Commit 6238439

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into PrivateLink1
2 parents a0dea8c + 7b9b354 commit 6238439

527 files changed

+6344
-8428
lines changed

.openpublishing.redirection.json

Lines changed: 20 additions & 0 deletions
@@ -992,6 +992,11 @@
992992
"redirect_url": "/azure/machine-learning/service/how-to-configure-environment",
993993
"redirect_document_id": false
994994
},
995+
{
996+
"source_path": "articles/firewall/public-preview.md",
997+
"redirect_url": "/azure/firewall/overview",
998+
"redirect_document_id": false
999+
},
9951000
{
9961001
"source_path": "articles/frontdoor/waf-faq.md",
9971002
"redirect_url": "/azure/web-application-firewall/afds/waf-faq",
@@ -12367,6 +12372,21 @@
1236712372
"redirect_url": "/azure/cosmos-db/sql-api-sdk-java",
1236812373
"redirect_document_id": true
1236912374
},
12375+
{
12376+
"source_path": "articles/cosmos-db/logging.md",
12377+
"redirect_url": "/azure/cosmos-db/monitor-cosmos-db.md",
12378+
"redirect_document_id": false
12379+
},
12380+
{
12381+
"source_path": "articles/cosmos-db/cosmos-db-azure-monitor-metrics.md",
12382+
"redirect_url": "/azure/cosmos-db/monitor-cosmos-db.md",
12383+
"redirect_document_id": false
12384+
},
12385+
{
12386+
"source_path": "articles/cosmos-db/monitor-accounts.md",
12387+
"redirect_url": "/azure/cosmos-db/monitor-cosmos-db.md",
12388+
"redirect_document_id": false
12389+
},
1237012390
{
1237112391
"source_path": "articles/iot-suite/iot-suite-v1-connecting-devices-linux.md",
1237212392
"redirect_url": "https://docs.microsoft.com/previous-versions/azure/iot-suite/iot-suite-v1-connecting-devices-linux",
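Review bot: The three new Cosmos DB entries (new lines 12377, 12382 and 12387) set `redirect_url` to `/azure/cosmos-db/monitor-cosmos-db.md`, with a `.md` suffix, while the other site-relative targets visible in this file are extensionless (`/azure/cosmos-db/sql-api-sdk-java`, `/azure/firewall/overview`). Drop the suffix so the targets follow the same form, i.e. `"redirect_url": "/azure/cosmos-db/monitor-cosmos-db"`, and confirm the redirect resolves after publishing.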

articles/active-directory/authentication/concept-password-ban-bad.md

Lines changed: 1 addition & 1 deletion
@@ -165,7 +165,7 @@ Since this password is at least five (5) points, it is accepted.
165165
| Users synchronized from on-premises Windows Server Active Directory | Azure AD Premium P1 or P2 | Azure AD Premium P1 or P2 |
166166

167167
> [!NOTE]
168-
> On-premises Windows Server Active Directory users that not synchronized to Azure Active Directory also avail the benefits of Azure AD password protection based on existing licensing for synchronized users.
168+
> On-premises Windows Server Active Directory users that are not synchronized to Azure Active Directory also benefits from Azure AD password protection based on existing licensing for synchronized users.
169169
170170
Additional licensing information, including costs, can be found on the [Azure Active Directory pricing site](https://azure.microsoft.com/pricing/details/active-directory/).
171171
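Review bot: Subject-verb agreement is still off in the rewritten note at new line 168: the subject is "users", so "also benefits from" should read "also benefit from". The other half of the rewording ("that are not synchronized") is a correct fix.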

articles/active-directory/develop/v2-oauth-ropc.md

Lines changed: 5 additions & 2 deletions
@@ -20,9 +20,12 @@ ms.custom: aaddev
2020
ms.collection: M365-identity-device-management
2121
---
2222

23-
# Microsoft identity platform and the OAuth 2.0 resource owner password credential
23+
# Microsoft identity platform and the OAuth 2.0 Resource Owner Password Credentials
2424

25-
Microsoft identity platform supports the [resource owner password credential (ROPC) grant](https://tools.ietf.org/html/rfc6749#section-4.3), which allows an application to sign in the user by directly handling their password. The ROPC flow requires a high degree of trust and user exposure and you should only use this flow when other, more secure, flows can't be used.
25+
Microsoft identity platform supports the [OAuth 2.0 Resource Owner Password Credentials (ROPC) grant](https://tools.ietf.org/html/rfc6749#section-4.3), which allows an application to sign in the user by directly handling their password.
26+
27+
> [!WARNING]
28+
> Microsoft recommends you do _not_ use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.
2629
2730
> [!IMPORTANT]
2831
>
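Review bot: The new warning at line 28 says the flow "carries risks which are not present in other flows" without naming any, and its second and last sentences repeat each other ("more secure alternatives are available and recommended" and "only use this flow when other more secure flows can't be used"). Name the concrete risk the intro at line 25 already gives, that the application handles the user's password directly, and merge the two recommendations into one sentence.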

articles/active-directory/devices/faq.md

Lines changed: 1 addition & 1 deletion
@@ -117,7 +117,7 @@ See below on how these actions can be rectified.
117117

118118
### Q: Does Windows 10 device registration in Azure AD support TPMs in FIPS mode?
119119

120-
**A:** No, currently device registration on Windows 10 for all device states - Hybrid Azure AD join, Azure AD join, and Azure AD registered - does not support TPMs in FIPS mode. To successfully join or register to Azure AD, FIPS mode needs to be turned off for the TPMs on those devices
120+
**A:** Windows 10 device registration only supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with Azure AD join or Hybrid Azure AD join. Note that Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Please contact your hardware OEM for support.
121121

122122
---
123123
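Review bot: The replacement answer at new line 120 no longer answers the yes/no question in the heading, and two phrases need fixing: "device registration only supported" is missing "is", and "you must disable them" does not say whether "them" means the TPMs or FIPS mode (the next sentence talks about disabling FIPS mode). The removed line said FIPS mode was unsupported for all device states, including Azure AD registered; the new text states support for FIPS-compliant TPM 2.0 and only mentions Azure AD join and Hybrid Azure AD join, so open with a direct answer and say explicitly what applies to Azure AD registered devices.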

articles/active-directory/devices/hybrid-azuread-join-plan.md

Lines changed: 2 additions & 1 deletion
@@ -90,7 +90,8 @@ If your Windows 10 domain joined devices are [Azure AD registered](overview.md#g
9090
- You can prevent your domain joined device from being Azure AD registered by adding this registry key - HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001.
9191
- In Windows 10 1803, if you have Windows Hello for Business configured, the user needs to re-setup Windows Hello for Business after the dual state clean up.This issue has been addressed with KB4512509
9292

93-
93+
> [!NOTE]
94+
> The Azure AD registered device will not be automatically removed if it is managed by Intune.
9495
9596
## Review controlled validation of hybrid Azure AD join
9697
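Review bot: The note added at lines 93-94 says the Azure AD registered device "will not be automatically removed if it is managed by Intune" but stops there; say what the administrator should do with the leftover registration in that case, or link to the procedure. While this block is being edited, the context bullet at line 91 has a missing space in "clean up.This issue" and no closing period after KB4512509.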

articles/active-directory/manage-apps/use-scim-to-provision-users-and-groups.md

Lines changed: 18 additions & 0 deletions
@@ -1308,6 +1308,24 @@ Once the initial cycle has started, you can select **Provisioning logs** in the
13081308

13091309
If you're building an application that will be used by more than one tenant, you can make it available in the Azure AD application gallery. This will make it easy for organizations to discover the application and configure provisioning. Publishing your app in the Azure AD gallery and making provisioning available to others is easy. Check out the steps [here](https://docs.microsoft.com/azure/active-directory/develop/howto-app-gallery-listing). Microsoft will work with you to integrate your application into our gallery, test your endpoint, and release onboarding [documentation](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list) for customers to use.
13101310

1311+
1312+
### Authorization for provisioning connectors in the application gallery
1313+
The SCIM spec does not define a SCIM-specific scheme for authentication and authorization. It relies on the use of existing industry standards. The Azure AD provisioning client supports two authorization methods for applications in the gallery.
1314+
1315+
**OAuth authorization code grant flow:** The provisioning service supports the [authorization code grant](https://tools.ietf.org/html/rfc6749#page-24). After submitting your request for publishing your app in the gallery, our team will work with you to collect the following information:
1316+
* Authorization URL: A URL by the client to obtain authorization from the resource owner via user-agent redirection. The user is redirected to this URL to authorize access.
1317+
* Token exchange URL: A URL by the client to exchange an authorization grant for an access token, typically with client authentication.
1318+
* Client ID: The authorization server issues the registered client a client identifier, which is a unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and **must not** be used alone for client authentication.
1319+
* Client secret: The client secret is a secret generated by the authorization server. It should be a unique value known only to the authorization server.
1320+
1321+
Best practices (recommended but not required):
1322+
* Support multiple redirect URLs. Administrators can configure provisioning from both "portal.azure.com" and "aad.portal.azure.com". Supporting multiple redirect URLs will ensure that users can authorize access from either portal.
1323+
* Support multiple secrets to ensure smooth secret renewal, without downtime.
1324+
1325+
**Long lived OAuth bearer tokens:** If your application does not support the OAuth authorization code grant flow, you can also generate a long lived OAuth bearer token than that an administrator can use to setup the provisioning integration. The token should be perpetual, or else the provisioning job will be [quarantined](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status) when the token expires. This token must be below 1KB in size.
1326+
1327+
For additional authentication and authorization methods, let us know on [UserVoice](https://aka.ms/appprovisioningfeaturerequest).
1328+
13111329
### Allow IP addresses used by the Azure AD provisioning service to make SCIM requests
13121330

13131331
Certain apps allow inbound traffic to their app. In order for the Azure AD provisioning service to function as expected, the IP addresses used must be allowed. For a list of IP addresses for each service tag/region, see the JSON file - [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). You can download and program these IPs into your firewall as needed. The reserved IP ranges for Azure AD provisioning can be found under "AzureActiveDirectoryDomainServices."
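Review bot: The "Client secret" bullet at new line 1319 says the value is "known only to the authorization server", but the client has to hold it as well in order to authenticate at the token exchange URL; say it is shared only between the authorization server and the registered client. At line 1325, "The token should be perpetual" recommends a non-expiring bearer token with no guidance on how it is stored, scoped or revoked; add that guidance, or state that the authorization code grant is the preferred option and the long-lived token is the fallback. Wording: "A URL by the client" (lines 1316 and 1317) is missing "used", "than that an administrator" (line 1325) should be "that an administrator", "setup" as a verb should be "set up", and the RFC link at line 1315 uses `#page-24` where the ROPC article changed in this same commit links by section (`#section-4.3`).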

articles/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-arm.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
---
2-
title: How to create and delete a user-assigned managed identity using Azure Resource Manager
2+
title: Create & delete a user-assigned managed identity using Azure Resource Manager
33
description: Step by step instructions on how to create and delete user-assigned managed identities using Azure Resource Manager.
44
services: active-directory
55
documentationcenter:
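Review bot: The new title at line 2 lacks the "- Azure AD" suffix that the CLI, portal and PowerShell titles changed in this same commit all carry. Add it for consistency, e.g. `title: Create & delete a user-assigned managed identity using Azure Resource Manager - Azure AD`, if the resulting length is acceptable for the title field.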

articles/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
---
2-
title: How to manage a user-assigned managed identity using Azure CLI
2+
title: Manage user-assigned managed identity - Azure CLI - Azure AD
33
description: Step by step instructions on how to create, list and delete a user-assigned managed identity using the Azure CLI.
44
services: active-directory
55
documentationcenter:
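Review bot: The new title at line 2 drops the article ("Manage user-assigned managed identity") and uses a "- Azure CLI - Azure AD" pattern, while the portal title in this commit keeps "a user-assigned managed identity" and names the tool inside the phrase ("in the Azure portal"). Pick one pattern for the four sibling articles, e.g. "Manage a user-assigned managed identity using the Azure CLI - Azure AD".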

articles/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
---
2-
title: How to manage a user-assigned managed identity using the Azure portal
2+
title: Manage a user-assigned managed identity in the Azure portal - Azure AD
33
description: Step by step instructions on how to create, list, delete and assign a role to a user-assigned managed identity.
44
services: active-directory
55
documentationcenter:

articles/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-powershell.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
---
2-
title: How to create, list and delete a user-assigned managed identity using Azure PowerShell
2+
title: Create, list & delete user-assigned managed identity using Azure PowerShell - Azure AD
33
description: Step by step instructions on how to create, list and delete user-assigned managed identity using Azure PowerShell.
44
services: active-directory
55
documentationcenter:
