MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 10 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 10 additions & 0 deletions
diff --git a/‎articles/active-directory-domain-services/migrate-from-classic-vnet.md
Lines changed: 4 additions & 3 deletions b/‎articles/active-directory-domain-services/migrate-from-classic-vnet.md
Lines changed: 4 additions & 3 deletions
diff --git a/‎articles/active-directory/conditional-access/TOC.yml
Lines changed: 0 additions & 2 deletions b/‎articles/active-directory/conditional-access/TOC.yml
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/active-directory/conditional-access/howto-conditional-access-policy-registration.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/conditional-access/howto-conditional-access-policy-registration.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure.md
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md
Lines changed: 35 additions & 5 deletions b/‎articles/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md
Lines changed: 35 additions & 5 deletions
@@ -567,6 +567,11 @@
       "redirect_url": "/azure/cognitive-services//QnAMaker/Quickstarts/get-answer-from-knowledge-base-using-url-tool",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/cognitive-services/LUIS/luis-quickstart-primary-and-secondary-data.md",
+      "redirect_url": "/azure/cognitive-services/LUIS/tutorial-machine-learned-entity",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/cognitive-services/LUIS/luis-quickstart-intent-and-list-entity.md",
       "redirect_url": "/azure/cognitive-services/LUIS/tutorial-list-entity",
@@ -10032,6 +10037,11 @@
       "redirect_url": "/azure-stack/user/azure-stack-vpn-gateway-about-vpn-gateways",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/virtual-wan/virtual-wan-office365-overview.md",
+      "redirect_url": "/azure/virtual-wan/virtual-wan-about",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/azure-stack/azure-stack-vpn-gateway-settings.md",
       "redirect_url": "/azure-stack/user/azure-stack-vpn-gateway-settings",
 
@@ -303,13 +303,14 @@ Azure AD DS needs a network security group to secure the ports needed for the ma
 
 If there's an error when you run the PowerShell cmdlet to prepare for migration in step 2 or for the migration itself in step 3, the Azure AD DS managed domain can roll back to the original configuration. This roll back requires the original Classic virtual network. Note that the IP addresses may still change after rollback.
 
-Run the `Migrate-Aadds` cmdlet using the *-Abort* parameter. Provide the *-ManagedDomainFqdn* for your own Azure AD DS managed domain prepared in a previous section, such as *contoso.com*:
+Run the `Migrate-Aadds` cmdlet using the *-Abort* parameter. Provide the *-ManagedDomainFqdn* for your own Azure AD DS managed domain prepared in a previous section, such as *contoso.com*, and the Classic virtual network name, such as *myClassicVnet*:
 
 ```powershell
 Migrate-Aadds `
     -Abort `
     -ManagedDomainFqdn contoso.com `
-    -Credentials $creds
+    -ClassicVirtualNetworkName myClassicVnet `
+    -Credentials $creds
 ```
 
 ### Restore
@@ -357,4 +358,4 @@ With your Azure AD DS managed domain migrated to the Resource Manager deployment
 [get-credential]: /powershell/module/microsoft.powershell.security/get-credential
 
 <!-- EXTERNAL LINKS -->
-[powershell-script]: https://www.powershellgallery.com/packages/Migrate-Aadds/1.0
+[powershell-script]: https://www.powershellgallery.com/packages/Migrate-Aadds/
@@ -64,8 +64,6 @@
       href: howto-conditional-access-policy-compliant-device.md
   - name: Block legacy authentication
     href: block-legacy-authentication.md
-  - name: Conditional Access for MFA registration
-    href: ../authentication/howto-registration-mfa-sspr-combined.md#conditional-access-policies-for-combined-registration
   - name: Require approved client apps
     href: app-based-conditional-access.md
   - name: Require app protection policy
 
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 ---
 # Conditional Access: Require trusted location for MFA registration
 
-Securing when and how users register for Azure Multi-Factor Authentication and self-service password reset is now possible with user actions in Conditional Access policy. This preview feature is available to organizations who have enabled the [combined registration preview](../authentication/concept-registration-mfa-sspr-combined.md). This functionality may be enabled in organizations where they want users to register for Azure Multi-Factor Authentication and SSPR from a central location such as a trusted network location during HR onboarding. For more information about creating trusted locations in Conditional Access, see the article [What is the location condition in Azure Active Directory Conditional Access?](../conditional-access/location-condition.md#named-locations)
+Securing when and how users register for Azure Multi-Factor Authentication and self-service password reset is now possible with user actions in Conditional Access policy. This preview feature is available to organizations who have enabled the [combined registration preview](../authentication/concept-registration-mfa-sspr-combined.md). This functionality may be enabled in organizations where they want to use conditions like trusted network location to restrict access to register for Azure Multi-Factor Authentication and SSPR. For more information about creating trusted locations in Conditional Access, see the article [What is the location condition in Azure Active Directory Conditional Access?](../conditional-access/location-condition.md#named-locations)
 
 ## Create a policy to require registration from a trusted location
 
 
@@ -43,10 +43,11 @@ Before configuring device identities in Azure AD for your VDI environment, famil
 | Device identity type | Identity infrastructure | Windows devices | VDI platform version | Supported |
 | --- | --- | --- | --- | --- |
 | Hybrid Azure AD joined | Federated* | Windows current*** and Windows down-level**** | Persistent | Yes |
-|   |   |   | Non-Persistent | Yes |
-|   | Managed** | Windows current and Windows down-level | Persistent | Yes |
+|   |   | Windows current | Non-Persistent | No |
 |   |   | Windows down-level | Non-Persistent | Yes |
+|   | Managed** | Windows current and Windows down-level | Persistent | Yes |
 |   |   | Windows current | Non-Persistent | No |
+|   |   | Windows down-level | Non-Persistent | Yes |
 | Azure AD joined | Federated | Windows current | Persistent | No |
 |   |   |   | Non-Persistent | No |
 |   | Managed | Windows current | Persistent | No |
@@ -79,7 +80,6 @@ When deploying non-persistent VDI, IT administrators should pay close attention
 
 - Create and use a prefix for the display name of the computer that indicates the desktop as VDI-based.
 - Implement the following commands as part of logoff script. These commands will trigger a best effort call to Azure AD to delete the device.
-   - For Windows current devices – dsregcmd.exe /leave
    - For Windows down-level devices – autoworkplace.exe /leave
 - Define and implement process for [managing stale devices](manage-stale-devices.md).
    - Once you have a strategy to identify your non-persistent Hybrid Azure AD joined devices, you can be more aggressive on the clean-up of these devices to ensure your directory does not get consumed with lots of stale devices.
 
@@ -13,17 +13,19 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 10/05/2018
+ms.date: 11/12/2019
 ms.subservice: hybrid
 ms.author: billmath
 
 ms.collection: M365-identity-device-management
 ---
 # Azure AD Connect sync: Directory extensions
-You can use directory extensions to extend the schema in Azure Active Directory (Azure AD) with your own attributes from on-premises Active Directory. This feature enables you to build LOB apps by consuming attributes that you continue to manage on-premises. These attributes can be consumed through [Azure AD Graph API directory extensions](https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-directory-schema-extensions) or [Microsoft Graph](https://developer.microsoft.com/graph/). You can see the available attributes by using [Azure AD Graph Explorer](https://graphexplorer.azurewebsites.net/) and [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer), respectively.
+You can use directory extensions to extend the schema in Azure Active Directory (Azure AD) with your own attributes from on-premises Active Directory. This feature enables you to build LOB apps by consuming attributes that you continue to manage on-premises. These attributes can be consumed through [Azure AD Graph API directory extensions](https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-directory-schema-extensions) or [Microsoft Graph](https://developer.microsoft.com/graph/). You can see the available attributes by using [Azure AD Graph Explorer](https://graphexplorer.azurewebsites.net/) and [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer), respectively. You can also use this feature to create dynamic groups in Azure AD.
 
 At present, no Office 365 workload consumes these attributes.
 
+## Customize which attributes to synchronize with Azure AD
+
 You configure which additional attributes you want to synchronize in the custom settings path in the installation wizard.
 
 >[!NOTE]
@@ -45,11 +47,17 @@ The list of attributes is read from the schema cache that's created during insta
 
 An object in Azure AD can have up to 100 attributes for directory extensions. The maximum length is 250 characters. If an attribute value is longer, the sync engine truncates it.
 
-During installation of Azure AD Connect, an application is registered where these attributes are available. You can see this application in the Azure portal.
+## Configuration changes in Azure AD made by the wizard
+
+During installation of Azure AD Connect, an application is registered where these attributes are available. You can see this application in the Azure portal. Its name is always **Tenant Schema Extension App**.
 
 ![Schema extension app](./media/how-to-connect-sync-feature-directory-extensions/extension3new.png)
 
-The attributes are prefixed with the extension \_{AppClientId}\_. AppClientId has the same value for all attributes in your Azure AD tenant.
+Make sure you select **All applications** to see this app.
+
+The attributes are prefixed with **extension \_{ApplicationId}\_**. ApplicationId has the same value for all attributes in your Azure AD tenant. You will need this value for all other scenarios in this topic.
+
+## Viewing attributes using Graph
 
 These attributes are now available through the Azure AD Graph API. You can query them by using [Azure AD Graph Explorer](https://graphexplorer.azurewebsites.net/).
 
@@ -58,10 +66,32 @@ These attributes are now available through the Azure AD Graph API. You can query
 Or you can query the attributes through the Microsoft Graph API, by using [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer#).
 
 >[!NOTE]
-> You need to ask for the attributes to be returned. Explicitly select the attributes like this: https\://graph.microsoft.com/beta/users/abbie.[email protected]?$select=extension_9d98ed114c4840d298fad781915f27e4_employeeID,extension_9d98ed114c4840d298fad781915f27e4_division. 
+> In Microsoft Graph, you need to ask for the attributes to be returned. Explicitly select the attributes like this: https\://graph.microsoft.com/beta/users/abbie.[email protected]?$select=extension_9d98ed114c4840d298fad781915f27e4_employeeID,extension_9d98ed114c4840d298fad781915f27e4_division.
 >
 > For more information, see [Microsoft Graph: Use query parameters](https://developer.microsoft.com/graph/docs/concepts/query_parameters#select-parameter).
 
+## Use the attributes in dynamic groups
+
+One of the more useful scenarios is to use these attributes in dynamic security or Office 365 groups.
+
+1. Create a new group in Azure AD. Give it a good name and make sure the **Membership type** is **Dynamic User**.
+
+   ![Screenshot with a new group](./media/how-to-connect-sync-feature-directory-extensions/dynamicgroup1.png)
+
+2. Select to **Add dynamic query**. If you look at the properties, then you will not see these extended attributes. You need to add them first. Click **Get custom extension properties**, enter the Application ID, and click **Refresh properties**.
+
+   ![Screenshot where directory extensions have been added](./media/how-to-connect-sync-feature-directory-extensions/dynamicgroup2.png) 
+
+3. Open the property drop-down and note that the attributes you added are now visible.
+
+   ![Screenshot with new attributes showing up in the UI](./media/how-to-connect-sync-feature-directory-extensions/dynamicgroup3.png)
+
+   Complete the expression to suit your requirements. In our example, the rule is set to **(user.extension_9d98ed114c4840d298fad781915f27e4_division -eq "Sales and marketing")**.
+
+4. After the group has been created, give Azure AD some time to populate the members and then review the members.
+
+   ![Screenshot with members in the dynamic group](./media/how-to-connect-sync-feature-directory-extensions/dynamicgroup4.png)  
+
 ## Next steps
 Learn more about the [Azure AD Connect sync](how-to-connect-sync-whatis.md) configuration.