Merge pull request #57689 from MicrosoftDocs/master

11/9 PM Publish

Author: huypub

articles/active-directory/devices/device-management-azure-portal.md

@@ -150,7 +150,7 @@ To enable / disable a device, you have two options:
 **Remarks:**
 
 - You need to be a global administrator in Azure  AD to enable / disable a device. 
-- Disabling a device prevents a device from accessing your Azure AD resources. 
+- Disabling a device prevents a device from successfully authenticating with Azure AD, therby preventing the device from accessing your Azure AD resources that are guarded by device CA or using your WH4B credentials. 
 
 
 

articles/active-directory/devices/faq.md

@@ -18,29 +18,10 @@ ms.author: markvi
 ms.reviewer: jairoc
 
 ---
-# Azure Active Directory device management FAQ
-
-**Q: Can I register Android or iOS BYOD devices?**
-
-**A:** Yes, but only with Azure device registration service and for hybrid customers. It is not supported with on-premises device registration service in AD FS.
-
-**Q: How can I register a macOS device?**
-
-**A:** To register macOS device:
-
-1.	[Create a compliance policy](https://docs.microsoft.com/intune/compliance-policy-create-mac-os)
-2.	[Define a conditional access policy for macOS devices](../active-directory-conditional-access-azure-portal.md) 
 
-**Remarks:**
-
-- The users that are included in your conditional access policy need a [supported version of Office for macOS](../conditional-access/technical-reference.md#client-apps-condition) to access resources. 
-
-- During the first access attempt, your users are prompted to enroll the device using the company portal.
-
----
-
-**Q: I registered the device recently. Why can’t I see the device under my user info in the Azure portal?**
+# Azure Active Directory device management FAQ
 
+**Q: I registered the device recently. Why can’t I see the device under my user info in the Azure portal? Or Why is device owner marked as N/A for hybrid Azure AD joined devices?**
 **A:** Windows 10 devices that are hybrid Azure AD joined do not show up under the USER devices.
 You need to use All devices view in Azure portal. You can also use PowerShell [Get-MsolDevice](/powershell/module/msonline/get-msoldevice?view=azureadps-1.0) cmdlet.
 
@@ -54,15 +35,20 @@ Only the following devices are listed under the USER devices:
 
 **Q: How do I know what the device registration state of the client is?**
 
-**A:** You can use the Azure portal, go to All devices and search for the device using device ID. Check the value under the join type column.
-
-If you want to check the local device registration state from a registered device:
+**A:** You can use the Azure portal, go to All devices and search for the device using device ID. Check the value under the join type column. Sometimes, the device could have been reset or re-imaged. So, it is essential to also check device registration state on the device too:
 
 - For Windows 10 and Windows Server 2016 or later devices, run dsregcmd.exe /status.
 - For down-level OS versions, run "%programFiles%\Microsoft Workplace Join\autoworkplace.exe"
 
 ---
 
+**Q: I see the device record under the USER info in the Azure portal and can see the state as registered on the device. Am I setup correctly for using conditional access?**
+
+**A:** The device join state, reflected by deviceID, must match with that on Azure AD and meet any evaluation criteria for conditional access. 
+For more information, see [Require managed devices for cloud app access with conditional access](../conditional-access/require-managed-devices.md).
+
+---
+
 **Q: I have deleted in the Azure portal or using Windows PowerShell, but the local state on the device says that it is still registered?**
 
 **A:** This is by design. The device will not have access to resources in the cloud. 
@@ -83,25 +69,6 @@ For down-level Windows OS versions that are on-premises AD domain-joined:
 2.	Type `"%programFiles%\Microsoft Workplace Join\autoworkplace.exe /l"`.
 3.	Type `"%programFiles%\Microsoft Workplace Join\autoworkplace.exe /j"`.
 
----
-**Q: How do I unjoin an Azure AD Joined device locally on the device?**
-
-**A:** 
-- For hybrid Azure AD Joined devices, make sure to turn off auto registration so that the scheduled task does not register the device again. Next, open command prompt as an administrator and type `dsregcmd.exe /debug /leave`. Alternatively, this command can be run as a script across multiple devices to unjoin in bulk.
-
-- For pure Azure AD Joined devices, make sure you have an offline local administrator account or create one, as you won't be able to sign in with any Azure AD user credentials. Next, go to **Settings** > **Accounts** > **Access Work or School**. Select your account and click on **Disconnect**. Follow the prompts and provide the local administrator credentials when prompted. Reboot the device to complete the unjoin process.
-
----
-
-**Q: My users cannot search printers from Azure AD Joined devices. How can I enable printing from Azure AD Joined devices ?**
-
-**A:** For deploying printers for Azure AD Joined devices, see [Hybrid cloud print](https://docs.microsoft.com/windows-server/administration/hybrid-cloud-print/hybrid-cloud-print-deploy). You will need an on-premises Windows Server to deploy hybrid cloud print. Currently, cloud-based print service is not available. 
-
----
-
-**Q: How do I connect to a remote Azure AD joined device?**
-**A:** Refer to the article https://docs.microsoft.com/windows/client-management/connect-to-remote-aadj-pc for details.
-
 ---
 
 **Q: Why do I see duplicate device entries in Azure portal?**
@@ -124,7 +91,27 @@ For down-level Windows OS versions that are on-premises AD domain-joined:
 
 >[!Note] 
 >For enrolled devices, we recommend wiping the device to ensure that users cannot access the resources. For more information, see [Enroll devices for management in Intune](https://docs.microsoft.com/intune/deploy-use/enroll-devices-in-microsoft-intune). 
+---
+
+# Azure AD Join FAQ
+
+**Q: How do I unjoin an Azure AD Joined device locally on the device?**
+
+**A:** 
+- For hybrid Azure AD Joined devices, make sure to turn off auto registration so that the scheduled task does not register the device again. Next, open command prompt as an administrator and type `dsregcmd.exe /debug /leave`. Alternatively, this command can be run as a script across multiple devices to unjoin in bulk.
+
+- For pure Azure AD Joined devices, make sure you have an offline local administrator account or create one, as you won't be able to sign in with any Azure AD user credentials. Next, go to **Settings** > **Accounts** > **Access Work or School**. Select your account and click on **Disconnect**. Follow the prompts and provide the local administrator credentials when prompted. Reboot the device to complete the unjoin process.
+
+---
+
+**Q: My users cannot search printers from Azure AD Joined devices. How can I enable printing from Azure AD Joined devices ?**
+
+**A:** For deploying printers for Azure AD Joined devices, see [Hybrid cloud print](https://docs.microsoft.com/windows-server/administration/hybrid-cloud-print/hybrid-cloud-print-deploy). You will need an on-premises Windows Server to deploy hybrid cloud print. Currently, cloud-based print service is not available. 
 
+---
+
+**Q: How do I connect to a remote Azure AD joined device?**
+**A:** Refer to the article https://docs.microsoft.com/windows/client-management/connect-to-remote-aadj-pc for details.
 
 ---
 
@@ -141,13 +128,6 @@ Please evaluate the conditional access policy rules and ensure that the device i
 
 ---
 
-**Q: I see the device record under the USER info in the Azure portal and can see the state as registered on the device. Am I setup correctly for using conditional access?**
-
-**A:** The device join state, reflected by deviceID, must match with that on Azure AD and meet any evaluation criteria for conditional access. 
-For more information, see [Require managed devices for cloud app access with conditional access](../conditional-access/require-managed-devices.md).
-
----
-
 **Q: Why do I get a "username or password is incorrect" message for a device I have just joined to Azure AD?**
 
 **A:** Common reasons for this scenario are:
@@ -156,7 +136,7 @@ For more information, see [Require managed devices for cloud app access with con
 
 - Your computer is unable to communicate with Azure Active Directory. Check for any network connectivity issues.
 
-- Federated logins requires your federation server to support a WS-Trust active endpoint. 
+- Federated logins requires your federation server to support WS-Trust endpoints enabled and accessible. 
 
 - You have enabled Pass through Authentication and the user has a temporary password that needs to be changed on logon.
 
@@ -168,15 +148,16 @@ For more information, see [Require managed devices for cloud app access with con
 
 ---
 
-**Q: Why did my attempt to join a PC fail although I didn't get any error information?**
+**Q: Why did my attempt to Azure AD join a PC fail although I didn't get any error information?**
 
 **A:** A likely cause is that the user is logged in to the device using the local built-in administrator account. 
 Please create a different local account before using Azure Active Directory Join to complete the setup. 
 
-
 ---
 
-**Q: Where can I find troubleshooting information about the automatic device registration?**
+# Hybrid Azure AD Join FAQ
+
+**Q: Where can I find troubleshooting information for diagnosing hybrid Azure AD join failures?**
 
 **A:** For troubleshooting information, see:
 
@@ -187,3 +168,23 @@ Please create a different local account before using Azure Active Directory Join
 
 ---
 
+# Azure AD Register FAQ
+
+**Q: Can I register Android or iOS BYOD devices?**
+
+**A:** Yes, but only with Azure device registration service and for hybrid customers. It is not supported with on-premises device registration service in AD FS.
+
+**Q: How can I register a macOS device?**
+
+**A:** To register macOS device:
+
+1.	[Create a compliance policy](https://docs.microsoft.com/intune/compliance-policy-create-mac-os)
+2.	[Define a conditional access policy for macOS devices](../active-directory-conditional-access-azure-portal.md) 
+
+**Remarks:**
+
+- The users that are included in your conditional access policy need a [supported version of Office for macOS](../conditional-access/technical-reference.md#client-apps-condition) to access resources. 
+
+- During the first access attempt, your users are prompted to enroll the device using the company portal.
+
+---

articles/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md

@@ -13,7 +13,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 09/19/2017
+ms.date: 11/10/2018
 ms.author: daveba
 ---
 
@@ -29,20 +29,16 @@ In this article, you learn how to enable and disable system and user-assigned ma
 
 - If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md).
 - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before continuing.
-- To perform the management operations in this article, your account needs the following Azure role based access control assignments:
-
-    > [!NOTE]
-    > No additional Azure AD directory role assignments required.
-
-    - [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) to enable and remove system-assigned managed identity from an Azure VM.
 
 ## System-assigned managed identity
 
 In this section, you learn how to enable and disable the system-assigned managed identity for VM using the Azure portal.
 
 ### Enable system-assigned managed identity during creation of a VM
 
-To enable system-assigned managed identity during the creation of a VM, under the **Management** tab in the **Identity** section, switch **Managed service identity** to **On**.  
+To enable system-assigned managed identity on a VM during its creation, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment.  No additional Azure AD directory role assignments are required.
+
+- Under the **Management** tab in the **Identity** section, switch **Managed service identity** to **On**.  
 
 ![Enable system-assigned identity during VM creation](./media/msi-qs-configure-portal-windows-vm/enable-system-assigned-identity-vm-creation.png)
 
@@ -54,7 +50,7 @@ Refer to the following Quickstarts to create a VM:
 
 ### Enable system-assigned managed identity on an existing VM
 
-To enable the system-assigned managed identity on a VM that was originally provisioned without it:
+To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment.  No additional Azure AD directory role assignments are required.
 
 1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM.
 
@@ -66,6 +62,8 @@ To enable the system-assigned managed identity on a VM that was originally provi
 
 ### Remove system-assigned managed identity from a VM
 
+To remove system-assigned managed identity from a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment.  No additional Azure AD directory role assignments are required.
+
 If you have a Virtual Machine that no longer needs system-assigned managed identity:
 
 1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM. 
@@ -82,13 +80,17 @@ If you have a Virtual Machine that no longer needs system-assigned managed ident
 
 ### Assign a user-assigned identity during the creation of a VM
 
+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No additional Azure AD directory role assignments are required.
+
 Currently, the Azure portal does not support assigning a user-assigned managed identity during the creation of a VM. Instead, refer to one of the following VM creation Quickstart articles to first create a VM, and then proceed to the next section for details on assigning a user-assigned managed identity to the VM:
 
 - [Create a Windows virtual machine with the Azure portal](../../virtual-machines/windows/quick-create-portal.md#create-virtual-machine)
 - [Create a Linux virtual machine with the Azure portal](../../virtual-machines/linux/quick-create-portal.md#create-virtual-machine)
 
 ### Assign a user-assigned managed identity to an existing VM
 
+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No additional Azure AD directory role assignments are required.
+
 1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM.
 2. Navigate to the desired VM and click **Identity**, **User assigned** and then **\+Add**.
 
@@ -100,6 +102,8 @@ Currently, the Azure portal does not support assigning a user-assigned managed i
 
 ### Remove a user-assigned managed identity from a VM
 
+To remove a user-assigned identity from a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No additional Azure AD directory role assignments are required.
+
 1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM.
 2. Navigate to the desired VM and click **Identity**, **User assigned**, the name of the user-assigned managed identity you want to delete and then click **Remove** (click **Yes** in the confirmation pane).
 

articles/active-directory/users-groups-roles/TOC.yml

@@ -128,6 +128,8 @@
       href: directory-assign-admin-roles.md
     - name: View and assign roles   
       href: directory-manage-roles-portal.md
+    - name: Least-privileged roles by task   
+      href: roles-delegate-by-task.md
     - name: Administrator role security    
       items:   
       - name: Role security planning