Merge branch 'master' into vcraic0315

Author: Craig Casey

.openpublishing.redirection.json

@@ -2170,6 +2170,11 @@
       "redirect_url": "/azure/cosmos-db/create-sql-api-python",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/cosmos-db/cosmos-db-security-controls.md",
+      "redirect_url": "/azure/cosmos-db/security-baseline",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/cosmos-db/powershell-samples.md",
       "redirect_url": "/azure/cosmos-db/powershell-samples-sql",
@@ -13604,6 +13609,11 @@
       "redirect_url": "/azure/event-hubs/authorize-access-azure-active-directory",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/event-hubs/event-hubs-tutorial-virtual-networks-firewalls.md",
+      "redirect_url": "/azure/event-hubs/event-hubs-service-endpoints",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "articles/active-directory/active-directory-saml-protocol-reference.md",
       "redirect_url": "/azure/active-directory/develop/active-directory-saml-protocol-reference",
@@ -15786,7 +15796,12 @@
     },
     {
       "source_path": "articles/machine-learning/machine-learning-dedicated-capacity-for-bes-jobs.md",
-      "redirect_url": "/azure/machine-learning/studio/dedicated-capacity-for-bes-jobs",
+      "redirect_url": "/azure/machine-learning/studio/consume-web-services",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/machine-learning/studio/dedicated-capacity-for-bes-jobs.md",
+      "redirect_url": "/azure/machine-learning/studio/consume-web-services",
       "redirect_document_id": false
     },
     {
@@ -49284,6 +49299,11 @@
       "redirect_url": "/azure/azure-monitor/overview",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/cli/index.yml",
+      "redirect_url": "/cli/azure",
+      "redirect_document_id": false 
+    },
     {
       "source_path": "articles/virtual-machines/linux/tutorial-build-deploy-jenkins.md",
       "redirect_url": "/azure/jenkins/tutorial-build-deploy-jenkins",
@@ -49383,6 +49403,21 @@
       "source_path": "articles/media-services/latest/create-account-cli-how-to.md",
       "redirect_url": "/azure/media-services/latest/create-account-howto",
       "redirect_document_id": false
+    },
+    { 
+      "source_path": "articles/mariadb/howto-tls-configurations.md", 
+      "redirect_url": "/azure/mariadb/howto-configure-ssl", 
+      "redirect_document_id": false 
+    },
+    {
+      "source_path": "articles/mysql/howto-tls-configurations.md", 
+      "redirect_url": "/azure/mysql/howto-configure-ssl", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/postgresql/howto-tls-configurations.md", 
+      "redirect_url": "/azure/postgresql/concepts-ssl-connection-security", 
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory-b2c/custom-policy-configure-user-input.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 03/10/2020
+ms.date: 03/17/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -19,9 +19,12 @@ ms.subservice: B2C
 
 In this article, you collect a new attribute during your sign-up journey in Azure Active Directory B2C (Azure AD B2C). You'll obtain the users' city, configure it as a drop-down, and define whether it's required to be provided.
 
+> [!NOTE]
+> This sample uses the built-in claim 'city'. Instead, you can choose one of the supported [Azure AD B2C built-in attributes](user-profile-attributes.md) or a custom attribute. To use a custom attribute, [enable custom attributes in your policy](custom-policy-custom-attributes.md). To use a different built-in or custom attribute, replace 'city' with the attribute of your choice, for example the built-in attribute *jobTitle* or a custom attribute like *extension_loyaltyId*.  
+
 You can gather initial data from your users by using the sign-up or sign-in user journey. Additional claims can be gathered later by using a profile edit user journey. Anytime Azure AD B2C gathers information directly from the user interactively, the Identity Experience Framework uses its [self-asserted technical profile](self-asserted-technical-profile.md). In this sample, you:
 
-1. Define a "city" claim.
+1. Define a "city" claim. 
 1. Ask the user for their city.
 1. Persist the city to the user profile in the Azure AD B2C directory.
 1. Read the city claim from the Azure AD B2C directory on each sign-in.

articles/active-directory-b2c/custom-policy-custom-attributes.md

@@ -171,7 +171,7 @@ Content-type: application/json
 
 ### Retrieve the template for the provisioning connector
 
-Applications in the gallery that are enabled for provisioning have templates to streamline configuration. Use the request below to [retrieve the template for the provisioning configuration](https://docs.microsoft.com/graph/api/synchronization-synchronizationtemplate-list?view=graph-rest-beta&tabs=http).
+Applications in the gallery that are enabled for provisioning have templates to streamline configuration. Use the request below to [retrieve the template for the provisioning configuration](https://docs.microsoft.com/graph/api/synchronization-synchronizationtemplate-list?view=graph-rest-beta&tabs=http). Note that you will need to provide the ID. The ID refers to the preceding resource, which in this case is the ServicePrincipal. 
 
 #### *Request*
 
@@ -263,10 +263,10 @@ Content-type: application/json
 
 ### Test the connection to the application
 
-Test the connection with the third-party application. The example below is for an application that requires clientSecret and secretToken. Each application has its on requirements. Review the [API documentation](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-validatecredentials?view=graph-rest-beta&tabs=http) to see the available options. 
+Test the connection with the third-party application. The example below is for an application that requires clientSecret and secretToken. Each application has its on requirements. Applications often use BaseAddress in place of ClientSecret. To determine what credentials your app requires, navigate to the provisioning configuration page for your application and in developer mode click test connection. The network traffic will show the parameters used for credentials. The full list of credentials can be found [here](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-validatecredentials?view=graph-rest-beta&tabs=http). 
 
 #### *Request*
-```http
+```msgraph-interactive
 POST https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/{id}/validateCredentials
 { 
     credentials: [ 
@@ -290,7 +290,7 @@ HTTP/1.1 204 No Content
 Configuring provisioning requires establishing a trust between Azure AD and the application. Authorize access to the third-party application. The example below is for an application that requires clientSecret and secretToken. Each application has its on requirements. Review the [API documentation](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-validatecredentials?view=graph-rest-beta&tabs=http) to see the available options. 
 
 #### *Request*
-```json
+```msgraph-interactive
 PUT https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/secrets 
  
 { 

articles/active-directory/app-provisioning/application-provisioning-configure-api.md

@@ -22,7 +22,7 @@ ms.collection: M365-identity-device-management
 
 Automatic provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Before you start a deployment, you can review this article to learn how Azure AD provision works and get configuration recommendations. 
 
-The **Azure AD Provisioning Service** provisions users to SaaS apps and other systems by connecting to a System for Cross-Domain Identity Management (SCIM) 2.0 user management API endpoint provided by the application vendor. This SCIM endpoint allows Azure AD to programmatically create, update, and remove users. For selected applications, the provisioning service can also create, update, and remove additional identity-related objects, such as groups and roles. The channel used for provisioning between Azure AD and the application is encrypted using HTTPS SSL encryption.
+The **Azure AD Provisioning Service** provisions users to SaaS apps and other systems by connecting to a System for Cross-Domain Identity Management (SCIM) 2.0 user management API endpoint provided by the application vendor. This SCIM endpoint allows Azure AD to programmatically create, update, and remove users. For selected applications, the provisioning service can also create, update, and remove additional identity-related objects, such as groups and roles. The channel used for provisioning between Azure AD and the application is encrypted using HTTPS TLS encryption.
 
 
 ![Azure AD Provisioning Service](./media/how-provisioning-works/provisioning0.PNG)

articles/active-directory/app-provisioning/how-provisioning-works.md

@@ -50,7 +50,6 @@ Azure AD Connect lets you synchronize users, groups, and credential between an o
 To correctly work with SSPR writeback, the account specified in Azure AD Connect must have the appropriate permissions and options set. If you're not sure which account is currently in use, open Azure AD Connect and select the **View current configuration** option. The account that you need to add permissions to is listed under **Synchronized Directories**. The following permissions and options must be set on the account:
 
 * **Reset password**
-* **Change password**
 * **Write permissions** on `lockoutTime`
 * **Write permissions** on `pwdLastSet`
 * **Extended rights** on either:
@@ -68,7 +67,6 @@ To set up the appropriate permissions for password writeback to occur, complete
 1. For **Principal**, select the account that permissions should be applied to (the account used by Azure AD Connect).
 1. In the **Applies to** drop-down list, select **Descendant User objects**.
 1. Under *Permissions*, select the boxes for the following options:
-    * **Change password**
     * **Reset password**
 1. Under *Properties*, select the boxes for the following options. You need to scroll through the list to find these options, which may already be set by default:
     * **Write lockoutTime**

articles/active-directory/authentication/tutorial-enable-sspr-writeback.md

@@ -26,6 +26,9 @@ This article presents two scenarios to configure Conditional Access policies for
 
 In Conditional Access, this functionality is known as requiring an approved client app. For a list of approved client apps, see [approved client app requirement](concept-conditional-access-grant.md#require-approved-client-app).
 
+> [!NOTE]
+> In order to require approved client apps for iOS and Android devices, these devices must first register in Azure AD.
+
 ## Scenario 1: Office 365 apps require an approved client app
 
 In this scenario, Contoso has decided that users using mobile devices can access all Office 365 services as long as they use approved client apps, like Outlook mobile, OneDrive, and Microsoft Teams. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.

articles/active-directory/conditional-access/app-based-conditional-access.md

@@ -28,6 +28,7 @@ Requiring managed devices for cloud app access ties **Azure AD Conditional Acces
 
 - **[Conditional Access in Azure Active Directory](../active-directory-conditional-access-azure-portal.md)** - This article provides you with a conceptual overview of Conditional Access and the related terminology.
 - **[Introduction to device management in Azure Active Directory](../devices/overview.md)** - This article gives you an overview of the various options you have to get devices under organizational control. 
+- For Chrome support in **Windows 10 Creators Update (version 1703)** or later, install the [Windows 10 Accounts extension](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji). This extension is required when a Conditional Access policy requires device specific details.
 
 >[!NOTE] 
 > We recommend using Azure AD device based Conditional Access policy to get the best enforcement after initial device authentication. This includes closing sessions if the device falls out of compliance and device code flow.

articles/active-directory/conditional-access/require-managed-devices.md

@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 02/19/2020
+ms.date: 03/17/2020
 ms.author: ryanwi
 ms.reviewer: jmprieur, lenalepa, sureshja, kkrishna
 ms.custom: aaddev
@@ -172,7 +172,7 @@ In this article, you learned how to build an application that can sign in a user
 
 ## Related content
 
-* [Multi-tenant application sample](https://github.com/mspnp/multitenant-saas-guidance)
+* [Multi-tenant application sample](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md)
 * [Branding guidelines for applications][AAD-App-Branding]
 * [Application objects and service principal objects][AAD-App-SP-Objects]
 * [Integrating applications with Azure Active Directory][AAD-Integrating-Apps]

articles/active-directory/develop/howto-convert-app-to-be-multi-tenant.md

@@ -15,22 +15,20 @@ ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
 
-# Identity data storage for Australian customers in Azure Active Directory
+# Identity data storage for Australian and New Zealand customers in Azure Active Directory
 
 Identity data is stored by Azure AD in a geographical location based on the address provided by your organization when subscribing for a Microsoft Online service such as Office 365 and Azure. For information on where your Identity Customer Data is stored, you can use the [Where is your data located?](https://www.microsoft.com/trustcenter/privacy/where-your-data-is-located) section of the Microsoft Trust Center.
 
 > [!NOTE]
 > Services and applications that integrate with Azure AD have access to Identity Customer Data. Evaluate each service and application you use to determine how Identity Customer Data is processed by that specific service and application, and whether they meet your company's data storage requirements. For more information about Microsoft services' data residency, see the Where is your data located? section of the Microsoft Trust Center.
 
-For customers who provided an address in Australia, Azure AD keeps identity data for these services within Australian datacenters: 
-- Azure AD Directory Management 
-- Authentication
+For customers who provided an address in Australia and New Zealand and uses Azure AD free edition, Azure AD keeps PII data at rest within Australian datacenters. 
 
-All other Azure AD services store customer data in global datacenters. To locate the datacenter for a service, see [Azure Active Directory – Where is your data located?](https://www.microsoft.com/trustcenter/privacy/where-your-data-is-located)
+All other Azure AD premium services store customer data in global datacenters. To locate the datacenter for a service, see [Azure Active Directory – Where is your data located?](https://www.microsoft.com/trustcenter/privacy/where-your-data-is-located)
 
 ## Microsoft Azure multi-factor authentication (MFA)
 
-MFA stores Identity Customer Data in global datacenters. To learn more about the user information collected and stored by cloud-based Azure MFA and Azure MFA Server, see [Azure Multi-Factor Authentication user data collection](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-data-residency).
+MFA service in Azure AD stores Identity Customer Data in global datacenters at rest. To learn more about the user information collected and stored by cloud-based Azure MFA and Azure MFA Server, see [Azure Multi-Factor Authentication user data collection](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-data-residency). If customers use MFA their data will be stored outside of Australia datacenters at rest. 
 
 ## Next steps
 For more information about any of the features and functionality described above, see these articles: