Commit 87781a4

Merge pull request #101999 from MicrosoftDocs/master
1/22 PM Publish
2 parents 5e37847 + ca3eaf5 commit 87781a4

File tree

167 files changed

+2445
-2260
lines changed

.openpublishing.redirection.json

Lines changed: 13 additions & 3 deletions
@@ -4248,7 +4248,7 @@
42484248
},
42494249
{
42504250
"source_path": "articles/billing-how-to-create-billing-support-ticket.md",
4251-
"redirect_url": "/azure/azure-supportability/how-to-create-azure-support-request",
4251+
"redirect_url": "/azure/azure-portal/supportability/how-to-create-azure-support-request",
42524252
"redirect_document_id": false
42534253
},
42544254
{
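Review bot: the redirect target for `billing-how-to-create-billing-support-ticket.md` moves from the `/azure/azure-supportability/` prefix to `/azure/azure-portal/supportability/`. The companion entry at line 4261 gets the same treatment in the next hunk; any other entries in this file that still point under the old `/azure/azure-supportability/` prefix should be updated in the same change, otherwise those redirects land on a path that is itself redirected and readers follow a redirect chain.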
@@ -4258,7 +4258,7 @@
42584258
},
42594259
{
42604260
"source_path": "articles/billing-how-to-use-file-uploader.md",
4261-
"redirect_url": "/azure/azure-supportability/how-to-use-file-uploader",
4261+
"redirect_url": "/azure/azure-portal/supportability/how-to-use-file-uploader",
42624262
"redirect_document_id": false
42634263
},
42644264
{
@@ -17349,7 +17349,7 @@
1734917349
},
1735017350
{
1735117351
"source_path": "articles/virtual-machine-scale-sets/virtual-machine-scale-sets-use-low-priority.md",
17352-
"redirect_url": "/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-spot",
17352+
"redirect_url": "/azure/virtual-machine-scale-sets/use-spot",
1735317353
"redirect_document_id": true
1735417354
},
1735517355
{
@@ -46619,6 +46619,16 @@
4661946619
"source_path": "articles/load-balancer/load-balancer-arm.md",
4662046620
"redirect_url": "/azure/load-balancer/load-balancer-overview",
4662146621
"redirect_document_id": true
46622+
},
46623+
{
46624+
"source_path": "articles/healthcare-apis/tutorial-2-setup-environment.md",
46625+
"redirect_url": "/azure/healthcare-apis/tutorial-web-app-fhir-server",
46626+
"redirect_document_id": false
46627+
},
46628+
{
46629+
"source_path": "articles/healthcare-apis/tutorial-3-connect-to-endpoint.md",
46630+
"redirect_url": "/azure/healthcare-apis/tutorial-web-app-fhir-server",
46631+
"redirect_document_id": false
4662246632
}
4662346633
]
4662446634
}
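Review bot: both new entries (`tutorial-2-setup-environment.md` and `tutorial-3-connect-to-endpoint.md`) redirect to the same target, `/azure/healthcare-apis/tutorial-web-app-fhir-server`, and both set `"redirect_document_id": false`. That is the right combination, since only one source can carry a document id over to a given target; worth confirming that no separate entry already claims that target with `"redirect_document_id": true` before merging. Also note the two new objects are inserted before the closing `}` of the previous entry's block, so the preceding `"redirect_document_id": true` at line 46621 now needs the `},` at new line 46622 to keep the JSON valid, which the hunk does supply.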

articles/active-directory-b2c/tutorial-create-tenant.md

Lines changed: 2 additions & 0 deletions
@@ -64,6 +64,8 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
6464
For **Resource group**, select **Create new**. Enter a **Name** for the resource group that will contain the tenant, select the **Resource group location**, and then select **Create**.
6565

6666
![Link subscription settings form in Azure portal](media/tutorial-create-tenant/portal-06-link-subscription-settings.png)
67+
68+
You can link multiple Azure AD B2C tenants to a single Azure subscription for billing purposes.
6769

6870
## Select your B2C tenant directory
6971

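Review bot: the added sentence at new line 68 ("You can link multiple Azure AD B2C tenants to a single Azure subscription for billing purposes.") sits directly after the screenshot with no connection to the step above it. Consider leading with the step's outcome, for example "After the subscription is linked, ...", and stating where the linked tenants can later be reviewed, so a reader who has just created a resource group understands why this note appears here.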
articles/active-directory-domain-services/compare-identity-solutions.md

Lines changed: 9 additions & 9 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: domain-services
1010
ms.workload: identity
1111
ms.topic: overview
12-
ms.date: 10/30/2019
12+
ms.date: 01/22/2020
1313
ms.author: iainfou
1414

1515
#Customer intent: As an IT administrator or decision maker, I want to understand the differences between Active Directory Domain Services (AD DS), Azure AD, and Azure AD DS so I can choose the most appropriate identity solution for my organization.
@@ -25,8 +25,8 @@ Although the three Active Directory-based identity solutions share a common name
2525
* AD DS is a central component in many organizations with an on-premises IT environment, and provides core user account authentication and computer management features.
2626
* **Azure Active Directory (Azure AD)** - Cloud-based identity and mobile device management that provides user account and authentication services for resources such as Office 365, the Azure portal, or SaaS applications.
2727
* Azure AD can be synchronized with an on-premises AD DS environment to provide a single identity to users that works natively in the cloud.
28-
* **Azure Active Directory Domain Services (Azure AD DS)** - Provides managed domain services with a subset of fully compatible traditional AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication.
29-
* Azure AD DS integrates with Azure AD, which itself can synchronize with an on-premises AD DS environment, to extend central identity use cases to traditional web applications that run in Azure as part of a lift-and-shift strategy.
28+
* **Azure Active Directory Domain Services (Azure AD DS)** - Provides managed domain services with a subset of fully-compatible traditional AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication.
29+
* Azure AD DS integrates with Azure AD, which itself can synchronize with an on-premises AD DS environment. This ability extends central identity use cases to traditional web applications that run in Azure as part of a lift-and-shift strategy.
3030

3131
This overview article compares and contrasts how these identity solutions can work together, or would be used independently, depending on the needs of your organization.
3232

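Review bot: the change at line 28 introduces "fully-compatible", but an adverb ending in -ly is not hyphenated to the adjective it modifies; the original "fully compatible" was correct and should be kept. The split of the line 29 sentence into two ("... environment. This ability extends ...") reads better than the original and is fine.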
@@ -45,8 +45,8 @@ When you deploy and run a self-managed AD DS environment, you have to maintain a
4545

4646
Common deployment models for a self-managed AD DS environment that provides identity to applications and services in the cloud include the following:
4747

48-
* **Standalone cloud-only AD DS** - Azure VMs are configured as domain controllers and a separate cloud-only AD DS environment is created. This AD DS environment doesn't integrate with an on-premises AD DS environment. A different set of credentials is used to sign in to and administer VMs in the cloud.
49-
* **Resource forest deployment** - Azure VMs are configured as domain controllers and an AD DS domain as part of an existing forest is created. A trust relationship is then configured to an on-premises AD DS environment. Other Azure VMs can domain-join to this resource forest in the cloud. User authentication runs over a VPN / ExpressRoute connection to the on-premises AD DS environment.
48+
* **Standalone cloud-only AD DS** - Azure VMs are configured as domain controllers and a separate, cloud-only AD DS environment is created. This AD DS environment doesn't integrate with an on-premises AD DS environment. A different set of credentials is used to sign in and administer VMs in the cloud.
49+
* **Resource forest deployment** - Azure VMs are configured as domain controllers and an AD DS domain that's part of an existing forest is created. A trust relationship is then configured to an on-premises AD DS environment. Other Azure VMs can domain-join to this resource forest in the cloud. User authentication runs over a VPN / ExpressRoute connection to the on-premises AD DS environment.
5050
* **Extend on-premises domain to Azure** - An Azure virtual network connects to an on-premises network using a VPN / ExpressRoute connection. Azure VMs connect to this Azure virtual network, which lets them domain-join to the on-premises AD DS environment.
5151
* An alternative is to create Azure VMs and promote them as replica domain controllers from the on-premises AD DS domain. These domain controllers replicate over a VPN / ExpressRoute connection to the on-premises AD DS environment. The on-premises AD DS domain is effectively extended into Azure.
5252
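Review bot: at new line 48 the edit drops "to" from "sign in to and administer VMs", which leaves "sign in and administer VMs in the cloud" reading as if the credentials are signed in to something unstated. Suggest keeping "sign in to and administer VMs in the cloud". The rewording at line 49 ("an AD DS domain that's part of an existing forest") is an improvement.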

@@ -64,15 +64,15 @@ The following table outlines some of the features you may need for your organiza
6464
| **Custom OU structure** | **✓** | **✓** |
6565
| **Group Policy** | **✓** | **✓** |
6666
| **Schema extensions** | **✕** | **✓** |
67-
| **AD domain / forest trusts** | **✕** | **✓** |
67+
| **AD domain / forest trusts** | **✓** (one-way outbound forest trusts only) | **✓** |
6868
| **Secure LDAP (LDAPS)** | **✓** | **✓** |
6969
| **LDAP read** | **✓** | **✓** |
7070
| **LDAP write** | **✓** (within the managed domain) | **✓** |
7171
| **Geo-distributed deployments** | **✕** | **✓** |
7272

7373
## Azure AD DS and Azure AD
7474

75-
Azure AD lets you manage the identity of devices used by the organization and control access to corporate resources from those devices. Users can also register their personal device (a bring-your-own, or BYO, model) with Azure AD, which provides the device with an identity. Azure AD then authenticates the device when a user signs in to Azure AD and uses the device to access secured resources. The device can be managed using Mobile Device Management (MDM) software like Microsoft Intune. This management ability lets you restrict access to sensitive resources to managed and policy-compliant devices.
75+
Azure AD lets you manage the identity of devices used by the organization and control access to corporate resources from those devices. Users can also register their personal device (a bring-your-own (BYO) model) with Azure AD, which provides the device with an identity. Azure AD then authenticates the device when a user signs in to Azure AD and uses the device to access secured resources. The device can be managed using Mobile Device Management (MDM) software like Microsoft Intune. This management ability lets you restrict access to sensitive resources to managed and policy-compliant devices.
7676

7777
Traditional computers and laptops can also join to Azure AD. This mechanism offers the same benefits of registering a personal device with Azure AD, such as to allow users to sign in to the device using their corporate credentials.
7878

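Review bot: the table row at new line 67 changes the Azure AD DS cell from ✕ to "✓ (one-way outbound forest trusts only)", which is a capability change and not just a wording fix, so it should be cross-referenced to the page that documents the trust configuration. The parenthetical also leaves the direction ambiguous (which forest trusts which); since the direction of a one-way trust decides whose users can be granted access to whose resources, spell it out, for example "outbound from the managed domain to an on-premises forest", so readers do not infer a trust relationship the managed domain does not support. At new line 75, "(a bring-your-own (BYO) model)" nests parentheses; "(a bring-your-own, or BYO, model)" as in the original avoids that.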
@@ -89,8 +89,8 @@ Devices can be joined to Azure AD with or without a hybrid deployment that inclu
8989
| **Type of device** | **Device platforms** | **Mechanism** |
9090
|:----------------------------------------------------------| -------------------------------- | ---------------------- |
9191
| Personal devices | Windows 10, iOS, Android, Mac OS | Azure AD registered |
92-
| Organization owned device not joined to on-premises AD DS | Windows 10 | Azure AD joined |
93-
| Organization owned device joined to an on-premises AD DS | Windows 10 | Hybrid Azure AD joined |
92+
| Organization-owned device not joined to on-premises AD DS | Windows 10 | Azure AD joined |
93+
| Organization-owned device joined to an on-premises AD DS | Windows 10 | Hybrid Azure AD joined |
9494

9595
On an Azure AD-joined or registered device, user authentication happens using modern OAuth / OpenID Connect based protocols. These protocols are designed to work over the internet, so are great for mobile scenarios where users access corporate resources from anywhere.
9696

articles/active-directory-domain-services/migrate-from-classic-vnet.md

Lines changed: 18 additions & 15 deletions
@@ -8,16 +8,16 @@ ms.service: active-directory
88
ms.subservice: domain-services
99
ms.workload: identity
1010
ms.topic: conceptual
11-
ms.date: 10/15/2019
11+
ms.date: 01/22/2020
1212
ms.author: iainfou
1313

1414
---
1515

1616
# Preview - Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager
1717

18-
Azure Active Directory Domain Services (AD DS) supports a one-time move for customers currently using the Classic virtual network model to the Resource Manager virtual network model.
18+
Azure Active Directory Domain Services (AD DS) supports a one-time move for customers currently using the Classic virtual network model to the Resource Manager virtual network model. Azure AD DS managed domains that use the Resource Manager deployment model provide additional features such as fine-grained password policy, audit logs, and account lockout protection.
1919

20-
This article outlines the benefits and considerations for migration, then the required steps to successfully migrate an existing Azure AD DS instance. This feature is currently in preview.
20+
This article outlines the benefits and considerations for migration, then the required steps to successfully migrate an existing Azure AD DS instance. This migration feature is currently in preview.
2121

2222
## Overview of the migration process
2323

@@ -103,7 +103,7 @@ As you prepare and then migrate an Azure AD DS managed domain, there are some co
103103
104104
### IP addresses
105105

106-
The domain controller IP addresses for an Azure AD DS managed domain change after migration. This includes the public IP address for the secure LDAP endpoint. The new IP addresses are inside the address range for the new subnet in the Resource Manager virtual network.
106+
The domain controller IP addresses for an Azure AD DS managed domain change after migration. This change includes the public IP address for the secure LDAP endpoint. The new IP addresses are inside the address range for the new subnet in the Resource Manager virtual network.
107107

108108
In the case of rollback, the IP addresses may change after rolling back.
109109

@@ -119,13 +119,13 @@ Azure AD DS managed domains that run on Classic virtual networks don't have AD a
119119

120120
By default, 5 bad password attempts in 2 minutes lock out an account for 30 minutes.
121121

122-
A locked out account can't be signed in to, which may interfere with the ability to manage the Azure AD DS managed domain or applications managed by the account. After an Azure AD DS managed domain is migrated, accounts can experience what feels like a permanent lockout due to repeated failed attempts to sign in. Two common scenarios after migration include the following:
122+
A locked out account can't be used to sign in, which may interfere with the ability to manage the Azure AD DS managed domain or applications managed by the account. After an Azure AD DS managed domain is migrated, accounts can experience what feels like a permanent lockout due to repeated failed attempts to sign in. Two common scenarios after migration include the following:
123123

124124
* A service account that's using an expired password.
125125
* The service account repeatedly tries to sign in with an expired password, which locks out the account. To fix this, locate the application or VM with expired credentials and update the password.
126126
* A malicious entity is using brute-force attempts to sign in to accounts.
127127
* When VMs are exposed to the internet, attackers often try common username and password combinations as they attempt to sign. These repeated failed sign-in attempts can lock out the accounts. It's not recommended to use administrator accounts with generic names such as *admin* or *administrator*, for example, to minimize administrative accounts from being locked out.
128-
* Minimize the number of VMs that are exposed to the internet. You can use [Azure Bastion (currently in preview)][azure-bastion] to securely connect to VMs using the Azure portal.
128+
* Minimize the number of VMs that are exposed to the internet. You can use [Azure Bastion][azure-bastion] to securely connect to VMs using the Azure portal.
129129

130130
If you suspect that some accounts may be locked out after migration, the final migration steps outline how to enable auditing or change the fine-grained password policy settings.
131131

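Review bot: the unchanged context line 127 in this hunk has a typo, "as they attempt to sign." should be "as they attempt to sign in.", and "to minimize administrative accounts from being locked out" is awkward ("to reduce the chance that administrative accounts are locked out"). Since the hunk is already touching this list (line 128 drops the "currently in preview" qualifier from Azure Bastion), fixing those two sentences in the same change would be cheap. Worth noting too that the line 128 edit implies Azure Bastion is now generally available; confirm that before merging.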
@@ -161,11 +161,11 @@ The migration to the Resource Manager deployment model and virtual network is sp
161161
162162
## Update and verify virtual network settings
163163

164-
Before you begin the migration, complete the following initial checks and updates. These steps can happen at any time before the migration and don't affect the operation of the Azure AD DS managed domain.
164+
Before you begin the migration process, complete the following initial checks and updates. These steps can happen at any time before the migration and don't affect the operation of the Azure AD DS managed domain.
165165

166166
1. Update your local Azure PowerShell environment to the latest version. To complete the migration steps, you need at least version *2.3.2*.
167167

168-
For information on how to check and update, see [Azure PowerShell overview][azure-powershell].
168+
For information on how to check and update your PowerShell version, see [Azure PowerShell overview][azure-powershell].
169169

170170
1. Create, or choose an existing, Resource Manager virtual network.
171171

@@ -207,7 +207,8 @@ To prepare the Azure AD DS managed domain for migration, complete the following
207207
208208
```powershell
209209
Migrate-Aadds `
210-
-Prepare -ManagedDomainFqdn contoso.com `
210+
-Prepare `
211+
-ManagedDomainFqdn contoso.com `
211212
-Credentials $creds​
212213
```
213214
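Review bot: the reflow at lines 210-211 is fine, but the unchanged context line `-Credentials $creds` appears to carry an invisible trailing character (a zero-width space) after `$creds`. In a fenced `powershell` block that is copied verbatim, such a character is passed to the cmdlet as part of the argument and produces a confusing variable-not-found style error; strip it while this snippet is being edited.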
@@ -270,27 +271,27 @@ The second domain controller should be available 1-2 hours after the migration c
270271

271272
When the migration process is successfully complete, some optional configuration steps include enabling audit logs or e-mail notifications, or updating the fine-grained password policy.
272273

273-
#### Subscribe to audit logs using Azure Monitor
274+
### Subscribe to audit logs using Azure Monitor
274275

275276
Azure AD DS exposes audit logs to help troubleshoot and view events on the domain controllers. For more information, see [Enable and use audit logs][security-audits].
276277

277278
You can use templates to monitor important information exposed in the logs. For example, the audit log workbook template can monitor possible account lockouts on the Azure AD DS managed domain.
278279

279-
#### Configure Azure AD Domain Services email notifications
280+
### Configure Azure AD Domain Services email notifications
280281

281282
To be notified when a problem is detected on the Azure AD DS managed domain, update the email notification settings in the Azure portal. For more information, see [Configure notification settings][notifications].
282283

283-
#### Update fine-grained password policy
284+
### Update fine-grained password policy
284285

285286
If needed, you can update the fine-grained password policy to be less restrictive than the default configuration. You can use the audit logs to determine if a less restrictive setting makes sense, then configure the policy as needed. Use the following high-level steps to review and update the policy settings for accounts that are repeatedly locked out after migration:
286287

287288
1. [Configure password policy][password-policy] for fewer restrictions on the Azure AD DS managed domain and observe the events in the audit logs.
288289
1. If any service accounts are using expired passwords as identified in the audit logs, update those accounts with the correct password.
289-
1. If VM is exposed to the internet, review for generic account names like *administrator*, *user*, or *guest* with high sign-in attempts. Where possible, update those VMs to use less generically named accounts.
290-
1. Use a network trace on the VM to locate the source of the attacks and block those IP addresses for being able to attempt sign-ins.
290+
1. If a VM is exposed to the internet, review for generic account names like *administrator*, *user*, or *guest* with high sign-in attempts. Where possible, update those VMs to use less generically named accounts.
291+
1. Use a network trace on the VM to locate the source of the attacks and block those IP addresses from being able to attempt sign-ins.
291292
1. When there are minimal lockout issues, update the fine-grained password policy to be as restrictive as necessary.
292293

293-
#### Creating a network security group
294+
### Creating a network security group
294295

295296
Azure AD DS needs a network security group to secure the ports needed for the managed domain and block all other incoming traffic. This network security group acts as an extra layer of protection to lock down access to the managed domain, and isn't automatically created. To create the network security group and open the required ports, review the following steps:
296297

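Review bot: the heading level fixes (#### to ###) are correct, but the last heading in this hunk, "Creating a network security group" at line 294, uses a gerund while the sibling headings just promoted are imperative ("Subscribe ...", "Configure ...", "Update ..."); "Create a network security group" keeps them consistent. At line 291, "block those IP addresses from being able to attempt sign-ins" reads fine, but it would help to say where the block is applied (the network security group described under the next heading), so the step does not read as a separate manual task.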
@@ -299,6 +300,8 @@ Azure AD DS needs a network security group to secure the ports needed for the ma
299300

300301
## Roll back and restore from migration
301302

303+
Up to a certain point in the migration process, you can choose to roll back or restore the Azure AD DS managed domain.
304+
302305
### Roll back
303306

304307
If there's an error when you run the PowerShell cmdlet to prepare for migration in step 2 or for the migration itself in step 3, the Azure AD DS managed domain can roll back to the original configuration. This roll back requires the original Classic virtual network. Note that the IP addresses may still change after rollback.
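Review bot: the added sentence at new line 303, "Up to a certain point in the migration process, you can choose to roll back or restore ...", is vague about where that point is, while the unchanged paragraph right below names it (an error in step 2 or step 3). Suggest stating the boundary explicitly, for example "Until the migration in step 3 completes, you can ...", so the overview sentence and the detail agree.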

0 commit comments