Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into metadataupdatesept18

Author: KumudD

articles/active-directory-domain-services/join-windows-vm-template.md

@@ -103,11 +103,11 @@ The policy **Baseline policy: Block legacy authentication (preview)** comes pre-
 
 To enable this policy and protect your organization:
 
-1. Sign in to the **Azure portal** as Global Administrator, Security Administrator, or Conditional Access Administrator.
+1. Sign in to the **Azure portal** as Global Administrator, Security Administrator, or Conditional Access Administrator.
 1. Browse to **Azure Active Directory** > **Conditional Access**.
 1. In the list of policies, select **Baseline policy: Block legacy authentication (preview)**.
 1. Set **Enable policy** to **Use policy immediately**.
-1. Click **Save**.
+1. Click **Save**.
 
 ## Next steps
 

articles/active-directory/conditional-access/howto-baseline-protect-legacy-auth.md

@@ -25,24 +25,24 @@ This article discusses how to use Azure AD Application Proxy to enable the Power
 
 ## Prerequisites
 
-This article assumes you've already deployed Report Services and [enabled Application Proxy](application-proxy-add-on-premises-application.md).
+This article assumes you've already deployed Report Services and [enabled Application Proxy](application-proxy-add-on-premises-application.md).
 
 - Enabling Application Proxy requires installing a connector on a Windows server and completing the [prerequisites](application-proxy-add-on-premises-application.md#prepare-your-on-premises-environment) so that the connector can communicate with Azure AD services.  
 - When publishing Power BI, we recommended you use the same internal and external domains. To learn more about custom domains, see [Working with custom domains in Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-configure-custom-domain).
 - This integration is available for the **Power BI Mobile iOS and Android** application.
 
 ## Step 1: Configure Kerberos Constrained Delegation (KCD)
 
-For on-premises applications that use Windows authentication, you can achieve single sign-on (SSO) with the Kerberos authentication protocol and a feature called Kerberos constrained delegation (KCD). When configured, KCD allows the Application Proxy connector to obtain a Windows token for a user, even if the user hasn’t signed into Windows directly. To learn more about KCD, see [Kerberos Constrained Delegation Overview](https://technet.microsoft.com/library/jj553400.aspx) and [Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy](application-proxy-configure-single-sign-on-with-kcd.md).
+For on-premises applications that use Windows authentication, you can achieve single sign-on (SSO) with the Kerberos authentication protocol and a feature called Kerberos constrained delegation (KCD). When configured, KCD allows the Application Proxy connector to obtain a Windows token for a user, even if the user hasn’t signed into Windows directly. To learn more about KCD, see [Kerberos Constrained Delegation Overview](https://technet.microsoft.com/library/jj553400.aspx) and [Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy](application-proxy-configure-single-sign-on-with-kcd.md).
 
 There isn’t much to configure on the Reporting Services side. Just be sure to have a valid Service Principal Name (SPN) to enable the proper Kerberos authentication to occur. Also make sure the Reporting Services server is enabled for Negotiate authentication.
 
 To set up KCD for Reporting services, continue with the following steps.
 
 ### Configure the Service Principal Name (SPN)
 
-The SPN is a unique identifier for a service that uses Kerberos authentication. You'll need to make sure you have a proper HTTP SPN present for your report server. For information on how to configure the proper Service Principal Name (SPN) for your report server, see [Register a Service Principal Name (SPN) for a Report Server](https://msdn.microsoft.com/library/cc281382.aspx).
-You can verify that the SPN was added by running the Setspn command with the -L option. To learn more about this command, see [Setspn](https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx).
+The SPN is a unique identifier for a service that uses Kerberos authentication. You'll need to make sure you have a proper HTTP SPN present for your report server. For information on how to configure the proper Service Principal Name (SPN) for your report server, see [Register a Service Principal Name (SPN) for a Report Server](https://msdn.microsoft.com/library/cc281382.aspx).
+You can verify that the SPN was added by running the Setspn command with the -L option. To learn more about this command, see [Setspn](https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx).
 
 ### Enable Negotiate authentication
 
@@ -56,28 +56,28 @@ To enable a report server to use Kerberos authentication, configure the Authenti
 </AuthenticationTypes>
 ```
 
-For more information, see [Modify a Reporting Services Configuration File](https://msdn.microsoft.com/library/bb630448.aspx) and [Configure Windows Authentication on a Report Server](https://msdn.microsoft.com/library/cc281253.aspx).
+For more information, see [Modify a Reporting Services Configuration File](https://msdn.microsoft.com/library/bb630448.aspx) and [Configure Windows Authentication on a Report Server](https://msdn.microsoft.com/library/cc281253.aspx).
 
 ### Ensure the Connector is trusted for delegation to the SPN added to the Reporting Services application pool account
 Configure KCD so that the Azure AD Application Proxy service can delegate user identities to the Reporting Services application pool account. Configure KCD by enabling the Application Proxy connector to retrieve Kerberos tickets for your users who have been authenticated in Azure AD. Then that server passes the context to the target application, or Reporting Services in this case.
 
 To configure KCD, repeat the following steps for each connector machine:
 
-1. Sign in to a domain controller as a domain administrator, and then open **Active Directory Users and Computers**.
+1. Sign in to a domain controller as a domain administrator, and then open **Active Directory Users and Computers**.
 2. Find the computer that the connector is running on.  
-3. Double-click the computer, and then select the **Delegation** tab.
-4. Set the delegation settings to **Trust this computer for delegation to the specified services only**. Then, select **Use any authentication protocol**.
+3. Double-click the computer, and then select the **Delegation** tab.
+4. Set the delegation settings to **Trust this computer for delegation to the specified services only**. Then, select **Use any authentication protocol**.
 5. Select **Add**, and then select **Users or Computers**.
 6. Enter the service account that you're using for Reporting Services. This is the account you added the SPN to within the Reporting Services configuration.
-7. Click **OK**. To save the changes, click **OK** again.
+7. Click **OK**. To save the changes, click **OK** again.
 
 For more information, see [Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy](application-proxy-configure-single-sign-on-with-kcd.md).
 
 ## Step 2: Publish Report Services through Azure AD Application Proxy
 
 Now you're ready to configure Azure AD Application Proxy.
 
-1. Publish Report Services through Application Proxy with the following settings. For step-by-step instructions on how to publish an application through Application Proxy, see [Publishing applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad).
+1. Publish Report Services through Application Proxy with the following settings. For step-by-step instructions on how to publish an application through Application Proxy, see [Publishing applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad).
    - **Internal URL**: Enter the URL to the Report Server that the connector can reach in the corporate network. Make sure this URL is reachable from the server the connector is installed on. A best practice is using a top-level domain such as `https://servername/` to avoid issues with subpaths (for example, `https://servername/reports/` and `https://servername/reportserver/`) not published through Application Proxy.
      > [!NOTE]
      > We recommend using a secure HTTPS connection to the Report Server. See [Configure SSL connections on a native mode report server](https://docs.microsoft.com/sql/reporting-services/security/configure-ssl-connections-on-a-native-mode-report-server?view=sql-server-2017) for information how to.
@@ -87,17 +87,17 @@ Now you're ready to configure Azure AD Application Proxy.
 
 2. Once your app is published, configure the single sign-on settings with the following steps:
 
-   a. On the application page in the portal, select **Single sign-on**.
+   a. On the application page in the portal, select **Single sign-on**.
 
-   b. For **Single Sign-on Mode**, select **Integrated Windows Authentication**.
+   b. For **Single Sign-on Mode**, select **Integrated Windows Authentication**.
 
    c. Set **Internal Application SPN** to the value that you set earlier.  
 
-   d. Choose the **Delegated Login Identity** for the connector to use on behalf of your users. For more information, see [Working with different on-premises and cloud identities](application-proxy-configure-single-sign-on-with-kcd.md#working-with-different-on-premises-and-cloud-identities).
+   d. Choose the **Delegated Login Identity** for the connector to use on behalf of your users. For more information, see [Working with different on-premises and cloud identities](application-proxy-configure-single-sign-on-with-kcd.md#working-with-different-on-premises-and-cloud-identities).
 
    e. Click **Save** to save your changes.
 
-To finish setting up your application, go to **the Users and groups** section and assign users to access this application.
+To finish setting up your application, go to **the Users and groups** section and assign users to access this application.
 
 ## Step 3: Modify the Reply URI's for the application
 
@@ -123,13 +123,13 @@ Before the Power BI mobile app can connect and access Report Services, you must
 
 ## Step 4: Connect from the Power BI Mobile App
 
-1. In the Power BI mobile app, connect to your Reporting Services instance. To do this, enter the **External URL** for the application you published through Application Proxy.
+1. In the Power BI mobile app, connect to your Reporting Services instance. To do this, enter the **External URL** for the application you published through Application Proxy.
 
    ![Power BI mobile app with External URL](media/application-proxy-integrate-with-power-bi/app-proxy-power-bi-mobile-app.png)
 
 2. Select **Connect**. You'll be directed to the Azure Active Directory sign in page.
 
-3. Enter valid credentials for your user and select **Sign in**. You'll see the elements from your Reporting Services server.
+3. Enter valid credentials for your user and select **Sign in**. You'll see the elements from your Reporting Services server.
 
 ## Step 5: Configure Intune policy for managed devices (optional)
 
@@ -138,7 +138,7 @@ Before the Power BI mobile app can connect and access Report Services, you must
 
 You can use Microsoft Intune to manage the client apps that your company's workforce uses. Intune allows you to use capabilities such as data encryption and additional access requirements. To learn more about app management through Intune, see Intune App Management. To enable the Power BI mobile application to work with the Intune policy, use the following steps.
 
-1. Go to **Azure Active Directory** and then **App Registrations**.
+1. Go to **Azure Active Directory** and then **App Registrations**.
 2. Select the application configured in Step 3 when registering your native client application.
 3. On the application’s page, select **API Permissions**.
 4. Click **Add a permission**. 

articles/active-directory/manage-apps/application-proxy-integrate-with-power-bi.md

@@ -83,14 +83,14 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
     In the **Identifier** text box,  type the value:
     `urn:federation:apptio`
 
-5. Apptio application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog.
+5. Apptio application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog.
 
 	![image](common/edit-attribute.png)
 
 	> [!NOTE]
 	> Please click [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-enterprise-app-role-management) to know how to configure **Role** in Azure AD
 
-6. In addition to above, Apptio application expects few more attributes to be passed back in SAML response. In the User Claims section on the User Attributes dialog, perform the following steps to add SAML token attribute as shown in the below table: 
+6. In addition to above, Apptio application expects few more attributes to be passed back in SAML response. In the User Claims section on the User Attributes dialog, perform the following steps to add SAML token attribute as shown in the below table: 
 
 	| Name |  Source Attribute|
 	| -------------- | -------------------- |
@@ -154,7 +154,7 @@ To configure single sign-on on **Apptio** side, you need to send the downloaded
 
 ### Create Apptio test user
 
-In this section, you create a user called B.Simon in Apptio. Work with [Apptio support team](https://www.apptio.com/about/contact) to add the users in the Apptio platform. Users must be created and activated before you use single sign-on.
+In this section, you create a user called B.Simon in Apptio. Work with [Apptio support team](https://www.apptio.com/about/contact) to add the users in the Apptio platform. Users must be created and activated before you use single sign-on.
 
 ## Test SSO 
 

articles/active-directory/saas-apps/apptio-tutorial.md

@@ -88,7 +88,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
 
 	In the **Sign on URL** textbox, paste the value of **Reply URL**, which gets autofilled by SP metadata file upload.
 
-5. Cisco Webex  application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog.
+5. Cisco Webex  application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog.
 
 	![image](common/edit-attribute.png)