Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into heidist-skills

Author: HeidiSteen

.openpublishing.redirection.json

@@ -8,6 +8,9 @@ articles/chef/ @TomArcherMsft
 articles/jenkins/ @TomArcherMsft
 articles/terraform/ @TomArcherMsft
 
+# Requires Internal Review
+articles/best-practices-availability-paired-regions.md @jpconnock @arob98 @syntaxc4 @tysonn @snoviking
+
 # Governance
 articles/governance/ @DCtheGeek
 

CODEOWNERS

@@ -26,7 +26,10 @@ To safeguard access to sites, web browsers will introduce a new secure-by-defaul
 
 Developers must use the new cookie setting, `SameSite=None`, to designate cookies for cross-site access. When the `SameSite=None` attribute is present, an additional `Secure` attribute must be used so cross-site cookies can only be accessed over HTTPS connections. Validate and test all your applications, including those applications that use Azure AD B2C.
 
-For more information, see [Effect on customer websites and Microsoft services and products in Chrome version 80 or later](https://support.microsoft.com/help/4522904/potential-disruption-to-customer-websites-in-latest-chrome).
+For more information, see:
+
+* [Handle SameSite cookie changes in Chrome browser](../active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser.md)
+* [Effect on customer websites and Microsoft services and products in Chrome version 80 or later](https://support.microsoft.com/help/4522904/potential-disruption-to-customer-websites-in-latest-chrome)
 
 ## Cookies
 

articles/active-directory-b2c/cookie-definitions.md

@@ -190,6 +190,23 @@ If your previous computer certificate has expired, and a new certificate has bee
 > [!NOTE]
 > If you use your own certificates instead of generating certificates with the PowerShell script, make sure that they align to the NPS naming convention. The subject name must be **CN=\<TenantID\>,OU=Microsoft NPS Extension**. 
 
+### Microsoft Azure Government additional steps
+
+For customers that use Azure Government cloud, the following additional configuration steps are required on each NPS server:
+
+1. Open **Registry Editor** on the NPS server.
+1. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa`. Set the following key values:
+
+    | Registry key       | Value |
+    |--------------------|-----------------------------------|
+    | AZURE_MFA_HOSTNAME | adnotifications.windowsazure.us   |
+    | STS_URL            | https://login.microsoftonline.us/ |
+
+1. Repeat the previous two steps to set the registry key values for each NPS server.
+1. Restart the NPS service for each NPS server.
+
+    For minimal impact, take each NPS server out of the NLB rotation one at a time and wait for all connections to drain.
+
 ### Certificate rollover
 
 With release 1.0.1.32 of the NPS extension, reading multiple certificates is now supported. This capability will help facilitate rolling certificate updates prior to their expiration. If your organization is running a previous version of the NPS extension, you should upgrade to version 1.0.1.32 or higher.

articles/active-directory/authentication/howto-mfa-nps-extension.md

@@ -740,18 +740,18 @@
   items:
   - name: Glossary
     href: developer-glossary.md
-  - name: Azure roadmap
-    href: https://azure.microsoft.com/roadmap/?category=security-identity
+  - name: Videos
+    href: identity-videos.md
   - name: Azure AD blog
     href: https://cloudblogs.microsoft.com/enterprisemobility/?product=azure-active-directory
   - name: Microsoft identity platform developer blog
     href: https://developer.microsoft.com/en-us/identity/blogs/
+  - name: Azure roadmap
+    href: https://azure.microsoft.com/roadmap/?category=security-identity
   - name: Try Sign in with Microsoft
     href: https://azure.microsoft.com/develop/identity/signin/
+  - name: Managed identities for Azure resources
+    href: https://docs.microsoft.com/azure/active-directory/managed-service-identity/overview
   - name: Getting help
     displayName: support, help options
     href: developer-support-help-options.md
-  - name: Managed identities for Azure resources
-    href: https://docs.microsoft.com/azure/active-directory/managed-service-identity/overview
-  - name: Microsoft identity platform videos
-    href: identity-videos.md

articles/active-directory/develop/TOC.yml

@@ -44,7 +44,7 @@ The bearer token that's set in the header when the app is called holds informati
 Here's a C# code example that shows a client calling the API after it acquires a token with Microsoft Authentication Library for .NET (MSAL.NET):
 
 ```csharp
-var scopes = new[] {$"api://.../access_as_user}";
+var scopes = new[] {$"api://.../access_as_user"};
 var result = await app.AcquireToken(scopes)
                       .ExecuteAsync();
 

articles/active-directory/develop/scenario-protected-web-api-app-configuration.md

@@ -68,7 +68,7 @@ To view logs related to the Pass-through Authentication Agent, open the **Event
 
 ### Delete Authentication Agent trace log files
 
-You should regularly check the contents of <strong>%ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace\</strong> and delete the contents of this folder every 48 hours. 
+You should regularly check the contents of **%ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace** and delete the contents of this folder every 48 hours. 
 
 >[!IMPORTANT]
 >If the Authentication Agent service is running, you'll not be able to delete the current log file in the folder. Stop the service before trying again. To avoid user sign-in failures, you should have already configured Pass-through Authentication for [high availability](how-to-connect-pta-quick-start.md#step-4-ensure-high-availability).

articles/active-directory/hybrid/how-to-connect-pta-user-privacy.md

@@ -0,0 +1,147 @@
+---
+title: 'Tutorial: Configure Mixpanel for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Mixpanel.
+services: active-directory
+documentationcenter: ''
+author: Zhchia
+writer: Zhchia
+manager: beatrizd
+
+ms.assetid: 565cdc45-4377-4b70-870b-64edf3dcc92c
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: article
+ms.date: 01/24/2020
+ms.author: Zhchia
+---
+
+# Tutorial: Configure Mixpanel for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Mixpanel and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Mixpanel](https://mixpanel.com/pricing/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md). 
+
+
+## Capabilities supported
+> [!div class="checklist"]
+> * Create users in Mixpanel
+> * Remove users in Mixpanel when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Mixpanel
+> * Provision groups and group memberships in Mixpanel
+> * [Single sign-on](https://docs.microsoft.com/azure/active-directory/saas-apps/mixpanel-tutorial) to Mixpanel (recommended)
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant) 
+* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). 
+* An Enterprise level mixpanel organization
+* A mixpanel account with admin privileges on said org
+* SSO enabled within mixpanel with a claimed domain
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
+2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+3. Determine what data to [map between Azure AD and Mixpanel](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes). 
+
+## Step 2. Configure Mixpanel to support provisioning with Azure AD
+1. For setting up SSO and claiming a domain refer [this](https://help.mixpanel.com/hc/articles/360036428871-Single-Sign-On).
+2. After that you will need to generate a SCIM token in the SCIM tab of the access security section of your organization settings.
+![Mixpanel token](./media/mixpanel-provisioning-tutorial/mixpanelscim.png)
+
+
+## Step 3. Add Mixpanel from the Azure AD application gallery
+
+Add Mixpanel from the Azure AD application gallery to start managing provisioning to Mixpanel. If you have previously setup Mixpanel for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app). 
+
+## Step 4. Define who will be in scope for provisioning 
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts). 
+
+* When assigning users and groups to Mixpanel, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles. 
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts). 
+
+
+## Step 5. Configure automatic user provisioning to Mixpanel 
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for Mixpanel in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+	![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Mixpanel**.
+
+	![The Mixpanel link in the Applications list](common/all-applications.png)
+
+3. Select the **Provisioning** tab.
+
+	![Provisioning tab](common/provisioning.png)
+
+4. Set the **Provisioning Mode** to **Automatic**.
+
+	![Provisioning tab](common/provisioning-automatic.png)
+
+5. Under the **Admin Credentials** section, input your Mixpanel **Tenant URL** and **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to Mixpanel. If the connection fails, ensure your Mixpanel account has Admin permissions and try again.
+
+ 	![provisioning](./media/mixpanel-provisioning-tutorial/provisioning.png)
+
+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+	![Notification Email](common/provisioning-notification-email.png)
+
+7. Select **Save**.
+
+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Mixpanel**.
+
+9. Review the user attributes that are synchronized from Azure AD to Mixpanel in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Mixpanel for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Mixpanel API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+   |Attribute|Type|
+   |---|---|
+   |userName|String|
+   |displayName|String|
+
+10. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Mixpanel**.
+
+11. Review the group attributes that are synchronized from Azure AD to Mixpanel in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Mixpanel for update operations. Select the **Save** button to commit any changes.
+
+      |Attribute|Type|
+      |---|---|
+      |displayName|String|
+      |members|Reference|
+
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+
+13. To enable the Azure AD provisioning service for Mixpanel, change the **Provisioning Status** to **On** in the **Settings** section.
+
+	![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+14. Define the users and/or groups that you would like to provision to Mixpanel by choosing the desired values in **Scope** in the **Settings** section.
+
+	![Provisioning Scope](common/provisioning-scope.png)
+
+15. When you are ready to provision, click **Save**.
+
+	![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. 
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+
+## Additional resources
+
+* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)