Merge pull request #107085 from MicrosoftDocs/master

Merge Master to Live, 4 AM

Author: PMEds28

articles/active-directory-b2c/saml-issuer-technical-profile.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/09/2020
+ms.date: 03/10/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -67,6 +67,12 @@ The CryptographicKeys element contains the following attributes:
 
 To configure the Azure AD B2C SAML sessions between a relying party application, the attribute of the `UseTechnicalProfileForSessionManagement` element, reference to [SamlSSOSessionProvider](custom-policy-reference-sso.md#samlssosessionprovider) SSO session.
 
+## Next steps
+
+See the following article for example of using a SAML issuer technical profile:
+
+- [Register a SAML application in Azure AD B2C](connect-with-saml-service-providers.md)
+
 
 
 

articles/active-directory/authentication/concept-authentication-methods.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 08/16/2019
+ms.date: 03/09/2020
 
 ms.author: iainfou
 author: iainfoulds
@@ -153,25 +153,25 @@ Users may have a combination of up to five OATH hardware tokens or authenticator
 
 ## OATH hardware tokens (public preview)
 
-OATH is an open standard that specifies how one-time password (OTP) codes are generated. Azure AD will support the use of OATH-TOTP SHA-1 tokens of the 30-second or 60-second variety. Customers can procure these tokens from the vendor of their choice. Secret keys are limited to 128 characters, which may not be compatible with all tokens. The secret keys need to be encoded in Base32.
+OATH is an open standard that specifies how one-time password (OTP) codes are generated. Azure AD will support the use of OATH-TOTP SHA-1 tokens of the 30-second or 60-second variety. Customers can procure these tokens from the vendor of their choice. Secret keys are limited to 128 characters, which may not be compatible with all tokens. The secret key can only contain the characters *a-z* or *A-Z* and digits *1-7*, and must be encoded in Base32.
 
-![Uploading OATH tokens to the MFA Server OATH tokens blade](media/concept-authentication-methods/mfa-server-oath-tokens-azure-ad.png)
+![Uploading OATH tokens to the MFA OATH tokens blade](media/concept-authentication-methods/mfa-server-oath-tokens-azure-ad.png)
 
-OATH hardware tokens are being supported as part of a public preview. For more information about previews, see  [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)
+OATH hardware tokens are supported as part of a public preview. For more information about previews, see  [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)
 
-Once tokens are acquired they must be uploaded in a comma-separated values (CSV) file format including the UPN, serial number, secret key, time interval, manufacturer, and model as the example below shows.
+Once tokens are acquired they must be uploaded in a comma-separated values (CSV) file format including the UPN, serial number, secret key, time interval, manufacturer, and model as shown in the following example:
 
 ```csv
 upn,serial number,secret key,time interval,manufacturer,model
-[email protected],1234567,1234567890abcdef1234567890abcdef,60,Contoso,HardwareKey
+[email protected],1234567,1234567abcdef1234567abcdef,60,Contoso,HardwareKey
 ```
 
 > [!NOTE]
-> Make sure you include the header row in your CSV file as shown above.
+> Make sure you include the header row in your CSV file.
 
-Once properly formatted as a CSV file, an administrator can then sign in to the Azure portal and navigate to **Azure Active Directory**, **MFA Server**, **OATH tokens**, and upload the resulting CSV file.
+Once properly formatted as a CSV file, an administrator can then sign in to the Azure portal, navigate to **Azure Active Directory** > **Security** > **MFA** > **OATH tokens**, and upload the resulting CSV file.
 
-Depending on the size of the CSV file, it may take a few minutes to process. Click the **Refresh** button to get the current status. If there are any errors in the file, you will have the option to download a CSV file listing any errors for you to resolve.
+Depending on the size of the CSV file, it may take a few minutes to process. Click the **Refresh** button to get the current status. If there are any errors in the file, you will have the option to download a CSV file listing any errors for you to resolve. The field names in the downloaded CSV file are different than the uploaded version.
 
 Once any errors have been addressed, the administrator then can activate each key by clicking **Activate** for the token to be activated and entering the OTP displayed on the token.
 

articles/active-directory/authentication/tutorial-enable-sspr-writeback.md

@@ -41,6 +41,7 @@ To complete this tutorial, you need the following resources and privileges:
     * If needed, [complete the previous tutorial to enable Azure AD SSPR](tutorial-enable-sspr.md).
 * An existing on-premises AD DS environment configured with a current version of Azure AD Connect.
     * If needed, configure Azure AD Connect using the [Express](../hybrid/how-to-connect-install-express.md) or [Custom](../hybrid/how-to-connect-install-custom.md) settings.
+    * To use Password Writeback, your Domain Controllers must be Windows Server 2008 R2 or later.
 
 ## Configure account permissions for Azure AD Connect
 

articles/active-directory/conditional-access/concept-conditional-access-grant.md

@@ -64,7 +64,7 @@ Organizations can choose to use the device identity as part of their Conditional
 
 Organizations can require that an access attempt to the selected cloud apps needs to be made from an approved client app. These approved client apps support [Intune app protection policies](/intune/app-protection-policy) independent of any mobile-device management (MDM) solution.
 
-This setting applies to the following client apps:
+This setting applies to the following iOS and Android apps:
 
 - Microsoft Azure Information Protection
 - Microsoft Bookings
@@ -77,6 +77,7 @@ This setting applies to the following client apps:
 - Microsoft Invoicing
 - Microsoft Kaizala
 - Microsoft Launcher
+- Microsoft Office
 - Microsoft OneDrive
 - Microsoft OneNote
 - Microsoft Outlook

articles/active-directory/governance/entitlement-management-access-package-settings.md

@@ -39,7 +39,7 @@ As long as the catalog for the access package is [enabled for external users](en
 
     ![Access package overview - My Access portal link](./media/entitlement-management-shared/my-access-portal-link.png)
 
-    It is important that you copy the entire My Access portal link when sending it to an internal business partner. This ensures that the partner will get access to your directory's portal to make their request. The link starts with `myaccess`, includes a directory hint, and ends with an access package ID.
+    It is important that you copy the entire My Access portal link when sending it to an internal business partner. This ensures that the partner will get access to your directory's portal to make their request. The link starts with `myaccess`, includes a directory hint, and ends with an access package ID.  (For US Government, the domain in the My Access portal link will be `myaccess.microsoft.us`.)
 
     `https://myaccess.microsoft.com/@<directory_hint>#/access-packages/<access_package_id>`
 

articles/active-directory/governance/entitlement-management-access-reviews-review-access.md

@@ -45,7 +45,7 @@ Use the following steps to find and open the access review:
 
 1. Click the **Review user access** link to open the access review. 
 
-1. If you don’t have the email, you can find your pending access reviews by navigating directly to https://myaccess.microsoft.com.
+1. If you don’t have the email, you can find your pending access reviews by navigating directly to https://myaccess.microsoft.com.  (For US Government, use `https://myaccess.microsoft.us` instead.)
 
 1. Click **Access reviews** on the left navigation bar to see a list of pending access reviews assigned to you.
 

articles/active-directory/governance/entitlement-management-access-reviews-self-review.md

@@ -35,7 +35,7 @@ To do an access review, you must first open the access review. Use the following
 
 1. Click the **Review access** link.
 
-1. You can also go directly to https://myaccess.microsoft.com to find your pending access reviews if you don't receive an email.
+1. You can also go directly to https://myaccess.microsoft.com to find your pending access reviews if you don't receive an email.  (For US Government, use `https://myaccess.microsoft.us` instead.)
 
 1. Click **Access reviews** on the left navigation bar to see a list of pending access reviews assigned to you.
 

articles/active-directory/governance/entitlement-management-request-access.md

@@ -33,7 +33,7 @@ The first step is to sign in to the My Access portal where you can request acces
 
 **Prerequisite role:** Requestor
 
-1. Look for an email or a message from the project or business manager you are working with. The email should include a link to the access package you will need access to. The link starts with `myaccess`, includes a directory hint, and ends with an access package ID.
+1. Look for an email or a message from the project or business manager you are working with. The email should include a link to the access package you will need access to. The link starts with `myaccess`, includes a directory hint, and ends with an access package ID.  (For US Government, the domain may be `https://myaccess.microsoft.us` instead.)
 
     `https://myaccess.microsoft.com/@<directory_hint>#/access-packages/<access_package_id>`
 

articles/active-directory/governance/entitlement-management-request-approve.md

@@ -41,7 +41,7 @@ The first step to approve or deny access requests is to find and open the access
 
 If you don't have the email, you can find the access requests pending your approval by following these steps.
 
-1. Sign in to the My Access portal at [https://myaccess.microsoft.com](https://myaccess.microsoft.com).
+1. Sign in to the My Access portal at [https://myaccess.microsoft.com](https://myaccess.microsoft.com).  (For US Government, the domain in the My Access portal link will be `myaccess.microsoft.us`.)
 
 1. In the left menu, click **Approvals** to see a list of access requests pending approval.
 

articles/active-directory/identity-protection/howto-identity-protection-configure-notifications.md

@@ -24,9 +24,6 @@ Azure AD Identity Protection sends two types of automated notification emails to
 
 This article provides you with an overview of both notification emails.
 
->[!NOTE]
->Email notifications are available only in the public cloud and are not currently available in the US Government cloud.
-
 ## Users at risk detected email
 
 In response to a detected account at risk, Azure AD Identity Protection generates an email alert with **Users at risk detected** as subject. The email includes a link to the **[Users flagged for risk](../reports-monitoring/concept-user-at-risk.md)** report. As a best practice, you should immediately investigate the users at risk.