Merge pull request #111320 from MicrosoftDocs/master

4/14 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -1697,6 +1697,11 @@
       "redirect_url": "/azure/architecture/reference-architectures/enterprise-integration/queues-events",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/azure-arc/servers/azcmagent-reference.md",
+      "redirect_url": "/azure/azure-arc/servers/manage-agent",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/cognitive-services/bing-web-search/computer-vision-web-search-tutorial.md",
       "redirect_url": "/azure/cognitive-services/bing-web-search/index",

articles/active-directory/develop/quickstart-register-app.md

@@ -25,7 +25,7 @@ Your app is integrated with the Microsoft identity platform by registering it wi
 ## Prerequisites
 
 * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).
-* An [Azure AD tentant](quickstart-create-new-tenant.md).
+* An [Azure AD tenant](quickstart-create-new-tenant.md).
 
 ## Register a new application using the Azure portal
 

articles/active-directory/hybrid/TOC.yml

@@ -340,6 +340,8 @@
     href: reference-connect-faq.md
   - name: Azure AD Connect Health FAQ
     href: reference-connect-health-faq.md
+  - name: Hybrid identity considerations for Azure Government 
+    href: reference-connect-government-cloud.md
   - name: Azure AD Connect user privacy
     href: reference-connect-user-privacy.md
   - name: Azure AD Connect Health user privacy

articles/active-directory/hybrid/how-to-connect-pta-quick-start.md

@@ -1,5 +1,5 @@
 ---
-title: 'Azure AD Pass-through Authentication - Quick start | Microsoft Docs'
+title: 'Azure AD Pass-through Authentication - Quickstart | Microsoft Docs'
 description: This article describes how to get started with Azure Active Directory (Azure AD) Pass-through Authentication.
 services: active-directory
 keywords: Azure AD Connect Pass-through Authentication, install Active Directory, required components for Azure AD, SSO, Single Sign-on
@@ -12,13 +12,13 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 04/15/2019
+ms.date: 04/13/2020
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
-# Azure Active Directory Pass-through Authentication: Quick start
+# Azure Active Directory Pass-through Authentication: Quickstart
 
 ## Deploy Azure AD Pass-through Authentication
 
@@ -61,10 +61,15 @@ Ensure that the following prerequisites are in place.
      | **8080** (optional) | Authentication Agents report their status every ten minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure AD portal. Port 8080 is _not_ used for user sign-ins. |
      
      If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
-   - If your firewall or proxy allows DNS whitelisting, whitelist connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
+   - If your firewall or proxy allows DNS whitelisting, add connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
    - Your Authentication Agents need access to **login.windows.net** and **login.microsoftonline.com** for initial registration. Open your firewall for those URLs as well.
    - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products you may already have these URLs unblocked.
 
+### Azure Government cloud prerequisite
+Prior to enabling Pass-through Authentication through Azure AD Connect with Step 2, download the latest release of the PTA agent from the Azure portal.  You need to ensure that your agent is versions **x.x.xxx.x** or later.  To verify your agent see [Upgrade authentication agents](how-to-connect-pta-upgrade-preview-authentication-agents.md)
+
+After downloading the latest release of the agent, proceed with the below instructions to configure Pass-Through Authentication through Azure AD Connect.
+
 ## Step 2: Enable the feature
 
 Enable Pass-through Authentication through [Azure AD Connect](whatis-hybrid-identity.md).
@@ -109,8 +114,8 @@ If you plan to deploy Pass-through Authentication in a production environment, y
 Installing multiple Pass-through Authentication Agents ensures high availability, but not deterministic load balancing between the Authentication Agents. To determine how many Authentication Agents you need for your tenant, consider the peak and average load of sign-in requests that you expect to see on your tenant. As a benchmark, a single Authentication Agent can handle 300 to 400 authentications per second on a standard 4-core CPU, 16-GB RAM server.
 
 To estimate network traffic, use the following sizing guidance:
-- Each request has a payload size of (0.5K + 1K * num_of_agents) bytes; i.e., data from Azure AD to the Authentication Agent. Here, "num_of_agents" indicates the number of Authentication Agents registered on your tenant.
-- Each response has a payload size of 1K bytes; i.e., data from the Authentication Agent to Azure AD.
+- Each request has a payload size of (0.5K + 1K * num_of_agents) bytes, that is, data from Azure AD to the Authentication Agent. Here, "num_of_agents" indicates the number of Authentication Agents registered on your tenant.
+- Each response has a payload size of 1K bytes, that is, data from the Authentication Agent to Azure AD.
 
 For most customers, three Authentication Agents in total are sufficient for high availability and capacity. You should install Authentication Agents close to your domain controllers to improve sign-in latency.
 

articles/active-directory/hybrid/reference-connect-government-cloud.md

@@ -0,0 +1,80 @@
+---
+title: 'Azure AD Connect: Hybrid identity considerations for Azure Government'
+description: Special considerations for deploying Azure AD Connect with the government cloud.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: article
+ms.date: 04/14/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Hybrid identity considerations for Azure Government 
+The following document describes the considerations for implementing a hybrid environment with the Azure Government cloud.  This information is provided as reference for administrators and architects who are working with the Azure Government cloud.  
+> [!NOTE] 
+> In order to integrate an on-premises AD environment with the Azure Governemnt cloud, you need to upgrade to the latest release of [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594). 
+
+> [!NOTE] 
+> For a full list of U.S. Government DoD Endpoints, refer to the [documentation](https://docs.microsoft.com/office365/enterprise/office-365-u-s-government-dod-endpoints) 
+
+## Pass-Through Authentication 
+The following information is provided for implementation of pass-through authentication (PTA) and the Azure Government cloud.
+
+### Allow access to URLs  
+Before deploying the pass-through authentication agent, verify if there is a firewall between your servers and Azure AD. If your firewall or proxy allows DNS whitelisting, add the following connections: 
+> [!NOTE]
+> The following guidance also applies to installing the [Application Proxy connector](https://aka.ms/whyappproxy) for Azure Government environments.
+
+|URL |How it's used|
+|-----|-----| 
+|*.msappproxy.us *.servicebus.usgovcloudapi.net|Communication between the agent and the Azure AD cloud service |
+|mscrl.microsoft.us:80 crl.microsoft.us:80 </br>ocsp.msocsp.us:80 www.microsoft.us:80| The agent uses these URLs to verify certificates.| 
+|login.windows.us secure.aadcdn.microsoftonline-p.com *.microsoftonline.us </br>*.microsoftonline-p.us </br>*.msauth.net </br>*.msauthimages.net </br>*.msecnd.net</br>*.msftauth.net </br>*.msftauthimages.net</br>*.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctdl.windowsupdate.us:80| The agent uses these URLs during the registration process.| 
+
+### Install the agent for the Azure Government cloud 
+In order to install the agent for the Azure Government cloud, you must follow these specific steps: 
+In the command line terminal, navigate to folder where the executable for installing the agent is located. 
+Run the following command which specifies the installation is for Azure Government. 
+
+For Passthrough Authentication: 
+```
+AADConnectAuthAgentSetup.exe ENVIRONMENTNAME="AzureUSGovernment"
+```
+
+For Application Proxy:
+```
+AADApplicationProxyConnectorInstaller.exe ENVIRONMENTNAME="AzureUSGovernment" 
+```
+
+## Single sign on 
+Set up your Azure AD Connect server: If you use Pass-through Authentication as your sign-in method, no additional prerequisite check is required. If you use password hash synchronization as your sign-in method, and if there is a firewall between Azure AD Connect and Azure AD, ensure that:
+- You use version 1.1.644.0 or later of Azure AD Connect. 
+- If your firewall or proxy allows DNS whitelisting, add the connections to the *.msapproxy.us URLs over port 443. If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite is applicable only when you enable the feature. It is not required for actual user sign-ins. 
+
+### Rolling out seamless SSO 
+You can gradually roll out Seamless SSO to your users using the instructions provided below. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: 
+https://autologon.microsoft.us 
+
+In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script through Group Policy. 
+Browser considerations 
+Mozilla Firefox (all platforms) 
+Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by using the following steps: 
+1. Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see. 
+2. Search for the network.negotiate-auth.trusted-uris preference. This preference lists Firefox's trusted sites for Kerberos authentication. 
+3. Right-click and select Modify. 
+4. Enter https://autologon.microsoft.us in the field.
+5. Select OK and then reopen the browser. 
+
+### Microsoft Edge based on Chromium (all platforms) 
+If you have overridden the `AuthNegotiateDelegateAllowlist` or the `AuthServerAllowlist` policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoft.us) to them as well. 
+
+### Google Chrome (all platforms) 
+If you have overridden the `AuthNegotiateDelegateWhitelist` or the `AuthServerWhitelist` policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoft.us) to them as well. 
+
+## Next steps
+[Pass-through Authentication](how-to-connect-pta-quick-start.md#step-1-check-the-prerequisites)
+[Single Sign-on](how-to-connect-sso-quick-start.md#step-1-check-the-prerequisites) 

articles/active-directory/user-help/sms-sign-in-explainer.md

@@ -8,21 +8,19 @@ ms.service: active-directory
 ms.subservice: user-help
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 03/25/2020
+ms.date: 04/14/2020
 ms.author: curtand
 ms.reviewer: kasimpso
 ms.custom: "user-help, seo-update-azuread-jan"
 ---
 
 # Use your phone number as a user name (preview)
 
-Registering your device gives your phone access to your organization's services and doesn't allow your organization access to your phone.
-
-## User registers a number
+Registering a device gives your phone access to your organization's services and doesn't allow your organization access to your phone. If you're an administrator, you can find more information in [Configure and enable users for SMS-based authentication](../authentication/howto-authentication-sms-signin.md).
 
 If your organization hasn't made SMS sign-in available, you won't see an option for it when registering a phone with your account.  
 
-## User with new phone number
+## When you have a new phone number
 
 If you get a new phone or new number and you register it with an organization for which SMS sign-in is available, you experience the normal phone registration process:
 
@@ -35,15 +33,15 @@ If you get a new phone or new number and you register it with an organization fo
 > [!Important]
 > Due to a known issue in the preview, for a short time adding phone number will not register the number for SMS sign-in. You'll have to sign in with the added number and then follow the prompts to register the number for SMS sign-in.
 
-### The phone number is in use
+### When the phone number is in use
 
 If you try to use a phone number that someone else in your organization is using, you'll see the following message:
 
 ![Error message when your phone number is already used](media/sms-sign-in-explainer/sms-sign-in-error.png)
 
 Reach out to your admin to remediate the problem.
 
-## User with an existing number
+## When you have an existing number
 
 If you are already using a phone number with an organization, and using your phone number as a user name becomes available, the following steps can help you sign in.
 
@@ -61,7 +59,7 @@ If you are already using a phone number with an organization, and using your pho
 
 1. Select **Enable**.
 
-## Delete phone number
+## When you remove your phone number
 
 1. To delete the phone number, select the delete button on the SMS sign-in phone method tile.