Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into us1669724a

Author: TimShererWithAquent

.openpublishing.redirection.json

@@ -3732,7 +3732,12 @@
     },
     {
       "source_path": "articles/azure-resource-manager/resource-group-create-multiple.md",
-      "redirect_url": "/azure/azure-resource-manager/templates/create-multiple-instances",
+      "redirect_url": "/azure/azure-resource-manager/templates/copy-resources",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/azure-resource-manager/templates/create-multiple-instances.md",
+      "redirect_url": "/azure/azure-resource-manager/templates/copy-resources",
       "redirect_document_id": false
     },
     {
@@ -4662,7 +4667,7 @@
     },
     {
       "source_path": "articles/resource-group-create-multiple.md",
-      "redirect_url": "/azure/azure-resource-manager/templates/create-multiple-instances",
+      "redirect_url": "/azure/azure-resource-manager/templates/copy-resources",
       "redirect_document_id": false
     },
     {
@@ -12037,7 +12042,7 @@
     },
     {
       "source_path": "articles/azure-resource-manager/resource-manager-property-copy.md",
-      "redirect_url": "/azure/azure-resource-manager/templates/create-multiple-instances",
+      "redirect_url": "/azure/azure-resource-manager/templates/copy-properties",
       "redirect_document_id": false
     },
     {
@@ -12047,7 +12052,7 @@
     },
     {
       "source_path": "articles/azure-resource-manager/resource-manager-sequential-loop.md",
-      "redirect_url": "/azure/azure-resource-manager/templates/create-multiple-instances",
+      "redirect_url": "/azure/azure-resource-manager/templates/copy-resources",
       "redirect_document_id": false
     },
     {

CODEOWNERS

@@ -1,6 +1,6 @@
 # Testing the new code owners feature in GitHub. Please contact Cory Fowler if you have questions.
 # Cognitive Services
-articles/cognitive-services/ @diberry @erhopf, @nitinme
+articles/cognitive-services/ @diberry @erhopf @aahill @ievangelist @patrickfarley @nitinme
 
 # DevOps
 articles/ansible/ @TomArcherMsft

articles/active-directory-b2c/claim-resolver-overview.md

@@ -122,7 +122,7 @@ Settings:
 1. The `IncludeClaimResolvingInClaimsHandling` metadata must set to `true`
 1. The input or output claims attribute `AlwaysUseDefaultValue` must set to `true`
 
-## How to use claim resolvers
+## Claim resolvers samples
 
 ### RESTful technical profile
 
@@ -138,12 +138,13 @@ The following example shows a RESTful technical profile:
     <Item Key="ServiceUrl">https://your-app.azurewebsites.net/api/identity</Item>
     <Item Key="AuthenticationType">None</Item>
     <Item Key="SendClaimsIn">Body</Item>
+    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
   </Metadata>
   <InputClaims>
-    <InputClaim ClaimTypeReferenceId="userLanguage" DefaultValue="{Culture:LCID}" />
-    <InputClaim ClaimTypeReferenceId="policyName" DefaultValue="{Policy:PolicyId}" />
-    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="{OIDC:scope}" />
-    <InputClaim ClaimTypeReferenceId="clientId" DefaultValue="{OIDC:ClientId}" />
+    <InputClaim ClaimTypeReferenceId="userLanguage" DefaultValue="{Culture:LCID}" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="policyName" DefaultValue="{Policy:PolicyId}" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="{OIDC:scope}" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="clientId" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
   </InputClaims>
   <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
 </TechnicalProfile>
@@ -175,6 +176,17 @@ As a result Azure AD B2C sends the above parameters to the HTML content page:
 /selfAsserted.aspx?campaignId=hawaii&language=en-US&app=0239a9cc-309c-4d41-87f1-31288feb2e82
 ```
 
+### Content definition
+
+In a [ContentDefinition](contentdefinitions.md) `LoadUri`, you can send claim resolvers to pull content from different places, based on the parameters used. 
+
+```XML
+<ContentDefinition Id="api.signuporsignin">
+  <LoadUri>https://contoso.blob.core.windows.net/{Culture:LanguageName}/myHTML/unified.html</LoadUri>
+  ...
+</ContentDefinition>
+```
+
 ### Application Insights technical profile
 
 With Azure Application Insights and claim resolvers you can gain insights on user behavior. In the Application Insights technical profile, you send input claims that are persisted to Azure Application Insights. For more information, see [Track user behavior in Azure AD B2C journeys by using Application Insights](analytics-with-application-insights.md). The following example sends the policy ID, correlation ID, language, and the client ID to Azure Application Insights.
@@ -192,3 +204,28 @@ With Azure Application Insights and claim resolvers you can gain insights on use
   </InputClaims>
 </TechnicalProfile>
 ```
+
+### Relying party policy
+
+In a [Relying party](relyingparty.md) policy technical profile, you may want to send the tenant ID, or correlation ID to the relying party application. 
+
+```XML
+<RelyingParty>
+    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
+    <TechnicalProfile Id="PolicyProfile">
+      <DisplayName>PolicyProfile</DisplayName>
+      <Protocol Name="OpenIdConnect" />
+      <OutputClaims>
+        <OutputClaim ClaimTypeReferenceId="displayName" />
+        <OutputClaim ClaimTypeReferenceId="givenName" />
+        <OutputClaim ClaimTypeReferenceId="surname" />
+        <OutputClaim ClaimTypeReferenceId="email" />
+        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
+        <OutputClaim ClaimTypeReferenceId="identityProvider" />
+        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
+        <OutputClaim ClaimTypeReferenceId="correlationId" AlwaysUseDefaultValue="true" DefaultValue="{Context:CorrelationId}" />
+      </OutputClaims>
+      <SubjectNamingInfo ClaimType="sub" />
+    </TechnicalProfile>
+  </RelyingParty>
+```

articles/active-directory-b2c/phone-number-claims-transformations.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 02/12/2020
+ms.date: 02/14/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -28,7 +28,8 @@ This claim validates the format of the phone number. If it is in a valid format,
 
 | Item | TransformationClaimType | Data Type | Notes |
 | ---- | ----------------------- | --------- | ----- |
-| InputClaim | inputClaim | string | The claim of string type converting from. |
+| InputClaim | phoneNumberString | string |  The string claim for the phone number. The phone number has to be in international format, complete with a leading "+" and country code. If input claim `country` is provided, the phone number is in local format (without the country code). |
+| InputClaim | country | string | [Optional] The string claim for the country code of the phone number in ISO3166 format (the two-letter ISO-3166 country code). |
 | OutputClaim | outputClaim | phoneNumber | The result of this claims transformation. |
 
 The **ConvertStringToPhoneNumberClaim** claims transformation is always executed from a [validation technical profile](validation-technical-profile.md) that is called by a [self-asserted technical profile](self-asserted-technical-profile.md) or [display control](display-controls.md). The **UserMessageIfClaimsTransformationInvalidPhoneNumber** self-asserted technical profile metadata controls the error message that is presented to the user.
@@ -40,7 +41,8 @@ You can use this claims transformation to ensure that the provided string claim
 ```XML
 <ClaimsTransformation Id="ConvertStringToPhoneNumber" TransformationMethod="ConvertStringToPhoneNumberClaim">
   <InputClaims>
-    <InputClaim ClaimTypeReferenceId="phoneString" TransformationClaimType="inputClaim" />
+    <InputClaim ClaimTypeReferenceId="phoneString" TransformationClaimType="phoneNumberString" />
+    <InputClaim ClaimTypeReferenceId="countryCode" TransformationClaimType="country" />
   </InputClaims>
   <OutputClaims>
     <OutputClaim ClaimTypeReferenceId="phoneNumber" TransformationClaimType="outputClaim" />
@@ -59,11 +61,19 @@ The self-asserted technical profile that calls the validation technical profile
 </TechnicalProfile>
 ```
 
-### Example
+### Example 1
 
 - Input claims:
-  - **inputClaim**: +1 (123) 456-7890
+  - **phoneNumberString**: 045 456-7890
+  - **country**: DK
 - Output claims:
+  - **outputClaim**: +450546148120
+
+### Example 2
+
+- Input claims:
+  - **phoneNumberString**: +1 (123) 456-7890
+- Output claims: 
   - **outputClaim**: +11234567890
 
 ## GetNationalNumberAndCountryCodeFromPhoneNumberString

articles/active-directory/app-provisioning/customize-application-attributes.md

@@ -296,7 +296,7 @@ Certain attributes such as phoneNumbers and emails are multi-value attributes wh
 
 ## Restoring the default attributes and attribute-mappings
 
-Should you need to start over and reset your existing mappings back to their default state, you can select the **Restore default mappings** check box and save the configuration. Doing so sets all mappings as if the application was just added to your Azure AD tenant from the application gallery.
+Should you need to start over and reset your existing mappings back to their default state, you can select the **Restore default mappings** check box and save the configuration. Doing so sets all mappings and scoping filters as if the application was just added to your Azure AD tenant from the application gallery.
 
 Selecting this option will effectively force a resynchronization of all users while the provisioning service is running.
 

articles/active-directory/b2b/current-limitations.md

@@ -31,6 +31,22 @@ Azure AD B2B is subject to Azure AD service directory limits. For details about
 ## National clouds
 [National clouds](https://docs.microsoft.com/azure/active-directory/develop/authentication-national-cloud) are physically isolated instances of Azure. B2B collaboration is not supported across national cloud boundaries. For example, if your Azure tenant is in the public, global cloud, you can't invite a user whose account is in a national cloud. To collaborate with the user, ask them for another email address or create a member user account for them in your directory.
 
+## Azure US Government clouds
+Within the Azure US Government cloud, B2B collaboration is currently only supported between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that isn't part of the Azure US Government cloud or that doesn't yet support B2B collaboration, the invitation will fail or the user won't be able to redeem the invitation. For details about other limitations, see [Azure Active Directory Premium P1 and P2 Variations](https://docs.microsoft.com/azure/azure-government/documentation-government-services-securityandidentity#azure-active-directory-premium-p1-and-p2).
+
+### How can I tell if B2B collaboration is available in my Azure US Government tenant?
+To find out if your Azure US Government cloud tenant supports B2B collaboration, do the following:
+
+1. In a browser, go to the following URL, substituting your tenant name for *<tenantname>*:
+
+   `https://login.microsoftonline.com/<tenantname>/v2.0/.well-known/openid-configuration`
+
+2. Find `"tenant_region_scope"` in the JSON response:
+
+   - If `"tenant_region_scope":"USGOV”` appears, B2B is supported.
+   - If `"tenant_region_scope":"USG"` appears, B2B is not supported.
+ 
+
 ## Next steps
 
 See the following articles on Azure AD B2B collaboration:

articles/active-directory/b2b/self-service-portal.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: sample
-ms.date: 05/08/2018
+ms.date: 02/12/2020
 
 ms.author: mimart
 author: msmimart
@@ -16,17 +16,17 @@ ms.reviewer: mal
 ms.collection: M365-identity-device-management
 ---
 
-# Self-service portal for Azure AD B2B collaboration sign-up
+# Self-service for Azure AD B2B collaboration sign-up
 
-Customers can do a lot with the built-in features that are exposed through the [Azure portal](https://portal.azure.com) and the [Application Access Panel](https://myapps.microsoft.com) for end users. However, you might need to customize the onboarding workflow for B2B users to fit your organization’s needs. You can do that with [the invitation API](https://developer.microsoft.com/graph/docs/api-reference/v1.0/resources/invitation).
+Customers can do a lot with the built-in features that are exposed through the [Azure portal](https://portal.azure.com) and the [Application Access Panel](https://myapps.microsoft.com) for end users. However, you might need to customize the onboarding workflow for B2B users to fit your organization’s needs.
 
-As an inviting organization, you may not know ahead of time who the individual external collaborators are who need access to your resources. You need a way for users from partner companies to sign themselves up with a set of policies that you as the inviting organization controls. This scenario is possible through the APIs. There's a [sample project on GitHub](https://github.com/Azure/active-directory-dotnet-graphapi-b2bportal-web) that does just that.
+## Azure AD entitlement management for B2B guest user sign-up
 
-This GitHub project shows how organizations can use the APIs to provide a policy-based, self-service sign-up capability for your trusted partners, with rules that determine the apps they can access. Partner users can get access to resources when they need them. They can do this securely, without requiring the inviting organization to manually onboard them. You can easily deploy the project into an Azure subscription of your choice.
+As an inviting organization, you might not know ahead of time who the individual external collaborators are who need access to your resources. You need a way for users from partner companies to sign themselves up with policies that you control. If you want to enable users from other organizations to request access, and upon approval be provisioned with guest accounts and assigned to groups, apps and SharePoint Online sites, you can use [Azure AD entitlement management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview) to configure policies that [manage access for external users](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-external-users#how-access-works-for-external-users).
 
-## As-is code
+## Azure Active Directory B2B invitation API
 
-This code is made available as a sample to demonstrate usage of the Azure Active Directory B2B invitation API. It should be customized by your development team or a partner, and should be reviewed before you deploy it in a production scenario.
+Organizations can use the [Microsoft Graph invitation manager API](https://docs.microsoft.com/graph/api/resources/invitation?view=graph-rest-1.0) to build their own onboarding experiences for B2B guest users. When you want to offer self-service B2B guest user sign-up, we recommend that you use [Azure AD entitlement management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview). But if you want to build your own experience, you can use the [create invitation API](https://docs.microsoft.com/graph/api/invitation-post?view=graph-rest-1.0&tabs=http) to automatically send your customized invitation email directly to the B2B user, for example. Or your app can use the inviteRedeemUrl returned in the creation response to craft your own invitation (through your communication mechanism of choice) to the invited user.
 
 ## Next steps
 

articles/active-directory/b2b/toc.yml

@@ -23,8 +23,6 @@
       href: b2b-tutorial-require-mfa.md
   - name: Samples
     items:
-    - name: Self-service sign-up portal sample
-      href: self-service-portal.md
     - name: Code and Azure PowerShell samples
       href: code-samples.md
   - name: Concepts
@@ -50,6 +48,8 @@
       href: conditional-access.md
     - name: B2B for hybrid organizations
       href: hybrid-organizations.md
+    - name: Self-service sign-up
+      href: self-service-portal.md
     - name: Current limitations
       href: current-limitations.md
   - name: How-to guides

articles/active-directory/b2b/troubleshoot.md

@@ -94,6 +94,11 @@ If the identity tenant is a just-in-time (JIT) or viral tenant (meaning it's a s
 
 As of November 18, 2019, guest users in your directory (defined as user accounts where the **userType** property equals **Guest**) are blocked from using the AzureAD PowerShell V1 module. Going forward, a user will need to either be a member user (where **userType** equals **Member**) or use the AzureAD PowerShell V2 module.
 
+## In an Azure US Government tenant, I can't invite a B2B collaboration guest user
+
+Within the Azure US Government cloud, B2B collaboration is currently only supported between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that isn't part of the Azure US Government cloud or that doesn't yet support B2B collaboration, you'll get an error. For details and limitations, see [Azure Active Directory Premium P1 and P2 Variations](https://docs.microsoft.com/azure/azure-government/documentation-government-services-securityandidentity#azure-active-directory-premium-p1-and-p2).
+
+
 ## Next steps
 
 [Get support for B2B collaboration](get-support.md)