MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 55 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 55 additions & 0 deletions
diff --git a/‎articles/active-directory-b2c/claim-resolver-overview.md
Lines changed: 10 additions & 2 deletions b/‎articles/active-directory-b2c/claim-resolver-overview.md
Lines changed: 10 additions & 2 deletions
diff --git a/‎articles/active-directory-b2c/json-transformations.md
Lines changed: 36 additions & 1 deletion b/‎articles/active-directory-b2c/json-transformations.md
Lines changed: 36 additions & 1 deletion
diff --git a/‎articles/active-directory-b2c/string-transformations.md
Lines changed: 41 additions & 6 deletions b/‎articles/active-directory-b2c/string-transformations.md
Lines changed: 41 additions & 6 deletions
diff --git a/‎articles/active-directory-b2c/stringcollection-transformations.md
Lines changed: 35 additions & 1 deletion b/‎articles/active-directory-b2c/stringcollection-transformations.md
Lines changed: 35 additions & 1 deletion
diff --git a/‎articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md
Lines changed: 13 additions & 5 deletions b/‎articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md
Lines changed: 13 additions & 5 deletions
diff --git a/‎articles/active-directory/manage-apps/application-proxy-wildcard.md
Lines changed: 0 additions & 2 deletions b/‎articles/active-directory/manage-apps/application-proxy-wildcard.md
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/active-directory/saas-apps/dynatrace-tutorial.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/saas-apps/dynatrace-tutorial.md
Lines changed: 1 addition & 1 deletion
@@ -1767,6 +1767,21 @@
       "redirect_url": "/azure/cognitive-services/bing-web-search/bing-web-stats",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-csharp-sdk.md",
+      "redirect_url": "/azure/cognitive-services/Anomaly-Detector/quickstarts/client-libraries?pivots=programming-language-csharp",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-nodejs-sdk.md",
+      "redirect_url": "/azure/cognitive-services/Anomaly-Detector/quickstarts/client-libraries?pivots=programming-language-javascript",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-python-sdk.md",
+      "redirect_url": "/azure/cognitive-services/Anomaly-Detector/quickstarts/client-libraries?pivots=programming-language-python",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/cognitive-services/Bing-Web-Search/web-search-sdk-quickstart.md",
       "redirect_url": "/azure/cognitive-services/bing-web-search/quickstarts/client-libraries?pivots=programming-language-csharp",
@@ -7556,6 +7571,46 @@
       "redirect_url": "/azure/azure-monitor/app/java-get-started",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/azure-monitor/app/status-monitor-v2-api-disable-instrumentation-engine.md",
+      "redirect_url": "/azure/azure-monitor/app/status-monitor-v2-api-reference.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/azure-monitor/app/status-monitor-v2-api-disable-monitoring.md",
+      "redirect_url": "/azure/azure-monitor/app/status-monitor-v2-api-reference.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/azure-monitor/app/status-monitor-v2-api-enable-instrumentation-engine.md",
+      "redirect_url": "/azure/azure-monitor/app/status-monitor-v2-api-reference.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/azure-monitor/app/status-monitor-v2-api-enable-monitoring.md",
+      "redirect_url": "/azure/azure-monitor/app/status-monitor-v2-api-reference.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/azure-monitor/app/status-monitor-v2-api-get-config.md",
+      "redirect_url": "/azure/azure-monitor/app/status-monitor-v2-api-reference.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/azure-monitor/app/status-monitor-v2-api-get-status.md",
+      "redirect_url": "/azure/azure-monitor/app/status-monitor-v2-api-reference.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/azure-monitor/app/status-monitor-v2-api-set-config.md",
+      "redirect_url": "/azure/azure-monitor/app/status-monitor-v2-api-reference.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/azure-monitor/app/status-monitor-v2-api-start-trace.md",
+      "redirect_url": "/azure/azure-monitor/app/status-monitor-v2-api-reference.md",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/application-insights/app-insights-mobile-hockeyapp.md",
       "redirect_url": "/azure/azure-monitor/app/hockeyapp-bridge-app",
 
@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/30/2020
+ms.date: 04/21/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -86,7 +86,14 @@ The following sections list available claim resolvers.
 | {Context:IPAddress} | The user IP address. | 11.111.111.11 |
 | {Context:KMSI} | Indicates whether [Keep me signed in](custom-policy-keep-me-signed-in.md) checkbox is selected. |  true |
 
-### Non-protocol parameters
+### Claims 
+
+| Claim | Description | Example |
+| ----- | ----------- | --------|
+| {Claim:claim type} | An identifier of a claim type already defined in the ClaimsSchema section in the policy file or parent policy file.  For example: `{Claim:displayName}`, or `{Claim:objectId}`. | A claim type value.|
+
+
+### OAuth2 key-value parameters
 
 Any parameter name included as part of an OIDC or OAuth2 request can be mapped to a claim in the user journey. For example, the request from the application might include a query string parameter with a name of `app_session`, `loyalty_number`, or any custom query string.
 
@@ -114,6 +121,7 @@ Any parameter name included as part of an OIDC or OAuth2 request can be mapped t
 | {SAML:AllowCreate} | The `AllowCreate` attribute value, from the `NameIDPolicy` element of the SAML request. | True |
 | {SAML:ForceAuthn} | The `ForceAuthN` attribute value, from the `AuthnRequest` element of the SAML request. | True |
 | {SAML:ProviderName} | The `ProviderName` attribute value, from the `AuthnRequest` element of the SAML request.| Contoso.com |
+| {SAML:RelayState} | The `RelayState` query string parameter.| 
 
 ## Using claim resolvers
 
 
@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 12/10/2019
+ms.date: 04/21/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -219,6 +219,39 @@ In the following example, the claims transformation extracts the `id` element fr
 - Output claims:
     - **extractedClaim**: 6353399
 
+## GetSingleItemFromJson
+
+Gets the first element from a JSON data.
+
+| Item | TransformationClaimType | Data Type | Notes |
+| ---- | ----------------------- | --------- | ----- |
+| InputClaim | inputJson | string | The ClaimTypes that are used by the claims transformation to get the item from the JSON data. |
+| OutputClaim | key | string | The first element key in the JSON. |
+| OutputClaim | value | string | The first element value in the JSON. |
+
+In the following example, the claims transformation extracts the first element (given name) from the JSON data.
+
+```XML
+<ClaimsTransformation Id="GetGivenNameFromResponse" TransformationMethod="GetSingleItemFromJson">
+  <InputClaims>
+    <InputClaim ClaimTypeReferenceId="json" TransformationClaimType="inputJson" />
+  </InputClaims>
+  <OutputClaims>
+    <OutputClaim ClaimTypeReferenceId="givenNameKey" TransformationClaimType="key" />
+    <OutputClaim ClaimTypeReferenceId="givenName" TransformationClaimType="value" />
+  </OutputClaims>
+</ClaimsTransformation>
+```
+
+### Example
+
+- Input claims:
+  - **inputJson**: {"givenName": "Emilty", "lastName": "Smith"}
+- Output claims:
+  - **key**: givenName
+  - **value**: Emilty
+
+
 ## GetSingleValueFromJsonArray
 
 Gets the first element from a JSON data array.
@@ -290,3 +323,5 @@ Output claim:
   }
 }
 ```
+
+
@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/16/2020
+ms.date: 04/21/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -365,7 +365,7 @@ Copies localized strings into claims.
 
 | Item | TransformationClaimType | Data Type | Notes |
 | ---- | ----------------------- | --------- | ----- |
-| OutputClaim | The name of the localized string | string | List of claim types that is produced after this claims transformation has been invoked. |
+| OutputClaim | The name of the localized string | string | List of claim types that are produced after this claims transformation has been invoked. |
 
 To use the GetLocalizedStringsTransformation claims transformation:
 
@@ -611,13 +611,17 @@ Checks that a string claim `claimToMatch` and `matchTo` input parameter are equa
 | inputClaim | claimToMatch | string | The claim type, which is to be compared. |
 | InputParameter | matchTo | string | The regular expression to match. |
 | InputParameter | outputClaimIfMatched | string | The value to be set if strings are equal. |
+| InputParameter | extractGroups | boolean | [Optional] Specifies whether the Regex match should extract groups values. Possible values: `true`, or `false` (default). | 
 | OutputClaim | outputClaim | string | If regular expression is match, this output claim contains the value of `outputClaimIfMatched` input parameter. Or null, if no match. |
 | OutputClaim | regexCompareResultClaim | boolean | The regular expression match result output claim type, which is to be set as `true` or `false` based on the result of matching. |
+| OutputClaim| The name of the claim| string | If the extractGroups input parameter set to true, list of claim types that are produced after this claims transformation has been invoked. The name of the claimType must match the Regex group name. | 
 
-For example, checks whether the provided phone number is valid, based on phone number regular expression pattern.
+### Example 1
+
+Checks whether the provided phone number is valid, based on phone number regular expression pattern.
 
 ```XML
-<ClaimsTransformation Id="SetIsPhoneRegex" TransformationMethod="setClaimsIfRegexMatch">
+<ClaimsTransformation Id="SetIsPhoneRegex" TransformationMethod="SetClaimsIfRegexMatch">
   <InputClaims>
     <InputClaim ClaimTypeReferenceId="phone" TransformationClaimType="claimToMatch" />
   </InputClaims>
@@ -632,8 +636,6 @@ For example, checks whether the provided phone number is valid, based on phone n
 </ClaimsTransformation>
 ```
 
-### Example
-
 - Input claims:
     - **claimToMatch**: "64854114520"
 - Input parameters:
@@ -643,6 +645,39 @@ For example, checks whether the provided phone number is valid, based on phone n
     - **outputClaim**: "isPhone"
     - **regexCompareResultClaim**: true
 
+### Example 2
+
+Checks whether the provided email address is valid, and return the email alias.
+
+```XML
+<ClaimsTransformation Id="GetAliasFromEmail" TransformationMethod="SetClaimsIfRegexMatch">
+  <InputClaims>
+    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="claimToMatch" />
+  </InputClaims>
+  <InputParameters>
+    <InputParameter Id="matchTo" DataType="string" Value="(?&lt;mailAlias&gt;.*)@(.*)$" />
+    <InputParameter Id="outputClaimIfMatched" DataType="string" Value="isEmail" />
+    <InputParameter Id="extractGroups" DataType="boolean" Value="true" />
+  </InputParameters>
+  <OutputClaims>
+    <OutputClaim ClaimTypeReferenceId="validationResult" TransformationClaimType="outputClaim" />
+    <OutputClaim ClaimTypeReferenceId="isEmailString" TransformationClaimType="regexCompareResultClaim" />
+    <OutputClaim ClaimTypeReferenceId="mailAlias" />
+  </OutputClaims>
+</ClaimsTransformation>
+```
+
+- Input claims:
+    - **claimToMatch**: "[email protected]"
+- Input parameters:
+    - **matchTo**: `(?&lt;mailAlias&gt;.*)@(.*)$`
+    - **outputClaimIfMatched**:  "isEmail"
+    - **extractGroups**: true
+- Output claims:
+    - **outputClaim**: "isEmail"
+    - **regexCompareResultClaim**: true
+    - **mailAlias**: emily
+    
 ## SetClaimsIfStringsAreEqual
 
 Checks that a string claim and `matchTo` input parameter are equal, and sets the output claims with the value present in `stringMatchMsg` and `stringMatchMsgCode` input parameters, along with  compare result output claim, which is to be set as `true` or `false` based on the result of comparison.
 
@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 02/27/2020
+ms.date: 04/21/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -155,4 +155,38 @@ Following example checks whether the `roles` stringCollection claim type contain
 - Output claims:
     - **outputClaim**: "true"
 
+## StringCollectionContainsClaim
 
+Checks if a StringCollection claim type contains a claim value.
+
+| Item | TransformationClaimType | Data Type | Notes |
+| ---- | ----------------------- | --------- | ----- |
+| InputClaim | collection | stringCollection | The claim type which is to be searched. |
+| InputClaim | item|string| The claim type that contains the value to search.|
+|InputParameter|ignoreCase|string|Specifies whether this comparison should ignore the case of the strings being compared.|
+| OutputClaim | outputClaim | boolean | The ClaimType that is produced after this ClaimsTransformation has been invoked. A boolean indicator if the collection contains such a string |
+
+Following example checks whether the `roles` stringCollection claim type contains the value of the `role` claim type.
+
+```XML
+<ClaimsTransformation Id="HasRequiredRole" TransformationMethod="StringCollectionContainsClaim">
+  <InputClaims>
+    <InputClaim ClaimTypeReferenceId="roles" TransformationClaimType="collection" />
+    <InputClaim ClaimTypeReferenceId="role" TransformationClaimType="item" />
+  </InputClaims>
+  <InputParameters>
+    <InputParameter Id="ignoreCase" DataType="string" Value="true" />
+  </InputParameters>
+  <OutputClaims>
+    <OutputClaim ClaimTypeReferenceId="hasAccess" TransformationClaimType="outputClaim" />
+  </OutputClaims>
+</ClaimsTransformation> 
+```
+
+- Input claims:
+    - **collection**: ["reader", "author", "admin"]
+    - **item**: "Admin"
+- Input parameters:
+    - **ignoreCase**: "true"
+- Output claims:
+    - **outputClaim**: "true"
@@ -14,17 +14,17 @@ ms.date: 09/24/2018
 ms.author: kkrishna
 ms.reviewer: jmprieur
 ms.custom: aaddev
-#Customer intent: As an application developer, I want to restrict an application that I have registered in Azure AD to a select set of users available in my Azure AD tenant
+#Customer intent: As a tenant administrator, I want to restrict an application that I have registered in Azure AD to a select set of users available in my Azure AD tenant
 ---
-# How to: Restrict your Azure AD app to a set of users
+# How to: Restrict your Azure AD app to a set of users in an Azure AD tenant
 
 Applications registered in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who authenticate successfully.
 
 Similarly, in case of a [multi-tenant](howto-convert-app-to-be-multi-tenant.md) app, all users in the Azure AD tenant where this app is provisioned will be able to access this application once they successfully authenticate in their respective tenant.
 
 Tenant administrators and developers often have requirements where an app must be restricted to a certain set of users. Developers can accomplish the same by using popular authorization patterns like Role Based Access Control (RBAC), but this approach requires a significant amount of work on part of the developer.
 
-Azure AD allows tenant administrators and developers to restrict an app to a specific set of users or security groups in the tenant.
+Tenant administrators and developers can restrict an app to a specific set of users or security groups in the tenant by using this built-in feature of Azure AD as well.
 
 ## Supported app configurations
 
@@ -58,7 +58,7 @@ There are two ways to create an application with enabled user assignment. One re
 
 1. Select the application you want to assign a user or security group to from the list.
 1. On the application's **Overview** page, select **Properties** from the application’s left-hand navigation menu.
-1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users must first be assigned to this application before they can access it.
+1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users in the tenant must first be assigned to this application or they won't be able to sign-in to this application.
 1. Select **Save** to save this configuration change.
 
 ### App registration
@@ -71,7 +71,7 @@ There are two ways to create an application with enabled user assignment. One re
 1. Create or select the app you want to manage. You need to be **Owner** of this app registration.
 1. On the application's **Overview** page, follow the **Managed application in local directory** link under the essentials in the top of the page. This will take you to the _managed Enterprise Application_ of your app registration.
 1. From the navigation blade on the left, select **Properties**.
-1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users must first be assigned to this application before they can access it.
+1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users in the tenant must first be assigned to this application or they won't be able to sign-in to this application.
 1. Select **Save** to save this configuration change.
 
 ## Assign users and groups to the app
@@ -85,6 +85,14 @@ Once you've configured your app to enable user assignment, you can go ahead and
      A list of users and security groups will be shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.
 
 1. Once you are done selecting the users and groups, press the **Select** button on bottom to move to the next part.
+1. (Optional) If you have defined App roles in your application, you can use the **Select role** option to assign the selected users and groups to one of the application's roles. 
 1. Press the **Assign** button on the bottom to finish the assignments of users and groups to the app. 
 1. Confirm that the users and groups you added are showing up in the updated **Users and groups** list.
 
+## More information
+
+- [How to: Add app roles in your application](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps)
+- [Add authorization using app roles & roles claims to an ASP.NET Core web app](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles)
+- [Using Security Groups and Application Roles in your apps (Video)](https://www.youtube.com/watch?v=V8VUPixLSiM)
+- [Azure Active Directory, now with Group Claims and Application Roles](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-with-Group-Claims-and-Application/ba-p/243862)
+- [Azure Active Directory app manifest](https://docs.microsoft.com/azure/active-directory/develop/reference-app-manifest)
@@ -46,8 +46,6 @@ For example: `http(s)://*.adventure-works.com`.
 
 While the internal and external URLs can use different domains, as a best practice, they should be same. When publishing the application, you see an error if one of the URLs doesn't have a wildcard.
 
-If you have additional applications with different configuration settings, you must publish these exceptions as separate applications to overwrite the defaults set for the wildcard. Applications without a wildcard do always take precedence over wildcard applications. From the configuration perspective, these are "just" regular applications.
-
 Creating a wildcard application is based on the same [application publishing flow](application-proxy-add-on-premises-application.md) that is available for all other applications. The only difference is that you include a wildcard in the URLs and potentially the SSO configuration.
 
 ## Prerequisites
 
@@ -138,7 +138,7 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
 ## Configure Dynatrace SSO
 
-To configure single sign-on on the **Dynatrace** side, you need to send the downloaded **Federation Metadata XML** file and the appropriate copied URLs from the Azure portal to the [Dynatrace support team](https://www.dynatrace.com/services-support/). They configure this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on the **Dynatrace** side, you need to send the downloaded **Federation Metadata XML** file and the appropriate copied URLs from the Azure portal to [Dynatrace](https://www.dynatrace.com/support/help/shortlink/users-sso-hub). You can follow the instructions on the Dynatrace website to configure the SAML SSO connection on both sides.
 
 ### Create Dynatrace test user