net"             # Azure AD Graph API resource URI
+$resource       = "https://graph.microsoft.com"           # Microsoft Graph API resource URI
 $7daysago       = "{0:s}" -f (get-date).AddDays(-7) + "Z" # Use 'AddMinutes(-5)' to decrement minutes, for example
 Write-Output "Searching for events starting $7daysago"
 
@@ -113,7 +123,7 @@ $oauth      = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2
 if ($oauth.access_token -ne $null) {
     $i=0
     $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
-    $url = 'https://graph.windows.net/' + $tenantdomain + '/activities/audit?api-version=beta&$filter=category eq ''B2C''and activityDate gt ' + $7daysago
+    $url = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=loggedByService eq 'B2C' and activityDateTime gt  " + $7daysago
 
     # loop through each query page (1 through n)
     Do {

articles/active-directory-domain-services/TOC.yml

@@ -89,7 +89,7 @@
       items:
         - name: Deploy Azure AD Application Proxy
           href: deploy-azure-app-proxy.md
-        - name: Configure support for profile synchronization for SharePoint Server
+        - name: Enable profile synchronization for SharePoint Server
           href: deploy-sp-profile-sync.md
     - name: Troubleshoot
       items:

articles/active-directory-domain-services/deploy-sp-profile-sync.md

@@ -1,51 +1,79 @@
 ---
-title: 'Azure Active Directory Domain Services: Enable SharePoint User Profile service | Microsoft Docs'
-description: Configure Azure Active Directory Domain Services managed domains to support profile synchronization for SharePoint Server
+title: Enable SharePoint User Profile service with Azure AD DS | Microsoft Docs
+description: Learn how to configure an Azure Active Directory Domain Services managed domain to support profile synchronization for SharePoint Server
 services: active-directory-ds
-documentationcenter: ''
 author: iainfoulds
 manager: daveba
-editor: curtand
 
 ms.assetid: 938a5fbc-2dd1-4759-bcce-628a6e19ab9d
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
-ms.tgt_pltfrm: na
-ms.devlang: na
 ms.topic: conceptual
-ms.date: 06/22/2018
+ms.date: 09/12/2019
 ms.author: iainfou
 
 ---
+# Configure Azure Active Directory Domain Services to support user profile synchronization for SharePoint Server
 
-# Configure a managed domain to support profile synchronization for SharePoint Server
-SharePoint Server includes a User Profile Service that is used for user profile synchronization. To set up the User Profile Service, appropriate permissions need to be granted on an Active Directory domain. For more information, see [grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013](https://technet.microsoft.com/library/hh296982.aspx).
+SharePoint Server includes a service to synchronize user profiles. This feature lets user profiles be stored in a central location and accessible across multiple SharePoint sites and farms. To configure the SharePoint Server user profile service, the appropriate permissions must be granted in an Azure Active Directory Domain Services (Azure AD DS) managed domain. For more information, see [user profile synchronization in SharePoint Server](https://technet.microsoft.com/library/hh296982.aspx).
 
-This article explains how you can configure Azure AD Domain Services managed domains to deploy the SharePoint Server User Profile Sync service.
+This article shows you how to configure Azure AD DS to allow the SharePoint Server user profile sync service.
 
-[!INCLUDE [active-directory-ds-prerequisites.md](../../includes/active-directory-ds-prerequisites.md)]
+## Before you begin
 
-## The 'AAD DC Service Accounts' group
-A security group called '**AAD DC Service Accounts**' is available within the 'Users' organizational unit on your managed domain. You can see this group in the **Active Directory Users and Computers** MMC snap-in on your managed domain.
+To complete this article, you need the following resources and privileges:
 
-![AAD DC Service Accounts security group](./media/active-directory-domain-services-admin-guide/aad-dc-service-accounts.png)
+* An active Azure subscription.
+    * If you don’t have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
+    * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
+* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
+    * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
+* A Windows Server management VM that is joined to the Azure AD DS managed domain.
+    * If needed, complete the tutorial to [create a management VM][tutorial-create-management-vm].
+* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
+* A SharePoint service account for the user profile synchronization service.
+    * If needed, see [Plan for administrative and service accounts in SharePoint Server][sharepoint-service-account].
 
-Members of this security group are delegated the following privileges:
-- The 'Replicate Directory Changes' privilege on the root DSE of the managed domain.
-- The 'Replicate Directory Changes' privilege on the Configuration naming context (cn=configuration container) of the managed domain.
+## Service accounts overview
 
-This security group is also a member of the built-in group **Pre-Windows 2000 Compatible Access**.
+In an Azure AD DS managed domain, a security group named **AAD DC Service Accounts** exists as part of the *Users* organizational unit (OU). Members of this security group are delegated the following privileges:
 
-![AAD DC Service Accounts security group](./media/active-directory-domain-services-admin-guide/aad-dc-service-accounts-properties.png)
+- **Replicate Directory Changes** privilege on the root DSE.
+- **Replicate Directory Changes** privilege on the *Configuration* naming context (`cn=configuration` container).
 
+The **AAD DC Service Accounts** security group is also a member of the built-in group **Pre-Windows 2000 Compatible Access**.
 
-## Enable your managed domain to support SharePoint Server user profile sync
-You can add the service account used for SharePoint user profile synchronization to the **AAD DC Service Accounts** group. As a result, the synchronization account gets adequate privileges to replicate changes to the directory. This configuration step enables SharePoint Server user profile sync to work correctly.
+When added to this security group, the service account for SharePoint Server user profile synchronization service is granted the required privileges to work correctly.
 
-![AAD DC Service Accounts - add members](./media/active-directory-domain-services-admin-guide/aad-dc-service-accounts-add-member.png)
+## Enable support for SharePoint Server user profile sync
 
-![AAD DC Service Accounts - add members](./media/active-directory-domain-services-admin-guide/aad-dc-service-accounts-add-member2.png)
+The service account for SharePoint Server needs adequate privileges to replicate changes to the directory and let SharePoint Server user profile sync work correctly. To provide these privileges, add the service account used for SharePoint user profile synchronization to the **AAD DC Service Accounts** group.
 
-## Related Content
-* [Technical Reference - Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013](https://technet.microsoft.com/library/hh296982.aspx)
+From your Azure AD DS management VM, complete the following steps:
+
+> [!NOTE]
+> To edit group membership in an Azure AD DS managed domain, you must be signed in to a user account that's a member of the *AAD DC Administrators* group.
+
+1. From the Start screen, select **Administrative Tools**. A list of available management tools is shown that were installed in the tutorial to [create a management VM][tutorial-create-management-vm].
+1. To manage group membership, select **Active Directory Administrative Center** from the list of administrative tools.
+1. In the left pane, choose your Azure AD DS managed domain, such as *contoso.com*. A list of existing OUs and resources is shown.
+1. Select the **Users** OU, then choose the *AAD DC Service Accounts* security group.
+1. Select **Members**, then choose **Add...**.
+1. Enter the name of the SharePoint service account, then select **OK**. In the following example, the SharePoint service account is named *spadmin*:
+
+    ![Add the SharePoint service account to the AAD DC Service Accounts security group](./media/deploy-sp-profile-sync/add-member-to-aad-dc-service-accounts-group.png)
+
+## Next steps
+
+For more information, see [Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server](https://technet.microsoft.com/library/hh296982.aspx)
+
+<!-- INTERNAL LINKS -->
+[create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
+[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
+[create-azure-ad-ds-instance]: tutorial-create-instance.md
+[tutorial-create-management-vm]: tutorial-create-management-vm.md
+
+<!-- EXTERNAL LINKS -->
+[sharepoint-service-account]: /sharepoint/security-for-sharepoint-server/plan-for-administrative-and-service-accounts