Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: yegu-ms

.openpublishing.redirection.json

@@ -42587,6 +42587,21 @@
       "source_path": "articles/security/fundamentals/service-fabric-checklist.md",
       "redirect_url": "/azure/service-fabric/service-fabric-best-practices-security",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/security/fundamentals/white-papers.md",
+      "redirect_url": "https://azure.microsoft.com/resources/whitepapers/search/?term=security&type=WhitePaperResource",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/security/fundamentals/overviews.md",
+      "redirect_url": "/azure/security/fundamentals/overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/security/fundamentals/mvp.md",
+      "redirect_url": "https://mvp.microsoft.com/",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory/authentication/active-directory-passwords-troubleshoot.md

@@ -125,16 +125,16 @@ A best practice when you troubleshoot problems with password writeback is to ins
 | 31018| KeyPairCreationSuccess| This event indicates that we successfully created the password encryption key. This key is used to encrypt passwords from the cloud to be sent to your on-premises environment.|
 | 32000| UnknownError| This event indicates an unknown error occurred during a password management operation. Look at the exception text in the event for more details. If you're having problems, try disabling and then re-enabling password writeback. If this does not help, include a copy of your event log along with the tracking ID specified insider to your support engineer.|
 | 32001| ServiceError| This event indicates there was an error connecting to the cloud password reset service. This error generally occurs when the on-premises service was unable to connect to the password-reset web service.|
-| 32002| ServiceBusError| This event indicates there was an error connecting to your tenant’s Service Bus instance. This can happen if you're blocking outbound connections in your on-premises environment. Check your firewall to ensure that you allow connections over TCP 443 and to https://ssprsbprodncu-sb.accesscontrol.windows.net/, and then try again. If you're still having problems, try disabling and then re-enabling password writeback.|
+| 32002| ServiceBusError| This event indicates there was an error connecting to your tenant’s Service Bus instance. This can happen if you're blocking outbound connections in your on-premises environment. Check your firewall to ensure that you allow connections over TCP 443 and to https://ssprdedicatedsbprodncu.servicebus.windows.net, and then try again. If you're still having problems, try disabling and then re-enabling password writeback.|
 | 32003| InPutValidationError| This event indicates that the input passed to our web service API was invalid. Try the operation again.|
 | 32004| DecryptionError| This event indicates that there was an error decrypting the password that arrived from the cloud. This might be due to a decryption key mismatch between the cloud service and your on-premises environment. To resolve this problem, disable and then re-enable password writeback in your on-premises environment.|
 | 32005| ConfigurationError| During onboarding, we save tenant-specific information in a configuration file in your on-premises environment. This event indicates that there was an error saving this file or that when the service was started, there was an error reading the file. To fix this problem, try disabling and then re-enabling password writeback to force a rewrite of the configuration file.|
 | 32007| OnBoardingConfigUpdateError| During onboarding, we send data from the cloud to the on-premises password-reset service. That data is then written to an in-memory file before it is sent to the sync service to be stored securely on disk. This event indicates that there is a problem with writing or updating that data in memory. To fix this problem, try disabling and then re-enabling password writeback to force a rewrite of this configuration file.|
 | 32008| ValidationError| This event indicates we received an invalid response from the password-reset web service. To fix this problem, try disabling and then re-enabling password writeback.|
 | 32009| AuthTokenError| This event indicates that we couldn't get an authorization token for the global administrator account specified during Azure AD Connect setup. This error can be caused by a bad username or password specified for the global admin account. This error can also occur if the global admin account specified is federated. To fix this problem, rerun the configuration with the correct username and password and ensure that the administrator is a managed (cloud-only or password-synchronized) account.|
 | 32010| CryptoError| This event indicates there was an error generating the password encryption key or decrypting a password that arrives from the cloud service. This error likely indicates a problem with your environment. Look at the details of your event log to learn more about how to resolve this problem. You can also try disabling and then re-enabling the password writeback service.|
-| 32011| OnBoardingServiceError| This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the onboarding process. This can happen as a result of a firewall rule or if there is a problem getting an authentication token for your tenant. To fix this problem, ensure that you're not blocking outbound connections over TCP 443 and TCP 9350-9354 or to https://ssprsbprodncu-sb.accesscontrol.windows.net/. Also ensure that the Azure AD admin account you're using to onboard isn't federated.|
-| 32013| OffBoardingError| This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the offboarding process. This can happen as a result  of a firewall rule or if there is a problem getting an authorization token for your tenant. To fix this problem, ensure that you're not blocking outbound connections over 443 or to https://ssprsbprodncu-sb.accesscontrol.windows.net/, and that the Azure Active Directory admin account you're using to offboard isn't federated.|
+| 32011| OnBoardingServiceError| This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the onboarding process. This can happen as a result of a firewall rule or if there is a problem getting an authentication token for your tenant. To fix this problem, ensure that you're not blocking outbound connections over TCP 443 and TCP 9350-9354 or to https://ssprdedicatedsbprodncu.servicebus.windows.net. Also ensure that the Azure AD admin account you're using to onboard isn't federated.|
+| 32013| OffBoardingError| This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the offboarding process. This can happen as a result  of a firewall rule or if there is a problem getting an authorization token for your tenant. To fix this problem, ensure that you're not blocking outbound connections over 443 or to https://ssprdedicatedsbprodncu.servicebus.windows.net, and that the Azure Active Directory admin account you're using to offboard isn't federated.|
 | 32014| ServiceBusWarning| This event indicates that we had to retry to connect to your tenant’s Service Bus instance. Under normal conditions, this should not be a concern, but if you see this event many times, consider checking your network connection to Service Bus, especially if it’s a high-latency or low-bandwidth connection.|
 | 32015| ReportServiceHealthError| In order to monitor the health of your password writeback service, we send heartbeat data to our password-reset web service every five minutes. This event indicates that there was an error when sending this health information back to the cloud web service. This health information does not include an object identifiable information (OII) or personally identifiable information (PII) data, and is purely a heartbeat and basic service statistics so that we can provide service status information in the cloud.|
 | 33001| ADUnKnownError| This event indicates that there was an unknown error returned by Active Directory. Check the Azure AD Connect server event log for events from the ADSync source for more information.|
@@ -173,7 +173,7 @@ For more granularity, reference the updated list of [Microsoft Azure Datacenter
 For more information, review the connectivity prerequisites in the [Prerequisites for Azure AD Connect](../hybrid/how-to-connect-install-prerequisites.md) article.
 
 > [!NOTE]
-> SSPR can also fail if the account if the "Password never expires" or "User cannot change password" settings are configured on the account in AD DS on-premises. 
+> SSPR can also fail if the "Password never expires" or "User cannot change password" settings are configured on the account in AD DS on-premises. 
 
 ### Restart the Azure AD Connect Sync service
 

articles/active-directory/authentication/concept-sspr-howitworks.md

@@ -94,6 +94,12 @@ Users do not have the option to register their mobile app when registering for s
 > [!WARNING]
 > You must enable the [Converged registration for self-service password reset and Azure Multi-Factor Authentication (Public preview)](concept-registration-mfa-sspr-converged.md) before users will be able to access the new experience at [https://aka.ms/setupsecurityinfo](https://aka.ms/setupsecurityinfo).
 
+> [!IMPORTANT]
+> The authenticator app cannot be selected as the only authentication method when configuring a 1-gate policy. Similarly, the authenticator app and only one additional method cannot be selected when configuring a 2-gates policy.
+> Then, when configuring SSPR policies that include the authenticator app as a method, at least an additional method should be selected when configuring a 1-gate policy, and at least two additional methods should be selected when configuring a 2-gates policy.
+> The reason for this requirement is because the current SSPR registration experience does not include the option to register the authenticator app. The option to register the authenticator app is included with the new [Converged registration for self-service password reset and Azure Multi-Factor Authentication (Public preview)](concept-registration-mfa-sspr-converged.md).
+> Allowing policies that only use the authenticator app (for 1-gate policies), or the authenticator app and only one additional method (for 2-gates policies), could lead to users being blocked from registering for  SSPR until they have been configured to use the new registration experience.
+
 ### Change authentication methods
 
 If you start with a policy that has only one required authentication method for reset or unlock registered and you change that to two methods, what happens?

articles/active-directory/authentication/howto-sspr-reporting.md

@@ -36,10 +36,6 @@ The following questions can be answered by the reports that exist in the [Azure
 * What admins are resetting their own passwords frequently?
 * Is there any suspicious activity going on with password reset?
 
-## Power BI content pack
-
-If you're a Power BI user, there is a content pack for Azure AD that includes easy-to-use reporting for SSPR. For more information on how to use and deploy the content pack, see [How to use the Azure Active Directory Power BI content pack](../reports-monitoring/howto-power-bi-content-pack.md). With the content pack, you can create your own dashboards and share them with others in your organization.
-
 ## How to view password management reports in the Azure portal
 
 In the Azure portal experience, we have improved the way that you can view password reset and password reset registration activity. Use the following the steps to find the password reset and password reset registration events:

articles/active-directory/develop/identity-platform-integration-checklist.md

@@ -71,7 +71,7 @@ Use the following checklist to ensure that your application is effectively integ
 |---|---|
 | ![checkbox](./media/active-directory-integration-checklist/checkbox-two.svg) | Use modern authentication solutions (OAuth 2.0, [OpenID Connect](v2-protocols-oidc.md)) to securely sign in users. |
 | ![checkbox](./media/active-directory-integration-checklist/checkbox-two.svg) |  Don't program directly against protocols such as OAuth 2.0 and Open ID. Instead, leverage the [Microsoft Authentication Library (MSAL)](msal-overview.md). The MSAL libraries securely wrap security protocols in an easy-to-use library, and you get built-in support for [Conditional Access](/azure/active-directory/conditional-access/overview) scenarios, device-wide [single sign-on (SSO)](/azure/active-directory/manage-apps/what-is-single-sign-on), and built-in token caching support. For more info, see the list of Microsoft supported [client libraries](reference-v2-libraries.md#microsoft-supported-client-libraries) and [middleware libraries](reference-v2-libraries.md#microsoft-supported-server-middleware-libraries) and the list of [compatible third-party client libraries](reference-v2-libraries.md#compatible-client-libraries).<br/><br/>If you must hand code for the authentication protocols, you should follow a methodology such as [Microsoft SDL](https://www.microsoft.com/sdl/default.aspx). Pay close attention to the security considerations in the standards specifications for each protocol.|
-| ![checkbox](./media/active-directory-integration-checklist/checkbox-two.svg) |  Migrate existing apps from [Azure Active Directory Authentication Library (ADAL)](active-directory-authentication-libraries.md) to [Microsoft Authentication Library](msal-overview.md). MSAL is Microsoft’s latest identity platform solution and is preferred to ADAL. It is available on .NET and JavaScript and is also in public preview for Android, iOS, Python, and Java. Read more about migrating [ADAL.NET](msal-net-migration.md), [ADAL.js](msal-compare-msal-js-and-adal-js.md), and [ADAL.NET and iOS broker](msal-net-migration-ios-broker.md) apps.|
+| ![checkbox](./media/active-directory-integration-checklist/checkbox-two.svg) |  Migrate existing apps from [Azure Active Directory Authentication Library (ADAL)](active-directory-authentication-libraries.md) to [Microsoft Authentication Library](msal-overview.md). MSAL is Microsoft’s latest identity platform solution and is preferred to ADAL. It is available on .NET, JavaScript, Android, iOS, macOS and is also in public preview for Python and Java. Read more about migrating [ADAL.NET](msal-net-migration.md), [ADAL.js](msal-compare-msal-js-and-adal-js.md), and [ADAL.NET and iOS broker](msal-net-migration-ios-broker.md) apps.|
 | ![checkbox](./media/active-directory-integration-checklist/checkbox-two.svg) |  For mobile apps, configure each platform using the application registration experience. In order for your application to take advantage of the Microsoft Authenticator or Microsoft Company Portal for single sign-in, your app needs a “broker redirect URI” configured. This allows Microsoft to return control to your application after authentication. When configuring each platform, the app registration experience will guide you through the process. Use the quickstart to download a working example. On iOS, use brokers and system webview whenever possible.|
 | ![checkbox](./media/active-directory-integration-checklist/checkbox-two.svg) |  In web apps or web APIs, keep one token cache per account.  For web apps, the token cache should be keyed by the account ID.  For web APIs, the account should be keyed by the hash of the token used to call the API. MSAL.NET provides custom token cache serialization in the .NET Framework and .NET Core subplatforms. For security and performance reasons, our recommendation is to serialize one cache per user. For more information, read about [token cache serialization](msal-net-token-cache-serialization.md#token-cache-for-a-web-app-confidential-client-application).|
 | ![checkbox](./media/active-directory-integration-checklist/checkbox-two.svg) | If the data your app requires is available through [Microsoft Graph](https://developer.microsoft.com/graph), request permissions for this data using the Microsoft Graph endpoint rather than the individual API. |

articles/active-directory/devices/faq.md

@@ -130,11 +130,11 @@ See below on how these actions can be rectified.
 
 ### Q: Why are there devices marked as "Pending" under the REGISTERED column in the Azure portal?
 
-**A**:  Pending indicates the device is not registered. This state indicates that a device has been synchronized using Azure AD connect from on-premises AD and is ready for device registration. These device have the JOIN TYPE set to "Hybrid Azure AD joined". Learn more on [how to plan your hybrid Azure Active Directory join implementation](hybrid-azuread-join-plan.md).
+**A**:  Pending indicates that the device is not registered. This state indicates that a device has been synchronized using Azure AD connect from an on-premises AD and is ready for device registration. These devices have the JOIN TYPE set to "Hybrid Azure AD joined". Learn more on [how to plan your hybrid Azure Active Directory join implementation](hybrid-azuread-join-plan.md).
 
 >[!NOTE]
 >A device can also change from having a registered state to "Pending"
->* If a device is deleted and from Azure AD first and re-synchronized from on-premises AD.
+>* If a device is deleted from Azure AD first and re-synchronized from an on-premises AD.
 >* If a device is removed from a sync scope on Azure AD Connect and added back.
 >
 >In both cases, you must re-register the device manually on each of these devices. To review whether the device was previously registered, you can [troubleshoot devices using the dsregcmd command](troubleshoot-device-dsregcmd.md).