Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-aadroles-role-windows-admin

Author: rolyon

.openpublishing.redirection.json

@@ -46507,6 +46507,11 @@
       "source_path_from_root": "/articles/virtual-desktop/diagnostics-role-service.md",
       "redirect_url": "/azure/virtual-desktop/troubleshoot-set-up-overview",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/azure-monitor/app/how-do-i.md",
+      "redirect_url": "/azure/azure-monitor/faq",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory-b2c/partner-f5.md

@@ -2,15 +2,14 @@
 title: Tutorial to configure Azure Active Directory B2C with F5 BIG-IP  
 titleSuffix: Azure AD B2C
 description: Learn how to integrate Azure AD B2C authentication with F5 BIG-IP for secure hybrid access 
-services: active-directory-b2c
 author: gargi-sinha
+ms.author: gasinh
 manager: martinco
 ms.service: active-directory
+ms.subservice: B2C
 ms.workload: identity
 ms.topic: how-to
 ms.date: 10/15/2021
-ms.author: gasinh
-ms.subservice: B2C
 ---
 
 # Tutorial: Extend Azure Active Directory B2C to protect on-premises applications using F5 BIG-IP
@@ -26,9 +25,9 @@ It provides an abundance of features including application-level inspection and
 
 To get started, you'll need:
 
-- An [Azure AD B2C tenant](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-tenant) linked to your Azure subscription
+- An [Azure AD B2C tenant](tutorial-create-tenant.md) linked to your Azure subscription
 
-- An existing BIG-IP or deploy a trial [BIG-IP Virtual Environment (VE) on Azure](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-bigip-deployment-guide)
+- An existing BIG-IP or deploy a trial [BIG-IP Virtual Environment (VE) on Azure](../active-directory/manage-apps/f5-bigip-deployment-guide.md)
 
 - Any of the following F5 BIG-IP license SKUs
 
@@ -40,9 +39,9 @@ To get started, you'll need:
 
   - 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php)
 
-- An existing header-based web application or [setup an IIS app](https://docs.microsoft.com/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing
+- An existing header-based web application or [setup an IIS app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing
 
-- [SSL certificate](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-bigip-deployment-guide#ssl-profile) for publishing services over HTTPS or use default while testing.
+- [SSL certificate](../active-directory/manage-apps/f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS or use default while testing.
 
 ## Scenario description
 
@@ -81,7 +80,7 @@ For increased security, organizations using this pattern could also consider blo
 
 ## Azure AD B2C Configuration
 
-Enabling a BIG-IP with Azure AD B2C authentication requires an Azure AD B2C tenant with a suitable user flow or custom policy. [Set up an Azure AD B2C user flow](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-user-flows).
+Enabling a BIG-IP with Azure AD B2C authentication requires an Azure AD B2C tenant with a suitable user flow or custom policy. [Set up an Azure AD B2C user flow](tutorial-create-user-flows.md).
 
 ### Create custom attributes
 
@@ -108,7 +107,7 @@ displays them all.
 
 4. Select **Application claims** and add both custom attributes plus also the **Display Name**. These are the attributes that will be sent to the BIG-IP.
 
-You can use the [Run user flow](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-user-flows) feature
+You can use the [Run user flow](tutorial-create-user-flows.md) feature
 in the user flow menu on the left navigation bar to verify it prompts for all defined attributes.
 
 ### Azure AD B2C federation
@@ -132,7 +131,7 @@ federating, so the BIG-IP must be registered in the Azure AD B2C tenant as an OI
 
 8. Note down the client secret, you'll need this later for configuring the BIG-IP.
 
-The redirect URI is the BIG-IP endpoint to which a user is sent back to by the authorization server - Azure AD B2C, after authenticating. [Register an application](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-register-applications) for Azure AD B2C.
+The redirect URI is the BIG-IP endpoint to which a user is sent back to by the authorization server - Azure AD B2C, after authenticating. [Register an application](tutorial-register-applications.md) for Azure AD B2C.
 
 ## BIG-IP configuration
 
@@ -328,7 +327,7 @@ Here, we'll configure Azure AD B2C as the OAuth2 IdP. You’ll notice that the G
 ## Related information
 
 The last step provides an overview of configurations. Hitting Deploy will commit your settings and create all necessary BIG-IP and APM objects to enable secure hybrid access to the application.
-The application should also be visible as a target resource in CA. See the [guidance for building CA policies for Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/conditional-access-identity-protection-overview).
+The application should also be visible as a target resource in CA. See the [guidance for building CA policies for Azure AD B2C](conditional-access-identity-protection-overview.md).
 For increased security, organizations using this pattern could also consider blocking all direct access to the application, thereby forcing a strict path through the BIG-IP.
 
 ## Next steps
@@ -345,14 +344,14 @@ You will then be redirected to sign up and authenticate against your Azure AD B2
 
 **Single Log-Out (SLO)**
 
-Azure AD B2C fully supports IdP and application sign out through various [mechanisms](https://docs.microsoft.com/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out).
+Azure AD B2C fully supports IdP and application sign out through various [mechanisms](session-behavior.md?pivots=b2c-custom-policy#single-sign-out).
 Having your application’s sign-out function call the Azure AD B2C log-out endpoint would be one way of achieving SLO. That way we can be sure Azure AD B2C issues a final redirect to the BIG-IP to ensure the APM session between the user and the application has also been terminated.
 Another alternative is to have the BIG-IP listen for the request when selecting the applications sign out button, and upon detecting the request it makes a simultaneous call to the Azure AD B2C logoff endpoint. This approach would avoid having to make any changes to the application itself yet achieves SLO. More details on using BIG-IP iRules to implement this are [available](https://support.f5.com/csp/article/K42052145).
 In either case your Azure AD B2C tenant would need to know the APM’s logout endpoint. 
 
 1. Navigate to **Manage** > **Manifest** in your Azure AD B2C portal and locate the logoutUrl property. It should read null.
 
-2. Add the APM’s post logout URI: https://<mysite.com>/my.logout.php3, where <mysite.com> is the BIG-IP FQDN for your own header-based application.
+2. Add the APM’s post logout URI: `https://<mysite.com>/my.logout.php3`, where `<mysite.com>` is the BIG-IP FQDN for your own header-based application.
 
 **Optimized login flow**
 

articles/active-directory/external-identities/one-time-passcode.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 10/13/2021
+ms.date: 10/15/2021
 
 ms.author: mimart
 author: msmimart
@@ -148,3 +148,55 @@ To enable the email one-time passcode feature in Azure US Government cloud:
 5. Select **Save**.
 
 For more information about current limitations, see [Azure US Government clouds](current-limitations.md#azure-us-government-clouds).
+
+## Frequently asked questions
+
+**Why do I still see “Automatically enable email one-time passcode for guests starting October 2021” selected in my email one-time passcode settings?**
+
+Due to our deployment schedules, we will start rolling out the change to enable email one-time passcode by default globally on November 1, 2021. Until then, you might still see “Automatically enable email one-time passcode for guests starting October 2021” selected in my email one-time passcode settings.
+
+**What is the user experience for guests during global rollout?**
+
+During global rollout, the user experience for guests depends on your email one-time passcode configuration and your guest's scenario. 
+
+Before the change is rolled out to your region, guests will see the following behavior.
+
+- With email one-time passcode enabled:
+
+  - If a guest has an existing unmanaged Azure AD account, they'll continue signing in with their unmanaged Azure AD account.
+  - If a guest previously redeemed an invitation to your tenant using an unmanaged Azure AD account, and you reset their redemption status and reinvite them, they'll continue signing in with their unmanaged Azure AD account.
+  - If a guest doesn't have an existing unmanaged Azure AD account, they'll redeem using email one-time passcode authentication.
+
+- With email one-time passcode disabled:
+
+  - If a guest has an existing unmanaged Azure AD account, they'll continue signing in with their unmanaged Azure AD account.
+  - If a guest previously redeemed an invitation to your tenant using an unmanaged Azure AD account, and you reset their redemption status and reinvite them, they'll continue signing in with their unmanaged Azure AD account.
+  - If a guest doesn't have an existing unmanaged Azure AD account, they'll redeem using an email one-time passcode link, but they may get a sign-in error if they're not added to the Azure portal in advance.
+
+After the change is rolled out to your region, guests will see the following behavior.
+
+- With email one-time passcode enabled:
+
+  - If a guest has an existing unmanaged Azure AD account, they'll use email one-time passcode to redeem and sign in going forward.
+  - If a guest previously redeemed an invitation to your tenant using an unmanaged Azure AD account, and you reset their redemption status and reinvite them, they'll use email one-time passcode to redeem and sign in going forward.
+  - If a guest doesn't have an unmanaged Azure AD account, they'll use email one-time passcode to redeem and sign in going forward.
+
+- With email one-time passcode disabled:
+
+  - If a guest has an existing unmanaged Azure AD account, they'll use a Microsoft account to redeem. They'll end up with two accounts (the unmanaged Azure AD account and the Microsoft account). To prevent this from happening, we strongly encourage you to enable email one-time passcode.
+  - If a guest previously redeemed an invitation to your tenant using an unmanaged Azure AD account, and you reset their redemption status and reinvite them, they'll use a Microsoft account to redeem. They'll end up with two accounts (the unmanaged Azure AD account and the Microsoft account). To prevent this from happening, we strongly encourage you to enable email one-time passcode.
+  - If a guest doesn't have an unmanaged Azure AD account, they'll use a Microsoft account to redeem and sign in going forward.
+
+For more information about the different redemption pathways, see [B2B collaboration invitation redemption](redemption-experience.md).
+
+**Does this mean the “No account? Create one!” option for self-service sign-up is going away?**
+
+It’s easy to get [self-service sign-up in the context of External Identities](self-service-sign-up-overview.md) confused with self-service sign-up for email-verified users, but they are two different features. The feature that's going away is [self-service sign-up with email-verified users](../enterprise-users/directory-self-service-signup.md), which results in your guests creating an unmanaged Azure AD account. However, self-service sign-up for External Identities will continue to be available, which results in your guests signing up to your organization with a [variety of identity providers](identity-providers.md).  
+
+**What does Microsoft recommend we do with existing Microsoft accounts (MSA)?**
+
+When we support the ability to disable Microsoft Account in the Identity providers settings (not available today), we strongly recommend you disable Microsoft Account and enable email one-time passcode. Then you should reset the redemption status of existing guests with Microsoft accounts so that they can re-redeem using email one-time passcode authentication and use email one-time passcode to sign in going forward.
+
+**Does this change include SharePoint and OneDrive integration with Azure AD B2B?**
+
+No, the global rollout of the change to enable email one-time passcode by default that begins on November 1, 2021 doesn't include SharePoint and OneDrive integration with Azure AD B2B. To learn how to enable integration so that collaboration on SharePoint and OneDrive uses B2B capabilities, or how to disable this integration, see [SharePoint and OneDrive Integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration).

articles/active-directory/managed-identities-azure-resources/tutorial-vm-managed-identities-cosmos.md

@@ -1,21 +1,16 @@
 ---
 title: Use managed identities from a virtual machine to access Cosmos DB  | Microsoft Docs 
 description: Learn how to use managed identities with Windows VMs using the Azure portal, CLI, PowerShell, Azure Resource Manager template  
-services: active-directory
 author: barclayn
 manager: karenh444
-editor: ''
-
 ms.service: active-directory
 ms.subservice: msi
 ms.workload: integration
 ms.topic: tutorial
 ms.date: 10/14/2021
 ms.author: barclayn
 ms.custom: ep-miar
-
 #Customer intent: As an administrator I want to know how to access Cosmos DB from a virtual machine using a managed identity
-
 ---
 
 # How to use managed identities to connect to Cosmos DB from an Azure virtual machine
@@ -297,7 +292,7 @@ az cosmosdb sql role assignment create --account-name $accountName --resource-gr
 
 ## Access data
 
-Getting access to Cosmos using managed identities may be achieved using the Azure.identity library to enable authentication in your application. You can call [ManagedIdentityCredential](/dotnet/api/azure.identity.managedidentitycredential?view=azure-dotnet) directly or use [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet).
+Getting access to Cosmos using managed identities may be achieved using the Azure.identity library to enable authentication in your application. You can call [ManagedIdentityCredential](/dotnet/api/azure.identity.managedidentitycredential) directly or use [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential).
 
 The ManagedIdentityCredential class attempts to authentication using a managed identity assigned to the deployment environment. The [DefaultAzureCredential](/dotnet/api/overview/azure/identity-readme) class goes through different authentication options in order. The second authentication option that DefaultAzureCredential attempts is Managed identities. 
 
@@ -387,7 +382,7 @@ Initialize your Cosmos DB client:
 CosmosClient client = new CosmosClient("<account-endpoint>", new ManagedIdentityCredential());
 ```
 
-Then [read and write data](https://docs.microsoft.com/azure/cosmos-db/sql-api-dotnet-v3sdk-samples).
+Then [read and write data](../../cosmos-db/sql/sql-api-dotnet-v3sdk-samples.md).
 
 ### Java
 
@@ -397,7 +392,7 @@ Initialize your Cosmos DB client:
 CosmosAsyncClient Client = new CosmosClientBuilder().endpoint("<account-endpoint>") .credential(new ManagedIdentityCredential()) .build();
 ```
 
-Then read and write data as described in [these samples](https://docs.microsoft.com/azure/cosmos-db/sql-api-java-sdk-samples)
+Then read and write data as described in [these samples](../../cosmos-db/sql/sql-api-java-sdk-samples.md)
 
 ### JavaScript
 
@@ -407,7 +402,7 @@ Initialize your Cosmos DB client:
 const client = new CosmosClient({ "<account-endpoint>", aadCredentials: new ManagedIdentityCredential() });
 ```
 
-Then read and write data as described in [these samples](https://docs.microsoft.com/azure/cosmos-db/sql-api-nodejs-samples)
+Then read and write data as described in [these samples](../../cosmos-db/sql/sql-api-nodejs-samples.md)
 
 ## Clean up steps
 
@@ -453,4 +448,4 @@ Learn more about managed identities for Azure resources:
 Learn more about Azure Cosmos
 
 - [Azure Cosmos DB resource model](../../cosmos-db/account-databases-containers-items.md)
-- [Tutorial: Build a .NET console app to manage data in Azure Cosmos DB SQL API account](../../cosmos-db/sql/sql-api-get-started.md)
+- [Tutorial: Build a .NET console app to manage data in Azure Cosmos DB SQL API account](../../cosmos-db/sql/sql-api-get-started.md)