Merge branch 'master' into 4me

Author: v-bhgad

.markdownlint.json

@@ -0,0 +1,43 @@
+{
+    "default": true,
+    "MD001": false,
+    "MD002": false,
+    "MD003": false,
+    "MD004": false,
+    "MD005": false,
+    "MD006": false,
+    "MD007": false,
+    "MD009": false,
+    "MD010": false,
+    "MD012": false,
+    "MD013": false,
+    "MD014": false,
+    "MD018": false,
+    "MD019": false,
+    "MD020": false,
+    "MD021": false,
+    "MD022": false,
+    "MD023": false,
+    "MD024": false,
+    "MD025": false,
+    "MD026": false,
+    "MD027": false,
+    "MD028": false,
+    "MD029": false,
+    "MD030": false,
+    "MD031": false,
+    "MD032": false,
+    "MD033": false,
+    "MD034": false,
+    "MD035": false,
+    "MD036": false,
+    "MD037": false,
+    "MD038": false,
+    "MD039": false,
+    "MD040": false,
+    "MD041": false,
+    "MD042": false,
+    "MD045": false,
+    "MD046": false,
+    "MD047": false
+}

.openpublishing.redirection.json

@@ -135,6 +135,11 @@
       "redirect_url": "https://docs.microsoft.com/azure/architecture/topics/high-performance-computing/",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/virtual-machines/windows/new-azvm-demo.md",
+      "redirect_url": "/azure/virtual-machines/windows/quick-create-powershell",
+      "redirect_document_id": false
+    },	
     {
       "source_path": "articles/virtual-machines/linux/high-performance-computing.md",
       "redirect_url": "https://docs.microsoft.com/azure/architecture/topics/high-performance-computing/",
@@ -37273,11 +37278,6 @@
       "redirect_url": "/azure/azure-monitor/platform/activity-log-collect-tenants",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/azure-monitor/platform/oms-portal-transition.md",
-      "redirect_url": "/azure/azure-monitor/overview",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/azure-monitor/platform/oms-portal-faq.md",
       "redirect_url": "/azure/azure-monitor/overview",

articles/active-directory-b2c/active-directory-b2c-reference-spa.md

@@ -15,7 +15,7 @@ ms.subservice: B2C
 
 # Single-page sign in using the OAuth 2.0 implicit flow in Azure Active Directory B2C
 
-Many modern applications have a single-page app front end that primarily is written in JavaScript. Often, the app is written by using a framework like AngularJS, Ember.js, or Durandal. Single-page apps and other JavaScript apps that run primarily in a browser have some additional challenges for authentication:
+Many modern applications have a single-page app front end that primarily is written in JavaScript. Often, the app is written by using a framework like React, Angular or Vue.js. Single-page apps and other JavaScript apps that run primarily in a browser have some additional challenges for authentication:
 
 - The security characteristics of these apps are different from traditional server-based web applications.
 - Many authorization servers and identity providers do not support cross-origin resource sharing (CORS) requests.

articles/active-directory/authentication/concept-authentication-methods.md

@@ -1,12 +1,12 @@
 ---
 title: Authentication methods - Azure Active Directory
-description: What authentication methods are available in Azure AD for MFA and SSPR
+description: Authentication methods available in Azure AD for MFA and SSPR
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/20/2019
+ms.date: 06/17/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -177,7 +177,9 @@ Once any errors have been addressed, the administrator then can activate each ke
 
 Users may have a combination of up to five OATH hardware tokens or authenticator applications such as the Microsoft Authenticator app configured for use at any time.
 
-## Mobile phone
+## Phone options
+
+### Mobile phone
 
 Two options are available to users with mobile phones.
 
@@ -190,18 +192,18 @@ To work properly, phone numbers must be in the format *+CountryCode PhoneNumber*
 >
 > Password reset does not support phone extensions. Even in the +1 4255551234X12345 format, extensions are removed before the call is placed.
 
-### Text message
+#### Text message
 
 An SMS is sent to the mobile phone number containing a verification code. Enter the verification code provided in the sign-in interface to continue.
 
-### Phone call
+#### Phone call
 
 An automated voice call is made to the phone number you provide. Answer the call and press # in the phone keypad to authenticate
 
 > [!IMPORTANT]
 > Starting in March of 2019 the phone call options will not be available to MFA and SSPR users in free/trial Azure AD tenants. SMS messages are not impacted by this change. Phone call will continue to be available to users in paid Azure AD tenants. This change only impacts free/trial Azure AD tenants.
 
-## Office phone
+### Office phone
 
 An automated voice call is made to the phone number you provide. Answer the call and presses # in the phone keypad to authenticate.
 
@@ -217,6 +219,25 @@ The office phone attribute is managed by your administrator.
 >
 > Password reset does not support phone extensions. Even in the +1 4255551234X12345 format, extensions are removed before the call is placed.
 
+### Troubleshooting phone options
+
+Common problems related to authentication methods using a phone number:
+
+* Blocked caller ID on a single device
+   * Troubleshoot device
+* Wrong phone number, incorrect country code, home phone number versus work phone number
+   * Troubleshoot user object and configured authentication methods. Ensure correct phone numbers are registered.
+* Wrong PIN entered
+   * Confirm user has used the correct PIN registered in Azure MFA Server.
+* Call forwarded to voicemail
+   * Ensure user has phone turned on and that service is available in their area or use alternate method.
+* User is blocked
+   * Have administrator unblock the user in the Azure portal.
+* SMS is not subscribed on the device
+   * Have the user change methods or activate SMS on the device.
+* Faulty telecom providers (No phone input detected, missing DTMF tones issues, blocked caller ID on multiple devices, or blocked SMS across multiple devices)
+   * Microsoft uses multiple telecom providers to route phone calls and SMS messages for authentication. If you are seeing any of the above issues have a user attempt to use the method at least 5 times within 5 minutes and have that user's information available when contacting Microsoft support.
+
 ## App Passwords
 
 Certain non-browser apps do not support multi-factor authentication, if a user has been enabled for multi-factor authentication and attempt to use non-browser apps, they are unable to authenticate. An app password allows users to continue to authenticate

articles/active-directory/authentication/howto-mfa-userstates.md

@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
 You can take one of two approaches for requiring two-step verification, both of which require using a global administrator account. The first option is to enable each user for Azure Multi-Factor Authentication (MFA). When users are enabled individually, they perform two-step verification each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the _remembered devices_ feature is turned on). The second option is to set up a Conditional Access policy that requires two-step verification under certain conditions.
 
 > [!TIP]
-> Choose one of these methods to require two-step verification, not both. Enabling a user for Azure Multi-Factor Authentication overrides any Conditional Access policies.
+> Enabling Azure Multi-Factor Authentication using Conditional Access policies is the recommended approach. Changing user states is no longer recommended unless your licenses do not include Conditional Access as it will require users to perform MFA every time they sign in.
 
 ## Choose how to enable
 

articles/active-directory/conditional-access/block-legacy-authentication.md

@@ -1,22 +1,16 @@
 ---
 title: How to block legacy authentication to Azure Active Directory (Azure AD) with Conditional Access| Microsoft Docs
 description: Learn how to improve your security posture by blocking legacy authentication using Azure AD Conditional Access.
-services: active-directory
-keywords: Conditional Access to apps, Conditional Access with Azure AD, secure access to company resources, Conditional Access policies
-documentationcenter: ''
-author: MicrosoftGuyJFlo
-manager: daveba
-editor: ''
 
-ms.subservice: conditional-access
-ms.assetid: 8c1d978f-e80b-420e-853a-8bbddc4bcdad
+services: active-directory
 ms.service: active-directory
-ms.devlang: na
-ms.topic: article
-ms.tgt_pltfrm: na
-ms.workload: identity
-ms.date: 03/25/2019
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 06/17/2019
+
 ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
 ms.reviewer: calebb
 
 ms.collection: M365-identity-device-management
@@ -25,20 +19,15 @@ ms.collection: M365-identity-device-management
 
 To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols including legacy authentication. However, legacy protocols don’t support multi-factor authentication (MFA). MFA is in many environments a common requirement to address identity theft. 
 
-
 If your environment is ready to block legacy authentication to improve your tenant's protection, you can accomplish this goal with Conditional Access. This article explains how you can configure Conditional Access policies that block legacy authentication for your tenant.
 
-
-
 ## Prerequisites
 
 This article assumes that you are familiar with: 
 
 - The [basic concepts](overview.md) of Azure AD Conditional Access 
 - The [best practices](best-practices.md) for configuring Conditional Access policies in the Azure portal
 
-
-
 ## Scenario description
 
 Azure AD supports several of the most widely used authentication and authorization protocols including legacy authentication. Legacy authentication refers to protocols that use basic authentication. Typically, these protocols can't enforce any type of second factor authentication. Examples for apps that are based on legacy authentication are:
@@ -53,12 +42,21 @@ How can you prevent apps using legacy authentication from accessing your tenant'
 
 Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access.
 
+## Implementation
+
+This section explains how to configure a Conditional Access policy to block legacy authentication. 
 
+### Identify legacy authentication use
 
+Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory. Azure AD sign-in logs can be used to understand if you’re using legacy authentication.
 
-## Implementation
+1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-ins**.
+1. Add the Client App column if it is not shown by clicking on **Columns** > **Client App**.
+1. Filter by **Client App** > **Other Clients** and click **Apply**.
 
-This section explains how to configure a Conditional Access policy to block legacy authentication. 
+Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you additional details. The **Client App** field under the **Basic Info** tab will indicate which legacy authentication protocol was used.
+
+These logs will indicate which users are still depending on legacy authentication and which applications are using legacy protocols to make authentication requests. For users that do not appear in these logs and are confirmed to not be using legacy authentication, implement a Conditional Access policy for these users only.
 
 ### Block legacy authentication 
 

articles/active-directory/develop/msal-net-instantiate-confidential-client-config-options.md

@@ -59,12 +59,12 @@ An ASP.NET Core application configuration is described in an *appsettings.json*
 }
 ```
 
-Starting in MSAL.NET v3.x, you can configure your confidential client application from the config file. The classes related to the app configuration are located in the `Microsoft.Identity.Client.AppConfig` namespace.
+Starting in MSAL.NET v3.x, you can configure your confidential client application from the config file.
 
-In the class where you want configure and instantiate your application, you need to declare a `ConfidentialClientApplicationOptions` object.  Bind the configuration read from the source (including the appconfig.json file) to the instance of the application options:
+In the class where you want configure and instantiate your application, you need to declare a `ConfidentialClientApplicationOptions` object.  Bind the configuration read from the source (including the appconfig.json file) to the instance of the application options, using the `IConfigurationRoot.Bind()` method from the [Microsoft.Extensions.Configuration.Binder nuget package](https://www.nuget.org/packages/Microsoft.Extensions.Configuration.Binder):
 
 ```csharp
-using Microsoft.Identity.Client.AppConfig;
+using Microsoft.Identity.Client;
 
 private ConfidentialClientApplicationOptions _applicationOptions;
 _applicationOptions = new ConfidentialClientApplicationOptions();

articles/active-directory/develop/scenario-web-app-sign-user-app-registration.md

@@ -45,14 +45,14 @@ If you navigate to this link, you can create bootstrap the creation of your web
 1. If your account gives you access to more than one tenant, select your account in the top-right corner, and set your portal session to the desired Azure AD tenant.
 1. In the left-hand navigation pane, select the **Azure Active Directory** service, and then select **App registrations** > **New registration**.
 1. When the **Register an application** page appears, enter your application's registration information:
-   - choose the supported account types for your application (See [Supported Account types](./v2-supported-account-types.md))
-   - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `AspNetCore-WebApp`.
-   - In **Reply URL**, add the reply URL for your app, for instance `https://localhost:44321/`, and select **Register**.
+   1. choose the supported account types for your application (See [Supported Account types](./v2-supported-account-types.md))
+   1. In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `AspNetCore-WebApp`.
+   1. In **Redirect URI**, add the type of application and the URI destination that will accept returned token responses after successfully authenticating. For example, `https://localhost:44321/`.  Select **Register**.
 1. Select the **Authentication** menu, and then add the following information:
-- In **Reply URL**, add `https://localhost:44321/signin-oidc`,  and select **Register**.
-- In the **Advanced settings** section, set **sign out URL** to `https://localhost:44321/signout-oidc`.
-- Under **Implicit grant**, check **ID tokens**.
-- Select **Save**.
+   1. In **Reply URL**, add `https://localhost:44321/signin-oidc`.
+   1. In the **Advanced settings** section, set **Logout URL** to `https://localhost:44321/signout-oidc`.
+   1. Under **Implicit grant**, check **ID tokens**.
+   1. Select **Save**.
 
 ### Register an app using PowerShell