MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 67 additions & 61 deletions b/‎.openpublishing.redirection.json
Lines changed: 67 additions & 61 deletions
diff --git a/‎articles/active-directory-b2c/custom-policy-get-started.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/custom-policy-get-started.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/authentication/concept-mfa-licensing.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/authentication/concept-mfa-licensing.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md
Lines changed: 4 additions & 0 deletions b/‎articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎articles/active-directory/develop/active-directory-v2-protocols.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/develop/active-directory-v2-protocols.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/develop/scenario-web-app-call-api-app-configuration.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/develop/scenario-web-app-call-api-app-configuration.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/develop/single-sign-on-saml-protocol.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/develop/single-sign-on-saml-protocol.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/develop/v2-conditional-access-dev-guide.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/develop/v2-conditional-access-dev-guide.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics.md
Lines changed: 1 addition & 1 deletion
@@ -17552,16 +17552,6 @@
       "redirect_url": "/azure/sql-data-warehouse/sql-data-warehouse-load-with-data-factory",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/sql-data-warehouse/sql-data-warehouse-security-threat-detection.md",
-      "redirect_url": "/azure/sql-database/sql-database-threat-detection-overview",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "articles/sql-data-warehouse/sql-data-warehouse-auditing-overview.md",
-      "redirect_url": "/azure/sql-database/sql-database-auditing",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/sql-data-warehouse/sql-data-warehouse-migrate-code.md",
       "redirect_url": "/azure/sql-data-warehouse/sql-data-warehouse-overview-develop",
@@ -17827,26 +17817,6 @@
       "redirect_url": "/azure/synapse-analytics/quickstart-create-sql-pool-portal",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/sql-database/sql-database-auditing-get-started.md",
-      "redirect_url": "/azure/sql-database/sql-database-auditing",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "articles/sql-database/sql-database-auditing-portal.md",
-      "redirect_url": "/azure/sql-database/sql-database-auditing",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "articles/sql-database/sql-database-auditing-powershell.md",
-      "redirect_url": "/azure/sql-database/sql-database-auditing",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "articles/sql-database/sql-database-auditing-rest.md",
-      "redirect_url": "/azure/sql-database/sql-database-auditing",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/sql-database/sql-database-build-multi-tenant-apps.md",
       "redirect_url": "/azure/sql-database/saas-tenancy-app-design-patterns",
@@ -18557,16 +18527,6 @@
       "redirect_url": "/azure/sql-database/sql-database-advanced-data-security",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/sql-database/sql-database-threat-detection-get-started.md",
-      "redirect_url": "/azure/sql-database/sql-database-threat-detection",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "articles/sql-database/sql-database-threat-detection-portal.md",
-      "redirect_url": "/azure/sql-database/sql-database-threat-detection",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/sql-database/sql-database-troubleshoot-backup-and-restore.md",
       "redirect_url": "/azure/sql-database/sql-database-recovery-using-backups",
@@ -19302,11 +19262,6 @@
       "redirect_url": "/azure/load-balancer/load-balancer-get-started-internet-portal",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/virtual-machines/windows/sql/virtual-machines-windows-sql-register-with-rp.md",
-      "redirect_url": "/azure/virtual-machines/windows/sql/virtual-machines-windows-sql-register-with-resource-provider",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/load-balancer/load-balancer-configure-sqlao.md",
       "redirect_url": "/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-alwayson-int-listener",
@@ -29647,11 +29602,6 @@
       "redirect_url": "/azure/data-factory/v1/data-factory-amazon-redshift-connector",
       "redirect_document_id": true
     },
-    {
-      "source_path": "articles/data-factory/connector-azure-sql-database-managed-insance.md",
-      "redirect_url": "/azure/data-factory/connector-azure-sql-database-managed-instance",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/data-factory/how-to-read-write-partitioned-data.md",
       "redirect_url": "/azure/data-factory/tutorial-incremental-copy-overview",
@@ -32857,11 +32807,6 @@
       "redirect_url": "/azure/service-fabric/service-fabric-security-controls",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/sql-database/sql-database-security-attributes.md",
-      "redirect_url": "/azure/sql-database/sql-database-security-controls",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/storage/common/storage-security-attributes.md",
       "redirect_url": "/azure/storage/common/storage-security-controls",
@@ -52299,11 +52244,6 @@
       "redirect_url": "/azure/developer/terraform/",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/sql-database/sql-database-auditing-and-threat-detection-powershell.md",
-      "redirect_url": "/azure/sql-database/scripts/sql-database-auditing-and-threat-detection-powershell",
-      "redirect_document_id": true
-    },
     {
       "source_path": "articles/media-services/azure-media-player/azure-media-player-license.md",
       "redirect_url": "/legal/azure-media-player/azure-media-player-license",
@@ -52428,6 +52368,72 @@
       "source_path":"articles/azure-monitor/app/alerts.md",
       "redirect_url":"/azure/azure-monitor/platform/alerts-log",
       "redirect_document_id": false 		
+    },
+    {
+      "source_path": "articles/virtual-machines/windows/sql/virtual-machines-windows-sql-register-with-rp.md",
+      "redirect_url": "/azure/virtual-machines/windows/sql/virtual-machines-windows-sql-register-with-resource-provider",
+      "redirect_document_id": false
+    },    
+    {   
+      "source_path": "articles/sql-database/sql-database-security-attributes.md",
+      "redirect_url": "/azure/sql-database/sql-database-security-controls",
+      "redirect_document_id": false
+    },    
+    {
+      "source_path": "articles/data-factory/connector-azure-sql-database-managed-insance.md",
+      "redirect_url": "/azure/data-factory/connector-azure-sql-database-managed-instance",
+      "redirect_document_id": false
+    },          
+    {
+      "source_path": "articles/sql-data-warehouse/sql-data-warehouse-security-threat-detection.md",
+      "redirect_url": "/azure/sql-database/sql-database-threat-detection-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/sql-database/sql-database-threat-detection-get-started.md",
+      "redirect_url": "/azure/sql-database/sql-database-threat-detection",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/sql-database/sql-database-threat-detection-portal.md",
+      "redirect_url": "/azure/sql-database/sql-database-threat-detection",
+      "redirect_document_id": false
+    },
+    {
+        "source_path": "articles/sql-data-warehouse/sql-data-warehouse-auditing-overview.md",
+        "redirect_url": "/azure/sql-database/sql-database-auditing",
+        "redirect_document_id": false
+    },  
+    {
+        "source_path": "articles/sql-database/sql-database-auditing-get-started.md",
+        "redirect_url": "/azure/sql-database/sql-database-auditing",
+        "redirect_document_id": false
+    },
+    {
+        "source_path": "articles/sql-database/sql-database-auditing-portal.md",
+        "redirect_url": "/azure/sql-database/sql-database-auditing",
+        "redirect_document_id": false
+    },
+    {
+        "source_path": "articles/sql-database/sql-database-auditing-powershell.md",
+        "redirect_url": "/azure/sql-database/sql-database-auditing",
+        "redirect_document_id": false
+    },
+    {
+        "source_path": "articles/sql-database/sql-database-auditing-rest.md",
+        "redirect_url": "/azure/sql-database/sql-database-auditing",
+        "redirect_document_id": false
+    },    
+    {
+        "source_path": "articles/sql-database/sql-database-auditing-and-threat-detection-powershell.md",
+        "redirect_url": "/azure/sql-database/scripts/sql-database-auditing-and-threat-detection-powershell",
+        "redirect_document_id": true
+      },
+      {
+        "source_path": "articles/cdn/endpoint-multiorigin.md",
+        "redirect_url": "/azure/cdn/cdn-overview",
+        "redirect_document_id": false
     }
-  ]
+
+]
 }
@@ -134,7 +134,7 @@ Next, specify that the application should be treated as a public client:
 
 1. Under **Manage**, select **Authentication**.
 1. Select **Try out the new experience** (if shown).
-1. Under **Advanced settings**, enable **Treat application as a public client** (select **Yes**).
+1. Under **Advanced settings**, enable **Treat application as a public client** (select **Yes**). Ensure that **"allowPublicClient": true** is set in the application manifest. 
 1. Select **Save**.
 
 Now, grant permissions to the API scope you exposed earlier in the *IdentityExperienceFramework* registration:
 
@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/20/2020
+ms.date: 05/20/2020
 
 ms.author: iainfou
 author: iainfoulds
@@ -30,7 +30,7 @@ Azure Multi-Factor Authentication can be used, and licensed, in a few different
 | EMS or Microsoft 365 E3 and E5 | EMS E3 or Microsoft 365 E3 (that includes EMS and Office 365), includes Azure AD Premium P1. EMS E5 or Microsoft 365 E5 includes Azure AD Premium P2. You can use the same Conditional Access features noted in the following sections to provide multi-factor authentication to users. |
 | Azure AD Premium P1 | You can use [Azure AD Conditional Access](../conditional-access/overview.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements. |
 | Azure AD Premium P2 | Provides the strongest security position and improved user experience. Adds [risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts. |
-| Office 365 Business Premium, E3, or E5 | Azure Multi-Factor Authentication is either enabled or disabled for all users, for all sign-in events. There is no ability to only enable multi-factor authentication for a subset of users, or only under certain scenarios. Management is through the Office 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see [secure Office 365 resources with multi-factor authentication](https://support.office.com/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6). |
+| Office 365 Business Premium, E3, or E5 | Azure Multi-Factor Authentication can be [enabled on a per-user basis](howto-mfa-userstates.md), or enabled or disabled for all users, for all sign-in events, using security defaults. Management of Azure Multi-Factor Authentication is through the Office 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see [secure Office 365 resources with multi-factor authentication](https://support.office.com/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6). |
 | Azure AD free | You can use [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) to enable multi-factor authentication for all users, every time an authentication request is made. You don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the *Azure AD Global Administrator* role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication. |
 
 ## Feature comparison of versions
 
@@ -115,6 +115,10 @@ In addition to the Microsoft apps, administrators can add any Azure AD registere
 - [Custom applications not in the gallery](../manage-apps/add-non-gallery-app.md)
 - [Legacy applications published through app delivery controllers and networks](../manage-apps/secure-hybrid-access.md)
 
+> [!NOTE]
+> Since Conditional access policy sets the requirements for accessing a service you are not able to apply it to a client (public/native) application. Other words the policy is not set directly on a client (public/native) application, but is applied when a client calls a service. For example, a policy set on SharePoint service applies to the clients calling SharePoint. A policy set on Exchange applies to the attempt to access the email using Outlook client. That is why client (public/native) applications are not available for selection in the Cloud Apps picker and Conditional Access option is not available in the application settings for the client (public/native) application registered in your tenant. 
+
+
 ## User actions
 
 User actions are tasks that can be performed by a user. The only currently supported action is **Register security information**, which allows Conditional Access policy to enforce when users who are enabled for combined registration attempt to register their security information. More information can be found in the article, [Combined security information registration](../authentication/concept-registration-mfa-sspr-combined.md).
 
@@ -18,7 +18,7 @@ ms.custom: aaddev
 
 # OAuth 2.0 and OpenID Connect protocols on Microsoft identity platform
 
-The Microsoft identity platform endpoint for identity-as-a-service with industry standard protocols, OpenID Connect (OIDC) and OAuth 2.0. While the service is standards-compliant, there can be subtle differences between any two implementations of these protocols. The information here will be useful if you choose to write your code by directly sending and handling HTTP requests or use a third-party open-source library, rather than using one of our [open-source libraries](reference-v2-libraries.md).
+The Microsoft identity platform endpoint for identity-as-a-service implements authentication and authorization with industry standard protocols OpenID Connect (OIDC) and OAuth 2.0, respectively. While the service is standards-compliant, there can be subtle differences between any two implementations of these protocols. The information here will be useful if you choose to write your code by directly sending and handling HTTP requests or use a third-party open-source library, rather than using one of our [open-source libraries](reference-v2-libraries.md).
 
 ## The basics
 
 
@@ -269,14 +269,14 @@ The ASP.NET core tutorial uses dependency injection to let you decide the token
 
 ```csharp
 // Use a distributed token cache by adding:
-    services.AddSignIn(Configuration, "AzureAd");
+    services.AddSignIn(Configuration, "AzureAd")
             .AddWebAppCallsProtectedWebApi(Configuration,
                                            initialScopes: new string[] { "user.read" })
             .AddDistributedTokenCaches();
 
 // Then, choose your implementation.
 // For instance, the distributed in-memory cache (not cleared when you stop the app):
-services.AddDistributedMemoryCache()
+services.AddDistributedMemoryCache();
 
 // Or a Redis cache:
 services.AddStackExchangeRedisCache(options =>
 
@@ -89,10 +89,10 @@ The `Scoping` element, which includes a list of identity providers, is optional
 If provided, don't include the `ProxyCount` attribute, `IDPListOption` or `RequesterID` element, as they aren't supported.
 
 ### Signature
-Don't include a `Signature` element in `AuthnRequest` elements, as Azure AD does not support signed authentication requests.
+Don't include a `Signature` element in `AuthnRequest` elements. Azure AD does not validate signed authentication requests. Requestor verification is provided for by only responding to registered Assertion Consumer Service URLs.
 
 ### Subject
-Azure AD ignores the `Subject` element of `AuthnRequest` elements.
+Don't include a `Subject` element. Azure AD doesn't support specifying a subject for a request and will return an error if one is provided.
 
 ## Response
 When a requested sign-on completes successfully, Azure AD posts a response to the cloud service. A response to a successful sign-on attempt looks like the following sample:
 
@@ -171,7 +171,7 @@ error_description=AADSTS50076: Due to a configuration change made by your admini
 
 Our app needs to catch the `error=interaction_required`. The application can then use either `acquireTokenPopup()` or `acquireTokenRedirect()` on the same resource. The user is forced to do a multi-factor authentication. After the user completes the multi-factor authentication, the app is issued a fresh access token for the requested resource.
 
-To try out this scenario, see our [JS SPA On-behalf-of code sample](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/blob/master/Microsoft.Identity.Web/README.md#handle-conditional-access). This code sample uses the Conditional Access policy and web API you registered earlier with a JS SPA to demonstrate this scenario. It shows how to properly handle the claims challenge and get an access token that can be used for your web API. Alternatively, checkout the general [Angular.js code sample](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2) for guidance on an Angular SPA
+To try out this scenario, see our [JS SPA On-behalf-of code sample](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/blob/a2b257381b410c765ee01ecb611aa6f98c099eb1/2.%20Web%20API%20now%20calls%20Microsoft%20Graph/README.md). This code sample uses the Conditional Access policy and web API you registered earlier with a JS SPA to demonstrate this scenario. It shows how to properly handle the claims challenge and get an access token that can be used for your web API. Alternatively, checkout the general [Angular.js code sample](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2) for guidance on an Angular SPA
 
 ## See also
 
 
@@ -21,7 +21,7 @@ When you [add a gallery app](add-gallery-app.md) or a [non-gallery web app](add-
 > [!NOTE]
 > Adding a gallery app? Find step-by-step setup instructions in the [list of SaaS app tutorials](../saas-apps/tutorial-list.md)
 
-To configure SAML single sign-on for a non-gallery application without writing code, you need to have a subscription along with an Azure AD Premium license and the application must support SAML 2.0. For more information about Azure AD versions, visit [Azure AD pricing](https://azure.microsoft.com/pricing/details/active-directory/).
+To configure SAML single sign-on for a non-gallery application without writing code, you need to have an Azure AD subscription and the application must support SAML 2.0. For more information about Azure AD versions, visit [Azure AD pricing](https://azure.microsoft.com/pricing/details/active-directory/).
 
 ## Before you begin
 
 
@@ -57,7 +57,7 @@ The logs are pushed to the **AuditLogs** and **SigninLogs** tables in the worksp
 
 1. From the default query view in the previous section, select **Schema** and expand the workspace. 
 
-2. Expand the **Log Management** section and then expand either **AuditLogs** or **SignInLogs** to view the log schema.
+2. Expand the **Log Management** section and then expand either **AuditLogs** or **SigninLogs** to view the log schema.
     ![Audit logs](./media/howto-analyze-activity-logs-log-analytics/auditlogschema.png)
     ![Signin logs](./media/howto-analyze-activity-logs-log-analytics/signinlogschema.png)