Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into us1679050ck

Author: TimShererWithAquent

.openpublishing.redirection.json

@@ -50474,6 +50474,14 @@
     {
       "source_path": "articles/sql-database/sql-database-paas-index.yml",
       "redirect_url": "/azure/sql-database/sql-database-technical-overview"
+    },
+    {
+      "source_path": "articles/sql-database/sql-database-scalability-index.yml",
+      "redirect_url": "/azure/sql-database/sql-database-scale-resources"
+    },
+    {
+      "source_path": "articles/sql-database/sql-database-features-index.yml",
+      "redirect_url": "/azure/sql-database/sql-database-features"
     }
   ]
 }

articles/active-directory-b2c/saml-technical-profile.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 02/13/2020
+ms.date: 03/30/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -86,11 +86,32 @@ The **Name** attribute of the Protocol element needs to be set to `SAML2`.
 
 The **OutputClaims** element contains a list of claims returned by the SAML identity provider under the `AttributeStatement` section. You may need to map the name of the claim defined in your policy to the name defined in the identity provider. You can also include claims that aren't returned by the identity provider as long as you set the `DefaultValue` attribute.
 
-To read the SAML assertion **NamedId** in **Subject** as a normalized claim, set the claim **PartnerClaimType** to `assertionSubjectName`. Make sure the **NameId** is the first value in assertion XML. When you define more than one assertion, Azure AD B2C picks the subject value from the last assertion.
+### Subject name output claim
+
+To read the SAML assertion **NameId** in the **Subject** as a normalized claim, set the claim **PartnerClaimType** to value of the `SPNameQualifier` attribute. If the `SPNameQualifier`attribute is not presented, set the claim **PartnerClaimType** to value of the `NameQualifier` attribute. 
 
-The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
 
-The following example shows the claims returned by the Facebook identity provider:
+SAML assertion: 
+
+```XML
+<saml:Subject>
+  <saml:NameID SPNameQualifier="http://your-idp.com/unique-identifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">[email protected]</saml:NameID>
+	<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+	  <SubjectConfirmationData InResponseTo="_cd37c3f2-6875-4308-a9db-ce2cf187f4d1" NotOnOrAfter="2020-02-15T16:23:23.137Z" Recipient="https://your-tenant.b2clogin.com/your-tenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer" />
+    </SubjectConfirmation>
+  </saml:SubjectConfirmation>
+</saml:Subject>
+```
+
+Output claim:
+
+```XML
+<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="http://your-idp.com/unique-identifier" />
+```
+
+If both `SPNameQualifier` or `NameQualifier` attributes are not presented in the SAML assertion, set the claim **PartnerClaimType** to `assertionSubjectName`. Make sure the **NameId** is the first value in assertion XML. When you define more than one assertion, Azure AD B2C picks the subject value from the last assertion.
+
+The following example shows the claims returned by a SAML identity provider:
 
 - The **issuerUserId** claim is mapped to the **assertionSubjectName** claim.
 - The **first_name** claim is mapped to the **givenName** claim.
@@ -115,6 +136,8 @@ The technical profile also returns claims that aren't returned by the identity p
 </OutputClaims>
 ```
 
+The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
+
 ## Metadata
 
 | Attribute | Required | Description |

articles/active-directory-domain-services/TOC.yml

@@ -93,6 +93,8 @@
           href: security-audit-events.md
         - name: Analyze audit events with Azure Monitor Workbooks
           href: use-azure-monitor-workbooks.md
+        - name: Secure remote access to VMs
+          href: secure-remote-vm-access.md
     - name: Domain-join VMs
       items:
         - name: Windows Server VM from template

articles/active-directory-domain-services/media/enable-network-policy-server/remote-desktop-services-overview.png

@@ -5,12 +5,11 @@ services: active-directory-ds
 author: iainfoulds
 manager: daveba
 
-ms.assetid: 23a857a5-2720-400a-ab9b-1ba61e7b145a
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 01/21/2020
+ms.date: 03/30/2020
 ms.author: iainfou
 
 ---
@@ -72,7 +71,7 @@ You can connect a virtual network to another virtual network (VNet-to-VNet) in t
 
 ![Virtual network connectivity using a VPN Gateway](./media/active-directory-domain-services-design-guide/vnet-connection-vpn-gateway.jpg)
 
-For more information on using virtual private networking, read [Configure a VNet-to-VNet VPN gateway connection by using the Azure portal](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal).
+For more information on using virtual private networking, read [Configure a VNet-to-VNet VPN gateway connection by using the Azure portal](../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md).
 
 ## Name resolution when connecting virtual networks
 
@@ -93,11 +92,11 @@ An Azure AD DS managed domain creates some networking resources during deploymen
 | Load balancer rules                     | When an Azure AD DS managed domain is configured for secure LDAP on TCP port 636, three rules are created and used on a load balancer to distribute the traffic. |
 
 > [!WARNING]
-> Don't delete any of the network resource created by Azure AD DS. If you delete any of the network resources, an Azure AD DS service outage occurs.
+> Don't delete or modify any of the network resource created by Azure AD DS, such as manually configuring the load balancer or rules. If you delete or modify any of the network resources, an Azure AD DS service outage may occur.
 
 ## Network security groups and required ports
 
-A [network security group (NSG)](https://docs.microsoft.com/azure/virtual-network/virtual-networks-nsg) contains a list of rules that allow or deny network traffic to traffic in an Azure virtual network. A network security group is created when you deploy Azure AD DS that contains a set of rules that let the service provide authentication and management functions. This default network security group is associated with the virtual network subnet your Azure AD DS managed domain is deployed into.
+A [network security group (NSG)](../virtual-network/virtual-networks-nsg.md) contains a list of rules that allow or deny network traffic to traffic in an Azure virtual network. A network security group is created when you deploy Azure AD DS that contains a set of rules that let the service provide authentication and management functions. This default network security group is associated with the virtual network subnet your Azure AD DS managed domain is deployed into.
 
 The following network security group rules are required for Azure AD DS to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet your Azure AD DS managed domain is deployed into.
 

articles/active-directory-domain-services/network-considerations.md

@@ -0,0 +1,120 @@
+---
+title: Secure remote VM access in Azure AD Domain Services | Microsoft Docs
+description: Learn how to secure remote access to VMs using Network Policy Server (NPS) and Azure Multi-Factor Authentication with a Remote Desktop Services deployment in an Azure Active Directory Domain Services managed domain.
+services: active-directory-ds
+author: iainfoulds
+manager: daveba
+
+ms.service: active-directory
+ms.subservice: domain-services
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 03/30/2020
+ms.author: iainfou
+
+---
+# Secure remote access to virtual machines in Azure Active Directory Domain Services
+
+To secure remote access to virtual machines (VMs) that run in an Azure Active Directory Domain Services (Azure AD DS) managed domain, you can use Remote Desktop Services (RDS) and Network Policy Server (NPS). Azure AD DS authenticates users as they request access through the RDS environment. For enhanced security, you can integrate Azure Multi-Factor Authentication to provide an additional authentication prompt during sign-in events. Azure Multi-Factor Authentication uses an extension for NPS to provide this feature.
+
+> [!IMPORTANT]
+> The recommended way to securely connect to your VMs in an Azure AD DS managed domain is using Azure Bastion, a fully platform-managed PaaS service that you provision inside your virtual network. A bastion host provides secure and seamless Remote Desktop Protocol (RDP) connectivity to your VMs directly in the Azure portal over SSL. When you connect via a bastion host, your VMs don't need a public IP address, and you don't need to use network security groups to expose access to RDP on TCP port 3389.
+>
+> We strongly recommend that you use Azure Bastion in all regions where it's supported. In regions without Azure Bastion availability, follow the steps detailed in this article until Azure Bastion is available. Take care with assigning public IP addresses to VMs joined to Azure AD DS where all incoming RDP traffic is allowed.
+>
+> For more information, see [What is Azure Bastion?][bastion-overview].
+
+This article shows you how to configure RDS in Azure AD DS and optionally use the Azure Multi-Factor Authentication NPS extension.
+
+![Remote Desktop Services (RDS) overview](./media/enable-network-policy-server/remote-desktop-services-overview.png)
+
+## Prerequisites
+
+To complete this article, you need the following resources:
+
+* An active Azure subscription.
+    * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
+    * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
+* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
+    * If needed, [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
+* A *workloads* subnet created in your Azure Active Directory Domain Services virtual network.
+    * If needed, [Configure virtual networking for an Azure Active Directory Domain Services managed domain][configure-azureadds-vnet].
+* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
+
+## Deploy and configure the Remote Desktop environment
+
+To get started, create a minimum of two Azure VMs that run Windows Server 2016 or Windows Server 2019. For redundancy and high availability of your Remote Desktop (RD) environment, you can add and load balance additional hosts later.
+
+A suggested RDS deployment includes the following two VMs:
+
+* *RDGVM01* - Runs the RD Connection Broker server, RD Web Access server, and RD Gateway server.
+* *RDSHVM01* - Runs the RD Session Host server.
+
+Make sure that VMs are deployed into a *workloads* subnet of your Azure AD DS virtual network, then join the VMs to Azure AD DS managed domain. For more information, see how to [create and join a Windows Server VM to an Azure AD DS managed domain][tutorial-create-join-vm].
+
+The RD environment deployment contains a number of steps. The existing RD deployment guide can be used without any specific changes to use in an Azure AD DS managed domain:
+
+1. Sign in to VMs created for the RD environment with an account that's part of the *Azure AD DC Administrators* group, such as *contosoadmin*.
+1. To create and configure RDS, use the existing [Remote Desktop environment deployment guide][deploy-remote-desktop]. Distribute the RD server components across your Azure VMs as desired.
+1. If you want to provide access using a web browser, [set up the Remote Desktop web client for your users][rd-web-client].
+
+With RD deployed into the Azure AD DS managed domain, you can manage and use the service as you would with an on-premises AD DS domain.
+
+## Deploy and configure NPS and the Azure MFA NPS extension
+
+If you want to increase the security of the user sign-in experience, you can optionally integrate the RD environment with Azure Multi-Factor Authentication. With this configuration, users receive an additional prompt during sign-in to confirm their identity.
+
+To provide this capability, an additional Network Policy Server (NPS) is installed in your environment along with the Azure Multi-Factor Authentication NPS extension. This extension integrates with Azure AD to request and return the status of multi-factor authentication prompts.
+
+Users must be [registered to use Azure Multi-Factor Authentication][user-mfa-registration], which may require additional Azure AD licenses.
+
+To integrate Azure Multi-Factor Authentication in to your Azure AD DS Remote Desktop environment, create an NPS Server and install the extension:
+
+1. Create an additional Windows Server 2016 or 2019 VM, such as *NPSVM01*, that's connected to a *workloads* subnet in your Azure AD DS virtual network. Join the VM to the Azure AD DS managed domain.
+1. Sign in to NPS VM as account that's part of the *Azure AD DC Administrators* group, such as *contosoadmin*.
+1. From **Server Manager**, select **Add Roles and Features**, then install the *Network Policy and Access Services* role.
+1. Use the existing how-to article to [install and configure the Azure MFA NPS extension][nps-extension].
+
+With the NPS server and Azure Multi-Factor Authentication NPS extension installed, complete the next section to configure it for use with the RD environment.
+
+## Integrate Remote Desktop Gateway and Azure Multi-Factor Authentication
+
+To integrate the Azure Multi-Factor Authentication NPS extension, use the existing how-to article to [integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD][azure-mfa-nps-integration].
+
+The following additional configuration options are needed to integrate with an Azure AD DS managed domain:
+
+1. Don't [register the NPS server in Active Directory][register-nps-ad]. This step fails in an Azure AD DS managed domain.
+1. In [step 4 to configure network policy][create-nps-policy], also check the box to **Ignore user account dial-in properties**.
+1. If you use Windows Server 2019 for the NPS server and Azure Multi-Factor Authentication NPS extension, run the following command to update the secure channel to allow the NPS server to communicate correctly:
+
+    ```powershell
+    sc sidtype IAS unrestricted
+    ```
+
+Users are now prompted for an additional authentication factor when they sign in, such as a text message or prompt in the Microsoft Authenticator app.
+
+## Next steps
+
+For more information on improving resiliency of your deployment, see [Remote Desktop Services - High availability][rds-high-availability].
+
+For more information about securing user sign-in, see [How it works: Azure Multi-Factor Authentication][concepts-mfa].
+
+<!-- INTERNAL LINKS -->
+[bastion-overview]: ../bastion/bastion-overview.md
+[create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
+[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
+[create-azure-ad-ds-instance]: tutorial-create-instance.md
+[configure-azureadds-vnet]: tutorial-configure-networking.md
+[tutorial-create-join-vm]: join-windows-vm.md
+[user-mfa-registration]: ../active-directory/authentication/howto-mfa-nps-extension.md#register-users-for-mfa
+[nps-extension]: ../active-directory/authentication/howto-mfa-nps-extension.md
+[azure-mfa-nps-integration]: ../active-directory/authentication/howto-mfa-nps-extension-rdg.md
+[register-nps-ad]:../active-directory/authentication/howto-mfa-nps-extension-rdg.md#register-server-in-active-directory
+[create-nps-policy]: ../active-directory/authentication/howto-mfa-nps-extension-rdg.md#configure-network-policy
+[concepts-mfa]: ../active-directory/authentication/concept-mfa-howitworks.md
+
+<!-- EXTERNAL LINKS -->
+[deploy-remote-desktop]: https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure
+[rd-web-client]: https://docs.microsoft.com/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin
+[rds-high-availability]: https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-plan-high-availability

articles/active-directory-domain-services/secure-remote-vm-access.md

@@ -26,6 +26,8 @@
   - name: Single-page apps
     displayName: SPA
     items:
+    - name: Angular
+      href: quickstart-v2-angular.md
     - name: JavaScript
       href: quickstart-v2-javascript.md
   - name: Web apps
@@ -69,6 +71,8 @@
   - name: Single-page apps
     displayName: SPA
     items:
+    - name: Angular
+      href: tutorial-v2-angular.md
     - name: JavaScript
       href: tutorial-v2-javascript-spa.md
   - name: Web apps
@@ -581,4 +585,4 @@
     href: https://docs.microsoft.com/azure/active-directory/managed-service-identity/overview
   - name: Getting help
     displayName: support, help options
-    href: developer-support-help-options.md
+    href: developer-support-help-options.md

articles/active-directory/develop/TOC.yml

@@ -47,6 +47,8 @@ landingContent:
         links:
           - text: JavaScript
             url: quickstart-v2-javascript.md
+          - text: Angular
+            url: quickstart-v2-angular.md
       - linkListType: tutorial
         links:
           - text: JavaScript