Merge pull request #98275 from MicrosoftDocs/master

12/06 PM Publish

Author: huypub

.openpublishing.redirection.json

@@ -1942,11 +1942,6 @@
       "redirect_url": "/azure/cosmos-db/sql-api-get-started",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/search/search-traffic-analytics.md",
-      "redirect_url": "/azure/search/search-monitor-usage",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/search/knowledge-store-howto.md",
       "redirect_url": "/azure/search/knowledge-store-create-rest",

articles/active-directory-b2c/b2clogin.md

@@ -1,5 +1,5 @@
 ---
-title: Set redirect URLs to b2clogin.com - Azure Active Directory B2C
+title: Migrate applications and APIs to b2clogin.com - Azure AD B2C
 description: Learn about using b2clogin.com in your redirect URLs for Azure Active Directory B2C.
 services: active-directory-b2c
 author: mmacy
@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 08/17/2019
+ms.date: 12/04/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -17,6 +17,16 @@ ms.subservice: B2C
 
 When you set up an identity provider for sign-up and sign-in in your Azure Active Directory B2C (Azure AD B2C) application, you need to specify a redirect URL. You should no longer reference *login.microsoftonline.com* in your applications and APIs. Instead, use *b2clogin.com* for all new applications, and migrate existing applications from *login.microsoftonline.com* to *b2clogin.com*.
 
+## Deprecation of login.microsoftonline.com
+
+On 04 December 2019, we announced the scheduled retirement of login.microsoftonline.com support in Azure AD B2C on **04 December 2020**:
+
+[Azure Active Directory B2C is deprecating login.microsoftonline.com](https://azure.microsoft.com/updates/b2c-deprecate-msol/)
+
+The deprecation of login.microsoftonline.com goes into effect for all Azure AD B2C tenants on 04 December 2020, providing existing tenants one (1) year to migrate to b2clogin.com. New tenants created after 04 December 2019 will not accept requests from login.microsoftonline.com. All functionality remains the same on the b2clogin.com endpoint.
+
+The deprecation of login.microsoftonline.com does not impact Azure Active Directory tenants. Only Azure Active Directory B2C tenants are affected by this change.
+
 ## Benefits of b2clogin.com
 
 When you use *b2clogin.com* as your redirect URL:
@@ -68,6 +78,10 @@ For example, the authority endpoint for Contoso's sign-up/sign-in policy would n
 https://contosob2c.b2clogin.com/00000000-0000-0000-0000-000000000000/B2C_1_signupsignin1
 ```
 
+For information about migrating OWIN-based web applications to b2clogin.com, see [Migrate an OWIN-based web API to b2clogin.com](multiple-token-endpoints.md).
+
+For migrating Azure API Management APIs protected by Azure AD B2C, see the [Migrate to b2clogin.com](secure-api-management.md#migrate-to-b2clogincom) section of [Secure an Azure API Management API with Azure AD B2C](secure-api-management.md).
+
 ## Microsoft Authentication Library (MSAL)
 
 ### ValidateAuthority property
@@ -92,6 +106,12 @@ this.clientApplication = new UserAgentApplication(
 );
 ```
 
+## Next steps
+
+For information about migrating OWIN-based web applications to b2clogin.com, see [Migrate an OWIN-based web API to b2clogin.com](multiple-token-endpoints.md).
+
+For migrating Azure API Management APIs protected by Azure AD B2C, see the [Migrate to b2clogin.com](secure-api-management.md#migrate-to-b2clogincom) section of [Secure an Azure API Management API with Azure AD B2C](secure-api-management.md).
+
 <!-- LINKS - External -->
 [msal-dotnet]: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
 [msal-dotnet-b2c]: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics

articles/active-directory/authentication/howto-mfa-userstates.md

@@ -49,7 +49,10 @@ User accounts in Azure Multi-Factor Authentication have the following three dist
 
 A user's state reflects whether an admin has enrolled them in Azure MFA, and whether they completed the registration process.
 
-All users start out *Disabled*. When you enroll users in Azure MFA, their state changes to *Enabled*. When enabled users sign in and complete the registration process, their state changes to *Enforced*.  
+All users start out *Disabled*. When you enroll users in Azure MFA, their state changes to *Enabled*. When enabled users sign in and complete the registration process, their state changes to *Enforced*.
+
+> [!NOTE]
+> If MFA is re-enabled on a user object that already has registration details, such as phone or email, then administrators need to have that user re-register MFA via Azure portal or PowerShell. If the user doesn't re-register, their MFA state doesn't transition from *Enabled* to *Enforced* in MFA management UI.
 
 ### View the status for a user
 
@@ -176,6 +179,8 @@ Get-MsolUser -All | Set-MfaState -State Disabled
 
 > [!NOTE]
 > We recently changed the behavior and PowerShell script above accordingly. Previously, the script saved off the MFA methods, disabled MFA, and restored the methods. This is no longer necessary now that the default behavior for disable doesn't clear the methods.
+>
+> If MFA is re-enabled on a user object that already has registration details, such as phone or email, then administrators need to have that user re-register MFA via Azure portal or PowerShell. If the user doesn't re-register, their MFA state doesn't transition from *Enabled* to *Enforced* in MFA management UI.
 
 ## Next steps
 

articles/active-directory/cloud-provisioning/what-is-cloud-provisioning.md

@@ -29,7 +29,7 @@ With Azure AD Connect cloud provisioning, provisioning from AD to Azure AD is or
 
 The following table provides a comparison between Azure AD Connect and Azure AD Connect cloud provisioning:
 
-| Feature | Azure Active Directory Connect synch| Azure Active Directory Connect cloud provisioning |
+| Feature | Azure Active Directory Connect sync| Azure Active Directory Connect cloud provisioning |
 |:--- |:---:|:---:|
 |Connect to single on-premises AD forest|● |● |
 | Connect to multiple on-premises AD forests |● |● |

articles/active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md

@@ -1,5 +1,5 @@
 ---
-title: Add app roles in your Azure Active Directory-registered app and receive them in the token 
+title: Add app roles and get them from a token | Azure
 titleSuffix: Microsoft identity platform
 description: Learn how to add app roles in an application registered in Azure Active Directory, assign users and groups to these roles and receive them in the `roles` claim in the token.
 services: active-directory

articles/active-directory/develop/howto-app-gallery-listing.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 09/16/2019
+ms.date: 12/06/2019
 ms.author: ryanwi
 ms.reviewer: jeedes
 ms.custom: aaddev, seoapril2019
@@ -39,6 +39,10 @@ This article shows how to list an application in the Azure Active Directory (Azu
 - For password SSO, make sure that your application supports form authentication so that password vaulting can be done to get single sign-on to work as expected.
 - You need a permanent account for testing with at least two users registered.
 
+**How to get Azure AD for developers?**
+
+You can get a free test account with all the premium Azure AD features - 90 days free and can get extended as long as you do dev work with it: https://docs.microsoft.com/office/developer-program/office-365-developer-program
+
 ## Submit the request in the portal
 
 After you've tested that your application integration works with Azure AD, submit your request for access in the [Application Network portal](https://microsoft.sharepoint.com/teams/apponboarding/Apps). If you have an Office 365 account, use that to sign in to this portal. If not, use your Microsoft account, such as Outlook or Hotmail, to sign in.
@@ -57,6 +61,26 @@ Our team reviews the details and gives you access accordingly. After your reques
 
 ![Submit Request (ISV) tile on home page](./media/howto-app-gallery-listing/homepage.png)
 
+## Issues on logging into portal
+
+If you are seeing this error while logging in then here are the detail on the issue and this is how you can fix it.
+
+* If your sign-in was blocked as shown below:
+
+  ![issues resolving application in the gallery](./media/howto-app-gallery-listing/blocked.png)
+
+**What’s happening:**
+
+The guest user is federated to a home tenant which is also an Azure AD. The guest user is at High risk. Microsoft doesn’t allow High risk users to access its resources. All High risk users (employees or guests / vendors) must remediate / close their risk to access Microsoft resources. For guest users, this user risk comes from the home tenant and the policy comes from the resource tenant (Microsoft in this case).
+ 
+**Secure solutions:**
+
+* MFA registered guest users remediate their own user risk. This can be done by the guest user performing a secured password change or reset (https://aka.ms/sspr) at their home tenant (this needs MFA and SSPR at the home tenant). The secured password change or reset must be initiated on Azure AD and not on-prem.
+
+* Guest users have their admins remediate their risk. In this case, the admin will perform a password reset (temporary password generation). This does not need Identity Protection. The guest user’s admin can go to https://aka.ms/RiskyUsers and click on ‘Reset password’.
+
+* Guest users have their admins close / dismiss their risk. Again, this does not need Identity Protection. The admin can go to https://aka.ms/RiskyUsers and click on ‘Dismiss user risk’. However, the admin must do the due diligence to ensure this was a false positive risk assessment before closing the user risk. Otherwise, they are putting their and Microsoft’s resources at risk by suppressing a risk assessment without investigation.
+
 > [!NOTE]
 > If you have any issues with access, contact the [Azure AD SSO Integration Team](<mailto:[email protected]>).
 
@@ -76,6 +100,7 @@ To list an application in the Azure AD app gallery, you first need to implement
   ![Listing a SAML 2.0 or WS-Fed application in the gallery](./media/howto-app-gallery-listing/saml.png)
 
   * If you want to add your application to list in the gallery by using **SAML 2.0** or **WS-Fed**, select **SAML 2.0/WS-Fed** as shown.
+
   * If you have any issues with access, contact the [Azure AD SSO Integration Team](<mailto:[email protected]>).
 
 ## Implement SSO by using the password SSO

articles/active-directory/develop/media/howto-app-gallery-listing/blocked.png

@@ -1,5 +1,5 @@
 ---
-title: Understand  the Android Microsoft Authentication Library (MSAL) configuration file 
+title: Android Microsoft Authentication Library config file | Azure
 titleSuffix: Microsoft identity platform
 description: An overview of the Android Microsoft Authentication Library (MSAL) configuration file, which represents an application's configuration in Azure Active Directory.
 services: active-directory
@@ -20,9 +20,9 @@ ms.reviewer: shoatman
 ms.collection: M365-identity-device-management
 ---
 
-# Android Microsoft Authentication Library (MSAL) configuration file
+# Android Microsoft Authentication Library configuration file
 
-MSAL ships with a [default configuration JSON file](https://github.com/AzureAD/microsoft-authentication-library-for-android/blob/dev/msal/src/main/res/raw/msal_default_config.json) that you customize to define the behavior of your public client app for things such as the default authority, which authorities you'll use, and so on.
+The Android Microsoft Authentication Library (MSAL) ships with a [default configuration JSON file](https://github.com/AzureAD/microsoft-authentication-library-for-android/blob/dev/msal/src/main/res/raw/msal_default_config.json) that you customize to define the behavior of your public client app for things such as the default authority, which authorities you'll use, and so on.
 
 This article will help you understand the various settings in the configuration file and how to specify the configuration file to use in your MSAL-based app.
 

articles/active-directory/develop/msal-configuration.md

@@ -1,5 +1,5 @@
 ---
-title: Avoid page reloads (Microsoft Authentication Library for JavaScript) 
+title: Avoid page reloads (MSAL.js) | Azure
 titleSuffix: Microsoft identity platform
 description: Learn how to avoid page reloads when acquiring and renewing tokens silently using the Microsoft Authentication Library for JavaScript (MSAL.js).
 services: active-directory

articles/active-directory/develop/msal-js-avoid-page-reloads.md

@@ -1,5 +1,5 @@
 ---
-title: Initialize client applications (Microsoft Authentication Library for JavaScript) 
+title: Initialize MSAL.js client apps | Azure
 titleSuffix: Microsoft identity platform
 description: Learn about initializing client applications using the Microsoft Authentication Library for JavaScript (MSAL.js).
 services: active-directory