Merge pull request #103466 from MicrosoftDocs/master

2/05 PM Publish

Author: huypub

articles/active-directory-b2c/custom-email.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 12/18/2019
+ms.date: 02/05/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -387,6 +387,36 @@ For more information, see [Self-asserted technical profile](restful-technical-pr
 </ClaimsProvider>
 ```
 
+## [Optional] Localize your email
+
+To localize the email, you must send localized strings to SendGrid, or your email provider. For example to localize the email subject, body, your code message, or signature of the email. To do so, you can use the [GetLocalizedStringsTransformation](string-transformations.md) claims transformation to copy localized strings into claim types. In the `GenerateSendGridRequestBody` claims transformation, which generates the JSON payload, uses input claims that contain the localized strings.
+
+1. In your policy define the following string claims: subject, message, codeIntro and signature.
+1. Define a [GetLocalizedStringsTransformation](string-transformations.md) claims transformation to substitute localized string values into the claims from step 1.
+1. Change the `GenerateSendGridRequestBody` claims transformation to use input claims with the following XML snippet.
+1. Update your SendGrind template to use dynamic parameters in place of all the strings which will be localized by Azure AD B2C.
+
+```XML
+<ClaimsTransformation Id="GenerateSendGridRequestBody" TransformationMethod="GenerateJson">
+  <InputClaims>
+    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="personalizations.0.to.0.email" />
+    <InputClaim ClaimTypeReferenceId="subject" TransformationClaimType="personalizations.0.dynamic_template_data.subject" />
+    <InputClaim ClaimTypeReferenceId="otp" TransformationClaimType="personalizations.0.dynamic_template_data.otp" />
+    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="personalizations.0.dynamic_template_data.email" />
+    <InputClaim ClaimTypeReferenceId="message" TransformationClaimType="personalizations.0.dynamic_template_data.message" />
+    <InputClaim ClaimTypeReferenceId="codeIntro" TransformationClaimType="personalizations.0.dynamic_template_data.codeIntro" />
+    <InputClaim ClaimTypeReferenceId="signature" TransformationClaimType="personalizations.0.dynamic_template_data.signature" />
+  </InputClaims>
+  <InputParameters>
+    <InputParameter Id="template_id" DataType="string" Value="d-1234567890" />
+    <InputParameter Id="from.email" DataType="string" Value="[email protected]" />
+  </InputParameters>
+  <OutputClaims>
+    <OutputClaim ClaimTypeReferenceId="sendGridReqBody" TransformationClaimType="outputClaim" />
+  </OutputClaims>
+</ClaimsTransformation>
+```
+
 ## Next steps
 
 You can find an example of a custom email verification policy on GitHub:

articles/active-directory/manage-apps/functions-for-customizing-application-data.md

@@ -11,7 +11,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 07/31/2019
+ms.date: 02/05/2020
 ms.author: mimart
 
 ms.collection: M365-identity-device-management
@@ -34,7 +34,7 @@ The syntax for Expressions for Attribute Mappings is reminiscent of Visual Basic
 * For string constants, if you need a backslash ( \ ) or quotation mark ( " ) in the string, it must be escaped with the backslash ( \ ) symbol. For example: "Company name: \\"Contoso\\""
 
 ## List of Functions
-[Append](#append)      [BitAnd](#bitand)      [CBool](#cbool)      [Coalesce](#coalesce)      [ConvertToBase64](#converttobase64)      [ConvertToUTF8Hex](#converttoutf8hex)      [Count](#count)      [CStr](#cstr)      [DateFromNum](#datefromnum)  [FormatDateTime](#formatdatetime)      [Guid](#guid)      [InStr](#instr)      [IsNull](#isnull)      [IsNullOrEmpty](#isnullorempty)      [IsPresent](#ispresent)      [IsString](#isstring)      [Item](#item)      [Join](#join)      [Left](#left)      [Mid](#mid)         [NormalizeDiacritics](#normalizediacritics) [Not](#not)      [RemoveDuplicates](#removeduplicates)      [Replace](#replace)      [SelectUniqueValue](#selectuniquevalue)     [SingleAppRoleAssignment](#singleapproleassignment)     [Split](#split)    [StripSpaces](#stripspaces)      [Switch](#switch)     [ToLower](#tolower)     [ToUpper](#toupper)     [Word](#word)
+[Append](#append)      [BitAnd](#bitand)      [CBool](#cbool)      [Coalesce](#coalesce)      [ConvertToBase64](#converttobase64)      [ConvertToUTF8Hex](#converttoutf8hex)      [Count](#count)      [CStr](#cstr)      [DateFromNum](#datefromnum)  [FormatDateTime](#formatdatetime)      [Guid](#guid)      [InStr](#instr)      [IsNull](#isnull)      [IsNullOrEmpty](#isnullorempty)      [IsPresent](#ispresent)      [IsString](#isstring)      [Item](#item)      [Join](#join)      [Left](#left)      [Mid](#mid)         [NormalizeDiacritics](#normalizediacritics) [Not](#not)      [NumFromDate](#numfromdate)     [RemoveDuplicates](#removeduplicates)      [Replace](#replace)      [SelectUniqueValue](#selectuniquevalue)     [SingleAppRoleAssignment](#singleapproleassignment)     [Split](#split)    [StripSpaces](#stripspaces)      [Switch](#switch)     [ToLower](#tolower)     [ToUpper](#toupper)     [Word](#word)
 
 ---
 ### Append
@@ -283,7 +283,7 @@ Returns True if the attribute is not present or is an empty string
 ---
 ### IsPresent
 **Function:**<br> 
-IsNullOrEmpty(Expression)
+IsPresent(Expression)
 
 **Description:**<br> 
 If the expression evaluates to a string that is not Null and is not empty, then the IsPresent function returns true. The inverse of this function is named IsNullOrEmpty.
@@ -413,6 +413,30 @@ Flips the boolean value of the **source**. If **source** value is "*True*", retu
 | --- | --- | --- | --- |
 | **source** |Required |Boolean String |Expected **source** values are "True" or "False". |
 
+---
+### NumFromDate
+**Function:**<br> 
+NumFromDate(value)
+
+**Description:**<br> 
+The NumFromDate function converts a DateTime value to Active Directory format that is required to set attributes like [accountExpires](https://docs.microsoft.com/windows/win32/adschema/a-accountexpires). Use this function to convert DateTime values received from cloud HR apps like Workday and SuccessFactors to their equivalent AD representation. 
+
+**Parameters:**<br> 
+
+| Name | Required/ Repeating | Type | Notes |
+| --- | --- | --- | --- |
+| **value** |Required | String | Date time string in the supported format. For supported formats, see https://msdn.microsoft.com/library/8kb3ddd4%28v=vs.110%29.aspx. |
+
+**Example:**<br>
+* Workday example <br>
+  Assuming you want to map the attribute *ContractEndDate* from Workday which is in the format *2020-12-31-08:00* to *accountExpires* field in AD, here is how you can use this function and change the timezone offset to match your locale. 
+  `NumFromDate(Join("", FormatDateTime([ContractEndDate], "yyyy-MM-ddzzz", "yyyy-MM-dd"), "T23:59:59-08:00"))`
+
+* SuccessFactors example <br>
+  Assuming you want to map the attribute *endDate* from SuccessFactors which is in the format *M/d/yyyy hh:mm:ss tt* to *accountExpires* field in AD, here is how you can use this function and change the time zone offset to match your locale.
+  `NumFromDate(Join("",FormatDateTime([endDate],"M/d/yyyy hh:mm:ss tt","yyyy-MM-dd"),"T23:59:59-08:00"))`
+
+
 ---
 ### RemoveDuplicates
 **Function:**<br> 

articles/active-directory/privileged-identity-management/TOC.yml

@@ -67,7 +67,7 @@
         href: azure-ad-custom-roles-configure.md
     - name: View audit history
       href: pim-how-to-use-audit-log.md
-  - name: Manage Azure resource roles
+  - name: Manage Azure roles
     items:
     - name: Assign roles
       href: pim-resource-roles-assign-roles.md
@@ -97,7 +97,7 @@
         href: pim-how-to-perform-security-review.md
       - name: Complete an access review
         href: pim-how-to-complete-review.md
-    - name: Azure resource roles
+    - name: Azure roles
       items:
       - name: Create an access review
         href: pim-resource-roles-start-access-review.md

articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-membership-settings-type.png

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 09/17/2019
+ms.date: 01/05/2020
 ms.author: curtand
 ms.collection: M365-identity-device-management
 ---
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
 
 With Azure Active Directory (Azure AD), a Global administrator can make **permanent** Azure AD admin role assignments. These role assignments can be created using the [Azure portal](../users-groups-roles/directory-assign-admin-roles.md) or using [PowerShell commands](/powershell/module/azuread#directory_roles).
 
-The Azure AD Privileged Identity Management (PIM) service also allows Privileged Role Administrators to make permanent admin role assignments. Additionally, Privileged Role Administrators can make users **eligible** for Azure AD admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they're done.
+The Azure AD Privileged Identity Management (PIM) service also allows Privileged role administrators to make permanent admin role assignments. Additionally, Privileged role administrators can make users **eligible** for Azure AD admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they're done.
 
 ## Determine your version of PIM
 
@@ -56,19 +56,9 @@ Follow these steps to make a user eligible for an Azure AD admin role.
 
 1. Select a role you want to assign and then click **Select**.
 
-    The **Select a member or group** page opens.
+1. Select a member to whom you want to assign to the role and then select **Select**.
 
-1. Select a member or group you want to assign to the role and then select **Select**.
-
-    ![Select a member or group pane](./media/pim-resource-roles-assign-roles/resources-select-member-or-group.png)
-
-    The Membership settings pane opens.
-
-1. In the **Assignment type** list, select **Eligible** or **Active**.
-
-    ![Memberships settings pane](./media/pim-resource-roles-assign-roles/resources-membership-settings-type.png)
-
-    Privileged Identity Management for Azure resources provides two distinct assignment types:
+1. In the **Assignment type** list on the **Membership settings** pane, select **Eligible** or **Active**.
 
     - **Eligible** assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
 
@@ -78,14 +68,10 @@ Follow these steps to make a user eligible for an Azure AD admin role.
 
     Depending on the role settings, the check box might not appear or might be unmodifiable.
 
-1. To specify a specific assignment duration, clear the check box and modify the start and/or end date and time boxes.
+1. To specify a specific assignment duration, clear the check box and modify the start and/or end date and time boxes. When finished, select **Done**.
 
     ![Memberships settings - date and time](./media/pim-resource-roles-assign-roles/resources-membership-settings-date.png)
 
-1. When finished, select **Done**.
-
-    ![New assignment - Add](./media/pim-resource-roles-assign-roles/resources-new-assignment-add.png)
-
 1. To create the new role assignment, select **Add**. A notification of the status is displayed.
 
     ![New assignment - Notification](./media/pim-resource-roles-assign-roles/resources-new-assignment-notification.png)

articles/active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md

@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 11/13/2019
+ms.date: 02/05/2020
 ms.author: curtand
 ms.custom: pim
 ms.collection: M365-identity-device-management
@@ -38,12 +38,8 @@ Follow the steps in this article to approve or deny requests for Azure AD roles.
 Follow these steps to open the settings for an Azure AD role.
 
 1. Sign in to [Azure portal](https://portal.azure.com/) with a user in the [Privileged Role Administrator](../users-groups-roles/directory-assign-admin-roles.md#privileged-role-administrator) role.
-
-1. Open **Azure AD Privileged Identity Management**.
-
-1. Select **Azure AD roles**.
-
-1. Select **Role settings**.
+gt
+1. Open **Azure AD Privileged Identity Management** > **Azure AD roles** > **Role settings**.
 
     ![Role settings page listing Azure resource roles](./media/pim-resource-roles-configure-role-settings/resources-role-settings.png)
 
@@ -84,7 +80,7 @@ Privileged Identity Management provides optional enforcement of Azure Multi-Fact
 
 ### Require Multi-Factor Authentication on active assignment
 
-In some cases, you might want to assign a user or group to a role for a short duration (one day, for example). In this case, the assigned users don't need to request activation. In this scenario, Privileged Identity Management can't enforce multi-factor authentication when the user uses their role assignment because they are already active in the role from the time that it is assigned.
+In some cases, you might want to assign a user to a role for a short duration (one day, for example). In this case, the assigned users don't need to request activation. In this scenario, Privileged Identity Management can't enforce multi-factor authentication when the user uses their role assignment because they are already active in the role from the time that it is assigned.
 
 To ensure that the resource administrator fulfilling the assignment is who they say they are, you can enforce multi-factor authentication on active assignment by checking the **Require Multi-Factor Authentication on active assignment** box.
 
@@ -110,11 +106,11 @@ If you want to require approval to activate a role, follow these steps.
 
 1. Check the **Require approval to activate** check box.
 
-1. Select **Select approvers** to open the **Select a member or group** page.
+1. Select **Select approvers**.
 
     ![Select a user or group pane to select approvers](./media/pim-resource-roles-configure-role-settings/resources-role-settings-select-approvers.png)
 
-1. Select at least one user or group and then click **Select**. You can add any combination of users and groups. You must select at least one approver. There are no default approvers.
+1. Select at least one user and then click **Select**. You must select at least one approver. There are no default approvers.
 
     Your selections will appear in the list of selected approvers.
 
@@ -203,7 +199,7 @@ If you want to delegate the required approval to activate a role, follow these s
 
     ![Azure AD roles - Settings - Require approval](./media/pim-how-to-change-default-settings/pim-directory-roles-settings-require-approval-select-approvers.png)
 
-1. Select one or more approvers in addition to the Privileged role administrator and then click **Select**. You can select users or groups. We recommend that you add at least two approvers. Even if you add yourself as an approver, you can't self-approve a role activation. Your selections will appear in the list of selected approvers.
+1. Select one or more approvers in addition to the Privileged role administrator and then click **Select**. We recommend that you add at least two approvers. Even if you add yourself as an approver, you can't self-approve a role activation. Your selections will appear in the list of selected approvers.
 
 1. After you have specified your all your role settings, select **Save** to save your changes.
 

articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md

@@ -13,7 +13,7 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.topic: tutorial
-ms.date: 01/16/2020
+ms.date: 01/31/2020
 ms.author: jeedes
 
 ms.collection: M365-identity-device-management
@@ -62,7 +62,7 @@ To get started, you need the following items:
 In this tutorial, you configure and test Azure AD SSO in a test environment.
 
 * Amazon Web Services (AWS) supports **SP and IDP** initiated SSO
-* Once you configure the Amazon Web Services (AWS) you can enforce session controls, which protect exfiltration and infiltration of your organization’s sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad)
+* Once you configure Amazon Web Services (AWS) you can enforce Session Control, which protect exfiltration and infiltration of your organization’s sensitive data in real-time. Session Control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad)
 
 > [!NOTE]
 > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
@@ -372,9 +372,9 @@ When you click the Amazon Web Services (AWS) tile in the Access Panel, you shoul
 
 - [Try Amazon Web Services (AWS) with Azure AD](https://aad.portal.azure.com/)
 
-- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/protect-aws)
+- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
 
-- [How to protect Amazon Web Services (AWS) with advanced visibility and controls](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+- [How to protect Amazon Web Services (AWS) with advanced visibility and controls](https://docs.microsoft.com/cloud-app-security/protect-aws)
 
 [11]: ./media/amazon-web-service-tutorial/ic795031.png
 [12]: ./media/amazon-web-service-tutorial/ic795032.png
@@ -394,4 +394,4 @@ When you click the Amazon Web Services (AWS) tile in the Access Panel, you shoul
 [38]: ./media/amazon-web-service-tutorial/tutorial_amazonwebservices_createnewaccesskey.png
 [39]: ./media/amazon-web-service-tutorial/tutorial_amazonwebservices_provisioning_automatic.png
 [40]: ./media/amazon-web-service-tutorial/tutorial_amazonwebservices_provisioning_testconnection.png
-[41]: ./media/amazon-web-service-tutorial/tutorial_amazonwebservices_provisioning_on.png
+[41]: ./media/amazon-web-service-tutorial/tutorial_amazonwebservices_provisioning_on.png