Merge remote-tracking branch 'upstream/master' into v-miegge/hd-insight-faq

Author: v-miegge

articles/active-directory/authentication/concept-password-ban-bad-on-premises.md

@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 
 # Enforce Azure AD password protection for Windows Server Active Directory
 
-Azure AD password protection is a feature that enhances password policies in an organization. On-premises deployment of password protection uses both the global and custom banned-password lists that are stored in Azure AD. It does the same checks on-premises as Azure AD for cloud-based changes.
+Azure AD password protection is a feature that enhances password policies in an organization. On-premises deployment of password protection uses both the global and custom banned-password lists that are stored in Azure AD. It does the same checks on-premises as Azure AD does for cloud-based changes. These checks are performed during password changes and password reset scenarios.
 
 ## Design principles
 

articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md

@@ -21,7 +21,7 @@ Due to the increased risk associated with legacy authentication protocols, Micro
 
 ## Create a Conditional Access policy
 
-The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multi-factor authentication.
+The following steps will help create a Conditional Access policy to block legacy authentication requests.
 
 1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
 1. Browse to **Azure Active Directory** > **Conditional Access**.

articles/active-directory/develop/howto-app-gallery-listing.md

@@ -77,7 +77,7 @@ To list an application in the Azure AD app gallery, you first need to implement
     ![TimeLine of listing OpenID Connect application into the gallery](./media/howto-app-gallery-listing/openid.png)
 
     * If you want to add your application to list in the gallery using OpenID Connect, select **OpenID Connect & OAuth 2.0** as above.
-    * If you have any issues regarding access, contact the [Azure AD SSO Integration Team](<mailto:[email protected]>). 
+    * If you have any issues regarding access, contact the [Azure AD SSO Integration Team](<mailto:[email protected]>).
 
 - **SAML 2.0** or **WS-Fed**: If your app supports SAML 2.0, you can integrate it directly with an Azure AD tenant by using the [instructions to add a custom application](../active-directory-saas-custom-apps.md).
 
@@ -95,6 +95,12 @@ Create a web application that has an HTML sign-in page to configure [password-ba
 * If you want to add your application to list in the gallery using Password SSO, select **Password SSO** as above.
 * If you have any issues regarding access, contact the [Azure AD SSO Integration Team](<mailto:[email protected]>).
 
+## Requesting for User Provisioning
+
+Follow the below process to request for user provisioning-
+
+   ![TimeLine of listing saml application into the gallery](./media/howto-app-gallery-listing/user-provisioning.png)
+
 ## Update/Remove existing listing
 
 To update or remove an existing application in the Azure AD app gallery, you first need to submit the request in the [Application Network Portal](https://microsoft.sharepoint.com/teams/apponboarding/Apps). If you have an Office 365 account, use that to sign in to this portal. If not, use your Microsoft account (such as Outlook or Hotmail) to sign in.
@@ -103,9 +109,9 @@ To update or remove an existing application in the Azure AD app gallery, you fir
 
     ![TimeLine of listing saml application into the gallery](./media/howto-app-gallery-listing/updateorremove.png)
 
-    * If you want to update an existing application, select **Update existing application listing**.
-    * If you want to remove an existing application from the Azure AD gallery, select **Remove existing application listing**.
-    * If you have any issues regarding access, contact the [Azure AD SSO Integration Team](<mailto:[email protected]>). 
+    * If you want to update an existing application, select appropriate option as per your requirement.
+    * If you want to remove an existing application from the Azure AD gallery, select **Remove my application listing from the gallery**.
+    * If you have any issues regarding access, contact the [Azure AD SSO Integration Team](<mailto:[email protected]>).
 
 ## Listing requests by customers
 
@@ -121,11 +127,11 @@ Below is the flow of customer requested applications-
 
 The timeline for the process of listing a SAML 2.0 or WS-Fed application in the gallery is 7-10 business days.
 
-   ![TimeLine of listing SAML application into the gallery](./media/howto-app-gallery-listing/timeline.png)
+  ![TimeLine of listing SAML application into the gallery](./media/howto-app-gallery-listing/timeline.png)
 
 The timeline for the process of listing an OpenID Connect application in the gallery is 2-5 business days.
 
-   ![TimeLine of listing SAML application into the gallery](./media/howto-app-gallery-listing/timeline2.png)
+  ![TimeLine of listing SAML application into the gallery](./media/howto-app-gallery-listing/timeline2.png)
 
 ## Escalations
 

articles/active-directory/develop/media/howto-app-gallery-listing/customer-request.png

@@ -22,19 +22,19 @@ ms.collection: M365-identity-device-management
 
 In this article, we address frequently asked questions about Azure Active Directory Seamless Single Sign-On (Seamless SSO). Keep checking back for new content.
 
-## What sign-in methods do Seamless SSO work with?
+**Q: What sign-in methods do Seamless SSO work with**
 
 Seamless SSO can be combined with either the [Password Hash Synchronization](how-to-connect-password-hash-synchronization.md) or [Pass-through Authentication](how-to-connect-pta.md) sign-in methods. However this feature cannot be used with Active Directory Federation Services (ADFS).
 
-## Is Seamless SSO a free feature?
+**Q: Is Seamless SSO a free feature?**
 
 Seamless SSO is a free feature and you don't need any paid editions of Azure AD to use it.
 
-## Is Seamless SSO available in the [Microsoft Azure Germany cloud](https://www.microsoft.de/cloud-deutschland) and the [Microsoft Azure Government cloud](https://azure.microsoft.com/features/gov/)?
+**Q: Is Seamless SSO available in the [Microsoft Azure Germany cloud](https://www.microsoft.de/cloud-deutschland) and the [Microsoft Azure Government cloud](https://azure.microsoft.com/features/gov/)?**
 
 No. Seamless SSO is only available in the worldwide instance of Azure AD.
 
-## What applications take advantage of `domain_hint` or `login_hint` parameter capability of Seamless SSO?
+**Q: What applications take advantage of `domain_hint` or `login_hint` parameter capability of Seamless SSO?**
 
 Listed below is a non-exhaustive list of applications that can send these parameters to Azure AD, and therefore provides users a silent sign-on experience using Seamless SSO (i.e., no need for your users to input their usernames or passwords):
 
@@ -55,21 +55,21 @@ In the above tables, replace "contoso.com" with your domain name to get to the r
 
 If you want other applications using our silent sign-on experience, let us know in the feedback section.
 
-## Does Seamless SSO support `Alternate ID` as the username, instead of `userPrincipalName`?
+**Q: Does Seamless SSO support `Alternate ID` as the username, instead of `userPrincipalName`?**
 
 Yes. Seamless SSO supports `Alternate ID` as the username when configured in Azure AD Connect as shown [here](how-to-connect-install-custom.md). Not all Office 365 applications support `Alternate ID`. Refer to the specific application's documentation for the support statement.
 
-## What is the difference between the single sign-on experience provided by [Azure AD Join](../active-directory-azureadjoin-overview.md) and Seamless SSO?
+**Q: What is the difference between the single sign-on experience provided by [Azure AD Join](../active-directory-azureadjoin-overview.md) and Seamless SSO?**
 
 [Azure AD Join](../active-directory-azureadjoin-overview.md) provides SSO to users if their devices are registered with Azure AD. These devices don't necessarily have to be domain-joined. SSO is provided using *primary refresh tokens* or *PRTs*, and not Kerberos. The user experience is most optimal on Windows 10 devices. SSO happens automatically on the Microsoft Edge browser. It also works on Chrome with the use of a browser extension.
 
 You can use both Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.
 
-## I want to register non-Windows 10 devices with Azure AD, without using AD FS. Can I use Seamless SSO instead?
+**Q: I want to register non-Windows 10 devices with Azure AD, without using AD FS. Can I use Seamless SSO instead?**
 
 Yes, this scenario needs version 2.1 or later of the [workplace-join client](https://www.microsoft.com/download/details.aspx?id=53554).
 
-## How can I roll over the Kerberos decryption key of the `AZUREADSSOACC` computer account?
+**Q: How can I roll over the Kerberos decryption key of the `AZUREADSSOACC` computer account?**
 
 It is important to frequently roll over the Kerberos decryption key of the `AZUREADSSOACC` computer account (which represents Azure AD) created in your on-premises AD forest.
 
@@ -78,66 +78,66 @@ It is important to frequently roll over the Kerberos decryption key of the `AZUR
 
 Follow these steps on the on-premises server where you are running Azure AD Connect:
 
-### Step 1. Get list of AD forests where Seamless SSO has been enabled
+    **Step 1. Get list of AD forests where Seamless SSO has been enabled**
 
-1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
-2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
-3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
-4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
-5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
+    1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
+    2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
+    3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
+    4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
+    5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
 
-### Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on
+    **Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on**
 
-1. Call `$creds = Get-Credential`. When prompted, enter the Domain Administrator credentials for the intended AD forest.
+    1. Call `$creds = Get-Credential`. When prompted, enter the Domain Administrator credentials for the intended AD forest.
 
-   > [!NOTE]
-   > We use the Domain Administrator's username, provided in the User Principal Names (UPN) ([email protected]) format or the domain qualified sam-account name (contoso\johndoe or contoso.com\johndoe) format, to find the intended AD forest. If you use domain qualified sam-account name, we use the domain portion of the username to [locate the Domain Controller of the Domain Administrator using DNS](https://social.technet.microsoft.com/wiki/contents/articles/24457.how-domain-controllers-are-located-in-windows.aspx). If you use UPN instead, we [translate it to a domain qualified sam-account name](https://docs.microsoft.com/windows/desktop/api/ntdsapi/nf-ntdsapi-dscracknamesa) before locating the appropriate Domain Controller.
+    > [!NOTE]
+    > We use the Domain Administrator's username, provided in the User Principal Names (UPN) ([email protected]) format or the domain qualified sam-account name (contoso\johndoe or contoso.com\johndoe) format, to find the intended AD forest. If you use domain qualified sam-account name, we use the domain portion of the username to [locate the Domain Controller of the Domain Administrator using DNS](https://social.technet.microsoft.com/wiki/contents/articles/24457.how-domain-controllers-are-located-in-windows.aspx). If you use UPN instead, we [translate it to a domain qualified sam-account name](https://docs.microsoft.com/windows/desktop/api/ntdsapi/nf-ntdsapi-dscracknamesa) before locating the appropriate Domain Controller.
 
-2. Call `Update-AzureADSSOForest -OnPremCredentials $creds`. This command updates the Kerberos decryption key for the `AZUREADSSOACC` computer account in this specific AD forest and updates it in Azure AD.
-3. Repeat the preceding steps for each AD forest that you’ve set up the feature on.
+    2. Call `Update-AzureADSSOForest -OnPremCredentials $creds`. This command updates the Kerberos decryption key for the `AZUREADSSOACC` computer account in this specific AD forest and updates it in Azure AD.
+    3. Repeat the preceding steps for each AD forest that you’ve set up the feature on.
 
->[!IMPORTANT]
->Ensure that you _don't_ run the `Update-AzureADSSOForest` command more than once. Otherwise, the feature stops working until the time your users' Kerberos tickets expire and are reissued by your on-premises Active Directory.
+    >[!IMPORTANT]
+    >Ensure that you _don't_ run the `Update-AzureADSSOForest` command more than once. Otherwise, the feature stops working until the time your users' Kerberos tickets expire and are reissued by your on-premises Active Directory.
 
-## How can I disable Seamless SSO?
+**Q: How can I disable Seamless SSO?**
 
-### Step 1. Disable the feature on your tenant
+    **Step 1. Disable the feature on your tenant**
 
-#### Option A: Disable using Azure AD Connect
+        **Option A: Disable using Azure AD Connect**
 
-1. Run Azure AD Connect, choose **Change user sign-in page** and click **Next**.
-2. Uncheck the **Enable single sign on** option. Continue through the wizard.
+        1. Run Azure AD Connect, choose **Change user sign-in page** and click **Next**.
+        2. Uncheck the **Enable single sign on** option. Continue through the wizard.
 
-After completing the wizard, Seamless SSO will be disabled on your tenant. However, you will see a message on screen that reads as follows:
+        After completing the wizard, Seamless SSO will be disabled on your tenant. However, you will see a message on screen that reads as follows:
 
-"Single sign-on is now disabled, but there are additional manual steps to perform in order to complete clean-up. Learn more"
+        "Single sign-on is now disabled, but there are additional manual steps to perform in order to complete clean-up. Learn more"
 
-To complete the clean-up process, follow steps 2 and 3 on the on-premises server where you are running Azure AD Connect.
+        To complete the clean-up process, follow steps 2 and 3 on the on-premises server where you are running Azure AD Connect.
 
-#### Option B: Disable using PowerShell
+        **Option B: Disable using PowerShell**
 
-Run the following steps on the on-premises server where you are running Azure AD Connect:
+        Run the following steps on the on-premises server where you are running Azure AD Connect:
 
-1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
-2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
-3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
-4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
-5. Call `Enable-AzureADSSO -Enable $false`.
+        1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
+        2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
+        3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
+        4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
+        5. Call `Enable-AzureADSSO -Enable $false`.
 
->[!IMPORTANT]
->Disabling Seamless SSO using PowerShell will not change the state in Azure AD Connect. Seamless SSO will show as enabled in the **Change user sign-in** page.
+        >[!IMPORTANT]
+        >Disabling Seamless SSO using PowerShell will not change the state in Azure AD Connect. Seamless SSO will show as enabled in the **Change user sign-in** page.
 
-### Step 2. Get list of AD forests where Seamless SSO has been enabled
+    **Step 2. Get list of AD forests where Seamless SSO has been enabled**
 
-Follow tasks 1 through 4 below if you have disabled Seamless SSO using Azure AD Connect. If you have disabled Seamless SSO using PowerShell instead, jump ahead to task 5 below.
+    Follow tasks 1 through 4 below if you have disabled Seamless SSO using Azure AD Connect. If you have disabled Seamless SSO using PowerShell instead, jump ahead to task 5 below.
 
-1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
-2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
-3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
-4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
-5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
+    1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
+    2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
+    3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
+    4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
+    5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
 
-### Step 3. Manually delete the `AZUREADSSOACCT` computer account from each AD forest that you see listed.
+    **Step 3. Manually delete the `AZUREADSSOACCT` computer account from each AD forest that you see listed.**
 
 ## Next steps