Merge branch 'master' into managed-identity-based-authentication

Author: ttorble

.openpublishing.redirection.json

@@ -62,4 +62,4 @@
         "auditd"
     ],
     "git.ignoreLimitWarning": true
-}
+}

.vscode/settings.json

@@ -80,8 +80,8 @@ To onboard your Azure AD tenant (the **Customer**), create an [Azure Resource Ma
 
 Download the Azure Resource Manager template and parameter files:
 
-- [rgDelegatedResourceManagement.json](https://raw.githubusercontent.com/Azure/Azure-Lighthouse-samples/master/Azure-Delegated-Resource-Management/templates/rg-delegated-resource-management/rgDelegatedResourceManagement.json)
-- [rgDelegatedResourceManagement.parameters.json](https://raw.githubusercontent.com/Azure/Azure-Lighthouse-samples/master/Azure-Delegated-Resource-Management/templates/rg-delegated-resource-management/rgDelegatedResourceManagement.parameters.json)
+- [rgDelegatedResourceManagement.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/rg-delegated-resource-management/rgDelegatedResourceManagement.json)
+- [rgDelegatedResourceManagement.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/rg-delegated-resource-management/rgDelegatedResourceManagement.parameters.json)
 
 Next, update the parameters file with the values you recorded earlier. The following JSON snippet shows an example of an Azure Resource Manager template parameters file. For `authorizations.value.roleDefinitionId`, use the [built-in role](../role-based-access-control/built-in-roles.md) value for the *Contributor role*, `b24988ac-6180-42a0-ab88-20f7382dd24c`.
 

articles/active-directory-b2c/azure-monitor.md

@@ -112,7 +112,7 @@ Next, expose the API by adding a scope:
 1. In **App registrations (Legacy)**, select **New application registration**.
 1. For **Name**, enter `ProxyIdentityExperienceFramework`.
 1. For **Application type**, choose **Native**.
-1. For **Redirect URI**, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com`, where `your-tenant-name` is your Azure AD B2C tenant.
+1. For **Redirect URI**, enter `myapp://auth`.
 1. Select **Create**. After it's created, copy the application ID and save it to use later.
 1. Select **Settings**, then select **Required permissions**, and then select **Add**.
 1. Choose **Select an API**, search for and select **IdentityExperienceFramework**, and then click **Select**.
@@ -125,7 +125,7 @@ Next, expose the API by adding a scope:
 1. For **Name**, enter `ProxyIdentityExperienceFramework`.
 1. Under **Supported account types**, select **Accounts in this organizational directory only**.
 1. Under **Redirect URI**, use the drop-down to select **Public client/native (mobile & desktop)**.
-1. For **Redirect URI**, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com`, where `your-tenant-name` is your Azure AD B2C tenant.
+1. For **Redirect URI**, enter `myapp://auth`.
 1. Under **Permissions**, select the *Grant admin consent to openid and offline_access permissions* check box.
 1. Select **Register**.
 1. Record the **Application (client) ID** for use in a later step.

articles/active-directory-b2c/custom-policy-get-started.md

@@ -165,7 +165,7 @@ Now that you have a button in place, you need to link it to an action. The actio
 To use ADFS as an identity provider in Azure AD B2C, you need to create an ADFS Relying Party Trust with the Azure AD B2C SAML metadata. The following example shows a URL address to the SAML metadata of an Azure AD B2C technical profile:
 
 ```
-https://your-tenant-name.b2clogin.com/your-tenant-name/your-policy/samlp/metadata?idptp=your-technical-profile
+https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/your-policy/samlp/metadata?idptp=your-technical-profile
 ```
 
 Replace the following values:

articles/active-directory-b2c/identity-provider-adfs2016-custom.md

@@ -22,22 +22,16 @@
   items:
   - name: Authentication methods
     href: concept-authentication-methods.md
-  - name: Passwordless authentication
-    href: concept-authentication-passwordless.md
-  - name: Security information registration
-    href: concept-registration-mfa-sspr-combined.md
-  - name: Password reset
+  - name: Self-service password reset
     items:
     - name: How password reset works
       href: concept-sspr-howitworks.md
-    - name: Password reset options
-      href: concept-sspr-customization.md
-    - name: Password reset policies
-      href: concept-sspr-policy.md
-    - name: What license do I need?
-      href: concept-sspr-licensing.md
     - name: On-premises integration
       href: concept-sspr-writeback.md
+    - name: Policies
+      href: concept-sspr-policy.md
+    - name: Licenses
+      href: concept-sspr-licensing.md
   - name: Multi-Factor Authentication
     items:
     - name: How MFA works
@@ -50,12 +44,16 @@
       href: https://docs.microsoft.com/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
     - name: FAQ
       href: multi-factor-authentication-faq.md
-  - name: Azure AD password protection
+  - name: Passwordless authentication
+    href: concept-authentication-passwordless.md
+  - name: Password protection
     items:
     - name: Eliminate weak passwords in the cloud
       href: concept-password-ban-bad.md
     - name: Eliminate weak passwords on-premises
       href: concept-password-ban-bad-on-premises.md
+  - name: Security information registration
+    href: concept-registration-mfa-sspr-combined.md
   - name: Resilient access controls
     href: concept-resilient-controls.md
 - name: How-to guides
@@ -64,6 +62,8 @@
     items:
     - name: Deployment guide
       href: howto-sspr-deployment.md
+    - name: User customization options
+      href: howto-sspr-customization.md
     - name: Pre-register authentication data
       href: howto-sspr-authenticationdata.md
     - name: SSPR for Windows clients
@@ -100,28 +100,6 @@
         href: howto-mfa-nps-extension-rdg.md
       - name: VPN
         href: howto-mfa-nps-extension-vpn.md
-  - name: Security info registration
-    items:
-    - name: Enable combined registration
-      href: howto-registration-mfa-sspr-combined.md
-    - name: Troubleshoot combined registration
-      href: howto-registration-mfa-sspr-combined-troubleshoot.md
-  - name: Azure AD password protection
-    items:
-    - name: Plan and deploy on-premises
-      href: howto-password-ban-bad-on-premises-deploy.md
-    - name: Enable and configure on-premises
-      href: howto-password-ban-bad-on-premises-operations.md
-    - name: Monitor on-premises deployments
-      href: howto-password-ban-bad-on-premises-monitor.md
-    - name: Troubleshoot on-premises deployments
-      href: howto-password-ban-bad-on-premises-troubleshoot.md
-    - name: On-premises FAQs
-      href: howto-password-ban-bad-on-premises-faq.md
-    - name: On-premises agent version history
-      href: howto-password-ban-bad-on-premises-agent-versions.md
-  - name: Azure AD smart lockout
-    href: howto-password-smart-lockout.md
   - name: Passwordless
     items: 
       - name: Deploying passwordless
@@ -138,16 +116,38 @@
         href: howto-authentication-passwordless-phone.md
       - name: Windows Hello for Business
         href: https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification
+  - name: Security info registration
+    items:
+    - name: Enable combined registration
+      href: howto-registration-mfa-sspr-combined.md
+    - name: Troubleshoot combined registration
+      href: howto-registration-mfa-sspr-combined-troubleshoot.md
+  - name: On-premises password protection
+    items:
+    - name: Plan and deploy
+      href: howto-password-ban-bad-on-premises-deploy.md
+    - name: Enable and configure
+      href: howto-password-ban-bad-on-premises-operations.md
+    - name: Monitor
+      href: howto-password-ban-bad-on-premises-monitor.md
+    - name: Troubleshoot
+      href: howto-password-ban-bad-on-premises-troubleshoot.md
+    - name: FAQs
+      href: howto-password-ban-bad-on-premises-faq.md
+    - name: Agent version history
+      href: howto-password-ban-bad-on-premises-agent-versions.md
   - name: Use SMS-based authentication (preview)
     href: howto-authentication-sms-signin.md
+  - name: Azure AD smart lockout
+    href: howto-password-smart-lockout.md
   - name: Certificate-based authentication
     items:
     - name: Get started with certificate auth
       href: active-directory-certificate-based-authentication-get-started.md
       items:
-      - name: CBA on Android Devices
+      - name: Use on Android Devices
         href: active-directory-certificate-based-authentication-android.md
-      - name: CBA on iOS Devices
+      - name: Use on iOS Devices
         href: active-directory-certificate-based-authentication-ios.md
   - name: Reporting
     items:

articles/active-directory/authentication/TOC.yml

@@ -24,7 +24,7 @@ iOS devices can use certificate-based authentication (CBA) to authenticate to Az
 
 Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.
 
-This topic provides you with the requirements and the supported scenarios for configuring CBA on an iOS(Android) device for users of tenants in Office 365 Enterprise, Business, Education, US Government, China, and Germany plans.
+This topic provides you with the requirements and the supported scenarios for configuring CBA on an iOS device for users of tenants in Office 365 Enterprise, Business, Education, US Government, China, and Germany plans.
 
 This feature is available in preview in Office 365 US Government Defense and Federal plans.
 

articles/active-directory/authentication/active-directory-certificate-based-authentication-ios.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 07/11/2018
+ms.date: 04/15/2020
 
 ms.author: iainfou
 author: iainfoulds
@@ -232,7 +232,7 @@ This FAQ is split into the following sections:
   >
 * **Q:  Is there an API to access the password reset or registration reporting data?**
 
-  > **A:** Yes. To learn how you can access the password reset reporting data stream, see [Learn how to access password reset reporting events programmatically](https://msdn.microsoft.com/library/azure/mt126081.aspx#BKMK_SsprActivityEvent).
+  > **A:** Yes. To learn how you can access the password reset reporting data, see the [Azure Log Analytics REST API Reference](/rest/api/loganalytics/).
   >
   >
 

articles/active-directory/authentication/active-directory-passwords-faq.md

@@ -1,40 +1,39 @@
 ---
 title: Combined registration for SSPR and MFA - Azure Active Directory
-description: Azure AD Multi-Factor Authentication and self-service password reset registration (preview)
+description: Azure AD Multi-Factor Authentication and self-service password reset registration
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 03/06/2020
+ms.date: 04/15/2020
 
 ms.author: iainfou
 author: iainfoulds
 manager: daveba
-ms.reviewer: sahenry
+ms.reviewer: rhicock
 
 ms.collection: M365-identity-device-management
 ---
-# Combined security information registration (preview)
+# Combined security information registration overview
 
 Before combined registration, users registered authentication methods for Azure Multi-Factor Authentication and self-service password reset (SSPR) separately. People were confused that similar methods were used for Multi-Factor Authentication and SSPR but they had to register for both features. Now, with combined registration, users can register once and get the benefits of both Multi-Factor Authentication and SSPR.
 
+This article outlines what combined security registration is. To get started with combined security registration, see the following article:
+
+> [!div class="nextstepaction"]
+> [Enable combined security regiration](howto-registration-mfa-sspr-combined.md)
+
 ![My Profile showing registered Security info for a user](media/concept-registration-mfa-sspr-combined/combined-security-info-defualts-registered.png)
 
 Before enabling the new experience, review this administrator-focused documentation and the user-focused documentation to ensure you understand the functionality and effect of this feature. Base your training on the [user documentation](../user-help/user-help-security-info-overview.md) to prepare your users for the new experience and help to ensure a successful rollout.
 
 Azure AD combined security information registration is not currently available to national clouds like Azure US Government, Azure Germany, or Azure China 21Vianet.
 
-|     |
-| --- |
-| Combined security information registration for Multi-Factor Authentication and Azure Active Directory (Azure AD) self-service password reset is a public preview feature of Azure AD. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).|
-|     |
-
 > [!IMPORTANT]
 > Users who are enabled for both the original preview and the enhanced combined registration experience will see the new behavior. Users who are enabled for both experiences will see only the new My Profile experience. The new My Profile aligns with the look and feel of combined registration and provides a seamless experience for users. Users can see My Profile by going to [https://myprofile.microsoft.com](https://myprofile.microsoft.com).
-
-> [!NOTE] 
-> You might encounter an error message while trying to access the Security info option. For example, "Sorry, we can't sign you in". In this case, confirm that you don't have any configuration or group policy object that blocks third-party cookies on the web browser. 
+>
+> You might encounter an error message while trying to access the Security info option. For example, "Sorry, we can't sign you in". In this case, confirm that you don't have any configuration or group policy object that blocks third-party cookies on the web browser.
 
 My Profile pages are localized based on the language settings of the computer accessing the page. Microsoft stores the most recent language used in the browser cache, so subsequent attempts to access the pages will continue to render in the last language used. If you clear the cache, the pages will re-render. If you want to force a specific language, you can add `?lng=<language>` to the end of the URL, where `<language>` is the code of the language you want to render.
 
@@ -74,7 +73,6 @@ As we continue to add more authentication methods to Azure AD, those methods wil
 There are two modes of combined registration: interrupt and manage.
 
 - **Interrupt mode** is a wizard-like experience, presented to users when they register or refresh their security info at sign-in.
-
 - **Manage mode** is part of the user profile and allows users to manage their security info.
 
 For both modes, users who have previously registered a method that can be used for Multi-Factor Authentication will need to perform Multi-Factor Authentication before they can access their security info.
@@ -136,14 +134,8 @@ A user who has previously set up at least one method that can be used for Multi-
 
 ## Next steps
 
-[Force users to re-register authentication methods](howto-mfa-userdevicesettings.md#manage-user-authentication-options)
-
-[Enable combined registration in your tenant](howto-registration-mfa-sspr-combined.md)
-
-[SSPR and MFA usage and insights reporting](howto-authentication-methods-usage-insights.md)
-
-[Available methods for Multi-Factor Authentication and SSPR](concept-authentication-methods.md)
+To get started, see the tutorials to [enable self-service password reset](tutorial-enable-sspr.md) and [enable Azure Multi-Factor Authentication](tutorial-enable-azure-mfa.md).
 
-[Configure self-service password reset](howto-sspr-deployment.md)
+Learn how to [enable combined registration in your tenant](howto-registration-mfa-sspr-combined.md) or [force users to re-register authentication methods](howto-mfa-userdevicesettings.md#manage-user-authentication-options).
 
-[Configure Azure Multi-Factor Authentication](howto-mfa-getstarted.md)
+You can also review the [available methods for Azure Multi-Factor Authentication and SSPR](concept-authentication-methods.md).