Commit a22cb7e

Merge pull request #95949 from MicrosoftDocs/master
Merge Master to Live, 3 AM
2 parents a107430 + 232205b commit a22cb7e

251 files changed

+4792
-3885
lines changed

.openpublishing.redirection.json

Lines changed: 10 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -2961,6 +2961,11 @@
29612961
"redirect_url": "/azure/sql-database/scripts/sql-database-add-single-db-to-failover-group-powershell",
29622962
"redirect_document_id": false
29632963
},
2964+
{
2965+
"source_path": "articles/sql-database/sql-database-develop-error-messages.md",
2966+
"redirect_url": "/azure/sql-database/troubleshoot-connectivity-issues-microsoft-azure-sql-database",
2967+
"redirect_document_id": false
2968+
},
29642969
{
29652970
"source_path": "articles/sql-database/sql-database-customer-implementations.md",
29662971
"redirect_url": "http://customers.microsoft.com",
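Review bot: the added entry at 2964-2968 redirects `sql-database-develop-error-messages.md`, which by its file name was a general error-message reference, to a connectivity troubleshooting article. Confirm the target also covers the non-connectivity error codes, otherwise inbound links for those codes land on a page that does not mention them. Separately, the unchanged entry just below still redirects to `http://customers.microsoft.com` over plain HTTP; an https target would avoid a cleartext hop.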
@@ -4771,6 +4776,11 @@
47714776
"redirect_url": "/azure/app-service-mobile",
47724777
"redirect_document_id": false
47734778
},
4779+
{
4780+
"source_path": "articles/application-gateway/application-gateway-crs-rulegroups-rules.md",
4781+
"redirect_url": "/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules",
4782+
"redirect_document_id": false
4783+
},
47744784
{
47754785
"source_path": "articles/application-gateway/application-gateway-web-application-firewall-portal.md",
47764786
"redirect_url": "/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal",
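Review bot: the new redirect at 4779-4783 sends the CRS rule-group reference to `/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules`, but the moved article itself is not among the files visible in this view of the 251-file commit. Please confirm the destination file lands in the same merge, so that existing links to the WAF rule reference do not break between publishes.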

articles/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.md

Lines changed: 5 additions & 1 deletion
@@ -273,10 +273,11 @@ Inspect the `B2CGraphClient.SendGraphPatchRequest()` method for details on how t
273273

274274
### Search users
275275

276-
You can search for users in your B2C tenant in two ways:
276+
You can search for users in your B2C tenant in following ways:
277277

278278
* Reference the user's **object ID**.
279279
* Reference their sign-in identifer, the `signInNames` property.
280+
* Reference any of the valid OData parameters, e.g. givenName, surname, displayName etc.
280281

281282
Run one of the following commands to search for a user:
282283

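Review bot: in the added bullet at line 280, `givenName`, `surname` and `displayName` are user properties used inside a `$filter` expression rather than "OData parameters", and "e.g. ... etc." is redundant. Suggest "Filter on a user property such as `givenName`, `surname`, or `displayName`", with the names in backticks like `signInNames` on the line above. The reworded intro on line 276 needs an article ("in the following ways"), and the context line 279 still carries the typo "identifer".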
@@ -290,6 +291,9 @@ For example:
290291
```cmd
291292
B2C Get-User 2bcf1067-90b6-4253-9991-7f16449c2d91
292293
B2C Get-User $filter=signInNames/any(x:x/value%20eq%20%27consumer@fabrikam.com%27)
294+
B2C get-user $filter=givenName%20eq%20%27John%27
295+
B2C get-user $filter=surname%20eq%20%27Doe%27
296+
B2C get-user $filter=displayName%20eq%20%27John%20Doe%27
293297
```
294298

295299
### Delete users
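Review bot: the three added examples at 294-296 use `B2C get-user` while the two existing lines use `B2C Get-User`; match the existing casing so readers do not have to guess whether the command is case-sensitive. Because these lines will be copied with real names substituted, it is also worth one sentence saying that a value containing an apostrophe (for example O'Brien) must have it doubled inside the quoted OData literal before URL-encoding, otherwise the filter is malformed.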

articles/active-directory-domain-services/faqs.md

Lines changed: 1 addition & 1 deletion
@@ -58,7 +58,7 @@ The service itself doesn't directly support this scenario. Your managed domain i
5858
Yes. For more information, see [how to enable Azure AD Domain Services using PowerShell](powershell-create-instance.md).
5959

6060
### Can I enable Azure AD Domain Services using a Resource Manager Template?
61-
No, it's not currently possible to enable Azure AD Domain Services using a template. For a scripted approach, see [how to enable Azure AD Domain Services using PowerShell](powershell-create-instance.md).
61+
Yes, you can create an Azure AD Domain Services managed domain using a Resource Manager template. A service principal and Azure AD group for administration must be created using the Azure portal or Azure PowerShell before the template is deployed. When you create an Azure AD Domain Services managed domain in the Azure portal, there's an option to export the template for use with additional deployments. There's also an [example template in the GitHub templates sample repo](https://github.com/Azure/azure-quickstart-templates/tree/master/101-AAD-DomainServices).
6262

6363
### Can I add domain controllers to an Azure AD Domain Services managed domain?
6464
No. The domain provided by Azure AD Domain Services is a managed domain. You don't need to provision, configure, or otherwise manage domain controllers for this domain. These management activities are provided as a service by Microsoft. Therefore, you can't add additional domain controllers (read-write or read-only) for the managed domain.
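Review bot: the new answer on line 61 says a service principal and an Azure AD group "must be created ... before the template is deployed" but links to no steps for creating them. Consider linking those prerequisites, for instance to the `powershell-create-instance.md` article referenced in the previous answer if it covers them. The sample link targets `tree/master/101-AAD-DomainServices` on GitHub, which will break if the sample folder is renamed. The removed text's pointer to the scripted PowerShell approach is also gone and could be kept as an alternative.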

articles/active-directory/authentication/concept-authentication-passwordless.md

Lines changed: 1 addition & 1 deletion
@@ -72,7 +72,7 @@ The following providers offer FIDO2 security keys of different form factors that
7272
| Feitian | [https://www.ftsafe.com/about/Contact_Us](https://www.ftsafe.com/about/Contact_Us) |
7373
| HID | [https://www.hidglobal.com/contact-us](https://www.hidglobal.com/contact-us) |
7474
| Ensurity | [https://www.ensurity.com/contact](https://www.ensurity.com/contact) |
75-
| eWBM | [https://www.ewbm.com/page/sub1_5](https://www.ewbm.com/page/sub1_5) |
75+
| eWBM | [https://www.ewbm.com/support](https://www.ewbm.com/support) |
7676
| AuthenTrend | [https://authentrend.com/about-us/#pg-35-3](https://authentrend.com/about-us/#pg-35-3) |
7777

7878
> [!NOTE]

articles/active-directory/authentication/howto-authentication-passwordless-security-key-windows.md

Lines changed: 1 addition & 1 deletion
@@ -85,7 +85,7 @@ To target specific device groups to enable the credential provider, use the foll
8585

8686
### Enable with a provisioning package
8787

88-
For devices not managed by Intune, a provisioning package can be installed to enable the functionality. The Windows Configuration Designer app can be installed from the [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
88+
For devices not managed by Intune, a provisioning package can be installed to enable the functionality. The Windows Configuration Designer app can be installed from the [Microsoft Store](https://www.microsoft.com/en-us/p/windows-configuration-designer/9nblggh4tx22).
8989

9090
1. Launch the Windows Configuration Designer.
9191
1. Select **File** > **New project**.
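Review bot: the replacement URL on line 88 hard-codes the `en-us` locale (`/en-us/p/windows-configuration-designer/9nblggh4tx22`), which pins every reader to the English store page. The Store link fixed in this same commit for `application-sign-in-other-problem-access-panel.md` uses `/p/...` with no locale segment; suggest dropping the locale here as well for consistency.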

articles/active-directory/authentication/howto-sspr-deployment.md

Lines changed: 3 additions & 0 deletions
@@ -17,6 +17,9 @@ ms.collection: M365-identity-device-management
1717
---
1818
# Deploy Azure AD self-service password reset
1919

20+
> [!NOTE]
21+
> This guide explains self-service password reset and how to deploy it. If you are looking for the self service password reset tool to get back into your account, go to [https://aka.ms/sspr](https://aka.ms/sspr).
22+
2023
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT staff. Employees must register for or be registered for self-service password reset before using the service. During registration, the employee chooses one or more authentication methods enabled by their organization.
2124

2225
SSPR enables employees to quickly get unblocked and continue working no matter where they are or the time of day. By allowing users to unblock themselves, your organization can reduce the non-productive time and high support costs for most common password-related issues.
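Review bot: the added note on line 21 writes "self service password reset tool" without the hyphen, while the article title and the first sentence of the same note use "self-service"; hyphenate it so the term is spelled one way throughout.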

articles/active-directory/authentication/multi-factor-authentication-faq.md

Lines changed: 1 addition & 1 deletion
@@ -216,7 +216,7 @@ A workaround for this error is to have separate user accounts for admin-related
216216

217217
If your question isn't answered here, please leave it in the comments at the bottom of the page. Or, here are some additional options for getting help:
218218

219-
* Search the [Microsoft Support Knowledge Base](https://www.microsoft.com/en-us/search?form=mssupport&q=phonefactor&rtc=1) for solutions to common technical issues.
219+
* Search the [Microsoft Support Knowledge Base](https://support.microsoft.com) for solutions to common technical issues.
220220
* Search for and browse technical questions and answers from the community, or ask your own question in the [Azure Active Directory forums](https://social.msdn.microsoft.com/Forums/azure/newthread?category=windowsazureplatform&forum=WindowsAzureAD&prof=required).
221221
* If you're a legacy PhoneFactor customer and you have questions or need help resetting a password, use the [password reset](mailto:[email protected]) link to open a support case.
222222
* Contact a support professional through [Azure Multi-Factor Authentication Server (PhoneFactor) support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, and the ID of the user who saw the error.
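Review bot: the new target on line 219 is the bare `https://support.microsoft.com` home page, so the bullet's "Search the Microsoft Support Knowledge Base" now leads to a generic landing page with the former `q=phonefactor` scoping gone. If no MFA-scoped URL is available, reword the bullet so the text matches where the link leads, for example "Go to Microsoft Support and search for ...".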

articles/active-directory/manage-apps/access-panel-extension-problem-installing.md

Lines changed: 1 addition & 1 deletion
@@ -59,7 +59,7 @@ To install the access panel browser extension, do the following:
5959
You can also download the extension for Chrome and Microsoft Edge directly from following sites:
6060

6161
- [Chrome extension](https://chrome.google.com/webstore/detail/access-panel-extension/ggjhpefgjjfobnfoldnjipclpcfbgbhl)
62-
- [Microsoft Edge extension](https://www.microsoft.com/store/apps/9pc9sckkzk84)
62+
- [Microsoft Edge extension](https://www.microsoft.com/en-us/p/my-apps-secure-sign-in-extension/9pc9sckkzk84)
6363
- [Firefox extension](https://addons.mozilla.org/en-US/firefox/addon/access-panel-extension/)
6464

6565
## Use the My Apps Secure Sign-in Extension
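Review bot: line 62 now links the Edge extension with an `en-us` locale segment, while the same product ID `9pc9sckkzk84` is linked as `/p/my-apps-secure-sign-in-extension/...` with no locale in `application-sign-in-other-problem-access-panel.md` in this commit. Use one form in both files, preferably the locale-free one.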
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
---
2+
title: 'Application management: Best practices and recommendations | Microsoft Docs'
3+
description: Learn best practices and recommendations for managing applications in Azure Active Directory. Learn about using automatic provisioning and publishing on-premises apps with Application Proxy.
4+
5+
services: active-directory
6+
documentationcenter: ''
7+
author: msmimart
8+
manager: CelesteDG
9+
editor: ''
10+
ms.assetid:
11+
ms.service: active-directory
12+
ms.devlang: na
13+
ms.topic: reference
14+
ms.tgt_pltfrm: na
15+
ms.workload: identity
16+
ms.date: 11/13/2019
17+
ms.subservice: app-mgmt
18+
ms.author: mimart
19+
20+
ms.collection: M365-identity-device-management
21+
---
22+
# Application management best practices
23+
This article contains recommendations and best practices for managing applications in Azure Active Directory (Azure AD), using automatic provisioning, and publishing on-premises apps with Application Proxy.
24+
25+
## Cloud app and single sign-on recommendations
26+
| Recommendation | Comments |
27+
| --- | --- |
28+
| Check the Azure AD application gallery for apps | Azure AD has a gallery that contains thousands of pre-integrated applications that are enabled with Enterprise single sign-on (SSO). For app-specific setup guidance, see the [List of SaaS app tutorials](https://azure.microsoft.com/documentation/articles/active-directory-saas-tutorial-list/). |
29+
| Use federated SAML-based SSO | When an application supports it, use Federated, SAML-based SSO with Azure AD instead of password-based SSO and ADFS. |
30+
| Use SHA-256 for certificate signing | Azure AD uses the SHA-256 algorithm by default to sign the SAML response. Use SHA-256 unless the application requires SHA-1 (see [Certificate signing options](certificate-signing-options.md) and [Application sign-in problem](application-sign-in-problem-application-error.md).) |
31+
| Require user assignment | By default, users can access to your enterprise applications without being assigned to them. However, if the application exposes roles, or if you want the application to appear on a user’s access panel, require user assignment. (See [Developer guidance for integrating applications](developer-guidance-for-integrating-applications.md).) |
32+
| Deploy the My Apps access panel to your users | The [access panel](end-user-experiences.md) at `https://myapps.microsoft.com` is a web-based portal that provides users with a single point of entry for their assigned cloud-based applications. As additional capabilities like group management and self-service password reset are added, users can find them in the access panel. See [Plan an access panel deployment](access-panel-deployment-plan.md).
33+
| Use group assignment | If included in your subscription, assign groups to an application so you can delegate ongoing access management to the group owner. (See [Developer guidance for integrating applications](developer-guidance-for-integrating-applications.md).) |
34+
| Establish a process for managing certificates | The maximum lifetime of a signing certificate is three years. To prevent or minimize outage due to a certificate expiring, use roles and email distribution lists to ensure that certificate-related change notifications are closely monitored. |
35+
36+
## Provisioning recommendations
37+
| Recommendation | Comments |
38+
| --- | --- |
39+
| Use tutorials to set up provisioning with cloud apps | Check the [List of SaaS app tutorials](https://azure.microsoft.com/documentation/articles/active-directory-saas-tutorial-list/) for step-by-step guidance on configuring provisioning for the gallery app you want to add. |
40+
| Use provisioning logs (preview) to monitor status | The [provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) give details about all actions performed by the provisioning service, including status for individual users. |
41+
| Assign a distribution group to the provisioning notification email | To increase the visibility of critical alerts sent by the provisioning service, assign a distribution group to the Notification Emails setting. |
42+
43+
44+
## Application Proxy recommendations
45+
| Recommendation | Comments |
46+
| --- | --- |
47+
| Use Application Proxy for remote access to internal resources | Application Proxy is recommended for giving remote users access to internal resources, replacing the need for a VPN or reverse proxy. It is not intended for accessing resources from within the corporate network because it could add latency.
48+
| Use custom domains | Set up custom domains for your applications (see [Configure custom domains](application-proxy-configure-custom-domain.md)) so that URLs for users and between applications will work from either inside or outside of your network. You'll also be able to control your branding and customize your URLs. When using custom domain names, plan to acquire a public certificate from a non-Microsoft trusted certificate authority. Azure Application Proxy supports standard, ([wildcard](application-proxy-wildcard.md)), or SAN-based certificates. (See [Application Proxy planning](application-proxy-deployment-plan.md).) |
49+
| Synchronize users before deploying Application Proxy | Before deploying application proxy, synchronize user identities from an on-premises directory or create them directly in Azure AD. Identity synchronization allows Azure AD to pre-authenticate users before granting them access to App Proxy published applications. It also provides the necessary user identifier information to perform single sign-on (SSO). (See [Application Proxy planning](application-proxy-deployment-plan.md).) |
50+
| Follow our tips for high availability and load balancing | To learn how traffic flows among users, Application Proxy connectors, and back-end app servers, and to get tips for optimizing performance and load balancing, see [High availability and load balancing of your Application Proxy connectors and applications](application-proxy-high-availability-load-balancing.md). |
51+
| Use multiple connectors | Use two or more Application Proxy connectors for greater resiliency, availability, and scale (see [Application Proxy connectors](application-proxy-connectors.md)). Create connector groups and ensure each connector group has at least two connectors (three connectors is optimal). |
52+
| Locate connector servers close to application servers, and make sure they're in the same domain | To optimize performance, physically locate the connector server close to the application servers (see [Network topology considerations](application-proxy-network-topology.md)). Also, the connector server and web applications servers should belong to the same Active Directory domain, or they should span trusting domains. This configuration is required for SSO with Integrated Windows Authentication (IWA) and Kerberos Constrained Delegation (KCD). If the servers are in different domains, you'll need to use resource-based delegation for SSO (see [KCD for single sign-on with Application Proxy](application-proxy-configure-single-sign-on-with-kcd.md)). |
53+
| Enable auto-updates for connectors | Enable auto-updates for your connectors for the latest features and bug fixes. Microsoft provides direct support for the latest connector version and one version before. (See [Application Proxy release version history](application-proxy-release-version-history.md).) |
54+
| Bypass your on-premises proxy | For easier maintenance, configure the connector to bypass your on-premises proxy so it directly connects to the Azure services. (See [Application Proxy connectors and proxy servers](application-proxy-configure-connectors-with-proxy-servers.md).) |
55+
| Use Azure AD Application Proxy over Web Application Proxy | Use Azure AD Application Proxy for most on-premises scenarios. Web Application Proxy is only preferred in scenarios that require a proxy server for AD FS and where you can't use custom domains in Azure Active Directory. (See [Application Proxy migration](application-proxy-migration.md).) |
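Review bot: two table rows are missing their closing ` |`: "Deploy the My Apps access panel to your users" (line 32) and "Use Application Proxy for remote access to internal resources" (line 47); add it so every row matches the header. In the same file, line 31 reads "users can access to your enterprise applications" (drop "to"), line 48 has stray parentheses around the wildcard link (`standard, ([wildcard](...)), or SAN-based`), and `ms.assetid:` is left empty in the front matter. For the SHA-256 row on line 30, consider saying that a SHA-1 exception should be recorded and revisited, since the row currently presents it as a neutral alternative.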

articles/active-directory/manage-apps/application-sign-in-other-problem-access-panel.md

Lines changed: 1 addition & 1 deletion
@@ -93,7 +93,7 @@ You may also download the extension for Chrome and Microsoft Edge from the direc
9393

9494
- [Chrome Access Panel Extension](https://chrome.google.com/webstore/detail/access-panel-extension/ggjhpefgjjfobnfoldnjipclpcfbgbhl)
9595

96-
- [Microsoft Edge Access Panel Extension](https://www.microsoft.com/store/apps/9pc9sckkzk84)
96+
- [Microsoft Edge Access Panel Extension](https://www.microsoft.com/p/my-apps-secure-sign-in-extension/9pc9sckkzk84)
9797

9898
## How to configure federated single sign-on for an Azure AD gallery application
9999
