Merge branch 'master' into v-ammark-seo-3

Author: erhopf

.openpublishing.redirection.json

@@ -320,6 +320,9 @@
       href: active-directory-b2c-devquickstarts-graph-dotnet.md
   - name: Audit logs
     href: active-directory-b2c-reference-audit-logs.md
+  - name: Manage users - Azure portal
+    href: manage-users-portal.md
+    displayName: create users, add users, delete users
   - name: Secure API Management API
     href: secure-api-management.md
     displayName: apim, api management, migrate, b2clogin.com

articles/active-directory-b2c/TOC.yml

@@ -0,0 +1,60 @@
+---
+title: Create & delete Azure AD B2C consumer user accounts in the Azure portal
+description: Learn how to use the Azure portal to create and delete consumer users in your Azure AD B2C directory.
+services: active-directory-b2c
+author: mmacy
+manager: celestedg
+
+ms.service: active-directory
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 11/09/2019
+ms.author: marsma
+ms.subservice: B2C
+---
+
+# Use the Azure portal to create and delete consumer users in Azure AD B2C
+
+There might be scenarios in which you want to manually create consumer accounts in your Azure Active Directory B2C (Azure AD B2C) directory. Although consumer accounts in an Azure AD B2C directory are most commonly created when users sign up to use one of your applications, you can create them programmatically and by using the Azure portal. This article focuses on the Azure portal method of user creation and deletion.
+
+To add or delete users, your account must be assigned the *User administrator* or *Global administrator* role.
+
+[!INCLUDE [active-directory-b2c-public-preview](../../includes/active-directory-b2c-public-preview.md)]
+
+## Types of user accounts
+
+As described in [Overview of user accounts in Azure AD B2C](user-overview.md), there are three types of user accounts that can be created in an Azure AD B2C directory:
+
+* Work
+* Guest
+* Consumer
+
+This article focuses on working with **consumer accounts** in the Azure portal. For information about creating and deleting Work and Guest accounts, see [Add or delete users using Azure Active Directory](../active-directory/fundamentals/add-users-azure-active-directory.md).
+
+## Create a consumer user
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**.
+1. Under **Manage**, select **Users**.
+1. Select **New user**.
+1. Select **Create Azure AD B2C user**.
+1. Choose a **Sign in method** and enter either an **Email** address or a **Username** for the new user. The sign in method you select here must match the setting you've specified for your Azure AD B2C tenant's *Local account* identity provider (see **Manage** > **Identity providers** in your Azure AD B2C tenant).
+1. Enter a **Name** for the user. This is typically the full name (given and surname) of the user.
+1. (Optional) You can **Block sign in** if you wish to delay the ability for the user to sign in. You can enable sign in later by editing the user's **Profile** in the Azure portal.
+1. Choose **Auto-generate password** or **Let me create password**.
+1. Specify the user's **First name** and **Last name**.
+1. Select **Create**.
+
+Unless you've selected **Block sign in**, the user can now sign in using the sign in method (email or username) that you specified.
+
+## Delete a consumer user
+
+1. In your Azure AD B2C directory, select **Users**, and then select the user you want to delete.
+1. Select **Delete**, and then **Yes** to confirm the deletion.
+
+For details about restoring a user within the first 30 days after deletion, or for permanently deleting a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/active-directory-users-restore.md).
+
+## Next steps
+
+For automated user management scenarios, for example migrating users from another identity provider to your Azure AD B2C directory, see [Azure AD B2C: User migration](active-directory-b2c-user-migration.md).

articles/active-directory-b2c/manage-users-portal.md

@@ -206,6 +206,9 @@ function Set-MfaState {
 Get-MsolUser -All | Set-MfaState -State Disabled
 ```
 
+> [!NOTE]
+> We recently changed the behavior and PowerShell script above accordingly. Previously, the script saved off the MFA methods, disabled MFA, and restored the methods. This is no longer necessary now that the default behavior for disable doesn't clear the methods.
+
 ## Plan Conditional Access policies
 
 To plan your Conditional Access policy strategy, which will determine when MFA and other controls are required, refer to [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md).

articles/active-directory/authentication/howto-mfa-getstarted.md

@@ -214,6 +214,8 @@ Settings for app passwords, trusted IPs, verification options, and remember mult
 
 ![Azure Multi-Factor Authentication service settings](./media/howto-mfa-mfasettings/multi-factor-authentication-settings-service-settings.png)
 
+The trusted IP address ranges can be private or public.
+
 ## App passwords
 
 Some applications, like Office 2010 or earlier and Apple Mail before iOS 11, don't support two-step verification. The apps aren't configured to accept a second verification. To use these applications, take advantage of the _app passwords_ feature. You can use an app password in place of your traditional password to allow an app to bypass two-step verification and continue working.

articles/active-directory/authentication/howto-mfa-mfasettings.md

@@ -21,16 +21,16 @@ Azure Multi-Factor Authentication provides several reports that can be used by y
 
 | Report | Location | Description |
 |:--- |:--- |:--- |
-| Blocked User History | Azure AD > MFA Server > Block/unblock users | Shows the history of requests to block or unblock users. |
+| Blocked User History | Azure AD > Security > MFA > Block/unblock users | Shows the history of requests to block or unblock users. |
 | Usage and fraud alerts | Azure AD > Sign-ins | Provides information on overall usage, user summary, and user details; as well as a history of fraud alerts submitted during the date range specified. |
-| Usage for on-premises components | Azure AD > MFA Server > Activity Report | Provides information on overall usage for MFA through the NPS extension, ADFS, and MFA server. |
-| Bypassed User History | Azure AD > MFA Server > One-time bypass | Provides a history of requests to bypass Multi-Factor Authentication for a user. |
-| Server status | Azure AD > MFA Server > Server status | Displays the status of Multi-Factor Authentication Servers associated with your account. |
+| Usage for on-premises components | Azure AD > Security > MFA > Activity Report | Provides information on overall usage for MFA through the NPS extension, ADFS, and MFA server. |
+| Bypassed User History | Azure AD > Security > MFA > One-time bypass | Provides a history of requests to bypass Multi-Factor Authentication for a user. |
+| Server status | Azure AD > Security > MFA > Server status | Displays the status of Multi-Factor Authentication Servers associated with your account. |
 
 ## View MFA reports
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
-2. On the left, select **Azure Active Directory** > **MFA Server**.
+2. On the left, select **Azure Active Directory** > **Security** > **MFA**.
 3. Select the report that you wish to view.
 
    ![MFA Server server status report in the Azure portal](./media/howto-mfa-reporting/report.png)

articles/active-directory/authentication/howto-mfa-reporting.md

@@ -96,7 +96,7 @@ To set up the appropriate permissions for password writeback to occur, complete
     * **Write pwdLastSet**
 9. Select **Apply/OK** to apply the changes and exit any open dialog boxes.
 
-Since the source of authority is on premises, the password complexity policies apply from the same connected data source. Make sure you've changed the existing group policies for "Minimum Password Length". The group policy shouldn't be set to 1, which means password should be at least a day old before it can be updated. You need make sure it's set to 0. These settings can be found in `gpmc.msc` under **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies**. Run `gpupdate /force` to ensure that the change takes effect. 
+Since the source of authority is on premises, the password complexity policies apply from the same connected data source. Make sure you've changed the existing group policies for "Minimum password age". The group policy shouldn't be set to 1, which means password should be at least a day old before it can be updated. You need make sure it's set to 0. These settings can be found in `gpmc.msc` under **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies**. Run `gpupdate /force` to ensure that the change takes effect. 
 
 ## Next steps
 

articles/active-directory/authentication/howto-sspr-writeback.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 04/11/2019
+ms.date: 11/12/2019
 
 ms.author: mimart
 author: msmimart
@@ -44,14 +44,18 @@ To add B2B collaboration users to the directory, follow these steps:
    > [!NOTE]
    > The **New guest user** option is also available on the **Organizational relationships** page. In **Azure Active Directory**, under **Manage**, select **Organizational relationships**.
 
-5. Under **User name**, enter the email address of the external user. Optionally, include a welcome message. For example:
-
-   ![Shows where New guest user is in the UI](./media/add-users-administrator/InviteGuest.png) 
+5. On the **New user** page, select **Invite user** and then add the guest user's information. 
 
     > [!NOTE]
     > Group email addresses aren’t supported; enter the email address for an individual. Also, some email providers allow users to add a plus symbol (+) and additional text to their email addresses to help with things like inbox filtering. However, Azure AD doesn’t currently support plus symbols in email addresses. To avoid delivery issues, omit the plus symbol and any characters following it up to the @ symbol.
 
-6. Select **Invite** to automatically send the invitation to the guest user. 
+   - **Name.** The first and last name of the guest user.
+   - **Email address (required)**. The email address of the guest user.
+   - **Personal message (optional)** Include a personal welcome message to the guest user.
+   - **Groups**: You can add the guest user to one or more existing groups, or you can do it later.
+   - **Directory role**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role. 
+
+7. Select **Invite** to automatically send the invitation to the guest user. 
 
 After you send the invitation, the user account is automatically added to the directory as a guest.
 

articles/active-directory/b2b/add-users-administrator.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: quickstart
-ms.date: 07/02/2018
+ms.date: 11/12/2019
 
 ms.author: mimart
 author: msmimart
@@ -44,9 +44,13 @@ To complete the scenario in this tutorial, you need:
 
     ![Screenshot showing where to select the New guest user option](media/quickstart-add-users-portal/quickstart-users-portal-user-3.png)
 
-5.	Under **User name**, enter the email address of the external user. Under **Include a personal message with the invitation**, type a welcome message. 
+5. On the **New user** page, select **Invite user** and then add the guest user's information. 
 
-    ![Screenshot showing where to enter the guest user invitation message](media/quickstart-add-users-portal/quickstart-users-portal-user-4.png)
+   - **Name.** The first and last name of the guest user.
+   - **Email address (required)**. The email address of the guest user.
+   - **Personal message (optional)** Include a personal welcome message to the guest user.
+   - **Groups**: You can add the guest user to one or more existing groups, or you can do it later.
+   - **Directory role**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role. 
 
 6. Select **Invite** to automatically send the invitation to the guest user. A notification appears in the upper right with the message **Successfully invited user**. 
 7.	After you send the invitation, the user account is automatically added to the directory as a guest.

articles/active-directory/b2b/b2b-quickstart-add-guest-users-portal.md

@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: troubleshooting
-ms.date: 05/25/2017
+ms.date: 11/12/2019
 tags: active-directory
 ms.author: mimart
 author: v-miegge
@@ -90,6 +90,10 @@ To resolve this problem, you must take over the abandoned tenant. Refer to  [Tak
 
 If the identity tenant is a just-in-time (JIT) or viral tenant (meaning it's a separate, unmanaged Azure tenant), only the guest user can reset their password. Sometimes an organization will [take over management of viral tenants](https://docs.microsoft.com/azure/active-directory/users-groups-roles/domains-admin-takeover) that are created when employees use their work email addresses to sign up for services. After the organization takes over a viral tenant, only an administrator in that organization can reset the user's password or enable SSPR. If necessary, as the inviting organization, you can remove the guest user account from your directory and resend an invitation.
 
+## A guest user is unable to use the AzureAD PowerShell V1 module
+
+As of November 18, 2019, guest users in your directory (defined as user accounts where the **userType** property equals **Guest**) are blocked from using the AzureAD PowerShell V1 module. Going forward, a user will need to either be a member user (where **userType** equals **Member**) or use the AzureAD PowerShell V2 module.
+
 ## Next steps
 
 [Get support for B2B collaboration](get-support.md)