Commit 727f713

Merge pull request #72253 from MicrosoftDocs/master
4/05 PM Publish
2 parents 9e35ce4 + 8a7a27d commit 727f713

930 files changed

+5489
-4131
lines changed

.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36870,6 +36870,11 @@
3687036870
"source_path": "articles/biztalk-services/integration-hybrid-connection-overview.md",
3687136871
"redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
3687236872
"redirect_document_id": false
36873+
},
36874+
{
36875+
"source_path": "articles/cognitive-services/QnAMaker/How-To/publish-knowledge-base.md",
36876+
"redirect_url": "/azure/cognitive-services/QnAMaker/quickstarts/create-publish-knowledge-base",
36877+
"redirect_document_id": true
3687336878
}
3687436879
]
3687536880
}

articles/active-directory/authentication/concept-password-ban-bad-on-premises.md

Lines changed: 5 additions & 2 deletions
@@ -28,7 +28,8 @@ Azure AD password protection is designed with these principles in mind:
2828
* No Active Directory schema changes are required. The software uses the existing Active Directory **container** and **serviceConnectionPoint** schema objects.
2929
* No minimum Active Directory domain or forest functional level (DFL/FFL) is required.
3030
* The software doesn't create or require accounts in the Active Directory domains that it protects.
31-
* User clear-text passwords don't leave the domain controller during password validation operations or at any other time.
31+
* User clear-text passwords never leave the domain controller, either during password validation operations or at any other time.
32+
* The software is not dependent on other Azure AD features; for example Azure AD password hash sync is not related and is not required in order for Azure AD password protection to function.
3233
* Incremental deployment is supported, however the password policy is only enforced where the Domain Controller Agent (DC Agent) is installed. See next topic for more details.
3334

3435
## Incremental deployment
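Review bot: the new bullet at line 32 needs punctuation and a tighter verb phrase: `for example Azure AD password hash sync is not related and is not required in order for Azure AD password protection to function` reads better as `for example, Azure AD password hash sync is unrelated and is not required for Azure AD password protection to function.` The rewording of the clear-text bullet to `never leave the domain controller, either during password validation operations or at any other time` is a clearer statement than the original and is fine as written.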
@@ -59,7 +60,7 @@ The DC Agent service is responsible for initiating the download of a new passwor
5960

6061
After the DC Agent service receives a new password policy from Azure AD, the service stores the policy in a dedicated folder at the root of its domain *sysvol* folder share. The DC Agent service also monitors this folder in case newer policies replicate in from other DC Agent services in the domain.
6162

62-
The DC Agent service always requests a new policy at service startup. After the DC Agent service is started, it checks the age of the current locally available policy hourly. If the policy is older than one hour, the DC Agent requests a new policy from Azure AD, as described previously. If the current policy isn't older than one hour, the DC Agent continues to use that policy.
63+
The DC Agent service always requests a new policy at service startup. After the DC Agent service is started, it checks the age of the current locally available policy hourly. If the policy is older than one hour, the DC Agent requests a new policy from Azure AD via the proxy service, as described previously. If the current policy isn't older than one hour, the DC Agent continues to use that policy.
6364

6465
Whenever an Azure AD password protection password policy is downloaded, that policy is specific to a tenant. In other words, password policies are always a combination of the Microsoft global banned-password list and the per-tenant custom banned-password list.
6566

@@ -75,6 +76,8 @@ The DC Agent service always uses the most recent locally available password poli
7576

7677
Azure AD password protection isn't a real-time policy application engine. There can be a delay between when a password policy configuration change is made in Azure AD and when that change reaches and is enforced on all domain controllers.
7778

79+
Azure AD password protection acts as a supplement to the existing Active Directory password policies, not a replacement. This includes any other 3rd-party password filter dlls that may be installed. Active Directory always requires that all password validation components agree before accepting a password.
80+
7881
## Forest/tenant binding for password protection
7982

8083
Deployment of Azure AD password protection in an Active Directory forest requires registration of that forest with Azure AD. Each proxy service that is deployed must also be registered with Azure AD. These forest and proxy registrations are associated with a specific Azure AD tenant, which is identified implicitly by the credentials that are used during registration.
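Review bot: the new paragraph at lines 79-80 has two style issues: `3rd-party password filter dlls` should be `third-party password filter DLLs` (spell out the ordinal; DLL is an acronym), and `This includes` has an unclear antecedent, so `The same holds for any third-party password filter DLLs that are installed` says what is meant. The closing sentence is the one readers assessing enforcement care about: because Active Directory requires every password validation component to accept a password, a candidate rejected by either the default domain policy or the Azure AD banned-password list is refused, and stating that consequence outright is clearer than leaving it implied by `agree`.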

articles/active-directory/authentication/howto-mfa-getstarted.md

Lines changed: 7 additions & 1 deletion
@@ -57,9 +57,15 @@ Azure Multi-factor Authentication is deployed by enforcing policies with conditi
5757
* Compliant device
5858
* Hybrid Azure AD joined device
5959
* Approved client application
60+
61+
62+
Use the customizable posters and email templates in [multi-factor authentication rollout materials] to roll out multi-factor authentication to your organization. (https://www.microsoft.com/en-us/download/details.aspx?id=57600&WT.mc_id=rss_alldownloads_all)
63+
64+
## Enable Multi-Factor Authentication with Conditional Access
6065

6166
Conditional access policies enforce registration, requiring unregistered users to complete registration at first sign-in, an important security consideration.
6267

68+
6369
[Azure AD Identity Protection](../identity-protection/howto-configure-risk-policies.md) contributes both a registration policy for and automated risk detection and remediation policies to the Azure Multi-Factor Authentication story. Policies can be created to force password changes when there is a threat of compromised identity or require MFA when a sign-in is deemed risky by the following [events](../reports-monitoring/concept-risk-events.md):
6470

6571
* Leaked credentials
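Review bot: the markdown link at line 62 is broken: the link text `[multi-factor authentication rollout materials]` is separated from its target `(https://www.microsoft.com/en-us/download/details.aspx?id=57600&WT.mc_id=rss_alldownloads_all)`, which sits after the closing period, so the sentence renders as literal brackets followed by a bare parenthesised URL. Join them as `Use the customizable posters and email templates in [multi-factor authentication rollout materials](https://www.microsoft.com/en-us/download/details.aspx?id=57600&WT.mc_id=rss_alldownloads_all) to roll out multi-factor authentication to your organization.` The hunk also adds three blank lines before the paragraph (60-62), two after it (63-64) and a stray blank at 68; one blank line on each side is enough.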
@@ -304,4 +310,4 @@ Find solutions for common issues with Azure MFA at the [Troubleshooting Azure Mu
304310

305311
* [What are authentication methods?](concept-authentication-methods.md)
306312
* [Enable converged registration for Azure Multi-Factor Authentication and Azure AD self-service password reset](concept-registration-mfa-sspr-converged.md)
307-
* Why was a user prompted or not prompted to perform MFA? See the section [Azure AD sign-ins report in the Reports in Azure Multi-Factor Authentication document](howto-mfa-reporting.md#azure-ad-sign-ins-report).
313+
* Why was a user prompted or not prompted to perform MFA? See the section [Azure AD sign-ins report in the Reports in Azure Multi-Factor Authentication document](howto-mfa-reporting.md#azure-ad-sign-ins-report).
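Review bot: the removed and added lines at 307/313 are identical as rendered, so this is a whitespace-only change (most likely trailing whitespace or a missing final newline). Harmless, but worth a word in the PR description so reviewers do not look for a content change that is not there.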

articles/active-directory/b2b/faq.md

Lines changed: 1 addition & 1 deletion
@@ -57,7 +57,7 @@ Unless a user is assigned the role of limited administrator or global administra
5757
Yes! When you configure this policy, be careful to avoid accidentally blocking access to members and admins.
5858
To block a guest user's access to the [Azure portal](https://portal.azure.com), use a conditional access policy in the Windows Azure classic deployment model API:
5959
1. Modify the **All Users** group so that it contains only members.
60-
![Screenshot showing All Users group where UserType is not equal Guest ](media/faq/modify-all-users-group.png)
60+
![Screenshot showing All Users group where UserType is not equal Guest](media/faq/modify-all-users-group.png)
6161
2. Create a dynamic group that contains guest users.
6262
![Screenshot showing a new All Guest Users group](media/faq/group-with-guest-users.png)
6363
3. Set up a conditional access policy to block guest users from accessing the portal, as shown in the following video:
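Review bot: the change only drops a trailing space inside the alt text, which is fine. While touching the line, `UserType is not equal Guest` would read better as `UserType not equal to Guest`.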

articles/active-directory/develop/reference-aadsts-error-codes.md

Lines changed: 1 addition & 1 deletion
@@ -54,7 +54,7 @@ Looking for info about the AADSTS error codes that are returned from the Azure A
5454
| AADSTS50007 | PartnerEncryptionCertificateMissing - The partner encryption certificate was not found for this app. [Open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) with Microsoft to get this fixed. |
5555
| AADSTS50008 | InvalidSamlToken - SAML assertion is missing or misconfigured in the token. Contact your federation provider. |
5656
| AADSTS50010 | AudienceUriValidationFailed - Audience URI validation for the app failed since no token audiences were configured. |
57-
| AADSTS50011 | InvalidReplyTo - The reply address is missing, misconfigured, or does not match reply addresses configured for the app. Try out the resolution listed at [https://docs.microsoft.com/azure/active-directory/application-sign-in-problem-federated-sso-gallery#the-reply-address-does-not-match-the-reply-addresses-configured-for-the-application](https://docs.microsoft.com/azure/active-directory/application-sign-in-problem-federated-sso-gallery#the-reply-address-does-not-match-the-reply-addresses-configured-for-the-application). If you still see issues, contact the app owner or app admin. |
57+
| AADSTS50011 | InvalidReplyTo - The reply address is missing, misconfigured, or does not match reply addresses configured for the app. As a resolution ensure to add this missing reply address to the Azure Active Directory application or have someone with the permissions to manage your application in Active Directory do this for you.|
5858
| AADSTS50012 | AuthenticationFailed - Authentication failed for one of the following reasons:<ul><li>The subject name of the signing certificate is not authorized</li><li>A matching trusted authority policy was not found for the authorized subject name</li><li>The certificate chain is not valid</li><li>The signing certificate is not valid</li><li>Policy is not configured on the tenant</li><li>Thumbprint of the signing certificate is not authorized</li><li>Client assertion contains an invalid signature</li></ul> |
5959
| AADSTS50013 | InvalidAssertion - Assertion is invalid because of various reasons - The token issuer doesn't match the api version within its valid time range -expired -malformed - Refresh token in the assertion is not a primary refresh token. |
6060
| AADSTS50014 | GuestUserInPendingState - The user's redemption is in a pending state. The guest user account is not fully created yet. |
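Review bot: the replacement text for AADSTS50011 has grammar and spacing problems: `As a resolution ensure to add this missing reply address to the Azure Active Directory application or have someone with the permissions to manage your application in Active Directory do this for you.` should read `To resolve this, add the missing reply address to the application's registration in Azure Active Directory, or ask someone with permission to manage the application to do so.` The closing `|` also lacks the space before it that the other table rows use. Since this check is what stops tokens being returned to an address the application owner never registered, the guidance should stay as it is directed now, register the address the app actually uses, rather than be read as a reason to loosen the configured list.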

articles/active-directory/develop/v2-oauth-ropc.md

Lines changed: 0 additions & 1 deletion
@@ -47,7 +47,6 @@ POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?
4747
4848
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
4949
&scope=user.read%20openid%20profile%20offline_access
50-
&client_secret=wkubdywbc2894u
5150
5251
&password=SuperS3cret
5352
&grant_type=password
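Review bot: the hunk removes `&client_secret=wkubdywbc2894u` from the sample token request, but the diff shows no accompanying change to the parameter description; if the file's parameter table still lists `client_secret` as part of this request, the two should agree, and the sample should say which client type (public or confidential) it now represents so readers know when the parameter is expected. Dropping a literal-looking secret from a copy-paste sample is a good change in itself, since sample secrets tend to end up in real clients.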

articles/active-directory/hybrid/how-to-connect-health-adfs.md

Lines changed: 1 addition & 1 deletion
@@ -115,5 +115,5 @@ The report provides the following information:
115115
## Related links
116116
* [Azure AD Connect Health](whatis-hybrid-identity-health.md)
117117
* [Azure AD Connect Health Agent Installation](how-to-connect-health-agent-install.md)
118-
* [Risky IP report ](how-to-connect-health-adfs-risky-ip.md)
118+
* [Risky IP report](how-to-connect-health-adfs-risky-ip.md)
119119

articles/active-directory/manage-apps/application-proxy-configure-hard-coded-link-translation.md

Lines changed: 25 additions & 0 deletions
@@ -78,6 +78,31 @@ There are two common types of internal links in on-premises applications:
7878
- **Relative internal links** that point to a shared resource in a local file structure like `/claims/claims.html`. These links automatically work in apps that are published through Application Proxy, and continue to work with or without link translation.
7979
- **Hardcoded internal links** to other on-premises apps like `http://expenses` or published files like `http://expenses/logo.jpg`. The link translation feature works on hardcoded internal links, and changes them to point to the external URLs that remote users need to go through.
8080

81+
The complete list of HTML code tags that Application Proxy supports link translation for include:
82+
* a
83+
* audio
84+
* base
85+
* button
86+
* div
87+
* embed
88+
* form
89+
* frame
90+
* head
91+
* html
92+
* iframe
93+
* img
94+
* input
95+
* link
96+
* menuitem
97+
* meta
98+
* object
99+
* script
100+
* source
101+
* track
102+
* video
103+
104+
Additionally, within CSS the URL attribute is also translated.
105+
81106
### How do apps link to each other?
82107

83108
Link translation is enabled for each application, so that you have control over the user experience at the per-app level. Turn on link translation for an app when you want the links *from* that app to be translated, not links *to* that app.
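Review bot: the lead-in at line 81, `The complete list of HTML code tags that Application Proxy supports link translation for include:`, is self-contradictory (`complete list ... include`) and dangles the preposition; `Application Proxy supports link translation for the following HTML tags:` says it plainly. The new list uses `*` bullets while the list immediately above it (lines 78-79) uses `-`; match the file's existing style, and consider rendering the tag names as code (`<a>`, `<audio>`, ...) so single-letter entries such as `a` are unambiguous. At line 104, `within CSS the URL attribute is also translated` should name the construct: CSS has no URL attribute, the value is the `url()` function, so `URLs in CSS url() values are also translated`.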