Merge branch 'master' of https://github.com/microsoftdocs/azure-docs-pr into akv-reorg-working-branch

Author: msmbaldwin

articles/active-directory/authentication/TOC.yml

@@ -22,11 +22,7 @@
   items:
   - name: Authentication methods
     href: concept-authentication-methods.md
-  - name: Passwordless authentication
-    href: concept-authentication-passwordless.md
-  - name: Security information registration
-    href: concept-registration-mfa-sspr-combined.md
-  - name: Password reset
+  - name: Self-service password reset
     items:
     - name: How password reset works
       href: concept-sspr-howitworks.md
@@ -48,12 +44,16 @@
       href: https://docs.microsoft.com/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
     - name: FAQ
       href: multi-factor-authentication-faq.md
-  - name: Azure AD password protection
+  - name: Passwordless authentication
+    href: concept-authentication-passwordless.md
+  - name: Password protection
     items:
     - name: Eliminate weak passwords in the cloud
       href: concept-password-ban-bad.md
     - name: Eliminate weak passwords on-premises
       href: concept-password-ban-bad-on-premises.md
+  - name: Security information registration
+    href: concept-registration-mfa-sspr-combined.md
   - name: Resilient access controls
     href: concept-resilient-controls.md
 - name: How-to guides
@@ -100,28 +100,6 @@
         href: howto-mfa-nps-extension-rdg.md
       - name: VPN
         href: howto-mfa-nps-extension-vpn.md
-  - name: Security info registration
-    items:
-    - name: Enable combined registration
-      href: howto-registration-mfa-sspr-combined.md
-    - name: Troubleshoot combined registration
-      href: howto-registration-mfa-sspr-combined-troubleshoot.md
-  - name: Azure AD password protection
-    items:
-    - name: Plan and deploy on-premises
-      href: howto-password-ban-bad-on-premises-deploy.md
-    - name: Enable and configure on-premises
-      href: howto-password-ban-bad-on-premises-operations.md
-    - name: Monitor on-premises deployments
-      href: howto-password-ban-bad-on-premises-monitor.md
-    - name: Troubleshoot on-premises deployments
-      href: howto-password-ban-bad-on-premises-troubleshoot.md
-    - name: On-premises FAQs
-      href: howto-password-ban-bad-on-premises-faq.md
-    - name: On-premises agent version history
-      href: howto-password-ban-bad-on-premises-agent-versions.md
-  - name: Azure AD smart lockout
-    href: howto-password-smart-lockout.md
   - name: Passwordless
     items: 
       - name: Deploying passwordless
@@ -138,16 +116,38 @@
         href: howto-authentication-passwordless-phone.md
       - name: Windows Hello for Business
         href: https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification
+  - name: Security info registration
+    items:
+    - name: Enable combined registration
+      href: howto-registration-mfa-sspr-combined.md
+    - name: Troubleshoot combined registration
+      href: howto-registration-mfa-sspr-combined-troubleshoot.md
+  - name: On-premises password protection
+    items:
+    - name: Plan and deploy
+      href: howto-password-ban-bad-on-premises-deploy.md
+    - name: Enable and configure
+      href: howto-password-ban-bad-on-premises-operations.md
+    - name: Monitor
+      href: howto-password-ban-bad-on-premises-monitor.md
+    - name: Troubleshoot
+      href: howto-password-ban-bad-on-premises-troubleshoot.md
+    - name: FAQs
+      href: howto-password-ban-bad-on-premises-faq.md
+    - name: Agent version history
+      href: howto-password-ban-bad-on-premises-agent-versions.md
   - name: Use SMS-based authentication (preview)
     href: howto-authentication-sms-signin.md
+  - name: Azure AD smart lockout
+    href: howto-password-smart-lockout.md
   - name: Certificate-based authentication
     items:
     - name: Get started with certificate auth
       href: active-directory-certificate-based-authentication-get-started.md
       items:
-      - name: CBA on Android Devices
+      - name: Use on Android Devices
         href: active-directory-certificate-based-authentication-android.md
-      - name: CBA on iOS Devices
+      - name: Use on iOS Devices
         href: active-directory-certificate-based-authentication-ios.md
   - name: Reporting
     items:

articles/active-directory/azuread-dev/azure-ad-endpoint-comparison.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: azuread-dev
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 11/26/2019
+ms.date: 3/20/2020
 ms.author: ryanwi
 ms.reviewer: saeeda, hirsin, jmprieur, sureshja, jesakowi, lenalepa, kkrishna, negoe
 ms.custom: aaddev
@@ -33,7 +33,7 @@ When developing a new application, it's important to know the differences betwee
 
 The Microsoft identity platform endpoint allows you to write apps that accept sign-ins from personal Microsoft accounts, and work and school accounts. This gives you the ability to write your app completely account-agnostic. For example, if your app calls the [Microsoft Graph](https://graph.microsoft.io), some additional functionality and data will be available to work accounts, such as their SharePoint sites or directory data. But for many actions, such as [Reading a user's mail](https://docs.microsoft.com/graph/api/user-list-messages?view=graph-rest-1.0), the same code can access the email for both personal and work and school accounts.
 
-For Microsoft identity platform endpoint, you can use the Microsoft Authentication Library (MSAL) to gain access to the consumer, educational, and enterprise worlds. The Azure AD v1.0 endpoint accepts sign-ins from work and school accounts only.
+For the Microsoft identity platform endpoint ("v2.0"), you can use the Microsoft Authentication Library (MSAL) to gain access to the consumer, educational, and enterprise worlds. The Azure AD v1.0 endpoint accepts sign-ins from work and school accounts only.
 
 ## Incremental and dynamic consent
 
@@ -114,16 +114,16 @@ The Microsoft identity platform endpoint issues a smaller set of claims in its t
 
 ## Limitations
 
-There are a few restrictions to be aware of when using Microsoft identity platform.
+There are a few restrictions and improved security practices to be aware of when using Microsoft identity platform.
 
-When you build applications that integrate with the Microsoft identity platform, you need to decide whether the Microsoft identity platform endpoint and authentication protocols meet your needs. The v1.0 endpoint and platform is still fully supported and, in some respects, is more feature rich than Microsoft identity platform. However, Microsoft identity platform [introduces significant benefits](azure-ad-endpoint-comparison.md) for developers.
+When you build applications that integrate with the Microsoft identity platform, you need to decide whether the Microsoft identity platform endpoint and authentication protocols meet your needs. The v1.0 endpoint and platform is still fully supported and, in some respects, is more permissive and interoperable than Microsoft identity platform. However, Microsoft identity platform [introduces significant benefits](azure-ad-endpoint-comparison.md) for developers.
 
 Here's a simplified recommendation for developers now:
 
 * If you want or need to support personal Microsoft accounts in your application, or you're writing a new application, use Microsoft identity platform. But before you do, make sure you understand the limitations discussed in this article.
 * If you're migrating or updating an application that relies on SAML, you can't use Microsoft identity platform. Instead, refer to the [Azure AD v1.0 guide](v1-overview.md).
 
-The Microsoft identity platform endpoint will evolve to eliminate the restrictions listed here, so that you'll only ever need to use the Microsoft identity platform endpoint. In the meantime, use this article to determine whether the Microsoft identity platform endpoint is right for you. We'll continue to update this article to reflect the current state of the Microsoft identity platform endpoint. Check back to reevaluate your requirements against Microsoft identity platform capabilities.
+The Microsoft identity platform endpoint will evolve to eliminate the limitations listed here, so that you'll only ever need to use the Microsoft identity platform endpoint.  Your app may need to update to conform to best security practices however - those will not be relaxed on the Microsoft identity platform.  In the meantime, use this article to determine whether the Microsoft identity platform endpoint is right for you. We'll continue to update this article to reflect the current state of the Microsoft identity platform endpoint. Check back to reevaluate your requirements against Microsoft identity platform capabilities.
 
 ### Restrictions on app registrations
 
@@ -170,7 +170,7 @@ To learn how to register an app for use with Microsoft identity platform, see [R
 
 ### Restrictions on libraries and SDKs
 
-Currently, library support for the Microsoft identity platform endpoint is limited. If you want to use the Microsoft identity platform endpoint in a production application, you have these options:
+Currently, Microsoft-provided library support for the Microsoft identity platform endpoint is limited compared to the Azure AD v1.0 endpoint. If you want to use the Microsoft identity platform endpoint in a production application, you have these options:
 
 * If you're building a web application, you can safely use the generally available server-side middleware to do sign-in and token validation. These include the OWIN OpenID Connect middleware for ASP.NET and the Node.js Passport plug-in. For code samples that use Microsoft middleware, see the [Microsoft identity platform getting started](../develop/v2-overview.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json#getting-started) section.
 * If you're building a desktop or mobile application, you can use one of the Microsoft Authentication Libraries (MSAL). These libraries are generally available or in a production-supported preview, so it is safe to use them in production applications. You can read more about the terms of the preview and the available libraries in [authentication libraries reference](../develop/reference-v2-libraries.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json).
@@ -191,3 +191,7 @@ To better understand the scope of protocol functionality supported in the Micros
 #### SAML restrictions
 
 If you've used Active Directory Authentication Library (ADAL) in Windows applications, you might have taken advantage of Windows Integrated authentication, which uses the Security Assertion Markup Language (SAML) assertion grant. With this grant, users of federated Azure AD tenants can silently authenticate with their on-premises Active Directory instance without entering credentials. The SAML assertion grant isn't supported on the Microsoft identity platform endpoint.
+
+### Symmetric key security requirements
+
+While the Azure AD v1.0 endpoint supports the use of symmetric keys as custom signing keys and encryption keys, this is not a best practice and is discouraged.  The Microsoft identity platform enforces this best practice, and only allows the use of asymmetric keys. If your application is migrating to Microsoft identity platform from Azure AD v1.0, you should update your code to use asymmetric keys, upload proper keys for your application, and delete the symmetric keys on your application registration.  Only then should your application migrate to using Microsoft identity platform.

articles/active-directory/develop/quickstart-v2-aspnet-core-webapp.md

@@ -11,7 +11,7 @@ ms.topic: quickstart
 ms.workload: identity
 ms.date: 04/11/2019
 ms.author: jmprieur
-ms.custom: aaddev, identityplatformtop40 
+ms.custom: aaddev, identityplatformtop40, scenarios:getting-started, languages:aspnet-core
 #Customer intent: As an application developer, I want to know how to write an ASP.NET Core web app that can sign in personal accounts, as well as work and school accounts from any Azure Active Directory instance.
 ---
 

articles/active-directory/develop/quickstart-v2-netcore-daemon.md

@@ -12,7 +12,7 @@ ms.topic: quickstart
 ms.workload: identity
 ms.date: 07/16/2019
 ms.author: jmprieur
-ms.custom: aaddev, identityplatformtop40 
+ms.custom: aaddev, identityplatformtop40, scenarios:getting-started, languages:aspnet-core
 #Customer intent: As an application developer, I want to learn how my .NET Core app can get an access token and call an API that's protected by an Microsoft identity platform endpoint using client credentials flow.
 ---
 

articles/active-directory/manage-apps/application-proxy-connectors.md

@@ -148,12 +148,17 @@ To provide a secure service, connectors have to authenticate toward the service,
 
 The certificates used are specific to the Application Proxy service. They get created during the initial registration and are automatically renewed by the connectors every couple of months.
 
+After the first successful certificate renewal the Azure AD Application Proxy Connector service (Network Service) has no permission to remove the old certificate from the local machine store. If the certificate has expired or it won't be used by the service anymore, you can delete it safely.
+
+To avoid problems with the certificate renewal, ensure that the network communication from the connector towards the [documented destinations](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-add-on-premises-application#prepare-your-on-premises-environment) is enabled.
+
 If a connector is not connected to the service for several months, its certificates may be outdated. In this case, uninstall and reinstall the connector to trigger registration. You can run the following PowerShell commands:
 
 ```
 Import-module AppProxyPSModule
 Register-AppProxyConnector
 ```
+To learn more about how to verify the certificate and troubleshoot problems see [Verify Machine and backend components support for Application Proxy trust certificate](application-proxy-connector-installation-problem.md#verify-machine-and-backend-components-support-for-application-proxy-trust-certificate).
 
 ## Under the hood
 

articles/active-directory/saas-apps/toc.yml

@@ -1532,6 +1532,8 @@
         href: trakstar-tutorial.md
       - name: Trello
         href: trello-tutorial.md
+      - name: Trend Micro Web Security(TMWS)
+        href: trend-micro-tutorial.md
       - name: TripActions
         href: tripactions-tutorial.md
       - name: Trisotech Digital Enterprise Server