Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into PrivateLinks

Author: SnehaGunda

articles/active-directory-b2c/saml-technical-profile.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 02/13/2020
+ms.date: 03/30/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -86,11 +86,32 @@ The **Name** attribute of the Protocol element needs to be set to `SAML2`.
 
 The **OutputClaims** element contains a list of claims returned by the SAML identity provider under the `AttributeStatement` section. You may need to map the name of the claim defined in your policy to the name defined in the identity provider. You can also include claims that aren't returned by the identity provider as long as you set the `DefaultValue` attribute.
 
-To read the SAML assertion **NamedId** in **Subject** as a normalized claim, set the claim **PartnerClaimType** to `assertionSubjectName`. Make sure the **NameId** is the first value in assertion XML. When you define more than one assertion, Azure AD B2C picks the subject value from the last assertion.
+### Subject name output claim
+
+To read the SAML assertion **NameId** in the **Subject** as a normalized claim, set the claim **PartnerClaimType** to value of the `SPNameQualifier` attribute. If the `SPNameQualifier`attribute is not presented, set the claim **PartnerClaimType** to value of the `NameQualifier` attribute. 
 
-The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
 
-The following example shows the claims returned by the Facebook identity provider:
+SAML assertion: 
+
+```XML
+<saml:Subject>
+  <saml:NameID SPNameQualifier="http://your-idp.com/unique-identifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">[email protected]</saml:NameID>
+	<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+	  <SubjectConfirmationData InResponseTo="_cd37c3f2-6875-4308-a9db-ce2cf187f4d1" NotOnOrAfter="2020-02-15T16:23:23.137Z" Recipient="https://your-tenant.b2clogin.com/your-tenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer" />
+    </SubjectConfirmation>
+  </saml:SubjectConfirmation>
+</saml:Subject>
+```
+
+Output claim:
+
+```XML
+<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="http://your-idp.com/unique-identifier" />
+```
+
+If both `SPNameQualifier` or `NameQualifier` attributes are not presented in the SAML assertion, set the claim **PartnerClaimType** to `assertionSubjectName`. Make sure the **NameId** is the first value in assertion XML. When you define more than one assertion, Azure AD B2C picks the subject value from the last assertion.
+
+The following example shows the claims returned by a SAML identity provider:
 
 - The **issuerUserId** claim is mapped to the **assertionSubjectName** claim.
 - The **first_name** claim is mapped to the **givenName** claim.
@@ -115,6 +136,8 @@ The technical profile also returns claims that aren't returned by the identity p
 </OutputClaims>
 ```
 
+The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
+
 ## Metadata
 
 | Attribute | Required | Description |

articles/active-directory-domain-services/network-considerations.md

@@ -5,12 +5,11 @@ services: active-directory-ds
 author: iainfoulds
 manager: daveba
 
-ms.assetid: 23a857a5-2720-400a-ab9b-1ba61e7b145a
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 01/21/2020
+ms.date: 03/30/2020
 ms.author: iainfou
 
 ---
@@ -72,7 +71,7 @@ You can connect a virtual network to another virtual network (VNet-to-VNet) in t
 
 ![Virtual network connectivity using a VPN Gateway](./media/active-directory-domain-services-design-guide/vnet-connection-vpn-gateway.jpg)
 
-For more information on using virtual private networking, read [Configure a VNet-to-VNet VPN gateway connection by using the Azure portal](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal).
+For more information on using virtual private networking, read [Configure a VNet-to-VNet VPN gateway connection by using the Azure portal](../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md).
 
 ## Name resolution when connecting virtual networks
 
@@ -93,11 +92,11 @@ An Azure AD DS managed domain creates some networking resources during deploymen
 | Load balancer rules                     | When an Azure AD DS managed domain is configured for secure LDAP on TCP port 636, three rules are created and used on a load balancer to distribute the traffic. |
 
 > [!WARNING]
-> Don't delete any of the network resource created by Azure AD DS. If you delete any of the network resources, an Azure AD DS service outage occurs.
+> Don't delete or modify any of the network resource created by Azure AD DS, such as manually configuring the load balancer or rules. If you delete or modify any of the network resources, an Azure AD DS service outage may occur.
 
 ## Network security groups and required ports
 
-A [network security group (NSG)](https://docs.microsoft.com/azure/virtual-network/virtual-networks-nsg) contains a list of rules that allow or deny network traffic to traffic in an Azure virtual network. A network security group is created when you deploy Azure AD DS that contains a set of rules that let the service provide authentication and management functions. This default network security group is associated with the virtual network subnet your Azure AD DS managed domain is deployed into.
+A [network security group (NSG)](../virtual-network/virtual-networks-nsg.md) contains a list of rules that allow or deny network traffic to traffic in an Azure virtual network. A network security group is created when you deploy Azure AD DS that contains a set of rules that let the service provide authentication and management functions. This default network security group is associated with the virtual network subnet your Azure AD DS managed domain is deployed into.
 
 The following network security group rules are required for Azure AD DS to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet your Azure AD DS managed domain is deployed into.
 

articles/active-directory/governance/entitlement-management-access-package-first.md

@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: tutorial
 ms.subservice: compliance
-ms.date: 10/22/2019
+ms.date: 03/30/2020
 ms.author: ajburnle
 ms.reviewer: markwahl-msft
 ms.collection: M365-identity-device-management
@@ -82,79 +82,83 @@ An *access package* is a bundle of resources that a team or project needs and is
 
 1. In the Azure portal, in the left navigation, click **Azure Active Directory**.
 
-1. In the left menu, click **Identity Governance**
+2. In the left menu, click **Identity Governance**
 
-1. In the left menu, click **Access packages**.  If you see **Access denied**, ensure that an Azure AD Premium P2 license is present in your directory.
+3. In the left menu, click **Access packages**.  If you see **Access denied**, ensure that an Azure AD Premium P2 license is present in your directory.
 
-1. Click **New access package**.
+4. Click **New access package**.
 
     ![Entitlement management in the Azure portal](./media/entitlement-management-shared/access-packages-list.png)
 
-1. On the **Basics** tab, type the name **Marketing Campaign** access package and description **Access to resources for the campaign**.
+5. On the **Basics** tab, type the name **Marketing Campaign** access package and description **Access to resources for the campaign**.
 
-1. Leave the **Catalog** drop-down list set to **General**.
+6. Leave the **Catalog** drop-down list set to **General**.
 
     ![New access package - Basics tab](./media/entitlement-management-access-package-first/basics.png)
 
-1. Click **Next** to open the **Resource roles** tab.
+7. Click **Next** to open the **Resource roles** tab.
 
     On this tab, you select the resources and the resource role to include in the access package.
 
-1. Click **Groups and Teams**.
+8. Click **Groups and Teams**.
 
-1. In the Select groups pane, find and select the **Marketing resources** group you created earlier.
+9. In the Select groups pane, find and select the **Marketing resources** group you created earlier.
 
     By default, you see groups inside and outside the **General** catalog. When you select a group outside of the **General** catalog, it will be added to the **General** catalog.
 
     ![New access package - Resource roles tab](./media/entitlement-management-access-package-first/resource-roles-select-groups.png)
 
-1. Click **Select** to add the group to the list.
+10. Click **Select** to add the group to the list.
 
-1. In the **Role** drop-down list, select **Member**.
+11. In the **Role** drop-down list, select **Member**.
 
     ![New access package - Resource roles tab](./media/entitlement-management-access-package-first/resource-roles.png)
 
-1. Click **Next** to open the **Requests** tab.
+    >[!NOTE]
+    > When using [dynamic groups](../users-groups-roles/groups-create-rule.md) you will not see any other roles available besides owner. This is by design.
+    > ![Scenario overview](./media/entitlement-management-access-package-first/dynamic-group-warning.png)
+
+12. Click **Next** to open the **Requests** tab.
 
     On this tab, you create a request policy. A *policy* defines the rules or guardrails to access an access package. You create a policy that allows a specific user in the resource directory to request this access package.
 
-1. In the **Users who can request access** section, click **For users in your directory** and then click **Specific users and groups**.
+13. In the **Users who can request access** section, click **For users in your directory** and then click **Specific users and groups**.
 
     ![New access package - Requests tab](./media/entitlement-management-access-package-first/requests.png)
 
-1. Click **Add users and groups**.
+14. Click **Add users and groups**.
 
-1. In the Select users and groups pane, select the **Requestor1** user you created earlier.
+15. In the Select users and groups pane, select the **Requestor1** user you created earlier.
 
     ![New access package - Requests tab - Select users and groups](./media/entitlement-management-access-package-first/requests-select-users-groups.png)
 
-1. Click **Select**.
+16. Click **Select**.
 
-1. Scroll down to the **Approval** and **Enable requests** sections.
+17. Scroll down to the **Approval** and **Enable requests** sections.
 
-1. Leave **Require approval** set to **No**.
+18. Leave **Require approval** set to **No**.
 
-1. For **Enable requests**, click **Yes** to enable this access package to be requested as soon as it is created.
+19. For **Enable requests**, click **Yes** to enable this access package to be requested as soon as it is created.
 
     ![New access package - Requests tab - Approval and Enable requests](./media/entitlement-management-access-package-first/requests-approval-enable.png)
 
-1. Click **Next** to open the **Lifecycle** tab.
+20. Click **Next** to open the **Lifecycle** tab.
 
-1. In the **Expiration** section, set **Access package assignments expire** to **Number of days**.
+21. In the **Expiration** section, set **Access package assignments expire** to **Number of days**.
 
-1. Set **Assignments expire after** to **30** days.
+22. Set **Assignments expire after** to **30** days.
 
     ![New access package - Lifecycle tab](./media/entitlement-management-access-package-first/lifecycle.png)
 
-1. Click **Next** to open the **Review + Create** tab.
+23. Click **Next** to open the **Review + Create** tab.
 
     ![New access package - Review + Create tab](./media/entitlement-management-access-package-first/review-create.png)
 
     After a few moments, you should see a notification that the access package was successfully created.
 
-1. In left menu of the Marketing Campaign access package, click **Overview**.
+24. In left menu of the Marketing Campaign access package, click **Overview**.
 
-1. Copy the **My Access portal link**.
+25. Copy the **My Access portal link**.
 
     You'll use this link for the next step.
 

articles/active-directory/governance/media/entitlement-management-access-package-first/dynamic-group-warning.png

@@ -109,15 +109,15 @@ No, this scenario isn't supported because Application Proxy will terminate TLS t
 
 Refer to [Publish Remote Desktop with Azure AD Application Proxy](application-proxy-integrate-with-remote-desktop-services.md).
 
-### Can I use Kerberos Constrained Delegation in the Remote Desktop Gateway publishing scenario?
+### Can I use Kerberos Constrained Delegation (Single Sign-On - Windows Integrated Authentication) in the Remote Desktop Gateway publishing scenario?
 
 No, this scenario isn't supported.  
 
 ### My users don't use Internet Explorer 11 and the pre-authentication scenario doesn’t work for them. Is this expected?
 
 Yes, it’s expected. The pre-authentication scenario requires an ActiveX control, which isn't supported in third-party browsers.
 
-### Is the Remote Desktop Web Client supported?
+### Is the Remote Desktop Web Client (HTML5) supported?
 
 No, this scenario isn't currently supported. Follow our [UserVoice](https://aka.ms/aadapuservoice) feedback forum for updates on this feature.
 
@@ -131,6 +131,10 @@ Yes, it's expected. If the user’s computer is Azure AD joined, the user signs
 
 Refer to [Enable remote access to SharePoint with Azure AD Application Proxy](application-proxy-integrate-with-sharepoint-server.md).
 
+### Can I use the SharePoint mobile app (iOS/ Android) to access a published SharePoint server?
+
+The [SharePoint mobile app](https://docs.microsoft.com/sharepoint/administration/supporting-the-sharepoint-mobile-apps-online-and-on-premises) does not support Azure Active Directory pre-authentication currently.
+
 ## Active Directory Federation Services (AD FS) publishing 
 
 ### Can I use Azure AD Application Proxy as AD FS proxy (like Web Application Proxy)?
@@ -143,7 +147,7 @@ No. Azure AD Application Proxy is designed to work with Azure AD and doesn’t f
 
 Currently, WebSocket protocol support is still in public preview and it may not work for other applications. Some customers have had mixed success using WebSocket protocol with other applications. If you test such scenarios, we would love to hear your results. Please send us your feedback at [email protected].
 
-Features (Eventlogs, PowerShell and Remote Desktop Services) in Windows Admin Center (WAC) or Remote Desktop Web Client do not work through Azure AD Application Proxy presently.
+Features (Eventlogs, PowerShell and Remote Desktop Services) in Windows Admin Center (WAC) or Remote Desktop Web Client (HTML5) do not work through Azure AD Application Proxy presently.
 
 ## Link translation
 

articles/active-directory/manage-apps/application-proxy-faq.md

@@ -4,7 +4,7 @@ description: Learn how to add an automation service principal to the Azure Analy
 author: minewiskan
 ms.service: azure-analysis-services
 ms.topic: conceptual
-ms.date: 10/29/2019
+ms.date: 03/30/2020
 ms.author: owend
 ms.reviewer: minewiskan
 ms.custom: fasttrack-edit

articles/analysis-services/analysis-services-addservprinc-admins.md

@@ -4,7 +4,7 @@ description: This article describes how to backup and restore model metadata and
 author: minewiskan
 ms.service: azure-analysis-services
 ms.topic: conceptual
-ms.date: 10/30/2019
+ms.date: 03/30/2020
 ms.author: owend
 ms.reviewer: minewiskan
 

articles/analysis-services/analysis-services-backup.md

@@ -4,7 +4,7 @@ description: This article describes how Azure Analysis Services provides high av
 author: minewiskan
 ms.service: azure-analysis-services
 ms.topic: conceptual
-ms.date: 10/30/2019
+ms.date: 03/30/2020
 ms.author: owend
 ms.reviewer: minewiskan
 

articles/analysis-services/analysis-services-bcdr.md

@@ -4,7 +4,7 @@ description: Learn how to connect to an Azure Analysis Services server by using
 author: minewiskan
 ms.service: azure-analysis-services
 ms.topic: conceptual
-ms.date: 10/30/2019
+ms.date: 03/30/2020
 ms.author: owend
 ms.reviewer: minewiskan
 

articles/analysis-services/analysis-services-connect-excel.md

@@ -4,7 +4,7 @@ description: Learn how to connect to an Azure Analysis Services server by using
 author: minewiskan
 ms.service: azure-analysis-services
 ms.topic: conceptual
-ms.date: 10/30/2019
+ms.date: 03/30/2020
 ms.author: owend
 ms.reviewer: minewiskan