Merge pull request #105601 from MicrosoftDocs/master

Merge Master to Live, 4 AM

Author: PMEds28

.openpublishing.redirection.json

@@ -27188,8 +27188,8 @@
     },
     {
       "source_path": "articles/storage/storage-java-jenkins-continuous-integration-solution.md",
-      "redirect_url": "/azure/storage/common/storage-java-jenkins-continuous-integration-solution",
-      "redirect_document_id": true
+      "redirect_url": "/azure/jenkins/storage-java-jenkins-continuous-integration-solution",
+      "redirect_document_id": false
     },
     {
       "source_path": "articles/storage/storage-manage-access-to-resources.md",
@@ -48931,6 +48931,16 @@
       "source_path": "articles/container-instances/container-instances-jenkins.md",
       "redirect_url": "/azure/jenkins/container-instances-jenkins",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/aks/jenkins-continuous-deployment.md",
+      "redirect_url": "/azure/jenkins/jenkins-continuous-deployment",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/storage/common/storage-java-jenkins-continuous-integration-solution.md",
+      "redirect_url": "/azure/jenkins/storage-java-jenkins-continuous-integration-solution",
+      "redirect_document_id": false
     }
   ]
 }

.vscode/settings.json

@@ -54,5 +54,8 @@
         "XAML",
         "XML",
         "YAML"
+    ],
+    "cSpell.words": [
+        "auditd"
     ]
 }

articles/active-directory-b2c/boolean-transformations.md

@@ -116,9 +116,9 @@ Checks that boolean value of a claims is equal to `true` or `false`, and return
 
 | Item | TransformationClaimType  | Data Type  | Notes |
 | ---- | ------------------------ | ---------- | ----- |
-| inputClaim | inputClaim | boolean | The ClaimType to be asserted. |
+| InputClaim | inputClaim | boolean | The ClaimType to be asserted. |
 | InputParameter |valueToCompareTo | boolean | The value to compare (true or false). |
-| OutputClaim | inputClaim | boolean | The ClaimType that is produced after this ClaimsTransformation has been invoked. |
+| OutputClaim | compareResult | boolean | The ClaimType that is produced after this ClaimsTransformation has been invoked. |
 
 
 The following claims transformation demonstrates how to check the value of a boolean ClaimType with a `true` value. If the value of the `IsAgeOver21Years` ClaimType is equal to `true`, the claims transformation returns `true`, otherwise `false`.

articles/active-directory/conditional-access/TOC.yml

@@ -43,7 +43,7 @@
     href: location-condition.md
   - name: What if tool
     href: what-if-tool.md
-  - name: Controls
+  - name: Custom controls
     href: controls.md
   - name: Classic policy migrations
     href: policy-migration.md

articles/active-directory/conditional-access/block-legacy-authentication.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 11/21/2019
+ms.date: 02/25/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -45,13 +45,30 @@ Conditional Access policies are enforced after the first-factor authentication h
 
 This section explains how to configure a Conditional Access policy to block legacy authentication. 
 
+### Legacy authentication protocols
+
+The following options are considered legacy authentication protocols
+
+- Authenticated SMTP - Used by POP and IMAP client's to send email messages.
+- Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
+- Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see [Connect to Exchange Online PowerShell using multi-factor authentication](https://docs.microsoft.com/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell).
+- Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
+- IMAP4 - Used by IMAP email clients.
+- MAPI over HTTP (MAPI/HTTP) - Used by Outlook 2010 and later.
+- Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.
+- Outlook Anywhere (RPC over HTTP) - Used by Outlook 2016 and earlier.
+- Outlook Service - Used by the Mail and Calendar app for Windows 10.
+- POP3 - Used by POP email clients.
+- Reporting Web Services - Used to retrieve report data in Exchange Online.
+- Other clients - Other protocols identified as utilizing legacy authentication.
+
 ### Identify legacy authentication use
 
 Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory. Azure AD sign-in logs can be used to understand if you’re using legacy authentication.
 
 1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-ins**.
 1. Add the Client App column if it is not shown by clicking on **Columns** > **Client App**.
-1. **Add filters** > **Client App** > select all of the options for **Other clients** and click **Apply**.
+1. **Add filters** > **Client App** > select all of the legacy authentication protocols, and click **Apply**.
 
 Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you additional details. The **Client App** field under the **Basic Info** tab will indicate which legacy authentication protocol was used.
 

articles/active-directory/conditional-access/concept-conditional-access-conditions.md

@@ -49,7 +49,9 @@ When configuring location as a condition, organizations can choose to include or
 
 When including **any location**, this option includes any IP address on the internet not just configured named locations. When selecting **any location**, administrators can choose to exclude **all trusted** or **selected locations**.
 
-For example, some organizations may choose to not require multi-factor authentication when their users are connected to the network in a trusted location such as their physical headquarters. Administrators could create a policy that includes any location but excludes the selected locations for their headquarters networks
+For example, some organizations may choose to not require multi-factor authentication when their users are connected to the network in a trusted location such as their physical headquarters. Administrators could create a policy that includes any location but excludes the selected locations for their headquarters networks.
+
+More information about locations can be found in the article, [What is the location condition in Azure Active Directory Conditional Access](location-condition.md).
 
 ## Client apps (preview)
 
@@ -64,7 +66,18 @@ Conditional Access policies by default apply to browser-based applications and a
       - By default this includes all use of the Exchange ActiveSync (EAS) protocol. Choosing **Apply policy only to supported platforms** will limit to supported platforms like iOS, Android, and Windows.
       - When policy blocks the use of Exchange ActiveSync the affected user will receive a single quarantine email. This email with provide information on why they are blocked and include remediation instructions if able.
    - Other clients
-      - This option includes clients that use basic/legacy authentication protocols including IMAP, MAPI, POP, SMTP, and legacy Office applications that do not support modern authentication.
+      - This option includes clients that use basic/legacy authentication protocols that do not support modern authentication.
+         - Authenticated SMTP - Used by POP and IMAP client's to send email messages.
+         - Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
+         - Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see [Connect to Exchange Online PowerShell using multi-factor authentication](https://docs.microsoft.com/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell).
+         - Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
+         - IMAP4 - Used by IMAP email clients.
+         - MAPI over HTTP (MAPI/HTTP) - Used by Outlook 2010 and later.
+         - Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.
+         - Outlook Anywhere (RPC over HTTP) - Used by Outlook 2016 and earlier.
+         - Outlook Service - Used by the Mail and Calendar app for Windows 10.
+         - POP3 - Used by POP email clients.
+         - Reporting Web Services - Used to retrieve report data in Exchange Online.
 
 These conditions are commonly used when requiring a managed device, blocking legacy authentication, and blocking web applications but allowing mobile or desktop apps.
 
@@ -137,7 +150,7 @@ This setting has an impact on access attempts made from the following mobile app
 | Outlook 2016, Outlook 2013 (with modern authentication), Skype for Business (with modern authentication) | Office 365 Exchange Online | Windows 8.1, Windows 7 |
 | Outlook mobile app | Office 365 Exchange Online | Android, iOS |
 | Power BI app | Power BI service | Windows 10, Windows 8.1, Windows 7, Android, and iOS |
-| Skype for Business | Office 365 Exchange Online| Android, IOS |
+| Skype for Business | Office 365 Exchange Online| Android, iOS |
 | Visual Studio Team Services app | Visual Studio Team Services | Windows 10, Windows 8.1, Windows 7, iOS, and Android |
 
 ### Exchange ActiveSync clients

articles/active-directory/conditional-access/controls.md

@@ -1,106 +1,21 @@
 ---
-title: Access controls in Azure Active Directory Conditional Access
-description: Learn how access controls in Azure Active Directory Conditional Access work.
+title: Custom controls in Azure AD Conditional Access
+description: Learn how custom controls in Azure Active Directory Conditional Access work.
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: article
-ms.date: 12/20/2019
+ms.date: 02/25/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: daveba
 ms.reviewer: calebb
 
-#Customer intent: As an IT admin, I need to understand the controls in Conditional Access so that I can set them according to my business needs
 ms.collection: M365-identity-device-management
 ---
-# What are access controls in Azure Active Directory Conditional Access?
-
-With [Azure Active Directory (Azure AD) Conditional Access](../active-directory-conditional-access-azure-portal.md), you can control how authorized users access your cloud apps. In a Conditional Access policy, you define the response ("do this") to the reason for triggering your policy ("when this happens").
-
-![Control](./media/controls/10.png)
-
-In the context of Conditional Access,
-
-- "**When this happens**" is called **conditions**
-- "**Then do this**" is called **access controls**
-
-The combination of a condition statement with your controls represents a Conditional Access policy.
-
-![Control](./media/controls/61.png)
-
-Each control is either a requirement that must be fulfilled by the person or system signing in, or a restriction on what the user can do after signing in.
-
-There are two types of controls:
-
-- **Grant controls** - To gate access
-- **Session controls** - To restrict access within a session
-
-This topic explains the various controls that are available in Azure AD Conditional Access. 
-
-## Grant controls
-
-With grant controls, you can either block access altogether or allow access with additional requirements by selecting the desired controls. For multiple controls, you can require:
-
-- All selected controls to be fulfilled (*AND*)
-- One selected control to be fulfilled (*OR*)
-
-![Control](./media/controls/18.png)
-
-### Multi-factor authentication
-
-You can use this control to require multi-factor authentication to access the specified cloud app. This control supports the following multi-factor providers:
-
-- Azure Multi-Factor Authentication
-- An on-premises multi-factor authentication provider, combined with Active Directory Federation Services (AD FS).
-
-Using multi-factor authentication helps protect resources from being accessed by an unauthorized user who might have gained access to the primary credentials of a valid user.
-
-### Compliant device
-
-You can configure Conditional Access policies that are device-based. The objective of a device-based Conditional Access policy is to only grant access to the selected cloud apps from [managed devices](require-managed-devices.md). Requiring a device to be marked as compliant is one option you have to limit access to managed devices. A device can be marked as compliant by Intune (for any device OS) or by your third-party MDM system for Windows 10 devices. Third-party MDM systems for device OS types other than Windows 10 are not supported. 
-
-Your device needs to be registered to Azure AD before it can be marked as compliant. To register a device, you have three options: 
-
-- Azure AD registered devices
-- Azure AD joined devices  
-- Hybrid Azure AD joined devices
-
-These three options are discussed in the article [What is a device identity?](../devices/overview.md)
-
-For more information, see [how to require managed devices for cloud app access with Conditional Access](require-managed-devices.md).
-
-### Hybrid Azure AD joined device
-
-Requiring a hybrid Azure AD joined device is another option you have to configure device-based Conditional Access policies. This requirement refers to Windows desktops, laptops, and enterprise tablets that are joined to an on-premises Active Directory. If this option is selected, your Conditional Access policy grants access to access attempts made with devices that are joined to your on-premises Active Directory and your Azure Active Directory. Mac devices do not support hybrid Azure AD join.
-
-For more information, see [set up Azure Active Directory device-based Conditional Access policies](require-managed-devices.md).
-
-### Approved client app
-
-Because your employees use mobile devices for both personal and work tasks, you might want to have the ability to protect company data accessed using devices even in the case where they are not managed by you.
-You can use [Intune app protection policies](https://docs.microsoft.com/intune/app-protection-policy) to help protect your company’s data independent of any mobile-device management (MDM) solution.
-
-With approved client apps, you can require a client app that attempts to access your cloud apps to support [Intune app protection policies](https://docs.microsoft.com/intune/app-protection-policy). For example, you can restrict access to Exchange Online to the Outlook app. A Conditional Access policy that requires approved client apps is  also known as [app-based Conditional Access policy](app-based-conditional-access.md). For a list of supported approved client apps, see [approved client app requirement](concept-conditional-access-grant.md#require-approved-client-app).
-
-### App protection policy (preview)
-
-Because your employees use mobile devices for both personal and work tasks, you might want to have the ability to protect company data accessed using devices even in the case where they are not managed by you.
-You can use [Intune app protection policies](https://docs.microsoft.com/intune/app-protection-policy) to help protect your company’s data independent of any mobile-device management (MDM) solution.
-
-With app protection policy, you can limit access to client applications that have reported to Azure AD has having received [Intune app protection policies](https://docs.microsoft.com/intune/app-protection-policy). For example, you can restrict access to Exchange Online to the Outlook app that has an Intune app protection policy. A Conditional Access policy that requires app protection policy is also known as [app protection-based Conditional Access policy](concept-conditional-access-session.md#application-enforced-restrictions). 
-
-Your device must be registered to Azure AD before an application can be marked as policy protected.
-
-For a list of supported policy protected client apps, see [app protection policy requirement](concept-conditional-access-session.md#application-enforced-restrictions).
-
-### Terms of use
-
-You can require a user in your tenant to consent to the terms of use before being granted access to a resource. As an administrator, you can configure and customize terms of use by uploading a PDF document. If a user falls in scope of this control access to an application is only granted if the terms of use have been agreed.
-
-## Custom controls (preview)
+# Custom controls (preview)
 
 Custom controls are a capability of the Azure Active Directory Premium P1 edition. When using custom controls, your users are redirected to a compatible service to satisfy further requirements outside of Azure Active Directory. To satisfy this control, a user’s browser is redirected to the external service, performs any required authentication or validation activities, and is then redirected back to Azure Active Directory. Azure Active Directory verifies the response and, if the user was successfully authenticated or validated, the user continues in the Conditional Access flow.
 
@@ -121,7 +36,7 @@ Providers currently offering a compatible service include:
 
 For more information on those services, contact the providers directly.
 
-### Creating custom controls
+## Creating custom controls
 
 To create a custom control, you should first contact the provider that you wish to utilize. Each non-Microsoft provider has its own process and requirements to sign up, subscribe, or otherwise become a part of the service, and to indicate that you wish to integrate with Conditional Access. At that point, the provider will provide you with a block of data in JSON format. This data allows the provider and Conditional Access to work together for your tenant, creates the new control and defines how Conditional Access can tell if your users have successfully performed verification with the provider.
 
@@ -137,15 +52,15 @@ Clicking **New custom control**, opens a blade with a textbox for the JSON data
 
 ![Control](./media/controls/81.png)
 
-### Deleting custom controls
+## Deleting custom controls
 
 To delete a custom control, you must first ensure that it isn’t being used in any Conditional Access policy. Once complete:
 
 1. Go to the Custom controls list
 1. Click …  
 1. Select **Delete**.
 
-### Editing custom controls
+## Editing custom controls
 
 To edit a custom control, you must delete the current control and create a new control with the updated information.
 

articles/active-directory/conditional-access/what-if-tool.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: article
-ms.date: 11/21/2019
+ms.date: 02/25/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -96,7 +96,7 @@ You start an evaluation by clicking **What If**. The evaluation result provides
 
 If [classic policies](policy-migration.md#classic-policies) exist for the selected cloud apps, an indicator is presented to you. By clicking the indicator, you are redirected to the classic policies page. On the classic policies page, you can migrate a classic policy or just disable it. You can return to your evaluation result by closing this page.
 
-On the list of policies that apply to your selected user, you can also find a list of [grant controls](controls.md#grant-controls) and [session](controls.md#session-controls) controls your user must satisfy.
+On the list of policies that apply to your selected user, you can also find a list of [grant controls](concept-conditional-access-grant.md) and [session controls](concept-conditional-access-session.md) your user must satisfy.
 
 On the list of policies that don't apply to your user, you can and also find the reasons why these policies don't apply. For each listed policy, the reason represents the first condition that was not satisfied. A possible reason for a policy that is not applied is a disabled policy because they are not further evaluated.