Merge pull request #49173 from MicrosoftDocs/master

8/16 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -26421,6 +26421,11 @@
             "redirect_url": "/azure/azure-stack/user/azure-stack-create-vm-template",
             "redirect_document_id": false
         },
+        {
+            "source_path": "articles/azure-stack/user/azure-stack-powershell-download.md",
+            "redirect_url": "/azure/azure-stack/azure-stack-powershell-download",
+            "redirect_document_id": false
+        },
         {
             "source_path": "articles/active-directory/application-proxy-teams.md",
             "redirect_url": "/azure/active-directory/manage-apps/application-proxy-integrate-with-teams",

articles/active-directory-b2c/active-directory-b2c-setup-aad-custom.md

@@ -8,7 +8,7 @@ manager: mtillman
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 04/04/2017
+ms.date: 08/15/2018
 ms.author: davidmu
 ms.component: B2C
 ---
@@ -109,7 +109,7 @@ You can define Azure AD as a claims provider by adding Azure AD to the `<ClaimsP
                     <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
                     <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
                     <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
-                    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="contosoAuthentication" />
+                    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
                     <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureADContoso" />
                 </OutputClaims>
                 <OutputClaimsTransformations>

articles/active-directory-b2c/active-directory-b2c-setup-sf-app-custom.md

@@ -8,7 +8,7 @@ manager: mtillman
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 06/11/2017
+ms.date: 08/15/2018
 ms.author: davidmu
 ms.component: B2C
 ---
@@ -146,7 +146,7 @@ You need to define Salesforce as a claims provider so users can sign in by using
             <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name"/>
             <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
             <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="username"/>
-            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="externalIdp"/>
+            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication"/>
             <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="SAMLIdp" />
           </OutputClaims>
           <OutputClaimsTransformations>

articles/active-directory/TOC.md

@@ -400,34 +400,6 @@
 ### [Retrieve access review results](active-directory-azure-ad-controls-retrieve-access-review.md)
 
 ## Secure your identities
-### Conditional access
-#### [Overview](conditional-access/overview.md)
-#### Quickstarts
-##### [Require MFA for specific apps](conditional-access/app-based-mfa.md)
-##### [Require terms of use to be accepted](conditional-access/require-tou.md)
-##### [Block access when a session risk is detected](conditional-access/app-sign-in-risk.md)
-#### Tutorials
-##### [Migrate classic MFA policy](conditional-access/policy-migration-mfa.md)
-#### Concepts
-##### [Baseline Protection](conditional-access/baseline-protection.md)
-##### [Conditions](conditional-access/conditions.md)
-##### [Location conditions](conditional-access/location-condition.md)
-##### [Controls](conditional-access/controls.md)
-##### [What if tool](conditional-access/what-if-tool.md)
-#### How-to guides
-##### [Best practices](conditional-access/best-practices.md)
-##### [Require MFA for access attempts from untrusted networks](conditional-access/untrusted-networks.md)
-##### [Require managed devices](conditional-access/require-managed-devices.md)
-##### [Require approved client apps](conditional-access/app-based-conditional-access.md)
-##### [Require terms of use for users and apps](active-directory-tou.md)
-##### [Migrate classic policies](conditional-access/policy-migration.md)
-##### [Set up VPN connectivity](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy)
-##### [Set up SharePoint and Exchange Online](conditional-access/conditional-access-for-exo-and-spo.md)
-##### [Remediation](active-directory-conditional-access-device-remediation.md)
-#### [Reference](conditional-access/technical-reference.md)
-##### [Technical reference](conditional-access/technical-reference.md)
-#### [FAQs](conditional-access/faqs.md)
-
 ### Certificate-based Authentication
 #### [Android](active-directory-certificate-based-authentication-android.md)
 #### [iOS](active-directory-certificate-based-authentication-ios.md)

articles/active-directory/conditional-access/TOC.yml

@@ -0,0 +1,64 @@
+- name: Conditional Access Documentation
+  href: index.yml
+- name: Overview
+  items:
+  - name: What is conditional access?
+    href: overview.md
+- name: Quickstarts
+  items:
+  - name: Require MFA for specific apps
+    href: app-based-mfa.md
+  - name: Require terms of use to be accepted
+    href: require-tou.md
+  - name: Block access when a session risk is detected
+    href: app-sign-in-risk.md
+- name: Tutorials
+  items:
+  - name: Migrate classic MFA policies
+    href: policy-migration-mfa.md
+- name: Concepts
+  expanded: false
+  items:
+  - name: Baseline Protection
+    href: baseline-protection.md
+  - name: Conditions
+    href: conditions.md
+  - name: Location conditions
+    href: location-condition.md
+  - name: Controls
+    href: controls.md
+  - name: What if tool
+    href: what-if-tool.md
+- name: How-to guides
+  expanded: true
+  items:
+  - name: Best practices
+    href: best-practices.md
+  - name: Require MFA for access attempts from untrusted networks
+    href: untrusted-networks.md
+  - name: Require managed devices
+    href: require-managed-devices.md
+  - name: Require approved client apps
+    href: app-based-conditional-access.md
+  - name: Control access to Exchange Online and SharePoint Online
+    href: conditional-access-for-exo-and-spo.md
+  - name: Migrate classic policies
+    href: policy-migration.md
+- name: Reference
+  items:
+  - name: Technical reference
+    href: technical-reference.md
+- name: Resources
+  items:
+  - name: Azure feedback forum
+    href: https://feedback.azure.com/forums/169401-azure-active-directory
+  - name: MSDN forum
+    href: https://social.msdn.microsoft.com/Forums/azure/home?forum=WindowsAzureAD
+  - name: Pricing
+    href: https://azure.microsoft.com/pricing/details/active-directory/
+  - name: Service updates
+    href: ../fundamentals/whats-new.md
+  - name: Stack Overflow
+    href: http://stackoverflow.com/questions/tagged/azure-active-directory
+  - name: Videos
+    href: https://azure.microsoft.com/documentation/videos/index/?services=active-directory

articles/active-directory/conditional-access/index.yml

@@ -0,0 +1,58 @@
+### YamlMime:YamlDocument
+documentType: LandingData
+title: Azure AD Conditional Access Documentation
+metadata:
+  document_id: 
+  title: Azure Active Directory Conditional Access Documentation - Tutorials, quickstarts, concepts, references | Microsoft Docs
+  description: Learn how to configure and test Azure Active Directory conditional access.
+  services: active-directory
+  ms.component: authentication
+  author: MarkusVi
+  manager: mtillman
+  ms.service: active-directory
+  ms.tgt_pltfrm: na
+  ms.devlang: na
+  ms.topic: landing-page
+  ms.date: 08/14/2018
+  ms.author: markvi
+abstract:
+  description: "Learn how to master the balance between security and productivity by configuring Azure AD conditional access.
+With conditional access policies, you can factor how your cloud apps are accessed into your access decisions.
+For example, you can address in your access decisions the following questions:<ul><li>What is the user&#39;s network location?</li><li>Has the access attempt be initiated from a managed device?</li><li>From which client app has a connection attempt been initiated?</li><li>Has an access attempt been made from a risky sign-in?</li></ul>The following resources help you to quickly get started."
+  aside:
+    image:
+      alt: 
+      height: 110
+      src: ./media/index/video.png
+      width: 246  
+    title: Conditional access explained
+    href: https://www.youtube.com/watch?v=A7IrxAH87wc
+    width: 246
+sections:
+- title: 5-minute quickstarts
+  items:
+  - type: paragraph
+    text: 'Learn how to configure conditional access policies for common access scenarios.'
+  - type: list
+    style: icon48
+    items: 
+    - image: 
+        src: ./media/index/i_security-management.png
+      text: Require MFA for specific apps
+      href: app-based-mfa.md
+    - image: 
+        src: ./media/index/i_security-management.png
+      text: Block access when a session risk is detected
+      href: app-sign-in-risk.md
+    - image: 
+        src: ./media/index/i_security-management.png
+      text: Require terms of use to be accepted 
+      href: require-tou.md
+- title: Step-by-Step Tutorials
+  items:
+  - type: paragraph
+    text: Learn how to migrate your classic conditional access policies.
+  - type: list
+    style: unordered
+    items:
+    - html: <a href="/azure/active-directory/conditional-access/policy-migration-mfa">Migrate a classic policy that requires multi-factor authentication</a>

articles/active-directory/conditional-access/media/index/i_security-management.png

@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: landing-page
-ms.date: 04/13/2018
+ms.date: 08/16/2018
 ms.author: mtillman
 experimental: true
 experiment_id: "50f26fb6-3aa0-42"
@@ -98,7 +98,7 @@ Azure Active Directory (Azure AD) is a multi-tenant, cloud-based directory and i
                         <h3>Protection</h3>
                         <p>
                         <a href="/azure/active-directory/active-directory-identityprotection">Identity protection</a><br/>
-                        <a href="/azure/active-directory/active-directory-conditional-access-azure-portal">Conditional access</a><br/>
+                        <a href="/azure/active-directory/conditional-access/index">Conditional access</a><br/>
                         <a href="/azure/active-directory/privileged-identity-management/pim-configure">Privileged identity management</a>
                         </p>
                     </div>

articles/active-directory/conditional-access/media/index/video.png

@@ -38,7 +38,11 @@ In this article, you learn how to perform the following Managed Service Identity
 - To run the CLI script examples, you have three options:
     - Use [Azure Cloud Shell](../../cloud-shell/overview.md) from the Azure portal (see next section).
     - Use the embedded Azure Cloud Shell via the "Try It" button, located in the top right corner of each code block.
-    - [Install the latest version of CLI 2.0](https://docs.microsoft.com/cli/azure/install-azure-cli) (2.0.13 or later) if you prefer to use a local CLI console. 
+    - [Install the latest version of Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) if you prefer to use a local CLI console.
+      
+      > [!NOTE]
+      > The commands have been updated to reflect the latest release of the [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli).     
+        
 
 [!INCLUDE [cloud-shell-try-it.md](../../../includes/cloud-shell-try-it.md)]
 
@@ -84,7 +88,7 @@ If you need to enable the system assigned identity on an existing VM:
    az vm identity assign -g myResourceGroup -n myVm
    ```
 
-### Disable the system assigned identity from an Azure VM
+### Disable system assigned identity from an Azure VM
 
 If you have a Virtual Machine that no longer needs the system assigned identity, but still needs user assigned identities, use the following command:
 
@@ -136,7 +140,7 @@ This section walks you through creation of a VM with assignment of a user assign
        "clientSecretUrl": "https://control-westcentralus.identity.azure.net/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MSI NAME>/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
        "id": "/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MSI NAME>",
        "location": "westcentralus",
-       "name": "<MSI NAME>",
+       "name": "<USER ASSIGNED IDENTITY NAME>",
        "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
        "resourceGroup": "<RESOURCE GROUP>",
        "tags": {},
@@ -145,10 +149,10 @@ This section walks you through creation of a VM with assignment of a user assign
    }
    ```
 
-3. Create a VM using [az vm create](/cli/azure/vm/#az-vm-create). The following example creates a VM associated with the new user assigned identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VM NAME>`, `<USER NAME>`, `<PASSWORD>`, and `<MSI ID>` parameter values with your own values. For `<MSI ID>`, use the user assigned identity's resource `id` property created in the previous step: 
+3. Create a VM using [az vm create](/cli/azure/vm/#az-vm-create). The following example creates a VM associated with the new user assigned identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VM NAME>`, `<USER NAME>`, `<PASSWORD>`, and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values. 
 
    ```azurecli-interactive 
-   az vm create --resource-group <RESOURCE GROUP> --name <VM NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <MSI ID>
+   az vm create --resource-group <RESOURCE GROUP> --name <VM NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY NAME>
    ```
 
 ### Assign a user assigned identity to an existing Azure VM
@@ -161,7 +165,7 @@ This section walks you through creation of a VM with assignment of a user assign
     ```azurecli-interactive
     az identity create -g <RESOURCE GROUP> -n <MSI NAME>
     ```
-The response contains details for the user assigned managed identity created, similar to the following. The resource `id` value assigned to the user assigned identity is used in the following step.
+   The response contains details for the user assigned managed identity created, similar to the following. 
 
    ```json
    {
@@ -178,18 +182,18 @@ The response contains details for the user assigned managed identity created, si
    }
    ```
 
-2. Assign the user assigned identity to your VM using [az vm identity assign](/cli/azure/vm#az-vm-identity-assign). Be sure to replace the `<RESOURCE GROUP>` and `<VM NAME>` parameter values with your own values. The `<MSI ID>` will be the user assigned identity's resource `id` property, as created in the previous step:
+2. Assign the user assigned identity to your VM using [az vm identity assign](/cli/azure/vm#az-vm-identity-assign). Be sure to replace the `<RESOURCE GROUP>` and `<VM NAME>` parameter values with your own values. The `<USER ASSIGNED IDENTITY>` is the user assigned identity's resource `name` property, as created in the previous step:
 
     ```azurecli-interactive
-    az vm identity assign -g <RESOURCE GROUP> -n <VM NAME> --identities <MSI ID>
+    az vm identity assign -g <RESOURCE GROUP> -n <VM NAME> --identities <USER ASSIGNED IDENTITY>
     ```
 
 ### Remove a user assigned identity from an Azure VM
 
-To remove a user assigned identity from a VM use [az vm identity remove](/cli/azure/vm#az-vm-identity-remove). Be sure to replace the `<RESOURCE GROUP>` and `<VM NAME>` parameter values with your own values. The `<MSI NAME>` will be the user assigned identity's `name` property, which can be found by in the identity section of the VM using `az vm identity show`:
+To remove a user assigned identity from a VM use [az vm identity remove](/cli/azure/vm#az-vm-identity-remove). If this is the only user assigned identity assigned to the virtual machine, `UserAssigned` will be removed from the identity type value.  Be sure to replace the `<RESOURCE GROUP>` and `<VM NAME>` parameter values with your own values. The `<USER ASSIGNED IDENTITY>` will be the user assigned identity's `name` property, which can be found in the identity section of the virtual machine using `az vm identity show`:
 
 ```azurecli-interactive
-az vm identity remove -g <RESOURCE GROUP> -n <VM NAME> --identities <MSI NAME>
+az vm identity remove -g <RESOURCE GROUP> -n <VM NAME> --identities <USER ASSIGNED IDENTITY>
 ```
 
 If your VM does not have a system assigned identity and you want to remove all user assigned identities from it, use the following command:
@@ -198,13 +202,13 @@ If your VM does not have a system assigned identity and you want to remove all u
 > The value `none` is case sensitive. It must be lowercase.
 
 ```azurecli-interactive
-az vm update -n myVM -g myResourceGroup --set identity.type="none" identity.identityIds=null
+az vm update -n myVM -g myResourceGroup --set identity.type="none" identity.userAssignedIdentities=null
 ```
 
 If your VM has both system assigned and user assigned identities, you can remove all the user assigned identities by switching to use only system assigned. Use the following command:
 
 ```azurecli-interactive
-az vm update -n myVM -g myResourceGroup --set identity.type='SystemAssigned' identity.identityIds=null 
+az vm update -n myVM -g myResourceGroup --set identity.type='SystemAssigned' identity.userAssignedIdentities=null 
 ```
 
 ## Related content