Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into heidist-bugfix

Author: HeidiSteen

articles/active-directory-domain-services/secure-remote-vm-access.md

@@ -57,6 +57,7 @@ The RD environment deployment contains a number of steps. The existing RD deploy
 
 1. Sign in to VMs created for the RD environment with an account that's part of the *Azure AD DC Administrators* group, such as *contosoadmin*.
 1. To create and configure RDS, use the existing [Remote Desktop environment deployment guide][deploy-remote-desktop]. Distribute the RD server components across your Azure VMs as desired.
+    * Specific to Azure AD DS - when you configure RD licensing, set it to **Per Device** mode, not **Per User** as noted in the deployment guide.
 1. If you want to provide access using a web browser, [set up the Remote Desktop web client for your users][rd-web-client].
 
 With RD deployed into the Azure AD DS managed domain, you can manage and use the service as you would with an on-premises AD DS domain.

articles/active-directory/app-provisioning/workday-attribute-reference.md

@@ -18,7 +18,7 @@ ms.author: chmutali
 # Workday attribute reference
 This section provides a list of attributes that you can fetch from Workday using XPATH queries. Based on the Workday Web Services API version, you plan to use, refer to the appropriate section. 
 
-## XPATH values for Workday Web Services version 21.1
+## XPATH values for Workday Web Services (WWS) API v21.1
 
 
 The table below captures the list of Workday attributes and corresponding XPATH expressions that are shipped out of the box with the Workday inbound provisioning app connector. 
@@ -106,7 +106,9 @@ The table below captures the list of Workday attributes and corresponding XPATH
 | 79 | WorkerType                            | wd:Worker/wd:Worker\_Data/wd:Employment\_Data/wd:Position\_Data/wd:Worker\_Type\_Reference/@wd:Descriptor                                                                                                                                                                                                                                                                                                    |
 | 80 | WorkSpaceReference                    | wd:Worker/wd:Worker\_Data/wd:Employment\_Data/wd:Position\_Data/wd:Work\_Space\_\_Reference/@wd:Descriptor                                                                                                                                                                                                                                                                                                   |
 
-## XPATH values for Workday Web Services version 30+
+## XPATH values for Workday Web Services (WWS) API v30+
+
+If you are using a WWS API v30.0 and above, before turning on the provisioning job, please update the **XPATH API expressions** under **Attribute Mapping -> Advanced Options -> Edit attribute list for Workday** to use the values listed below. To configure additional XPATHs, refer to the section [Tutorial: Managing your configuration](../saas-apps/workday-inbound-tutorial.md#managing-your-configuration). 
 
 
 | \# | Name                                  | Workday XPATH API expression                                                                                                                                                                                                                                                                                                                                                |

articles/active-directory/authentication/howto-mfa-mfasettings.md

@@ -95,11 +95,11 @@ Configure the _fraud alert_ feature so that your users can report fraudulent att
 ### View fraud reports
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **Azure Active Directory** > **Sign-ins**. The fraud report is now part of the standard Azure AD Sign-ins report.
-
+2. Select **Azure Active Directory** > **Sign-ins** > **Authentication Details**. The fraud report is now part of the standard Azure AD Sign-ins report and it will show in the **"Result Detail"** as MFA denied, Fraud Code Entered.
+ 
 ## Notifications
 
-Configure email addresses here for users who will receive fraud alert emails.
+Configure email addresses here for users who will receive fraud alert emails in **Azure Active Directory** > **Security** > **Multi-Factor Authentication** > **Notifications**.
 
 ![Notification fraud alert email sample](./media/howto-mfa-mfasettings/multi-factor-authentication-fraud-alert-email.png)
 

articles/active-directory/develop/quickstart-v2-aspnet-core-webapp.md

@@ -152,6 +152,19 @@ The line containing `.AddAzureAd` adds the Microsoft identity platform authentic
 > [!NOTE]
 > Setting `ValidateIssuer = false` is a simplification for this quickstart. In real applications you need to validate the issuer.
 > See the samples to understand how to do that.
+>
+> Also note the `Configure` method which contains two important methods: `app.UserCookiePolicy()` and `app.UseAuthentication()`
+
+```csharp
+// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+{
+    // more core
+    app.UseCookiePolicy();
+    app.UseAuthentication();
+    // more core
+}
+```
 
 ### Protect a controller or a controller's method
 

articles/active-directory/develop/scenario-web-app-sign-user-production.md

@@ -23,6 +23,15 @@ Now that you know how to get a token to call web APIs, learn how to move it to p
 
 ## Next steps
 
+### Troubleshooting
+
+> [!NOTE]
+> When users sign-in to the web application for the first time, they will need to consent. However, in some organizations, users can see a message like the following:
+>
+> *AppName needs permissions to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.*
+>
+> This is because your tenant administrator has **disabled** the ability for users to consent. In that case, you need to contact your tenant administrators so that they do an admin-consent for the scopes required by the application.
+
 ### Same site
 
 Make sure you understand possible issues with new versions of the Chrome browser

articles/active-directory/saas-apps/media/workday-inbound-tutorial/wd_isu_13.png

@@ -13,7 +13,7 @@ ms.devlang: na
 ms.topic: article
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 05/16/2019
+ms.date: 04/23/2020
 ms.author: chmutali
 
 ms.collection: M365-identity-device-management
@@ -325,18 +325,19 @@ In this step, you'll grant "business process security" policy permissions for th
 
     ![Business Process Security Policies](./media/workday-inbound-tutorial/wd_isu_12.png "Business Process Security Policies")  
 
-2. In the **Business Process Type** textbox, search for *Contact* and select **Contact Change** business process and click **OK**.
+2. In the **Business Process Type** textbox, search for *Contact* and select **Work Contact Change** business process and click **OK**.
 
     ![Business Process Security Policies](./media/workday-inbound-tutorial/wd_isu_13.png "Business Process Security Policies")  
 
-3. On the **Edit Business Process Security Policy** page, scroll to the **Maintain Contact Information (Web Service)** section.
+3. On the **Edit Business Process Security Policy** page, scroll to the **Change Work Contact Information (Web Service)** section.
+    
 
-    ![Business Process Security Policies](./media/workday-inbound-tutorial/wd_isu_14.png "Business Process Security Policies")  
-
-4. Select and add the new integration system security group to the list of security groups that can initiate the web services request. Click on **Done**. 
+4. Select and add the new integration system security group to the list of security groups that can initiate the web services request. 
 
     ![Business Process Security Policies](./media/workday-inbound-tutorial/wd_isu_15.png "Business Process Security Policies")  
 
+5. Click on **Done**. 
+
 ### Activating security policy changes
 
 **To activate security policy changes:**
@@ -457,8 +458,11 @@ In this step, we establish connectivity with Workday and Active Directory in the
         https://wd3-impl-services1.workday.com/ccx/service/contoso4, where *contoso4* is replaced with your correct tenant name and *wd3-impl* is replaced with the correct environment string.
 
      > [!NOTE]
-     > By default the app uses Workday Web Services v21.1 if no version information is specified in the URL. To use a specific Workday Web Services API version, please use the URL format: https://####.workday.com/ccx/service/tenantName/Human_Resources/v##.# <br>
-     > Example: https://wd3-impl-services1.workday.com/ccx/service/contoso4/Human_Resources/v31.0
+     > By default, the app uses Workday Web Services (WWS) v21.1 if no version information is specified in the URL. To use a specific WWS API version, please use the URL format: https://####.workday.com/ccx/service/tenantName/Human_Resources/v##.# <br>
+     > Example: https://wd3-impl-services1.workday.com/ccx/service/contoso4/Human_Resources/v31.0 <br>
+     
+     > [!NOTE]
+     > If you are using a WWS API v30.0 and above, before turning on the provisioning job, please update the **XPATH API expressions** under **Attribute Mapping -> Advanced Options -> Edit attribute list for Workday** referring to the section [Managing your configuration](#managing-your-configuration) and [Workday attribute reference](../app-provisioning/workday-attribute-reference.md#xpath-values-for-workday-web-services-wws-api-v30).  
 
    * **Active Directory Forest -** The "Name" of your Active Directory domain, as registered with the agent. Use the dropdown to select the target domain for provisioning. This value is typically a string like: *contoso.com*
 
@@ -838,7 +842,7 @@ The solution currently uses the following Workday APIs:
   * If the URL format is: https://\#\#\#\#\.workday\.com/ccx/service/tenantName/Human\_Resources , then API v21.1 is used 
   * If the URL format is: https://\#\#\#\#\.workday\.com/ccx/service/tenantName/Human\_Resources/v\#\#\.\# , then the specified API version is used. (Example: if v34.0 is specified, then it is used.)  
 
-* Workday Email Writeback feature uses Maintain_Contact_Information (v26.1) 
+* Workday Email Writeback feature uses Change_Work_Contact_Information (v30.0) 
 * Workday Username Writeback feature uses Update_Workday_Account (v31.2) 
 
 #### Can I configure my Workday HCM tenant with two Azure AD tenants?
@@ -1272,7 +1276,7 @@ To do this change, you must use [Workday Studio](https://community.workday.com/s
 
 1. Download and install [Workday Studio](https://community.workday.com/studio-download). You will need a Workday community account to access the installer.
 
-2. Download the Workday Human_Resources WSDL file from this URL: https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v21.1/Human_Resources.wsdl
+2. Download the Workday **Human_Resources** WSDL file specific to the WWS API version you plan to use from the [Workday Web Services Directory](https://community.workday.com/sites/default/files/file-hosting/productionapi/index.html)
 
 3. Launch Workday Studio.
 
@@ -1292,7 +1296,7 @@ To do this change, you must use [Workday Studio](https://community.workday.com/s
 
 9. Select **OK**.
 
-10. In the **Request** pane, paste in the XML below and set **Employee_ID** to the employee ID of a real user in your Workday tenant. Select a user that has the attribute populated that you wish to extract.
+10. In the **Request** pane, paste in the XML below. Set **Employee_ID** to the employee ID of a real user in your Workday tenant. Set **wd:version** to the version of WWS that you plan to use. Select a user that has the attribute populated that you wish to extract.
 
     ```xml
     <?xml version="1.0" encoding="UTF-8"?>

articles/active-directory/saas-apps/media/workday-inbound-tutorial/wd_isu_15.png

@@ -93,6 +93,25 @@ AKS supports the following [admission controllers][admission-controllers]:
 
 Currently, you can't modify the list of admission controllers in AKS.
 
+## Can I use admission controller webhooks on AKS?
+
+Yes, you may use admission controller webhooks on AKS. It is recommended you exclude internal AKS namespaces which are marked with the **control-plane label.** For example, by adding the below to the webhook configuration:
+
+```
+namespaceSelector:
+    matchExpressions:
+    - key: control-plane
+      operator: DoesNotExist
+```
+
+## Can admission controller webhooks impact kube-system and internal AKS namespaces?
+
+To protect the stability of the system and prevent custom admission controllers from impacting internal services in the kube-system, namespace AKS has an **Admissions Enforcer**, which automatically excludes kube-system and AKS internal namespaces. This service ensures the custom admission controllers don't affect the services running in kube-system.
+
+If you have a critical use case for having something deployed on kube-system (not recommended) which you require to be covered by your custom admission webhook, you may add the below label or annotation so that Admissions Enforcer ignores it.
+
+Label: ```"admissions.enforcer/disabled": "true"``` or Annotation: ```"admissions.enforcer/disabled": true```
+
 ## Is Azure Key Vault integrated with AKS?
 
 AKS isn't currently natively integrated with Azure Key Vault. However, the [Azure Key Vault FlexVolume for Kubernetes project][keyvault-flexvolume] enables direct integration from Kubernetes pods to Key Vault secrets.

articles/active-directory/saas-apps/workday-inbound-tutorial.md

@@ -26,6 +26,8 @@
       href: learn/automation-tutorial-runbook-textual-python2.md
 - name: Concepts
   items:
+    - name: Automation account authentication overview
+      href: automation-security-overview.md
     - name: Runbook execution overview
       href: automation-runbook-execution.md
     - name: Hybrid Runbook Worker overview
@@ -48,6 +50,8 @@
           href: automation-create-standalone-account.md
         - name: Create Automation account with Resource Manager template
           href: automation-create-account-template.md
+        - name: Configure authentication with Amazon Web Services
+          href: automation-config-aws-account.md
         - name: Manage an Automation Run As account
           href: manage-runas-account.md
         - name: Manage role permissions and security
@@ -248,8 +252,6 @@
           href: automation-create-alert-triggered-runbook.md
         - name: Manage Office 365 services
           href: manage-office-365.md
-        - name: Authenticate runbooks with Amazon Web Services
-          href: automation-config-aws-account.md
         - name: Deploy AWS VM with Automation runbook
           href: automation-scenario-aws-deployment.md
         - name: Deploy Resource Manager template with runbook