Merge pull request #105737 from julieMSFT/release-rebrand-sqldw

Dirty PR to resolve merge conflicts with master in release-rebrand-sqldw

Author: ktoliver

.openpublishing.redirection.json

@@ -3666,6 +3666,11 @@
       "redirect_url": "/azure/architecture",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/azure-monitor/azure-monitor-log-hub.md",
+      "redirect_url": "/azure/azure-monitor/overview",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/cloud-services/cloud-services-dotnet-diagnostics-storage.md",
       "redirect_url": "/azure/azure-monitor/platform/diagnostics-extension-to-storage",

articles/active-directory-b2c/TOC.yml

@@ -350,8 +350,9 @@
     - name: Azure Monitor
       href: azure-monitor.md
       displayName: log, logs, logging, usage, events
-    - name: Account management
+    - name: Manage users - Microsoft Graph
       href: manage-user-accounts-graph-api.md
+      displayName: account, accounts
     - name: Deploy with Azure Pipelines
       href: deploy-custom-policies-devops.md
       displayName: azure devops, ci/cd, cicd, custom policy, policies

articles/active-directory-b2c/phone-authentication.md

@@ -1,29 +1,35 @@
 ---
-title: Phone sign-up and sign-in with custom policies
+title: Phone sign-up and sign-in with custom policies (Preview)
 titleSuffix: Azure AD B2C
-description: Learn how to send one-time passwords in text messages to your application users' phones with custom policies in Azure Active Directory B2C.
+description: Send one-time passwords (OTP) in text messages to your application users' phones with custom policies in Azure Active Directory B2C.
 services: active-directory-b2c
 author: mmacy
 manager: celestedg
 
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 12/17/2019
+ms.date: 02/25/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
 
-# Set up phone sign-up and sign-in with custom policies in Azure AD B2C
+# Set up phone sign-up and sign-in with custom policies in Azure AD B2C (Preview)
 
 Phone sign-up and sign-in in Azure Active Directory B2C (Azure AD B2C) enables your users to sign up and sign in to your applications by using a one-time password (OTP) sent in a text message to their phone. One-time passwords can help minimize the risk of your users forgetting or having their passwords compromised.
 
 Follow the steps in this article to use the custom policies to enable your customers to sign up and sign in to your applications by using a one-time password sent to their phone.
 
 [!INCLUDE [b2c-public-preview-feature](../../includes/active-directory-b2c-public-preview.md)]
 
+## Pricing
+
+One-time passwords are sent to your users by using SMS text messages, and you may be charged for each message sent. For pricing information, see the **Separate Charges** section of [Azure Active Directory B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/).
+
 ## Prerequisites
 
+You need the following resources in place before setting up OTP.
+
 * [Azure AD B2C tenant](tutorial-create-tenant.md)
 * [Web application registered](tutorial-register-applications.md) in your tenant
 * [Custom policies](custom-policy-get-started.md) uploaded to your tenant
@@ -66,6 +72,22 @@ As you upload each file, Azure adds the prefix `B2C_1A_`.
 1. Select **Run now** and sign up using an email address or a phone number.
 1. Select **Run now** once again and sign in with the same account to confirm that you have the correct configuration.
 
+## Get user account by phone number
+
+A user that signs up with a phone number but does not provide a recovery email address is recorded in your Azure AD B2C directory with their phone number as their sign-in name. If the user then wishes to change their phone number, your help desk or support team must first find their account, and then update their phone number.
+
+You can find a user by their phone number (sign-in name) by using [Microsoft Graph](manage-user-accounts-graph-api.md):
+
+```http
+GET https://graph.microsoft.com/v1.0/users?$filter=identities/any(c:c/issuerAssignedId eq '+{phone number}' and c/issuer eq '{tenant name}.onmicrosoft.com')
+```
+
+For example:
+
+```http
+GET https://graph.microsoft.com/v1.0/users?$filter=identities/any(c:c/issuerAssignedId eq '+450334567890' and c/issuer eq 'contosob2c.onmicrosoft.com')
+```
+
 ## Next steps
 
 You can find the phone sign-up and sign-in custom policy starter pack (and other starter packs) on GitHub:

articles/active-directory/authentication/concept-mfa-licensing.md

@@ -39,7 +39,7 @@ The following table provides a list of the features that are available in the va
 
 | Feature | Azure AD Free - Security defaults | Azure AD Free - Azure AD Global Administrators | Office 365 Business Premium, E3, or E5 | Azure AD Premium P1 or P2 |
 | --- |:---:|:---:|:---:|:---:|
-| Protect Azure AD admin accounts with MFA | ● | ● (*Azure AD Global Administrator* accounts only) | ● | ● |
+| Protect Azure AD tenant admin accounts with MFA | ● | ● (*Azure AD Global Administrator* accounts only) | ● | ● |
 | Mobile app as a second factor | ● | ● | ● | ● |
 | Phone call as a second factor | | ● | ● | ● |
 | SMS as a second factor | | ● | ● | ● |

articles/active-directory/conditional-access/concept-conditional-access-grant.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 02/21/2020
+ms.date: 02/26/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -52,7 +52,7 @@ Selecting this checkbox will require users to perform Azure Multi-Factor Authent
 
 Organizations who have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet specific compliance requirements. This policy compliance information is forwarded from Intune to Azure AD where Conditional Access can make decisions to grant or block access to resources. For more information about compliance policies, see the article [Set rules on devices to allow access to resources in your organization using Intune](https://docs.microsoft.com/intune/protect/device-compliance-get-started).
 
-A device can be marked as compliant by Intune (for any device OS) or by third-party MDM system for Windows 10 devices. Third-party MDM systems for device OS types other than Windows 10 are not supported.
+A device can be marked as compliant by Intune (for any device OS) or by third-party MDM system for Windows 10 devices. Jamf pro is the only supported third-party MDM system. More information about integration can be found in the article, [Integrate Jamf Pro with Intune for compliance](/intune/protect/conditional-access-integrate-jamf).
 
 Devices must be registered in Azure AD before they can be marked as compliant. More information about device registration can be found in the article, [What is a device identity](../devices/overview.md).
 

articles/active-directory/develop/howto-authenticate-service-principal-powershell.md

@@ -46,7 +46,7 @@ You can set the scope at the level of the subscription, resource group, or resou
 
 ## Create service principal with self-signed certificate
 
-The following example covers a simple scenario. It uses [New-​AzAD​Service​Principal](/powershell/module/az.resources/new-azadserviceprincipal) to create a service principal with a self-signed certificate, and uses [New-​Azure​Rm​Role​Assignment](/powershell/module/az.resources/new-azroleassignment) to assign the [Reader](/azure/role-based-access-control/built-in-roles#reader) role to the service principal. The role assignment is scoped to your currently selected Azure subscription. To select a different subscription, use [Set-AzContext](/powershell/module/Az.Accounts/Set-AzContext).
+The following example covers a simple scenario. It uses [New-​AzAD​Service​Principal](/powershell/module/az.resources/new-azadserviceprincipal) to create a service principal with a self-signed certificate, and uses [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) to assign the [Reader](/azure/role-based-access-control/built-in-roles#reader) role to the service principal. The role assignment is scoped to your currently selected Azure subscription. To select a different subscription, use [Set-AzContext](/powershell/module/Az.Accounts/Set-AzContext).
 
 > [!NOTE]
 > The New-SelfSignedCertificate cmdlet and the PKI module are currently not supported in PowerShell Core. 

articles/active-directory/develop/howto-create-service-principal-portal.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
-ms.date: 10/14/2019
+ms.date: 02/26/2020
 ms.author: ryanwi
 ms.reviewer: tomfitz
 ms.custom: aaddev, seoapril2019, identityplatformtop40
@@ -81,16 +81,26 @@ Daemon applications can use two forms of credentials to authenticate with Azure
 
 ### Upload a certificate
 
-You can use an existing certificate if you have one.  Optionally, you can create a self-signed certificate for testing purposes. Open PowerShell and run [New-SelfSignedCertificate](/powershell/module/pkiclient/new-selfsignedcertificate) with the following parameters to create a self-signed certificate in the user certificate store on your computer: 
+You can use an existing certificate if you have one.  Optionally, you can create a self-signed certificate for *testing purposes only*. Open PowerShell and run [New-SelfSignedCertificate](/powershell/module/pkiclient/new-selfsignedcertificate) with the following parameters to create a self-signed certificate in the user certificate store on your computer: 
 
 ```powershell
 $cert=New-SelfSignedCertificate -Subject "CN=DaemonConsoleCert" -CertStoreLocation "Cert:\CurrentUser\My"  -KeyExportPolicy Exportable -KeySpec Signature
 ```
 
 Export this certificate to a file using the [Manage User Certificate](/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in) MMC snap-in accessible from the Windows Control Panel.
 
+1. Select **Run** from the **Start** menu, and then enter **certmgr.msc**.
+
+   The Certificate Manager tool for the current user appears.
+
+1. To view your certificates, under **Certificates - Current User** in the left pane, expand the **Personal** directory.
+1. Right-click on the cert you created, select **All tasks->Export**.
+1. Follow the Certificate Export wizard.  Export the private key, specify a password for the cert file, and export to a file.
+
 To upload the certificate:
 
+1. Select **Azure Active Directory**.
+1. From **App registrations** in Azure AD, select your application.
 1. Select **Certificates & secrets**.
 1. Select **Upload certificate** and select the certificate (an existing certificate or the self-signed certificate you exported).
 
@@ -142,15 +152,21 @@ In your Azure subscription, your account must have `Microsoft.Authorization/*/Wr
 
 To check your subscription permissions:
 
-1. Select your account in the upper right corner, and select **... -> My permissions**.
+1. Search for and select **Subscriptions**, or select **Subscriptions** on the **Home** page.
 
-   ![Select your account and your user permissions](./media/howto-create-service-principal-portal/select-my-permissions.png)
+   ![Search](./media/howto-create-service-principal-portal/select-subscription.png)
+
+1. Select the subscription you want to create the service principal in.
+
+   ![Select subscription for assignment](./media/howto-create-service-principal-portal/select-one-subscription.png)
+
+   If you don't see the subscription you're looking for, select **global subscriptions filter**. Make sure the subscription you want is selected for the portal.
 
-1. From the drop-down list, select the subscription you want to create the service principal in. Then, select **Click here to view complete access details for this subscription**.
+1. Select **My permissions**. Then, select **Click here to view complete access details for this subscription**.
 
    ![Select the subscription you want to create the service principal in](./media/howto-create-service-principal-portal/view-details.png)
 
-1. Select **Role assignments** to view your assigned roles, and determine if you have adequate permissions to assign a role to an AD app. If not, ask your subscription administrator to add you to User Access Administrator role. In the following image, the user is assigned the Owner role, which means that user has adequate permissions.
+1. Select **View** in **Role assignments** to view your assigned roles, and determine if you have adequate permissions to assign a role to an AD app. If not, ask your subscription administrator to add you to User Access Administrator role. In the following image, the user is assigned the Owner role, which means that user has adequate permissions.
 
    ![This example shows the user is assigned the Owner role](./media/howto-create-service-principal-portal/view-user-role.png)
 

articles/active-directory/develop/media/howto-create-service-principal-portal/view-details.png

@@ -49,7 +49,7 @@ The Azure AD application model doesn't support wildcard URIs for apps that are c
 > [!NOTE]
 > The new [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience doesn't allow developers to add wildcard URIs on the UI. Adding wilcard URI for apps that sign in work or school accounts is supported only through the app manifest editor. Going forward, new apps won't be able to use wildcards in the redirect URI. However, older apps that contain wildcards in redirect URIs will continue to work.
 
-If your scenario requires more redirect URIs than the maximum limit allowed, instead of adding a wildcard redirect URI, consider one of the following approaches.
+If your scenario requires more redirect URIs than the maximum limit allowed, instead of adding a wildcard redirect URI, consider the following approach.
 
 ### Use a state parameter
 
@@ -66,10 +66,6 @@ In this approach:
 > [!NOTE]
 > This approach allows a compromised client to modify the additional parameters sent in the state parameter, thereby redirecting the user to a different URL, which is the [open redirector threat](https://tools.ietf.org/html/rfc6819#section-4.2.4) described in RFC 6819. Therefore, the client must protect these parameters by encrypting the state or verifying it by some other means such as validating domain name in the redirect URI against the token.
 
-### Add redirect URIs to service principals
-
-Another approach is to add redirect URIs to the [service principals](app-objects-and-service-principals.md#application-and-service-principal-relationship) that represent your app registration in any Azure AD tenant. You can use this approach when you can't use a state parameter or your scenario requires you to add new redirect URIs to your app registration for every new tenant you support. 
-
 ## Next steps
 
 - Learn about the [Application manifest](reference-app-manifest.md)

articles/active-directory/develop/reply-url.md

@@ -38,11 +38,11 @@ This article gives you an overview of the audit report.
 
 ## Who can access the data?
 
-* Users in the **Security Administrator**, **Security Reader**, **Report Reader** or **Global Administrator** roles
+* Users in the **Security Administrator**, **Security Reader**, **Report Reader** , **Global Reader** or **Global Administrator** roles
 
 ## Audit logs
 
-The Azure AD audit logs provide records of system activities for compliance. To access the audit report, select **Audit logs** in the **Activity** section of **Azure Active Directory**. Note that audit logs may have a latency of up to an hour, so it may take that long for audit activity data to show up in the portal after you have completed the task.
+The Azure AD audit logs provide records of system activities for compliance. To access the audit report, select **Audit logs** in the **Monitoring** section of **Azure Active Directory**. Note that audit logs may have a latency of up to an hour, so it may take that long for audit activity data to show up in the portal after you have completed the task.
 
 
 
@@ -87,16 +87,20 @@ You can filter the audit data on the following fields:
 The **Service** filter allows you to select from a drop-down list of the following services:
 
 - All
+- AAD Management UX
 - Access Reviews
-- Account Provisioning 
-- Application SSO
+- Account Provisioning
+- Application Proxy
 - Authentication Methods
 - B2C
 - Conditional Access
 - Core Directory
 - Entitlement Management
+- Hybrid Authentication
 - Identity Protection
 - Invited Users
+- MIM Service
+- MyApps
 - PIM
 - Self-service Group Management
 - Self-service Password Management
@@ -115,7 +119,11 @@ The **Category** filter enables you to select one of the following filters:
 - DirectoryManagement
 - EntitlementManagement
 - GroupManagement
+- KerberosDomain
+- KeyManagement
+- Label
 - Other
+- PermissionGrantPolicy
 - Policy
 - ResourceManagement
 - RoleManagement
@@ -131,14 +139,13 @@ The **Status** filter allows you to filter based on the status of an audit opera
 - Success
 - Failure
 
-The **Target** filter allows you to search for a particular target by name or user principal name (UPN). The target name and UPN are case-sensitive. 
+The **Target** filter allows you to search for a particular target by the starting of the name or user principal name (UPN). The target name and UPN are case-sensitive. 
 
-The **Initiated by** filter enables you to define an actor's name or a universal principal name (UPN). The name and UPN are case-sensitive.
+The **Initiated by** filter enables you to define what an actor's name or a universal principal name (UPN) starts with. The name and UPN are case-sensitive.
 
 The **Date range** filter enables to you to define a timeframe for the returned data.  
 Possible values are:
 
-- 1 month
 - 7 days
 - 24 hours
 - Custom
@@ -176,11 +183,11 @@ With user and group-based audit reports, you can get answers to questions such a
 
 - What licenses have been assigned to a group or a user?
 
-If you want to review only auditing data that is related to users, you can find a filtered view under **Audit logs** in the **Activity** section of the **Users** tab. This entry point has **UserManagement** as preselected category.
+If you want to review only auditing data that is related to users, you can find a filtered view under **Audit logs** in the **Monitoring** section of the **Users** tab. This entry point has **UserManagement** as preselected category.
 
 ![Audit logs](./media/concept-audit-logs/users.png "Audit logs")
 
-If you want to review only auditing data that is related to groups, you can find a filtered view under **Audit logs** in the **Activity** section of the **Groups** tab. This entry point has **GroupManagement** as preselected category.
+If you want to review only auditing data that is related to groups, you can find a filtered view under **Audit logs** in the **Monitoring** section of the **Groups** tab. This entry point has **GroupManagement** as preselected category.
 
 ![Audit logs](./media/concept-audit-logs/groups.png "Audit logs")