Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into release-marmalade

Author: v-alje

.openpublishing.redirection.json

@@ -51475,16 +51475,6 @@
       "redirect_url": "/azure/sql-database/sql-database-security-best-practice",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/healthcare-apis/configure-azure-rbac.md",
-      "redirect_url": "/azure/healthcare-apis/azure-api-for-fhir-additional-settings",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "articles/healthcare-apis/configure-local-rbac.md",
-      "redirect_url": "/azure/healthcare-apis/azure-api-for-fhir-additional-settings",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/media-services/previous/media-services-configure-tricaster-live-encoder.md",
       "redirect_url": "/azure/media-services",

articles/active-directory/app-provisioning/scim-graph-scenarios.md

@@ -99,8 +99,8 @@ My application is built into Microsoft Teams and relies on message data. In addi
 I need to be able to track changes to Teams and Outlook messages and react to them in real time. How can I get these changes pushed to my application?
 
 **Recommendation:** The Microsoft Graph provides [change notifications](https://docs.microsoft.com/graph/webhooks) and [change tracking](https://docs.microsoft.com/graph/delta-query-overview) for various resources. Note the following limitations of change notifications:
-- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost
-- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost
+- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost.
+- The order in which changes are received are not guaranteed to be chronological.
 - Change notifications don't always contain the [resource data](https://docs.microsoft.com/graph/webhooks-with-resource-data)
 For the reasons above, developers often use change notifications along with change tracking for synchronization scenarios. 
 

articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md

@@ -14,6 +14,7 @@ manager: daveba
 ms.reviewer: annaba
 
 ms.collection: M365-identity-device-management
+ms.custom: has-adal-ref
 ---
 # Get started with certificate-based authentication in Azure Active Directory
 
@@ -42,7 +43,7 @@ To configure certificate-based authentication, the following statements must be
 - A client certificate for client authentication must have been issued to your client.
 
 >[!IMPORTANT]
->The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds.  If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates. 
+>The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds.  If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates.
 
 ## Step 1: Select your device platform
 

articles/active-directory/authentication/howto-mfa-nps-extension-errors.md

@@ -14,6 +14,7 @@ manager: daveba
 ms.reviewer: michmcla
 
 ms.collection: M365-identity-device-management
+ms.custom: has-adal-ref
 ---
 # Resolve error messages from the NPS extension for Azure Multi-Factor Authentication
 
@@ -63,9 +64,9 @@ If you encounter errors with the NPS extension for Azure Multi-Factor Authentica
 
 Sometimes, your users may get messages from Multi-Factor Authentication because their authentication request failed. These aren't errors in the product of configuration, but are intentional warnings explaining why an authentication request was denied.
 
-| Error code | Error message | Recommended steps | 
+| Error code | Error message | Recommended steps |
 | ---------- | ------------- | ----------------- |
-| **OathCodeIncorrect** | Wrong code entered\OATH Code Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. | 
+| **OathCodeIncorrect** | Wrong code entered\OATH Code Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. |
 | **SMSAuthFailedMaxAllowedCodeRetryReached** | Maximum allowed code retry reached | The user failed the verification challenge too many times. Depending on your settings, they may need to be unblocked by an admin now.  |
 | **SMSAuthFailedWrongCodeEntered** | Wrong code entered/Text Message OTP Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. |
 

articles/active-directory/b2b/code-samples.md

@@ -12,7 +12,7 @@ ms.author: mimart
 author: msmimart
 manager: celestedg
 ms.reviewer: elisolMS
-ms.custom: "it-pro, seo-update-azuread-jan"
+ms.custom: it-pro, seo-update-azuread-jan, has-adal-ref
 ms.collection: M365-identity-device-management
 ---
 
@@ -23,7 +23,7 @@ You can bulk-invite external users to an organization from email addresses that
 
 1. Prepare the .CSV file
    Create a new CSV file and name it invitations.csv. In this example, the file is saved in C:\data, and contains the following information:
-  
+
    Name                  |  InvitedUserEmailAddress
    --------------------- | --------------------------
    Gmail B2B Invitee     | [email protected]
@@ -72,44 +72,44 @@ namespace SampleInviteApp
         /// Microsoft Graph resource.
         /// </summary>
         static readonly string GraphResource = "https://graph.microsoft.com";
- 
+
         /// <summary>
         /// Microsoft Graph invite endpoint.
         /// </summary>
         static readonly string InviteEndPoint = "https://graph.microsoft.com/v1.0/invitations";
- 
+
         /// <summary>
         ///  Authentication endpoint to get token.
         /// </summary>
         static readonly string EstsLoginEndpoint = "https://login.microsoftonline.com";
- 
+
         /// <summary>
         /// This is the tenantid of the tenant you want to invite users to.
         /// </summary>
         private static readonly string TenantID = "";
- 
+
         /// <summary>
         /// This is the application id of the application that is registered in the above tenant.
         /// The required scopes are available in the below link.
         /// https://developer.microsoft.com/graph/docs/api-reference/v1.0/api/invitation_post
         /// </summary>
         private static readonly string TestAppClientId = "";
- 
+
         /// <summary>
         /// Client secret of the application.
         /// </summary>
         private static readonly string TestAppClientSecret = @"";
- 
+
         /// <summary>
         /// This is the email address of the user you want to invite.
         /// </summary>
         private static readonly string InvitedUserEmailAddress = @"";
- 
+
         /// <summary>
         /// This is the display name of the user you want to invite.
         /// </summary>
         private static readonly string InvitedUserDisplayName = @"";
- 
+
         /// <summary>
         /// Main method.
         /// </summary>
@@ -119,7 +119,7 @@ namespace SampleInviteApp
             Invitation invitation = CreateInvitation();
             SendInvitation(invitation);
         }
- 
+
         /// <summary>
         /// Create the invitation object.
         /// </summary>
@@ -134,25 +134,25 @@ namespace SampleInviteApp
             invitation.SendInvitationMessage = true;
             return invitation;
         }
- 
+
         /// <summary>
         /// Send the guest user invite request.
         /// </summary>
         /// <param name="invitation">Invitation object.</param>
         private static void SendInvitation(Invitation invitation)
         {
             string accessToken = GetAccessToken();
- 
+
             HttpClient httpClient = GetHttpClient(accessToken);
- 
-            // Make the invite call. 
+
+            // Make the invite call.
             HttpContent content = new StringContent(JsonConvert.SerializeObject(invitation));
             content.Headers.Add("ContentType", "application/json");
             var postResponse = httpClient.PostAsync(InviteEndPoint, content).Result;
             string serverResponse = postResponse.Content.ReadAsStringAsync().Result;
             Console.WriteLine(serverResponse);
         }
- 
+
         /// <summary>
         /// Get the HTTP client.
         /// </summary>
@@ -170,15 +170,15 @@ namespace SampleInviteApp
                 httpClient.DefaultRequestHeaders.GetValues("client-request-id").Single());
             return httpClient;
         }
- 
+
         /// <summary>
         /// Get the access token for our application to talk to Microsoft Graph.
         /// </summary>
         /// <returns>Returns the access token for our application to talk to Microsoft Graph.</returns>
         private static string GetAccessToken()
         {
             string accessToken = null;
- 
+
             // Get the access token for our application to talk to Microsoft Graph.
             try
             {
@@ -194,10 +194,10 @@ namespace SampleInviteApp
                 Console.WriteLine("An exception was thrown while fetching the token: {0}.", ex);
                 throw;
             }
- 
+
             return accessToken;
         }
- 
+
         /// <summary>
         /// Invitation class.
         /// </summary>
@@ -207,17 +207,17 @@ namespace SampleInviteApp
             /// Gets or sets display name.
             /// </summary>
             public string InvitedUserDisplayName { get; set; }
- 
+
             /// <summary>
             /// Gets or sets display name.
             /// </summary>
             public string InvitedUserEmailAddress { get; set; }
- 
+
             /// <summary>
             /// Gets or sets a value indicating whether Invitation Manager should send the email to InvitedUser.
             /// </summary>
             public bool SendInvitationMessage { get; set; }
- 
+
             /// <summary>
             /// Gets or sets invitation redirect URL
             /// </summary>
@@ -231,4 +231,3 @@ namespace SampleInviteApp
 ## Next steps
 
 - [What is Azure AD B2B collaboration?](what-is-b2b.md)
-

articles/active-directory/conditional-access/TOC.yml

@@ -35,6 +35,8 @@
        href: concept-conditional-access-grant.md
      - name: Session
        href: concept-conditional-access-session.md
+  - name: Insights and reporting
+    href: howto-conditional-access-insights-reporting.md
   - name: Report-only mode
     href: concept-conditional-access-report-only.md
   - name: Service dependencies

articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md

@@ -0,0 +1,120 @@
+---
+title: Conditional Access insights and reporting workbook - Azure Active Directory
+description: Using the Azure AD Conditional Access insights and reporting workbook to troubleshoot policies
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: article
+ms.date: 04/30/2020
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
+ms.reviewer: dawoo
+
+ms.collection: M365-identity-device-management
+---
+# Conditional Access insights and reporting
+
+The Conditional Access insights and reporting workbook enables you to understand the impact of Conditional Access policies in your organization over time. During sign-in, one or more Conditional Access policies may apply, granting access if certain grant controls are satisfied or denying access otherwise. Because multiple Conditional Access policies may be evaluated during each sign-in, the insights and reporting workbook lets you examine the impact of an individual policy or a subset of all policies.  
+
+## Prerequisites
+
+To enable the insights and reporting workbook, your tenant must have a Log Analytics workspace to retain sign-in logs data. Users must have Azure AD Premium P1 or P2 licenses to use Conditional Access.
+
+The following roles can access insights and reporting:  
+
+- Conditional Access administrator 
+- Security reader 
+- Security administrator 
+- Global reader 
+- Global administrator 
+
+Users also need one of the following Log Analytics workspace roles:  
+
+- Reader 
+- Monitoring reader 
+- Log Analytics reader 
+- Contributor  
+- Owner 
+
+### Stream sign-in logs from Azure AD to Azure Monitor logs 
+
+If you have not integrated Azure AD logs with Azure Monitor logs, you will need to take the following steps before the workbook will load:  
+
+1. [Create a Log Analytics workspace in Azure Monitor](../../azure-monitor/learn/quick-create-workspace.md).
+1. [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
+
+## How it works 
+
+To access the insights and reporting workbook:  
+
+1. Sign in to the **Azure portal**.
+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Insights and reporting**.
+
+### Get started: Select parameters 
+
+The insights and reporting dashboard lets you see the impact of one or more Conditional Access policies over a specified period. Start by setting each of the parameters at the top of the workbook. 
+
+![Conditional Access Insights and Reporting dashboard in the Azure portal](./media/howto-conditional-access-insights-reporting/conditional-access-insights-and-reporting-dashboard.png)
+
+**Conditional Access policy**: Select one or more Conditional Access policies to view their combined impact. Policies are separated into two groups: Enabled and Report-only policies. By default, all Enabled policies are selected. These enabled policies are the policies currently enforced in your tenant.  
+
+**Time range**: Select a time range from 4 hours to as far back as 90 days. If you select a time range further back than when you integrated the Azure AD logs with Azure Monitor, only sign-ins after the time of integration will appear.  
+
+**User**: By default, the dashboard shows the impact of the selected policies for all users. To filter by an individual user, type the name of the user into the text field. To filter by all users, type “All users” into the text field or leave the parameter empty. 
+
+**App**: By default, the dashboard shows the impact of the selected policies for all apps. To filter by an individual app, type the name of the app into the text field. To filter by all apps, type “All apps” into the text field or leave the parameter empty. 
+
+**Data view**: Select whether you want the dashboard to show results in terms of the number of users or number of sign-ins. An individual user may have hundreds of sign-ins to many apps with many different outcomes during a given time range. If you select the data view to be users, a user could be included in both the Success and Failure counts (for example, if there are 10 users, 8 of them could have had a result of success in the past 30 days and 9 of them could have had a result of failure in the past 30 days).
+
+## Impact summary 
+
+Once the parameters have been set, the impact summary loads. The summary shows how many users or sign-ins during the time range resulted in “Success”, “Failure”, ”User action required” or “Not applied” when the selected policies were evaluated.  
+
+![Impact summary in the Conditional Access workbook](./media/howto-conditional-access-insights-reporting/workbook-impact-summary.png)
+
+**Total**: The number of users or sign-ins during the time period where at least one of the selected policies was evaluated.
+
+**Success**: The number of users or sign-ins during the time period where the combined result of the selected policies was “Success” or “Report-only: Success”.
+
+**Failure**: The number of users or sign-ins during the time period where the result of at least one of the selected policies was “Failure” or “Report-only: Failure”.
+
+**User action required**: The number of users or sign-ins during the time period where the combined result of the selected policies was “Report-only: User action required”. User action is required when an interactive grant control, such as multi-factor authentication is required by a report-only Conditional Access policy. Since interactive grant controls are not enforced by report-only policies, success or failure cannot be determined.  
+
+**Not applied**: The number of users or sign-ins during the time period where none of the selected policies applied.
+
+### Understanding the impact 
+
+![Workbook breakdown per condition and status](./media/howto-conditional-access-insights-reporting/workbook-breakdown-condition-and-status.png)
+
+View the breakdown of users or sign-ins for each of the conditions. You can filter the sign-ins of a particular result (for example, Success or Failure) by selecting on of the summary tiles at the top of the workbook. You can see the breakdown of sign-ins for each of the Conditional Access conditions: device state, device platform, client app, location, application, and sign-in risk.  
+
+## Sign-in details 
+
+![Workbook sign-in details](./media/howto-conditional-access-insights-reporting/workbook-sign-in-details.png)
+
+You can also investigate the sign-ins of a specific user by searching for sign-ins at the bottom of the dashboard. The query on the left displays the most frequent users. Selecting a user will filter the query to the right.  
+
+## Troubleshooting
+
+### Why is the workbook taking a long time to load?  
+
+Depending on the time range selected and the size of your tenant, the workbook may be evaluating an extraordinarily large number of sign-in events. For large tenants, the volume of sign-ins may exceed the query capacity of Log Analytics. Try shortening the time range to 4 hours to see if the workbook loads.  
+
+### After loading for a few minutes, why is the workbook returning zero results? 
+
+When the volume of sign-ins exceeds the query capacity of Log Analytics, the workbook will return zero results. Try shortening the time range to 4 hours to see if the workbook loads.  
+
+### Can I save my parameter selections?  
+
+You can save your parameter selections at the top of the workbook by going to **Azure Active Directory** > **Workbooks** > **Conditional Access Insights and reporting**. Here you will find the workbook template, where you can edit the workbook and save a copy to your workspace, including the parameter selections, in **My reports** or **Shared reports**. 
+
+### Can I edit and customize the workbook with additional queries? 
+
+You can edit and customize the workbook by going to **Azure Active Directory** > **Workbooks** > **Conditional Access Insights and reporting**. Here you will find the workbook template, where you can edit the workbook and save a copy to your workspace, including the parameter selections, in **My reports** or **Shared reports**. To start editing the queries, click **Edit** at the top of the workbook.  
+ 
+## Next steps
+
+[Conditional Access report-only mode](concept-conditional-access-report-only.md)