Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into heidist-python

Author: HeidiSteen

.openpublishing.redirection.json

@@ -39,7 +39,7 @@ Conditional Access policies are powerful tools, we recommend excluding the follo
 
 * **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
    * More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md).
-* **Service accounts** and **service principles**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services and allow programmatic access to applications. Service accounts should be excluded since MFA can’t be completed programmatically.
+* **Service accounts** and **service principals**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services and allow programmatic access to applications. Service accounts should be excluded since MFA can’t be completed programmatically.
    * If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
 
 ## Create a Conditional Access policy

articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md

@@ -104,7 +104,7 @@ To configure Azure AD single sign-on with HackerOne, perform the following steps
     ![HackerOne Domain and URLs single sign-on information](common/sp-identifier.png)
 
 	a. In the **Sign on URL** text box, enter the following:
-    `https://hackerone.com/users/saml/auth`
+    `https://hackerone.com/users/saml/sign_in?email=<configured domain>`
 
     b. In the **Identifier (Entity ID)** text box, enter the following:
     `hackerone.com`
@@ -153,7 +153,13 @@ To configure Azure AD single sign-on with HackerOne, perform the following steps
 
     a. Click **Run test**.
 
-    b. If the value of the **Status** field equals **Last test status: created**, contact your [HackerOne support team](mailto:[email protected]) to request a review of your configuration.
+6. When the test finishes successfully and the **Status** field shows **Last test status: success**, select the **Request Verification** button to submit to HackerOne for approval.
+
+    ![Submit to HackerOne for approval](./media/hackerone-tutorial/tutorial-hackerone-006.png)
+
+7. After HackerOne approves the settings, you can select the **Migrate Users** button to require SSO authentication for all users.
+
+    ![Enable SAML](./media/hackerone-tutorial/tutorial-hackerone-007.png)
 
 ### Create an Azure AD test user
 
@@ -172,7 +178,7 @@ The objective of this section is to create a test user in the Azure portal calle
     ![The User dialog box](common/user-properties.png)
 
     a. In the **Name** field enter **BrittaSimon**.
-  
+
     b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**  
     For example, [email protected]
 

articles/active-directory/develop/media/v2-shared-device-mode/lifecycle.png

@@ -138,6 +138,7 @@ Once you've configured provisioning, use the following resources to monitor your
 * **EntryJoiningPropertyValueIsMissing:** Review your [attribute mappings](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes) to identify the matching attribute. This value must be present on the user or group you're attempting to provision. 
 * Review the [ServiceNow SOAP API](https://docs.servicenow.com/bundle/newyork-application-development/page/integrate/web-services-apis/reference/r_DirectWebServiceAPIFunctions.html) to understand any requirements or limitations (for example, format to specify country code for a user)
 * Some ServiceNow deployments require permitting IP ranges for the Azure AD provisioning service. The reserved IP ranges for the Azure AD provisioning service can be found [here](https://www.microsoft.com/download/details.aspx?id=56519) under "AzureActiveDirectoryDomainServices".
+* Provisioning users to the ServiceNow government cloud is not supported currently.
 
 ## Additional resources
 

articles/active-directory/saas-apps/hackerone-tutorial.md

@@ -35,7 +35,7 @@ This article describes the differences between self-hosted and managed versions
 You can build your developer portal in two ways:
 
 - **Managed version** - by editing and customizing the portal, which is built into your API Management instance and is accessible through the URL `<your-api-management-instance-name>.developer.azure-api.net`. Refer to [this documentation article](api-management-howto-developer-portal-customize.md) to learn how to access and customize the managed portal.
-- **Self-hosted version** - by deploying and self-hosting your portal outside of an API Management instance. This approach allows you to edit the portal's codebase and extend the provided core functionality. You also need to upgrade the portal to the latest version yourself. For details and instructions, refer to the [GitHub repository with the source code of the portal][1]. The [tutorial for the managed version](api-management-howto-developer-portal-customize.md) walks through the portal's administrative panel, which is also featured in the self-hosted version.
+- **Self-hosted version** - by deploying and self-hosting your portal outside of an API Management instance. This approach allows you to edit the portal's codebase and extend the provided core functionality. You also need to upgrade the portal to the latest version yourself. For details and instructions, refer to the [GitHub repository with the source code of the portal][1] and [the tutorial on implementing a widget][4]. The [tutorial for the managed version](api-management-howto-developer-portal-customize.md) walks through the portal's administrative panel, which is also featured in the self-hosted version.
 
 ## Portal architectural concepts
 
@@ -98,6 +98,10 @@ The old developer and publisher portals are now *legacy* features - they will be
 
 Deprecation of the legacy portals will be announced separately. If you have questions, concerns, or comments, raise them [in a dedicated GitHub issue](https://github.com/Azure/api-management-developer-portal/issues/121).
 
+### Functionality I need isn't supported in the portal
+
+Use the self-hosted version and [implement your own widget][4].
+
 ### How can I automate portal deployments?
 
 You can programmatically access and manage the developer portal's content through the REST API, regardless if you're using a managed or a self-hosted version.
@@ -212,6 +216,7 @@ Learn more about the new developer portal:
 
 - [Access and customize the managed developer portal](api-management-howto-developer-portal-customize.md)
 - [Set up self-hosted version of the portal][2]
+- [Implement your own widget][4]
 
 Browse other resources:
 
@@ -220,4 +225,5 @@ Browse other resources:
 
 [1]: https://aka.ms/apimdevportal
 [2]: https://github.com/Azure/api-management-developer-portal/wiki
-[3]: https://github.com/Azure/api-management-developer-portal/projects
+[3]: https://github.com/Azure/api-management-developer-portal/projects
+[4]: https://aka.ms/apimdevportal/extend

articles/active-directory/saas-apps/media/hackerone-tutorial/tutorial-hackerone-006.png

@@ -56,7 +56,7 @@ Below policies can be configured to check the thumbprint of a client certificate
 
 ```xml
 <choose>
-    <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify() || context.Request.Certificate.Thumbprint != "desired-thumbprint")" >
+    <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify() || context.Request.Certificate.Thumbprint != "DESIRED-THUMBPRINT-IN-UPPER-CASE")" >
         <return-response>
             <set-status code="403" reason="Invalid client certificate" />
         </return-response>

articles/active-directory/saas-apps/media/hackerone-tutorial/tutorial-hackerone-007.png

@@ -22,7 +22,7 @@ This article uses the [Azure portal](https://portal.azure.com) and Azure CLI to
 |-|-|-|-|
 | Application logging | Windows, Linux | App Service file system and/or Azure Storage blobs | Logs messages generated by your application code. The messages can be generated by the web framework you choose, or from your application code directly using the standard logging pattern of your language. Each message is assigned one of the following categories: **Critical**, **Error**, **Warning**, **Info**, **Debug**, and **Trace**. You can select how verbose you want the logging to be by setting the severity level when you enable application logging.|
 | Web server logging| Windows | App Service file system or Azure Storage blobs| Raw HTTP request data in the [W3C extended log file format](/windows/desktop/Http/w3c-logging). Each log message includes data such as the HTTP method, resource URI, client IP, client port, user agent, response code, and so on. |
-| Detailed error logging | Windows | App Service file system | Copies of the *.htm* error pages that would have been sent to the client browser. For security reasons, detailed error pages shouldn't be sent to clients in production, but App Service can save the error page each time an application error occurs that has HTTP code 400 or greater. The page may contain information that can help determine why the server returns the error code. |
+| Detailed Error Messages| Windows | App Service file system | Copies of the *.htm* error pages that would have been sent to the client browser. For security reasons, detailed error pages shouldn't be sent to clients in production, but App Service can save the error page each time an application error occurs that has HTTP code 400 or greater. The page may contain information that can help determine why the server returns the error code. |
 | Failed request tracing | Windows | App Service file system | Detailed tracing information on failed requests, including a trace of the IIS components used to process the request and the time taken in each component. It's useful if you want to improve site performance or isolate a specific HTTP error. One folder is generated for each failed request, which contains the XML log file, and the XSL stylesheet to view the log file with. |
 | Deployment logging | Windows, Linux | App Service file system | Logs for when you publish content to an app. Deployment logging happens automatically and there are no configurable settings for deployment logging. It helps you determine why a deployment failed. For example, if you use a [custom deployment script](https://github.com/projectkudu/kudu/wiki/Custom-Deployment-Script), you might use deployment logging to determine why the script is failing. |