Merge pull request #97262 from MicrosoftDocs/master

11/26 PM Publish

Author: huypub

articles/active-directory-domain-services/create-gmsa.md

@@ -10,15 +10,17 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 09/09/2019
+ms.date: 11/26/2019
 ms.author: iainfou
 
 ---
 # Create a group managed service account (gMSA) in Azure AD Domain Services
 
-Applications and services often need an identity to authenticate themselves with other resources. For example, a web service may need to authenticate with a database service. If an application or service has multiple instances, such as a web server farm, manually creating and configuring the identities for those resources gets time consuming. Instead, a group managed service account (gMSA) can be created in the Azure Active Directory Domain Services (Azure AD DS) managed domain. The Windows OS automatically manages the credentials for a gMSA, which simplifies the management of large groups of resources.
+Applications and services often need an identity to authenticate themselves with other resources. For example, a web service may need to authenticate with a database service. If an application or service has multiple instances, such as a web server farm, manually creating and configuring the identities for those resources gets time consuming.
 
-This article shows you how to create a gMSA in an Azure AD DS managed domain.
+Instead, a group managed service account (gMSA) can be created in the Azure Active Directory Domain Services (Azure AD DS) managed domain. The Windows OS automatically manages the credentials for a gMSA, which simplifies the management of large groups of resources.
+
+This article shows you how to create a gMSA in an Azure AD DS managed domain using Azure PowerShell.
 
 ## Before you begin
 
@@ -56,6 +58,9 @@ As Azure AD DS managed domains are locked down and managed by Microsoft, there a
 
 First, create a custom OU using the [New-ADOrganizationalUnit][New-AdOrganizationalUnit] cmdlet. For more information on creating and managing custom OUs, see [Custom OUs in Azure AD DS][create-custom-ou].
 
+> [!TIP]
+> To complete these steps to create a gMSA, [use your management VM][tutorial-create-management-vm]. This management VM should already have the required AD PowerShell cmdlets and connection to the managed domain.
+
 The following example creates a custom OU named *myNewOU* in the Azure AD DS managed domain named *contoso.com*. Use your own OU and managed domain name:
 
 ```powershell

articles/active-directory-domain-services/delete-aadds.md

@@ -1,6 +1,6 @@
 ---
-title: Disable Azure Active Directory Domain Services | Microsoft Docs'
-description: Learn how to disable Azure Active Directory Domain Services using the Azure portal
+title: Delete Azure Active Directory Domain Services | Microsoft Docs
+description: Learn how to disable, or delete, an Azure Active Directory Domain Services managed domain using the Azure portal
 services: active-directory-ds
 author: iainfoulds
 manager: daveba
@@ -10,11 +10,11 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 09/04/2019
+ms.date: 11/26/2019
 ms.author: iainfou
 
 ---
-# Disable Azure Active Directory Domain Services using the Azure portal
+# Delete an Azure Active Directory Domain Services managed domain using the Azure portal
 
 If you no longer need a managed domain, you can delete an Azure Active Directory Domain Services (Azure AD DS) instance. There's no option to turn off or temporarily disable an Azure AD DS managed domain. Deleting the Azure AD DS managed domain doesn't delete or otherwise adversely impact the Azure AD tenant. This article shows you how to use the Azure portal to delete an Azure AD DS managed domain.
 

articles/active-directory-domain-services/deploy-kcd.md

@@ -10,15 +10,15 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 09/04/2019
+ms.date: 11/26/2019
 ms.author: iainfou
 
 ---
 # Configure Kerberos constrained delegation (KCD) in Azure Active Directory Domain Services
 
 As you run applications, there may be a need for those applications to access resources in the context of a different user. Active Directory Domain Services (AD DS) supports a mechanism called *Kerberos delegation* that enables this use-case. Kerberos *constrained* delegation (KCD) then builds on this mechanism to define specific resources that can be accessed in the context of the user. Azure Active Directory Domain Services (Azure AD DS) managed domains are more securely locked down that traditional on-premises AD DS environments, so use a more secure *resource-based* KCD.
 
-This article shows you how to configure resource-basd Kerberos constrained delegation in an Azure AD DS managed domain.
+This article shows you how to configure resource-based Kerberos constrained delegation in an Azure AD DS managed domain.
 
 ## Prerequisites
 
@@ -38,7 +38,9 @@ To complete this article, you need the following resources:
 
 Kerberos delegation lets one account impersonate another account to access resources. For example, a web application that accesses a back-end web component can impersonate itself as a different user account when it makes the back-end connection. Kerberos delegation is insecure as it doesn't limit what resources the impersonating account can access.
 
-Kerberos constrained delegation (KCD) restricts the services or resources that a specified server or application can connect when impersonating another identity. Traditional KCD requires domain administrator privileges to configure a domain account for a service, and it restricts the account to run on a single domain. Traditional KCD also has a few issues. For example, in earlier operating systems, the service administrator had no useful way to know which front-end services delegated to the resource services they owned. Any front-end service that could delegate to a resource service was a potential attack point. If a server that hosted a front-end service configured to delegate to resource services was compromised, the resource services could also be compromised.
+Kerberos constrained delegation (KCD) restricts the services or resources that a specified server or application can connect when impersonating another identity. Traditional KCD requires domain administrator privileges to configure a domain account for a service, and it restricts the account to run on a single domain.
+
+Traditional KCD also has a few issues. For example, in earlier operating systems, the service administrator had no useful way to know which front-end services delegated to the resource services they owned. Any front-end service that could delegate to a resource service was a potential attack point. If a server that hosted a front-end service configured to delegate to resource services was compromised, the resource services could also be compromised.
 
 In an Azure AD DS managed domain, you don't have domain administrator privileges. As a result, traditional account-based KCD can't be configured in an Azure AD DS a managed domain. Resource-based KCD can instead be used, which is also more secure.
 

articles/active-directory-domain-services/notifications.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: article
-ms.date: 09/12/2019
+ms.date: 11/26/2019
 ms.author: iainfou
 
 ---

articles/active-directory-domain-services/scoped-synchronization.md

@@ -10,13 +10,15 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: article
-ms.date: 09/06/2019
+ms.date: 11/26/2019
 ms.author: iainfou
 
 ---
 # Configure scoped synchronization from Azure AD to Azure Active Directory Domain Services
 
-To provide authentication services, Azure Active Directory Domain Services (Azure AD DS) synchronizes users and groups from Azure AD. In a hybrid environment, users and groups from an on-premises Active Directory Domain Services (AD DS) environment can be first synchronized to Azure AD using Azure AD Connect, and then synchronized to Azure AD DS. By default, all users and groups from an Azure AD directory are synchronized to an Azure AD DS managed domain. If you have specific needs, you can instead choose to synchronize only a defined set of users.
+To provide authentication services, Azure Active Directory Domain Services (Azure AD DS) synchronizes users and groups from Azure AD. In a hybrid environment, users and groups from an on-premises Active Directory Domain Services (AD DS) environment can be first synchronized to Azure AD using Azure AD Connect, and then synchronized to Azure AD DS.
+
+By default, all users and groups from an Azure AD directory are synchronized to an Azure AD DS managed domain. If you have specific needs, you can instead choose to synchronize only a defined set of users.
 
 This article shows you how to create an Azure AD DS managed domain that uses scoped synchronization and then change or disable the set of scoped users.
 
@@ -49,7 +51,7 @@ You use the Azure portal or PowerShell to configure the scoped synchronization s
 
 ## Enable scoped synchronization using the Azure portal
 
-1. Follow the [tutorial to create and configure an Azure AD DS instance](tutorial-create-instance.md). Complete all prerequisites and deployment steps other than for synchronization scope.
+1. Follow the [tutorial to create and configure an Azure AD DS instance](tutorial-create-instance-advanced.md). Complete all prerequisites and deployment steps other than for synchronization scope.
 1. Choose **Scoped** at the synchronization step, then select the Azure AD groups to synchronize to the Azure AD DS instance.
 
 The Azure AD DS managed domain can take up to an hour to complete the deployment. In the Azure portal, the **Overview** page for your Azure AD DS managed domain shows the current status throughout this deployment stage.
@@ -58,13 +60,13 @@ When the Azure portal shows that the Azure AD DS managed domain has finished pro
 
 * Update DNS settings for the virtual network so virtual machines can find the managed domain for domain join or authentication.
     * To configure DNS, select your Azure AD DS managed domain in the portal. On the **Overview** window, you are prompted to automatically configure these DNS settings.
-* [Enable password synchronization to Azure AD Domain Services](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials.
+* [Enable password synchronization to Azure AD Domain Services](tutorial-create-instance-advanced.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials.
 
 ## Modify scoped synchronization using the Azure portal
 
 To modify the list of groups whose users should be synchronized to the Azure AD DS managed domain, complete the following steps:
 
-1. In the Azure portal, select your Azure AD DS instance, such as *contoso.com*.
+1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your instance, such as *contoso.com*.
 1. Select **Synchronization** from the menu on the left-hand side.
 1. To add a group, choose **+ Select groups** at the top, then choose the groups to add.
 1. To remove a group from the synchronization scope, select it from the list of currently synchronized groups and choose **Remove groups**.
@@ -76,7 +78,7 @@ Changing the scope of synchronization causes the Azure AD DS managed domain to r
 
 To disable group-based scoped synchronization for an Azure AD DS managed domain, complete the following steps:
 
-1. In the Azure portal, select your Azure AD DS instance, such as *contoso.com*.
+1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your instance, such as *contoso.com*.
 1. Select **Synchronization** from the menu on the left-hand side.
 1. Set the synchronization scope from **Scoped** to **All**, then select **Save synchronization scope**.
 
@@ -211,7 +213,9 @@ When the Azure portal shows that the Azure AD DS managed domain has finished pro
 
 * Update DNS settings for the virtual network so virtual machines can find the managed domain for domain join or authentication.
     * To configure DNS, select your Azure AD DS managed domain in the portal. On the **Overview** window, you are prompted to automatically configure these DNS settings.
-* [Enable password synchronization to Azure AD Domain Services](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials.
+* If you created an Azure AD DS managed domain in a region that supports Availability Zones, create a network security group to restrict traffic in the virtual network for the Azure AD DS managed domain. An Azure standard load balancer is created that requires these rules to be place. This network security group secures Azure AD DS and is required for the managed domain to work correctly.
+    * To create the network security group and required rules, select your Azure AD DS managed domain in the portal. On the **Overview** window, you are prompted to automatically create and configure the network security group.
+* [Enable password synchronization to Azure AD Domain Services](tutorial-create-instance-advanced.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials.
 
 ## Modify scoped synchronization using Powershell
 

articles/active-directory-domain-services/secure-your-domain.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: article
-ms.date: 09/09/2019
+ms.date: 11/26/2019
 ms.author: iainfou
 
 ---

articles/active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md

@@ -39,12 +39,8 @@ These application roles are defined in the [Azure portal](https://portal.azure.c
 1. On the top bar, select your account, and then **Switch Directory**.
 1. Once the **Directory + subscription** pane opens, choose the Active Directory tenant where you wish to register your application, from the **Favorites** or **All Directories** list.
 1. Select **All services** in the left-hand nav, and choose **Azure Active Directory**.
-1. In the  **Azure Active Directory** pane, select **App registrations (Legacy)** to view a list of all your applications.
-
-     If you do not see the application you want show up here, use the various filters at the top of the **App registrations (Legacy)** list to restrict the list or scroll down the list to locate your application.
-
-1. Select the application you want to define app roles in.
-1. In the blade for your application, select **Manifest**.
+1. In the  **Azure Active Directory** pane, select **App registrations** to view a list of all your applications.
+1. Select the application you want to define app roles in. Then select **Manifest**.
 1. Edit the app manifest by locating the `appRoles` setting and adding all your Application Roles.
 
      > [!NOTE]

articles/active-directory/fundamentals/media/active-directory-ops-guide/active-directory-ops-img5.png

@@ -32,7 +32,7 @@ It is not possible to list and delete a user-assigned managed identity using an
 - [Delete user-assigned managed identity](how-to-manage-ua-identity-cli.md#delete-a-user-assigned-managed-identity)
   ## Prerequisites
 
-- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). **Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#how-does-it-work)**.
+- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). **Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#how-does-the-managed-identities-for-azure-resources-work)**.
 - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before continuing.
 
 ## Template creation and editing

articles/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-arm.md

@@ -27,7 +27,7 @@ In this article, you learn how to create, list and delete a user-assigned manage
 
 ## Prerequisites
 
-- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). **Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#how-does-it-work)**.
+- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). **Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#how-does-the-managed-identities-for-azure-resources-work)**.
 - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before continuing.
 - To run the CLI script examples, you have three options:
     - Use [Azure Cloud Shell](../../cloud-shell/overview.md) from the Azure portal (see next section).