Commit 6e66cac

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into us1645361g
2 parents 350c471 + 968ee36 commit 6e66cac

313 files changed

+4539
-948
lines changed

articles/active-directory/develop/service-to-service.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ ms.workload: identity
1313
ms.tgt_pltfrm: na
1414
ms.devlang: na
1515
ms.topic: conceptual
16-
ms.date: 09/24/2018
16+
ms.date: 11/20/2019
1717
ms.author: ryanwi
1818
ms.reviewer: saeeda, jmprieur, andret
1919
ms.custom: aaddev
@@ -36,7 +36,7 @@ Service-to-service applications can be a daemon or server application that needs
3636

3737
![Daemon or Server Application to Web API diagram](./media/authentication-scenarios/daemon_server_app_to_web_api.png)
3838

39-
## DProtocol flow
39+
## Protocol flow
4040

4141
### Application identity with OAuth 2.0 client credentials grant
4242

@@ -55,11 +55,11 @@ The flow discussed below assumes that a user has been authenticated on another a
5555

5656
## Code samples
5757

58-
See the code samples for Daemon or Server Application to Web API scenarios. And, check back frequently as new samples are added frequently. [Server or Daemon Application to Web API](sample-v1-code.md#daemon-applications-accessing-web-apis-with-the-applications-identity)
58+
See the code samples for Daemon or Server Application to Web API scenarios: [Server or Daemon Application to Web API](sample-v1-code.md#daemon-applications-accessing-web-apis-with-the-applications-identity)
5959

6060
## App registration
6161

62-
* Single tenant - For both the application identity and delegated user identity cases, the daemon or server application must be registered in the same directory in Azure AD. The web API can be configured to expose a set of permissions, which are used to limit the daemon or server’s access to its resources. If a delegated user identity type is being used, the server application needs to select the desired permissions from the “Permissions to Other Applications” drop-down menu in the Azure portal. This step is not required if the application identity type is being used.
62+
* Single tenant - For both the application identity and delegated user identity cases, the daemon or server application must be registered in the same directory in Azure AD. The web API can be configured to expose a set of permissions, which are used to limit the daemon or server’s access to its resources. If a delegated user identity type is being used, the server application needs to select the desired permissions. In the **API Permission** page for the application registration, after you've selected **Add a permission** and chosen the API family, choose **Delegated permissions**, and then select your permissions. This step is not required if the application identity type is being used.
6363
* Multi-tenant - First, the daemon or server application is configured to indicate the permissions it requires to be functional. This list of required permissions is shown in a dialog when a user or administrator in the destination directory gives consent to the application, which makes it available to their organization. Some applications only require user-level permissions, which any user in the organization can consent to. Other applications require administrator-level permissions, which a user in the organization cannot consent to. Only a directory administrator can give consent to applications that require this level of permissions. When the user or administrator consents, both of the web APIs are registered in their directory.
6464

6565
## Token expiration
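
Review bot: In the rewritten Single tenant bullet (new line 62), the closing sentence "This step is not required if the application identity type is being used" now follows a multi-part portal instruction, so it is unclear whether "this step" means selecting delegated permissions or the whole permission setup. Suggest naming it, for example "Selecting delegated permissions is not required when the application identity type is used." The bullet also says "select the desired permissions" and then repeats the selection in the next sentence; merging the two would read more cleanly.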

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -190,7 +190,7 @@ You can enforce Conditional Access policies such as multi-factor authentication
190190
require multi-factor authentication as a grant access control.
191191

192192
> [!NOTE]
193-
> If you use "Require multi-factor authentication" as a grant access control for requesting access to "Azure Windows VM Sign-In" app, then you must supply multi-factor authentication claim as part of the client that initiates the RDP session to the target Windows VM in Azure. The only way to achieve this on a Windows 10 client is to use Windows Hello for Business PIN or biometric auth during RDP. Biometric auth for RDP is supported starting Windows 10 1809. Using Windows Hello for Business auth during RDP is only available for deployments that use cert trust model and currently not available for key trust model.
193+
> If you use "Require multi-factor authentication" as a grant access control for requesting access to "Azure Windows VM Sign-In" app, then you must supply multi-factor authentication claim as part of the client that initiates the RDP session to the target Windows VM in Azure. The only way to achieve this on a Windows 10 client is to use Windows Hello for Business PIN or biometric auth during RDP. Support for biometric auth during RDP was added in Windows 10 1809. Using Windows Hello for Business auth during RDP is only available for deployments that use cert trust model and currently not available for key trust model.
194194
195195
## Log in using Azure AD credentials to a Windows VM
196196
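
Review bot: The two closing sentences of the note at new line 193 (biometric support added in Windows 10 1809, cert trust model only) are restated in the note at new line 350 of this same file, and this commit had to edit both copies to keep them aligned. Consider keeping the full statement in one note and pointing to it from the other, so the trust-model limitation cannot drift between the two.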

@@ -342,10 +342,12 @@ If you see the following error message when you initiate a remote desktop connec
342342

343343
![The sign-in method you're trying to use isn't allowed.](./media/howto-vm-sign-in-azure-ad-windows/mfa-sign-in-method-required.png)
344344

345-
If you have configured a Conditional Access policy that requires MFA to be done before you can access the RBAC resource, then you need to ensure that the Windows 10 PC initiating the remote desktop connection to your VM signs in using a strong authentication method such as Windows Hello. If you do not use a strong authentication method for your remote desktop connection, you will see the following error. If you have not deployed Windows Hello for Business and if that is not an option for now, you can exlcude MFA requirement by configuring Conditional Access policy that excludes "Azure Windows VM Sign-In" app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see [Windows Hello for Business Overview] (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification).
345+
If you have configured a Conditional Access policy that requires MFA to be done before you can access the RBAC resource, then you need to ensure that the Windows 10 PC initiating the remote desktop connection to your VM signs in using a strong authentication method such as Windows Hello. If you do not use a strong authentication method for your remote desktop connection, you will see the following error.
346+
347+
If you have not deployed Windows Hello for Business and if that is not an option for now, you can exlcude MFA requirement by configuring Conditional Access policy that excludes "Azure Windows VM Sign-In" app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see [Windows Hello for Business Overview](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification).
346348

347349
> [!NOTE]
348-
> Windows Hello for Business PIN auth during RDP has been supported for long now, however using Biometric auth for RDP is supported starting Windows 10 1809. Using Windows Hello for Business auth during RDP is only available for deployments that use cert trust model and currently not available for key trust model.
350+
> Windows Hello for Business PIN auth during RDP has been supported on Windows 10 for a while now. Support for biometric auth during RDP was added in Windows 10 1809. Using Windows Hello for Business auth during RDP is only available for deployments that use cert trust model and currently not available for key trust model.
349351
350352
## Preview feedback
351353
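
Review bot: After the paragraph split, new line 345 ends with "you will see the following error" but nothing follows it; the error screenshot sits above, at line 343, so this should read "the preceding error" or the sentence should move above the image. New line 347 also carries over the typo "exlcude" and drops articles (suggest "exclude the MFA requirement by configuring a Conditional Access policy"). Since line 347 recommends excluding "Azure Windows VM Sign-In" from the cloud apps that require MFA, it would help to state plainly that this removes the MFA requirement for sign-in to the VM, so readers choose it knowingly.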

articles/active-directory/fundamentals/whats-new.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -78,7 +78,7 @@ For more information about the Application Proxy cookie settings, see [Cookie se
7878

7979
In the near future, users with Azure AD accounts will no longer be able to register and manage converged applications using the Application Registration Portal (apps.dev.microsoft.com), or register and manage applications in the App registrations (legacy) experience in the Azure portal.
8080

81-
To learn more about the new App registrations experience, see the [App registrations in the Azure portal training guide](https://docs.microsoft.com/azure/active-directory/develop/app-registrations-training-guide).
81+
To learn more about the new App registrations experience, see the [App registrations in the Azure portal training guide](../develop/app-registrations-training-guide-for-app-registrations-legacy-users.md).
8282

8383
---
8484

articles/active-directory/manage-apps/application-provisioning-configure-api.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ ms.collection: M365-identity-device-management
2222

2323
# Configure provisioning using Microsoft Graph APIs
2424

25-
The Azure portal is a convenient way to configure provisioning for individual apps one at a time. But if you're creating several—or even hundreds—of instances of an application, it can be easier to automate app creation and configuration with Microsoft Graph APIs. This article outlines how to automate provisioning configuration through APIs. This method is commonly used for applications like [Amazon Web Services](https://docs.microsoft.com/azure/active-directory/saas-apps/amazon-web-service-tutorial#configure-azure-ad-single-sign-on).
25+
The Azure portal is a convenient way to configure provisioning for individual apps one at a time. But if you're creating several—or even hundreds—of instances of an application, it can be easier to automate app creation and configuration with Microsoft Graph APIs. This article outlines how to automate provisioning configuration through APIs. This method is commonly used for applications like [Amazon Web Services](https://docs.microsoft.com/azure/active-directory/saas-apps/amazon-web-service-tutorial#configure-azure-ad-sso).
2626

2727
**Overview of steps for using Microsoft Graph APIs to automate provisioning configuration**
2828
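
Review bot: The updated Amazon Web Services link on new line 25 still uses an absolute docs.microsoft.com URL for an article in this repository, while the whats-new.md change in this same commit replaces that kind of URL with a relative .md path. Suggest the relative form here too (a path under ../saas-apps/ with the #configure-azure-ad-sso anchor), and confirm the new anchor matches a heading in the target article, since only the fragment changed.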

articles/active-directory/manage-apps/configure-automatic-user-provisioning-portal.md

Lines changed: 1 addition & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -81,9 +81,4 @@ If provisioning is being enabled for the first time for an application, turn on
8181

8282
Change the **Provisioning Status** to **Off** to pause the provisioning service. In this state, Azure doesn't create, update, or remove any user or group objects in the app. Change the state back to **On** and the service picks up where it left off.
8383

84-
Select the **Clear current state and restart synchronization** checkbox and select **Save** to:
85-
86-
* Stop the provisioning service
87-
* Restart the services and run the initial cycle again
88-
89-
This option lets admins start the provisioning deployment process over again.
84+
**Clear current state and restart synchronization** triggers an initial cycle. The service will then evaluate all the users in the source system again and determine if they are in scope for provisioning. This can be useful when your application is currently in quarantine or you need to make a change to your attribute mappings. This should not be used to trigger a delete or disable request as these events can be dropped when triggering a clear state and restart. The initial cycle also takes longer to complete than the typical incremental cycle due to the number of objects that need to be evaluated. You can learn more about the performance of initial and incremental cycles [here.](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-when-will-provisioning-finish-specific-user).
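
Review bot: The replacement paragraph at new line 84 no longer says how to trigger the restart: the removed lines told the reader to select the checkbox and then select **Save**, and that instruction is gone. Suggest keeping it as the opening sentence. The warning that delete or disable events can be dropped is the most consequential statement here and is buried mid-paragraph; a `> [!NOTE]` callout like the ones used elsewhere in this commit would make it harder to miss. The link text "here." is non-descriptive and leaves a doubled period ("[here.](...)."); use the target article's name as the link text.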

articles/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications-problems.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
title: Problems configuring password SSO for a non-gallery application | Microsoft Docs
2+
title: Problems configuring password SSO for a non-gallery apps
33
description: Common problems that occur when you configure password single sign-on (SSO) for custom apps that aren't in the Azure AD application gallery.
44
services: active-directory
55
documentationcenter: ''
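
Review bot: The new title on line 2 reads "for a non-gallery apps", which pairs the singular article with a plural noun. Use either "for a non-gallery app" or "for non-gallery apps". The other title changes in this commit are quoted and end with "- Azure AD"; if that is the intended pattern, apply it here as well.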

articles/active-directory/saas-apps/asana-provisioning-tutorial.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
title: 'Tutorial: Configure Asana for automatic user provisioning with Azure Active Directory | Microsoft Docs'
2+
title: 'Tutorial: User provisioning for Asana - Azure AD'
33
description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Asana.
44
services: active-directory
55
documentationcenter: ''

articles/active-directory/saas-apps/cernercentral-provisioning-tutorial.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
title: 'Tutorial: Configure Cerner Central for automatic user provisioning with Azure Active Directory | Microsoft Docs'
2+
title: 'Tutorial: User provisioning for Cerner Central - Azure AD'
33
description: Learn how to configure Azure Active Directory to automatically provision users to a roster in Cerner Central.
44
services: active-directory
55
documentationcenter: ''

articles/active-directory/saas-apps/github-provisioning-tutorial.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
title: 'Tutorial: Configure GitHub for automatic user provisioning with Azure Active Directory | Microsoft Docs'
2+
title: 'Tutorial: User provisioning for GitHub - Azure AD'
33
description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to GitHub.
44
services: active-directory
55
documentationcenter: ''

articles/active-directory/saas-apps/linkedinelevate-provisioning-tutorial.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
title: 'Tutorial: Configure LinkedIn Elevate for automatic user provisioning with Azure Active Directory | Microsoft Docs'
2+
title: 'Tutorial: User provisioning for LinkedIn Elevate - Azure AD'
33
description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to LinkedIn Elevate.
44
services: active-directory
55
documentationcenter: ''
