Commit bd5fee5

authored
Merge pull request #110374 from MicrosoftDocs/master
4/06 AM Publish
2 parents 642a297 + b18c10a commit bd5fee5

98 files changed

+946
-811
lines changed

articles/active-directory-b2c/secure-rest-api.md

Lines changed: 2 additions & 2 deletions
@@ -268,7 +268,7 @@ To support bearer token authentication in your custom policy, modify the REST AP
268268
1. Ensure you add the claim used above as an input claim:
269269

270270
```xml
271-
<InputClaim ClaimTyeReferenceId="bearerToken"/>
271+
<InputClaim ClaimTypeReferenceId="bearerToken"/>
272272
```
273273

274274
After you add the above snippets, your technical profile should look like the following XML code:
@@ -288,7 +288,7 @@ After you add the above snippets, your technical profile should look like the fo
288288
<Item Key="AllowInsecureAuthInProduction">false</Item>
289289
</Metadata>
290290
<InputClaims>
291-
<InputClaim ClaimTyeReferenceId="bearerToken"/>
291+
<InputClaim ClaimTypeReferenceId="bearerToken"/>
292292
</InputClaims>
293293
...
294294
</TechnicalProfile>
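Review bot: The misspelled attribute is corrected on lines 271 and 291, but those two lines are the file's only changes, so ms.date is not bumped here the way it is for troubleshoot-account-lockout.md in this same commit. Anyone who copied the earlier sample still has "ClaimTyeReferenceId" in their policy, so consider updating ms.date so the correction is visible to readers who track article revisions.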

articles/active-directory-domain-services/troubleshoot-account-lockout.md

Lines changed: 3 additions & 3 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: domain-services
1010
ms.workload: identity
1111
ms.topic: troubleshooting
12-
ms.date: 10/02/2019
12+
ms.date: 04/06/2020
1313
ms.author: iainfou
1414

1515
#Customer intent: As a directory administrator, I want to troubleshoot why user accounts are locked out in an Azure Active Directory Domain Services managed domain.
@@ -31,11 +31,11 @@ The default account lockout thresholds are configured using fine-grained passwor
3131

3232
### Fine-grained password policy
3333

34-
Fine-grained password policies (FGPPs) let you apply specific restrictions for password and account lockout policies to different users in a domain. FGPP only affects users created in Azure AD DS. Cloud users and domain users synchronized into the Azure AD DS managed domain from Azure AD aren't affected by the password policies.
34+
Fine-grained password policies (FGPPs) let you apply specific restrictions for password and account lockout policies to different users in a domain. FGPP only affects users within an Azure AD DS managed domain. Cloud users and domain users synchronized into the Azure AD DS managed domain from Azure AD are only affected by the password policies within Azure AD DS. Their accounts in Azure AD or an on-premises directory aren't impacted.
3535

3636
Policies are distributed through group association in the Azure AD DS managed domain, and any changes you make are applied at the next user sign-in. Changing the policy doesn't unlock a user account that's already locked out.
3737

38-
For more information on fine-grained password policies, see [Configure password and account lockout policies][configure-fgpp].
38+
For more information on fine-grained password policies, and the differences between users created directly in Azure AD DS versus synchronized in from Azure AD, see [Configure password and account lockout policies][configure-fgpp].
3939

4040
## Common account lockout reasons
4141
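Review bot: On new line 34, "are only affected by the password policies within Azure AD DS" can be read two ways: that synchronized users are subject to no policy other than the managed domain's, or that the policy's effect on them is limited to the managed domain. Because this reverses the old sentence, which said these users "aren't affected", state the scope directly, for example by saying that the policies apply to all users in the managed domain, including cloud-only and synchronized users, and then keeping the closing sentence about the source accounts not being impacted. The opening "FGPP only affects users within an Azure AD DS managed domain" has the same misplaced "only" and should be reworded along with it.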

articles/active-directory/authentication/concept-authentication-passwordless.md

Lines changed: 1 addition & 1 deletion
@@ -159,7 +159,7 @@ Use the following table to choose which method will support your requirements an
159159

160160
## Next steps
161161

162-
[Enable FIDO2 security key passwordlesss options in your organization](howto-authentication-passwordless-security-key.md)
162+
[Enable FIDO2 security key passwordless options in your organization](howto-authentication-passwordless-security-key.md)
163163

164164
[Enable phone-based passwordless options in your organization](howto-authentication-passwordless-phone.md)
165165

articles/active-directory/authentication/howto-sspr-windows.md

Lines changed: 1 addition & 1 deletion
@@ -40,7 +40,7 @@ For machines running Windows 7, 8, 8.1, and 10 you can enable users to reset the
4040
- The combination of the following specific three settings can cause this feature to not work.
4141
- Interactive logon: Do not require CTRL+ALT+DEL = Disabled
4242
- DisableLockScreenAppNotifications = 1 or Enabled
43-
- IsContentDeliveryPolicyEnforced = 1 or True
43+
- Windows SKU isn't Home or Professional edition
4444

4545
## Windows 10 password reset
4646
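Review bot: The lead-in on line 40 still reads "the following specific three settings", but the replacement item on line 43 is a Windows edition condition rather than a setting, and IsContentDeliveryPolicyEnforced is dropped with no explanation for administrators who troubleshot against the old list. Reword the lead-in (for example "the following three conditions") and name the affected editions positively instead of "isn't Home or Professional", so it is clear which SKUs to check.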

articles/active-directory/hybrid/howto-troubleshoot-upn-changes.md

Lines changed: 11 additions & 11 deletions
@@ -55,11 +55,11 @@ You can change a UPN by changing the prefix, suffix, or both.
5555

5656
5757
Or<br>
58-
58+
5959

6060
Change the user's UPN every time the primary email address for a user is updated. No matter the reason for the email change, the UPN must always be updated to match.
6161

62-
During the initial synchronization from Active Directory to Azure AD, ensure the users' emails are identical to their UPNs
62+
During the initial synchronization from Active Directory to Azure AD, ensure the users' emails are identical to their UPNs.
6363

6464
### UPNs in Active Directory
6565

@@ -97,15 +97,15 @@ If the value of the userPrincipalName attribute doesn't correspond to a verified
9797

9898
### Roll-out bulk UPN changes
9999

100-
Follow the[best practices for a pilot](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-deployment-plans) for bulk UPN changes. Also have a tested rollback plan for reverting UPNs if you find issues that can't be quickly resolved. Once your pilot is running, you can start targeting small sets of users with various organizational roles and their specific sets of apps or devices.
100+
Follow the [best practices for a pilot](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-deployment-plans) for bulk UPN changes. Also have a tested rollback plan for reverting UPNs if you find issues that can't be quickly resolved. Once your pilot is running, you can start targeting small sets of users with various organizational roles and their specific sets of apps or devices.
101101

102102
Going through this first subset of users will give you a good idea of what users should expect as part of the change. Include this information on your user communications.
103103

104104
Create a defined procedure for changing UPNs on individual users as part of normal operations. We recommend having a tested procedure that includes documentation about known issues and workarounds.
105105

106106
The following sections detail potential known issues and workarounds when UPNs are changed.
107107

108-
## user provisioning known issues and workarounds
108+
## Apps known issues and workarounds
109109

110110
[Software as a service (SaaS)](https://azure.microsoft.com/overview/what-is-saas/) and Line of Business (LoB) applications often rely on UPNs to find users and store user profile information, including roles. Applications that use [Just in Time provisioning](https://docs.microsoft.com/azure/active-directory/app-provisioning/user-provisioning) to create a user profile when users sign in to the app for the first time can be affected by UPN changes.
111111
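Review bot: Renaming the H2 on line 108 changes the heading's generated anchor, so any link that targets the old "user provisioning known issues and workarounds" section will stop resolving; check for inbound links before merging. The section body on line 110 says "applications" throughout, so "Application known issues and workarounds" would match the text better than "Apps".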

@@ -114,6 +114,7 @@ Changing a user's UPN could break the relationship between the Azure AD user and
114114

115115
**Workaround**<br>
116116
[Azure AD Automated User Provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning) lets you automatically create, maintain, and remove your user identities in supported cloud applications. Configuring automated user provisioning on your applications automatically updates UPNs on the applications. Test the applications as part of the progressive rollout to validate that they are not impacted by UPN changes.
117+
If you are a developer, consider [adding SCIM support to your application](https://docs.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups) to enable automatic user provisioning from Azure Active Directory.
117118

118119
## Managed devices known issues and workarounds
119120

@@ -127,7 +128,7 @@ By [bringing your devices to Azure AD](https://docs.microsoft.com/azure/active-d
127128
Users may experience single sign-on issues with applications that depend on Azure AD for authentication.
128129

129130
**Workaround** <br>
130-
Allow enough time for the UPN change to sync to Azure AD. Once you verify that the new UPN is reflected on the Azure AD Portal, ask the user to select the "Other user" tile to sign in with their new UPN. you can also verify through [PowerShell](https://docs.microsoft.com/powershell/module/azuread/get-azureaduser?view=azureadps-2.0). After signing in with their new UPN, references to the old UPN might still appear on "Access work or school" Windows setting.
131+
Allow enough time for the UPN change to sync to Azure AD. Once you verify that the new UPN is reflected on the Azure AD Portal, ask the user to select the "Other user" tile to sign in with their new UPN. You can also verify through [PowerShell](https://docs.microsoft.com/powershell/module/azuread/get-azureaduser?view=azureadps-2.0). After signing in with their new UPN, references to the old UPN might still appear on the "Access work or school" Windows setting.
131132

132133
![Screenshot of verified domains](./media/howto-troubleshoot-upn-changes/other-user.png)
133134

@@ -152,7 +153,8 @@ To unjoin a device from Azure AD, run the following command at a command prompt:
152153

153154
**dsregcmd /leave**
154155

155-
The user will need to [re-enroll](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision) for Windows Hello for Business if it's being used. Windows 7 and 8.1 devices are not affected by this issue after UPN changes.
156+
The user will need to [re-enroll](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision) for Windows Hello for Business if it's being used.
157+
Windows 7 and 8.1 devices are not affected by this issue after UPN changes.
156158

157159
## Microsoft Authenticator known issues and workarounds
158160
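Review bot: New lines 156 and 157 sit on consecutive lines with no blank line between them, which Markdown renders as one paragraph, so the split has no visible effect. If the Windows 7 and 8.1 statement is meant to stand apart from the Windows Hello for Business re-enrollment step, add a blank line between them or turn it into a note.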

@@ -164,23 +166,21 @@ The [Microsoft Authenticator app](https://docs.microsoft.com/azure/active-direct
164166

165167
* Act as an Authentication Broker on iOS and Android devices to provide single sign-on for applications that use [Brokered authentication](https://docs.microsoft.com/azure/active-directory/develop/brokered-auth)
166168

167-
* Device registration (also known as Workplace Joined) to Azure AD, which is a requirement for other features like Intune App Protection and Device Enrolment/Management,
169+
* Device registration (also known as Workplace Join) to Azure AD, which is a requirement for other features like Intune App Protection and Device Enrolment/Management,
168170

169171
* Phone sign in, which requires MFA and device registration.
170172

171173
### Multi-Factor Authentication with Android devices
172174

173175
The Microsoft Authenticator app offers an out-of-band verification option. Instead of placing an automated phone call or SMS to the user during sign-in, [Multi-Factor Authentication (MFA)](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks) pushes a notification to the Microsoft Authenticator app on the user's smartphone or tablet. The user simply taps Approve (or enters a PIN or biometric and taps "Authenticate") in the app to complete their sign-in.
174176

175-
When you change a user's UPN, mobile devices can experience the following issues:
176-
177177
**Known issues**
178178

179-
The old UPN still displays on the user account and a notification might not be received. [Verification codes](https://docs.microsoft.com/azure/active-directory/user-help/user-help-auth-app-faq) continue to work.
179+
When you change a user's UPN, the old UPN still displays on the user account and a notification might not be received. [Verification codes](https://docs.microsoft.com/azure/active-directory/user-help/user-help-auth-app-faq) continue to work.
180180

181181
**Workaround**
182182

183-
If a notification is received, instruct the user to dismiss the notification, open the Authenticator app, tap the "Check for notifications" option and approve the MFA prompt. After this, the UPN displayed on the account will be updated. Note the updated UPN might be displayed as a new account, this is due to other Authenticator functionality being used. For more information additional known issues in this article.
183+
If a notification is received, instruct the user to dismiss the notification, open the Authenticator app, tap the "Check for notifications" option and approve the MFA prompt. After this, the UPN displayed on the account will be updated. Note the updated UPN might be displayed as a new account, this is due to other Authenticator functionality being used. For more information refer to the additional known issues in this article.
184184

185185
### Brokered authentication
186186
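Review bot: Line 169 is edited for "Workplace Join" but keeps the trailing comma and the spelling "Enrolment", and new line 183 still carries the comma splice "displayed as a new account, this is due to" and lacks a comma after "For more information". Both lines are already being touched, so fix these in the same change.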
