Merge pull request #41893 from MicrosoftDocs/master

5/22 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -21739,6 +21739,11 @@
             "source_path": "articles/active-directory/active-directory-appssoaccess-whatis.md",
             "redirect_url": "/azure/active-directory/manage-apps/what-is-single-sign-on",
             "redirect_document_id": true
+        },
+        {
+            "source_path": "articles/azure-maps/search-categories.md",
+            "redirect_url": "/azure/azure-maps/supported-search-categories",
+            "redirect_document_id": true
         }
 
     ]

articles/active-directory-b2c/TOC.yml

@@ -58,10 +58,10 @@
         href: https://github.com/Azure-Samples/active-directory-b2c-android-native-msal
       - name: Android using App Auth
         href: active-directory-b2c-devquickstarts-android.md
-      - name: .NET
-        href: https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop
-      - name: Xamarin
-        href: https://github.com/Azure-Samples/active-directory-b2c-xamarin-native
+    - name: .NET
+      href: https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop
+    - name: Xamarin
+      href: https://github.com/Azure-Samples/active-directory-b2c-xamarin-native
     - name: Resource owner password credentials
       href: configure-ropc.md
   - name: Web apps

articles/active-directory-b2c/active-directory-b2c-setup-li-app.md

@@ -32,7 +32,7 @@ To use LinkedIn as an identity provider in Azure Active Directory (Azure AD) B2C
    > **Client Secret** is an important security credential.
    > 
    > 
-6. Enter `https://login.microsoftonline.com/te/{tenant}/oauth2/authresp` in the **Authorized Redirect URLs** field (under **OAuth 2.0**). Replace **{tenant}** with your tenant's name (for example, contoso.onmicrosoft.com). Click **Add**, and then click **Update**. The **{tenant}** value is case-sensitive.
+6. Enter `https://login.microsoftonline.com/te/{tenant}/oauth2/authresp` in the **Authorized Redirect URLs** field (under **OAuth 2.0**). Replace **{tenant}** with your tenant's name (for example, contoso.onmicrosoft.com). Click **Add**, and then click **Update**. The **{tenant}** value should be lowercase.
 
     ![LinkedIn - Setup app](./media/active-directory-b2c-setup-li-app/linkedin-setup.png)
 

articles/active-directory-b2c/active-directory-b2c-tutorials-spa-webapi.md

@@ -152,21 +152,23 @@ To allow your single page app to call the ASP.NET Core web API, you need to enab
         builder.WithOrigins("http://localhost:6420").AllowAnyHeader().AllowAnyMethod());
     ```
 
+3. Open the **launchSettings.json** file under **Properties**, locate the *applicationURL* setting, and record the value for use in the next section.
+
 ### Configure the single page app
 
 The single page app uses Azure AD B2C for user sign-up, sign-in, and calls the protected ASP.NET Core web API. You need to update the single page app call the .NET Core web api.
 To change the app settings:
 
 1. Open the `index.html` file in the Node.js single page app sample.
-2. Configure the sample with the Azure AD B2C tenant registration information. Change the **b2cScopes** and **webApi** values in following lines of code:
+2. Configure the sample with the Azure AD B2C tenant registration information. In the following code, add your tenant name to **b2cScopes** and change the **webApi** value to the *applicationURL* value that you previously recorded:
 
     ```javascript
     // The current application coordinates were pre-registered in a B2C tenant.
     var applicationConfig = {
         clientID: '<Application ID for your SPA obtained from portal app registration>',
         authority: "https://login.microsoftonline.com/tfp/<your-tenant-name>.onmicrosoft.com/B2C_1_SiUpIn",
         b2cScopes: ["https://<Your tenant name>.onmicrosoft.com/HelloCoreAPI/demo.read"],
-        webApi: 'http://localhost:58553/api/values',
+        webApi: 'http://localhost:64791/api/values',
     };
     ```
 

articles/active-directory/active-directory-licensing-whatis-azure-portal.md

@@ -13,7 +13,7 @@
   ms.component: users-groups-roles
   ms.topic: article
   ms.workload: identity
-  ms.date: 03/29/2018
+  ms.date: 05/21/2018
   ms.author: curtand
   ms.reviewer: piotrci
 
@@ -23,7 +23,7 @@
 
 # Group-based licensing basics in Azure Active Directory
 
-Using Microsoft paid cloud services, such as Office 365, Enterprise Mobility + Security, Dynamics CRM, and other similar products, requires licenses. These licenses are assigned to each user who needs access to these services. To manage licenses, administrators use one of the management portals (Office or Azure) and PowerShell cmdlets. Azure Active Directory (Azure AD) is the underlying infrastructure that supports identity management for all Microsoft cloud services. Azure AD stores information about license assignment states for users.
+Microsoft paid cloud services, such as Office 365, Enterprise Mobility + Security, Dynamics 365, and other similar products, require licenses. These licenses are assigned to each user who needs access to these services. To manage licenses, administrators use one of the management portals (Office or Azure) and PowerShell cmdlets. Azure Active Directory (Azure AD) is the underlying infrastructure that supports identity management for all Microsoft cloud services. Azure AD stores information about license assignment states for users.
 
 Until now, licenses could only be assigned at the individual user level, which can make large-scale management difficult. For example, to add or remove user licenses based on organizational changes, such as users joining or leaving the organization or a department, an administrator often must write a complex PowerShell script. This script makes individual calls to the cloud service.
 
@@ -40,7 +40,7 @@ Here are the main features of group-based licensing:
 
 - When a product license is assigned to a group, the administrator can disable one or more service plans in the product. Typically, this is done when the organization is not yet ready to start using a service included in a product. For example, the administrator might assign Office 365 to a department, but temporarily disable the Yammer service.
 
-- All Microsoft cloud services that require user-level licensing are supported. This includes all Office 365 products, Enterprise Mobility + Security, and Dynamics CRM.
+- All Microsoft cloud services that require user-level licensing are supported. This includes all Office 365 products, Enterprise Mobility + Security, and Dynamics 365.
 
 - Group-based licensing is currently available only through [the Azure portal](https://portal.azure.com). If you primarily use other management portals for user and group management, such as the Office 365 portal, you can continue to do so. But you should use the Azure portal to manage licenses at group level.
 
@@ -54,7 +54,7 @@ Here are the main features of group-based licensing:
 
 ## Your feedback is welcome!
 
-If you have feedback or feature requests, please share them with us using [this forum](https://feedback.azure.com/forums/169401-azure-active-directory/category/317677-group-based-licensing).
+If you have feedback or feature requests, please share them with us using [the Azure AD admin forum](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=162510).
 
 ## Next steps
 

articles/active-directory/active-directory-reporting-activity-sign-ins-errors.md

@@ -13,7 +13,7 @@ ms.devlang: na
 ms.topic: get-started-article
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 05/02/2018
+ms.date: 05/22/2018
 ms.author: markvi
 ms.reviewer: dhanyahk
 
@@ -52,15 +52,18 @@ The following section provides you with a complete overview of all possible erro
 
 ## Error codes
 
+
 |Error|Description|
 |---|---|
 |50001|The service principal named X was not found in the tenant named Y. This can happen if the application has not been installed by the administrator of the tenant. Or Resource principal was not found in the directory or is invalid.|
 |50008|SAML assertion are missing or misconfigured in the token.|
 |50011|The reply address is missing, misconfigured or does not match reply addresses configured for the application.|
 |50012|User reported fraud during Multi-Factor authentication.|
+|50027|Invalid JWT token - doesn't contain nonce claim/ sub claim/ subject identifier mismatch / duplicate claim in idToken claims/ unexpected issuer/ unexpected audience/ not within its valid time range/ token format is not proper/External ID token from issuer failed signiture verifcation.|
 |50053|Account is locked because user tried to sign in too many times with an incorrect user ID or password.|
 |50054|Old password is used for authentication.|
 |50055|Invalid password, entered expired password.|
+|50056|Invalid or null password/Password does not exist in store for this user|
 |50057|User account is disabled.|
 |50058|No information about user's identity is found among provided credentials or User was not found in tenant or A silent sign-in request was sent but no user is signed in or Service was unable to authenticate the user.|
 |50072|Users' needs to enroll for second factor authentication (interactive)|
@@ -78,8 +81,11 @@ The following section provides you with a complete overview of all possible erro
 |50133|Session is invalid due to expiration or recent password change.|
 |50140|User prompted for consent to keep them signed-in on the device|
 |50144|User's Active Directory password has expired.|
+|50158|External security challenge not satisfied|
+|51005|Temporary Redirect|
 |53000|Conditional Access policy requires a compliant device, and the device is not compliant.|
 |53003|Access has been blocked due to conditional access policies.|
+|53004|User needs to complete Multi-factor authentication registration process before accessing this content.|
 |65001|Application X doesn't have permission to access application Y or the permission has been revoked. Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.|
 |65005|The application required resource access list does not contain applications discoverable by the resource or The client application has requested access to resource which was not specified in its required resource access list or Graph service returned bad request or resource not found.|
 |70001|The application named X was not found in the tenant named Y. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.|
@@ -104,6 +110,8 @@ The following section provides you with a complete overview of all possible erro
 |90014|Used in various cases when an expected field is not present in the credential.|
 |90093|Graph returned with forbidden error code for the request.|
 |90094|Admin consent is needed.|
+
+
 ## Next steps
 
 For more details, see the [Sign-in activity reports in the Azure Active Directory portal](active-directory-reporting-activity-sign-ins.md).

articles/active-directory/active-directory-saas-cernercentral-tutorial.md

@@ -12,7 +12,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 04/16/2018
+ms.date: 05/10/2018
 ms.author: jeedes
 
 ---
@@ -62,7 +62,7 @@ To configure the integration of Cerner Central into Azure AD, you need to add Ce
 2. Navigate to **Enterprise applications**. Then go to **All applications**.
 
 	![Applications][2]
-	
+
 3. To add new application, click **New application** button on top of the dialog.
 
 	![Applications][3]
@@ -107,7 +107,7 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf
 	![Configure Single Sign-On](./media/active-directory-saas-cernercentral-tutorial/tutorial_cernercentral_url.png)
 
     a. In the **Identifier** textbox, type the value using the following patterns:
-	
+
 	| |
 	|--|
 	| `https://<instancename>.cernercentral.com/session-api/protocol/saml2/metadata` |
@@ -118,22 +118,22 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf
 	|--|
 	| `https://<instancename>.cernercentral.com/session-api/protocol/saml2/sso` |
 	| `https://<instancename>.sandboxcernercentral.com/session-api/protocol/saml2/sso` |
-	
+
 	> [!NOTE]
 	> These values are not the real. Update these values with the actual Identifier and Reply URL. Contact [Cerner Central support team](https://wiki.ucern.com/display/CernerCentral/Contacting+Cloud+Operations) to get these values.
 
-4. On the **SAML Signing Certificate** section, click the copy button to copy **App Federation Metadata Url** and paste it into notepad.
-    
+4. On the **SAML Signing Certificate** section, click the copy button to copy **App Federation Metadata Url** and paste it into notepad.
+
     ![Configure Single Sign-On](./media/active-directory-saas-cernercentral-tutorial/tutorial_metadataurl.png)
-     
+
 5. Click **Save** button.
 
 	![Configure Single Sign-On](./media/active-directory-saas-cernercentral-tutorial/tutorial_general_400.png)
 
 6. To configure single sign-on on **Cerner Central** side, you need to send the **App Federation Metadata Url** to [Cerner Central support](https://wiki.ucern.com/display/CernerCentral/Contacting+Cloud+Operations). They configure the SSO on application side to complete the integration.
 
 ### Creating an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon. 
+The objective of this section is to create a test user in the Azure portal called Britta Simon.
 
 ![Create Azure AD User][100]
 
@@ -144,15 +144,15 @@ The objective of this section is to create a test user in the Azure portal calle
 	![Creating an Azure AD test user](./media/active-directory-saas-cernercentral-tutorial/create_aaduser_01.png) 
 
 2. To display the list of users, go to **Users and groups** and click **All users**.
-	
+
 	![Creating an Azure AD test user](./media/active-directory-saas-cernercentral-tutorial/create_aaduser_02.png) 
 
 3. To open the **User** dialog, click **Add**.
- 
+
 	![Creating an Azure AD test user](./media/active-directory-saas-cernercentral-tutorial/create_aaduser_03.png) 
 
 4. On the **User** dialog page, perform the following steps:
- 
+
 	![Creating an Azure AD test user](./media/active-directory-saas-cernercentral-tutorial/create_aaduser_04.png) 
 
     a. In the **Name** textbox, type **BrittaSimon**.
@@ -162,30 +162,30 @@ The objective of this section is to create a test user in the Azure portal calle
 	c. Select **Show Password** and write down the value of the **Password**.
 
     d. Click **Create**.
- 
+
 ### Creating a Cerner Central test user
 
-**Cerner Central** application allows authentication from any federated identity provider. If a user is able to log in to the application home page, they are federated and have no need for any manual provisioning.
+**Cerner Central** application allows authentication from any federated identity provider. If a user is able to log in to the application home page, they are federated and have no need for any manual provisioning. You can find more details [here](active-directory-saas-cernercentral-provisioning-tutorial.md) on how to configure automatic user provisioning.
 
 ### Assigning the Azure AD test user
 
 In this section, you enable Britta Simon to use Azure single sign-on by granting access to Cerner Central.
 
-![Assign User][200] 
+![Assign User][200]
 
 **To assign Britta Simon to Cerner Central, perform the following steps:**
 
 1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**.
 
-	![Assign User][201] 
+	![Assign User][201]
 
 2. In the applications list, select **Cerner Central**.
 
-	![Configure Single Sign-On](./media/active-directory-saas-cernercentral-tutorial/tutorial_cernercentral_app.png) 
+	![Configure Single Sign-On](./media/active-directory-saas-cernercentral-tutorial/tutorial_cernercentral_app.png)
 
 3. In the menu on the left, click **Users and groups**.
 
-	![Assign User][202] 
+	![Assign User][202]
 
 4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog.
 
@@ -196,7 +196,7 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting
 6. Click **Select** button on **Users and groups** dialog.
 
 7. Click **Assign** button on **Add Assignment** dialog.
-	
+
 ### Testing single sign-on
 
 In this section, you test your Azure AD single sign-on configuration using the Access Panel.
@@ -207,8 +207,7 @@ When you click the Cerner Central tile in the Access Panel, you should get autom
 
 * [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](active-directory-saas-tutorial-list.md)
 * [What is application access and single sign-on with Azure Active Directory?](manage-apps/what-is-single-sign-on.md)
-
-
+* [Configure User Provisioning](active-directory-saas-cernercentral-provisioning-tutorial.md)
 
 <!--Image references-->
 
@@ -222,4 +221,4 @@ When you click the Cerner Central tile in the Access Panel, you should get autom
 [200]: ./media/active-directory-saas-cernercentral-tutorial/tutorial_general_200.png
 [201]: ./media/active-directory-saas-cernercentral-tutorial/tutorial_general_201.png
 [202]: ./media/active-directory-saas-cernercentral-tutorial/tutorial_general_202.png
-[203]: ./media/active-directory-saas-cernercentral-tutorial/tutorial_general_203.png
+[203]: ./media/active-directory-saas-cernercentral-tutorial/tutorial_general_203.png

articles/active-directory/b2b/add-user-without-invite.md

@@ -28,7 +28,9 @@ Before this new method was available, you could invite guest users without requi
 2. The administrator in the host organization [sets up policies](delegate-invitations.md) that allow Sam to identify and add other users from the partner organization (Litware). (Sam must be added to the **Guest inviter** role.)
 3. Now, Sam can add other users from Litware to the WoodGrove directory, groups, or applications without needing invitations to be redeemed. If Sam has the appropriate enumeration privileges in Litware, it happens automatically.
 
-This  original method still works. However, there's a small difference in behavior. If you use PowerShell, you'll notice that an invited guest account now has a **PendingAcceptance** status instead of immediately showing **Accepted**. Although the status is pending, the guest user can still sign in and access the app without clicking an email invitation link. The pending status means that the user has not yet gone through the [consent experience](redemption-experience.md#privacy-policy-agreement), where they accept the privacy terms of the inviting organization. The guest user sees this consent screen when they sign in for the first time.
+This  original method still works. However, there's a small difference in behavior. If you use PowerShell, you'll notice that an invited guest account now has a **PendingAcceptance** status instead of immediately showing **Accepted**. Although the status is pending, the guest user can still sign in and access the app without clicking an email invitation link. The pending status means that the user has not yet gone through the [consent experience](redemption-experience.md#privacy-policy-agreement), where they accept the privacy terms of the inviting organization. The guest user sees this consent screen when they sign in for the first time. 
+
+If you invite a user to the directory, the guest user must access the resource tenant-specific Azure portal URL directly (such as https://portal.azure.com/*resourcetenant*.onmicrosoft.com) to view and agree to the privacy terms.
 
 ### Next steps