Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into v-dele-1555061

Author: DennisLee-DennisLee

.markdownlint.json

@@ -0,0 +1,42 @@
+{
+    "default": true,
+    "MD001": false,
+    "MD002": false,
+    "MD003": false,
+    "MD004": false,
+    "MD005": false,
+    "MD006": false,
+    "MD007": false,
+    "MD009": false,
+    "MD010": false,
+    "MD011": false,
+    "MD012": false,
+    "MD013": false,
+    "MD014": false,
+    "MD018": false,
+    "MD019": false,
+    "MD020": false,
+    "MD021": false,
+    "MD022": false,
+    "MD023": false,
+    "MD024": false,
+    "MD025": false,
+    "MD026": false,
+    "MD027": false,
+    "MD028": false,
+    "MD029": false,
+    "MD030": false,
+    "MD031": false,
+    "MD032": false,
+    "MD033": false,
+    "MD034": false,
+    "MD035": false,
+    "MD036": false,
+    "MD037": false,
+    "MD038": false,
+    "MD039": false,
+    "MD040": false,
+    "MD041": false,
+    "MD042": false,
+    "MD045": false
+}

.openpublishing.redirection.json

@@ -94,7 +94,7 @@ A web API can receive tokens from many types of clients, including web applicati
 6. The `access_token` and `refresh_token` are returned to the web server.
 7. The web API is called with the `access_token` in an authorization header.
 8. The web API validates the token.
-9. Secure data is returned to the web server.
+9. Secure data is returned to the web application.
 
 To learn more about authorization codes, refresh tokens, and the steps for getting tokens, read about the [OAuth 2.0 protocol](active-directory-b2c-reference-oauth-code.md).
 

articles/active-directory-b2c/active-directory-b2c-apps.md

@@ -23,7 +23,7 @@ There are two common reasons for why the Azure AD extension is not working for y
 Azure AD and Azure AD B2C are separate product offerings and cannot coexist in the same tenant.  An Azure AD tenant represents an organization.  An Azure AD B2C tenant represents a collection of identities to be used with relying party applications.  With custom policies (in public preview), Azure AD B2C can federate to Azure AD allowing authentication of employees in an organization.
 
 ### Can I use Azure AD B2C to provide social login (Facebook and Google+) into Office 365?
-Azure AD B2C can't be used to authenticate users for Microsoft Office 365.  Azure AD is Microsoft's solution for managing employee access to SaaS apps and it has features designed for this purpose such as licensing and conditional access.  Azure AD B2C provides an identity and access management platform for building web and mobile applications.  When Azure AD B2C is configured to federate to an Azure AD tenant, the Azure AD tenant manages employee access to applications that rely on Azure AD B2C.
+Azure AD B2C can't be used to authenticate users for Microsoft Office 365.  Azure AD is Microsoft's solution for managing employee access to SaaS apps and it has features designed for this purpose such as licensing and Conditional Access.  Azure AD B2C provides an identity and access management platform for building web and mobile applications.  When Azure AD B2C is configured to federate to an Azure AD tenant, the Azure AD tenant manages employee access to applications that rely on Azure AD B2C.
 
 ### What are local accounts in Azure AD B2C? How are they different from work or school accounts in Azure AD?
 In an Azure AD tenant, users that belong to the tenant sign-in with an email address of the form `<xyz>@<tenant domain>`.  The `<tenant domain>` is one of the verified domains in the tenant or the initial `<...>.onmicrosoft.com` domain. This type of account is a work or school account.

articles/active-directory-b2c/active-directory-b2c-faqs.md

@@ -1,5 +1,5 @@
 ---
-title: Set up sign-up and sign-in with a Microsoft account - Azure Active Directory B2C | Microsoft Docs
+title: Set up sign-up and sign-in with a Microsoft account - Azure Active Directory B2C
 description: Provide sign-up and sign-in to customers with Microsoft accounts in your applications using Azure Active Directory B2C.
 services: active-directory-b2c
 author: mmacy
@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 09/21/2018
+ms.date: 06/11/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -19,22 +19,28 @@ ms.subservice: B2C
 
 To use a Microsoft account as an [identity provider](active-directory-b2c-reference-oidc.md) in Azure Active Directory (Azure AD) B2C, you need to create an application in your tenant that represents it. If you don’t already have a Microsoft account, you can get it at [https://www.live.com/](https://www.live.com/).
 
-1. Sign in to the [Microsoft Application Registration Portal](https://apps.dev.microsoft.com/?referrer=https://azure.microsoft.com/documentation/articles&deeplink=/appList) with your Microsoft account credentials.
-2. In the upper-right corner, select **Add an app**.
-3. Enter a **Name** for your application. For example, *MSAapp1*.
-4. Select **Generate New Password** and make sure that you copy the password to use when you configure the identity provider. Also copy the **Application Id**. 
-5. Select **Add platform**, and then and choose **Web**.
-4. Enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp` in **Redirect URLs**. Replace `your-tenant-name` with the name of your tenant.
-5. Select **Save**.
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. Select **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**.
+1. Select **New registration**
+1. Enter a **Name** for your application. For example, *MSAapp1*.
+1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)**. This option targets the widest set of Microsoft identities.
+
+   For more information on the different account type selections, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
+1. Under **Redirect URI (optional)**, select **Web** and enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp` in the text box. Replace `your-tenant-name` with your Azure AD B2C tenant name.
+1. Select **Register**
+1. Record the **Application (client) ID** shown on the application Overview page. You need this when you configure the identity provider in the next section.
+1. Select **Certificates & secrets**
+1. Click **New client secret**
+1. Enter a **Description** for the secret, for example *Application password 1*, and then click **Add**.
+1. Record the application password shown in the **VALUE** column. You need this when you configure the identity provider in the next section.
 
 ## Configure a Microsoft account as an identity provider
 
 1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.
-2. Make sure you're using the directory that contains your Azure AD B2C tenant by clicking the **Directory and subscription filter** in the top menu and choosing the directory that contains your tenant.
-3. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
-4. Select **Identity providers**, and then select **Add**.
-5. Provide a **Name**. For example, enter *MSA*.
-6. Select **Identity provider type**, select **Microsoft Account**, and click **OK**.
-7. Select **Set up this identity provider** and enter the Application Id that you recorded earlier as the **Client ID** and enter the password that you recorded as the **Client secret** of the Microsoft account application that you created earlier.
-8. Click **OK** and then click **Create** to save your Microsoft account configuration.
-
+1. Make sure you're using the directory that contains your Azure AD B2C tenant by clicking the **Directory and subscription filter** in the top menu and choosing the directory that contains your tenant.
+1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
+1. Select **Identity providers**, and then select **Add**.
+1. Provide a **Name**. For example, enter *MSA*.
+1. Select **Identity provider type**, select **Microsoft Account**, and click **OK**.
+1. Select **Set up this identity provider** and enter the Application (client) ID that you recorded earlier in the **Client ID** text box, and enter the client secret that you recorded in the **Client secret** text box.
+1. Click **OK** and then click **Create** to save your Microsoft account configuration.

articles/active-directory-b2c/active-directory-b2c-setup-msa-app.md

@@ -102,7 +102,7 @@ After you create the application for the identity provider that you want to add,
     For example, `https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration`.
 
 8. For **Client ID**, enter the application ID that you previously recorded and for **Client secret**, enter the key value that you previously recorded.
-9. Optionally, enter a value for **Domain_hint**. For example, `ContosoAD`. Domain hints(https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal) are directives that are included in the authentication request from an application. They can be used to accelerate the user to their federated IdP sign-in page. Or they can be used by a multi-tenant application to accelerate the user straight to the branded Azure AD sign-in page for their tenant.
+9. Optionally, enter a value for **Domain_hint**. For example, `ContosoAD`. Domain hints(https://docs.microsoft.com/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal) are directives that are included in the authentication request from an application. They can be used to accelerate the user to their federated IdP sign-in page. Or they can be used by a multi-tenant application to accelerate the user straight to the branded Azure AD sign-in page for their tenant.
 10. Click **OK**.
 11. Select **Map this identity provider's claims** and set the following claims:
     

articles/active-directory-b2c/tutorial-add-identity-providers.md

@@ -47,7 +47,7 @@ Multi-Factor Authentication comes as part of the following offerings:
 Since most users are accustomed to using only passwords to authenticate, it is important that your organization communicates to all users regarding this process. Awareness can reduce the likelihood that users call your help desk for minor issues related to MFA. However, there are some scenarios where temporarily disabling MFA is necessary. Use the following guidelines to understand how to handle those scenarios:
 
 * Train your support staff to handle scenarios where the user can't sign in because they do not have access to their authentication methods or they are not working correctly.
-   * Using conditional access policies for Azure MFA Service, your support staff can add a user to a group that is excluded from a policy requiring MFA.
+   * Using Conditional Access policies for Azure MFA Service, your support staff can add a user to a group that is excluded from a policy requiring MFA.
 * Consider using Conditional Access named locations as a way to minimize two-step verification prompts. With this functionality, administrators can bypass two-step verification for users that are signing in from a secure trusted network location such as a network segment used for new user onboarding.
 * Deploy [Azure AD Identity Protection](../active-directory-identityprotection.md) and trigger two-step verification based on risk events.
 

articles/active-directory/authentication/concept-mfa-howitworks.md

@@ -54,7 +54,7 @@ Combined registration supports the following authentication methods and actions:
 | App passwords | Yes | No | Yes |
 
 > [!NOTE]
-> App passwords are available only to users who have been enforced for Multi-Factor Authentication. App passwords are not available to users who are enabled for Multi-Factor Authentication via a conditional access policy.
+> App passwords are available only to users who have been enforced for Multi-Factor Authentication. App passwords are not available to users who are enabled for Multi-Factor Authentication via a Conditional Access policy.
 
 Users can set one of the following options as the default Multi-Factor Authentication method:
 
@@ -83,7 +83,7 @@ Here are several scenarios in which users might be prompted to register or refre
 
 - Multi-Factor Authentication registration enforced through Identity Protection: Users are asked to register during sign-in. They register Multi-Factor Authentication methods and SSPR methods (if the user is enabled for SSPR).
 - Multi-Factor Authentication registration enforced through per-user Multi-Factor Authentication: Users are asked to register during sign-in. They register Multi-Factor Authentication methods and SSPR methods (if the user is enabled for SSPR).
-- Multi-Factor Authentication registration enforced through conditional access or other policies: Users are asked to register when they use a resource that requires Multi-Factor Authentication. They register Multi-Factor Authentication methods and SSPR methods (if the user is enabled for SSPR).
+- Multi-Factor Authentication registration enforced through Conditional Access or other policies: Users are asked to register when they use a resource that requires Multi-Factor Authentication. They register Multi-Factor Authentication methods and SSPR methods (if the user is enabled for SSPR).
 - SSPR registration enforced: Users are asked to register during sign-in. They register only SSPR methods.
 - SSPR refresh enforced: Users are required to review their security info at an interval set by the admin. Users are shown their info and can confirm the current info or make changes if needed.
 

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

@@ -31,8 +31,8 @@ This document provides guidance on strategies an organization should adopt to pr
 There are four key takeaways in this document:
 
 * Avoid administrator lockout by using emergency access accounts.
-* Implement MFA using conditional access (CA) rather than per-user MFA.
-* Mitigate user lockout by using multiple conditional access (CA) controls.
+* Implement MFA using Conditional Access (CA) rather than per-user MFA.
+* Mitigate user lockout by using multiple Conditional Access (CA) controls.
 * Mitigate user lockout by provisioning multiple authentication methods or equivalents for each user.
 
 ## Before a disruption
@@ -52,11 +52,11 @@ To unlock admin access to your tenant, you should create emergency access accoun
 
 ### Mitigating user lockout
 
- To mitigate the risk of user lockout, use conditional access policies with multiple controls to give users a choice of how they will access apps and resources. By giving a user the choice between, for example, signing in with MFA **or** signing in from a managed device **or** signing in from the corporate network, if one of the access controls is unavailable the user has other options to continue to work.
+ To mitigate the risk of user lockout, use Conditional Access policies with multiple controls to give users a choice of how they will access apps and resources. By giving a user the choice between, for example, signing in with MFA **or** signing in from a managed device **or** signing in from the corporate network, if one of the access controls is unavailable the user has other options to continue to work.
 
 #### Microsoft recommendations
 
-Incorporate the following access controls in your existing conditional access policies for organization:
+Incorporate the following access controls in your existing Conditional Access policies for organization:
 
 1. Provision multiple authentication methods for each user that rely on different communication channels, for example the Microsoft Authenticator app (internet-based), OATH token (generated on-device), and SMS (telephonic).
 2. Deploy Windows Hello for Business on Windows 10 devices to satisfy MFA requirements directly from device sign-in.
@@ -103,7 +103,7 @@ Alternatively, your organization can also create contingency policies. To create
 
 #### Microsoft recommendations
 
-A contingency conditional access policy is a **disabled policy** that omits Azure MFA, third-party MFA, risk-based or device-based controls. Then, when your organization decides to activate your contingency plan, administrators can enable the policy and disable the regular control-based policies.
+A contingency Conditional Access policy is a **disabled policy** that omits Azure MFA, third-party MFA, risk-based or device-based controls. Then, when your organization decides to activate your contingency plan, administrators can enable the policy and disable the regular control-based policies.
 
 >[!IMPORTANT]
 > Disabling policies that enforce security on your users, even temporarily, will reduce your security posture while the contingency plan is in place.
@@ -241,7 +241,7 @@ Undo the changes you made as part of the activated contingency plan once the ser
 
 ## Emergency options
 
- In case of an emergency and your organization did not previously implement a mitigation or contingency plan, then follow the recommendations in the [Contingencies for user lockout](#contingencies-for-user-lockout) section if they already use conditional access policies to enforce MFA.
+ In case of an emergency and your organization did not previously implement a mitigation or contingency plan, then follow the recommendations in the [Contingencies for user lockout](#contingencies-for-user-lockout) section if they already use Conditional Access policies to enforce MFA.
  If your organization is using per-user MFA legacy policies, then you can consider the following alternative:
 
 1. If you have the corporate network outbound IP address, you can add them as trusted IPs to enable authentication only to the corporate network.
@@ -262,5 +262,5 @@ Undo the changes you made as part of the activated contingency plan once the ser
 * [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan)
 * [Windows Hello for Business Deployment Guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-deployment-guide)
   * [Password Guidance - Microsoft Research](https://research.microsoft.com/pubs/265143/microsoft_password_guidance.pdf)
-* [What are conditions in Azure Active Directory conditional access?](https://docs.microsoft.com/azure/active-directory/conditional-access/conditions)
-* [What are access controls in Azure Active Directory conditional access?](https://docs.microsoft.com/azure/active-directory/conditional-access/controls)
+* [What are conditions in Azure Active Directory Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/conditions)
+* [What are access controls in Azure Active Directory Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/controls)

articles/active-directory/authentication/concept-resilient-controls.md

@@ -148,7 +148,6 @@ Passwords are written back in all the following situations:
    * Any administrator self-service force change password operation, for example, password expiration
    * Any administrator self-service password reset that originates from the [password reset portal](https://passwordreset.microsoftonline.com)
    * Any administrator-initiated end-user password reset from the [Azure portal](https://portal.azure.com)
-   * Any administrator-initiated end-user password reset from the [Microsoft 365 admin center](https://admin.microsoft.com)
 
 ## Unsupported writeback operations
 
@@ -158,6 +157,7 @@ Passwords are *not* written back in any of the following situations:
    * Any end user resetting their own password by using PowerShell version 1, version 2, or the Azure AD Graph API
 * **Unsupported administrator operations**
    * Any administrator-initiated end-user password reset from PowerShell version 1, version 2, or the Azure AD Graph API
+   * Any administrator-initiated end-user password reset from the [Microsoft 365 admin center](https://admin.microsoft.com)
 
 > [!WARNING]
 > Use of the checkbox "User must change password at next logon" in on-premises Active Directory administrative tools like Active Directory Users and Computers or the Active Directory Administrative Center is not supported. When changing a password on-premises do not check this option.