Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into heidist-bugfix

Author: HeidiSteen

.openpublishing.redirection.json

@@ -51925,7 +51925,7 @@
     },
     {
       "source_path": "articles/terraform/terraform-create-complete-vm.md",
-      "redirect_url": "/azure/developer/terraform/create-linux-virtual machine-with-infrastructure",
+      "redirect_url": "/azure/developer/terraform/create-linux-virtual-machine-with-infrastructure",
       "redirect_document_id": false
     },
     {

.vscode/settings.json

@@ -59,7 +59,8 @@
         "YAML"
     ],
     "cSpell.words": [
-        "auditd"
+        "auditd",
+        "covid"
     ],
     "git.ignoreLimitWarning": true
 }

articles/active-directory/app-provisioning/customize-application-attributes.md

@@ -102,7 +102,7 @@ Applications and systems that support customization of the attribute list includ
 - Salesforce
 - ServiceNow
 - Workday
-- Azure Active Directory ([Microsoft Graph REST API v1.0 reference](https://docs.microsoft.com/graph/api/overview?view=graph-rest-1.0) and custom directory extensions are supported)
+- Azure Active Directory ([Azure AD Graph API default attributes](https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#user-entity) and custom directory extensions are supported)
 - Apps that support [SCIM 2.0](https://tools.ietf.org/html/rfc7643), where attributes defined in the [core schema](https://tools.ietf.org/html/rfc7643) need to be added
 
 > [!NOTE]

articles/active-directory/authentication/concept-sspr-writeback.md

@@ -137,6 +137,7 @@ Passwords aren't written back in any of the following situations:
 * **Unsupported administrator operations**
    * Any administrator-initiated end-user password reset from PowerShell version 1, version 2, or the Microsoft Graph API (the [Microsoft Graph API beta](https://docs.microsoft.com/graph/api/passwordauthenticationmethod-resetpassword?view=graph-rest-beta&tabs=http) is supported).
    * Any administrator-initiated end-user password reset from the [Microsoft 365 admin center](https://admin.microsoft.com).
+   * Any administrator cannot use password reset tool to reset their own password for password writeback.
 
 > [!WARNING]
 > Use of the checkbox "User must change password at next logon" in on-premises AD DS administrative tools like Active Directory Users and Computers or the Active Directory Administrative Center is supported as a preview feature of Azure AD Connect. For more information, see [Implement password hash synchronization with Azure AD Connect sync](../hybrid/how-to-connect-password-hash-synchronization.md).

articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md

@@ -33,9 +33,6 @@ The following roles can access insights and reporting:
 
 Users also need one of the following Log Analytics workspace roles:  
 
-- Reader 
-- Monitoring reader 
-- Log Analytics reader 
 - Contributor  
 - Owner 
 

articles/active-directory/hybrid/reference-connect-version-history.md

@@ -8,12 +8,11 @@ ms.assetid: ef2797d7-d440-4a9a-a648-db32ad137494
 ms.service: active-directory
 ms.topic: reference
 ms.workload: identity
-ms.date: 04/23/2020
+ms.date: 05/07/2020
 ms.subservice: hybrid
 ms.author: billmath
 
 ms.collection: M365-identity-device-management
-ms.custom: has-adal-ref
 ---
 # Azure AD Connect: Version release history
 The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect with new features and functionality. Not all additions are applicable to all audiences.
@@ -50,10 +49,7 @@ Not all releases of Azure AD Connect will be made available for auto upgrade. Th
 05/07/2020: Released for download
 
 ### Fixed issues
-- Fixed an issue where unselected domains were getting incorrectly selected from the wizard UI.
-- Fixed an issue in the ADSyncConfig PowerShell module, where invoking DSACLS command used in all the Set-ADSync* Permissions cmdlets would cause one of the following errors:
-     - `GrantAclsNoInheritance : The parameter is incorrect.   The command failed to complete successfully.`
-     - `GrantAcls : No GUID Found for computer …`
+This hotfix build fixes an issue where unselected domains were getting incorrectly selected from the wizard UI if only grandchild containers were selected.
 
 ## 1.5.29.0
 
@@ -77,7 +73,10 @@ This hotfix build fixes an issue in build 1.5.20.0 if you have cloned the **In f
 04/09/2020: Released for download
 
 ### Fixed issues
-This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filtering feature enabled and use mS-DS-ConsistencyGuid as the source anchor.
+- This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filtering feature enabled and use mS-DS-ConsistencyGuid as the source anchor.
+- Fixed an issue in the ADSyncConfig PowerShell module, where invoking DSACLS command used in all the Set-ADSync* Permissions cmdlets would cause one of the following errors:
+     - `GrantAclsNoInheritance : The parameter is incorrect.   The command failed to complete successfully.`
+     - `GrantAcls : No GUID Found for computer …`
 
 > [!IMPORTANT]
 > If you have cloned the **In from AD - Group Join** sync rule and have not cloned the **In from AD - Group Common** sync rule and plan to upgrade, complete the following steps as part of the upgrade:
@@ -112,7 +111,6 @@ This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filte
 - Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account has not propagated across all service replicas before attempted use. 
 - Fixed a bug in the sync errors compression utility that was not handling surrogate characters correctly. 
 - Fixed a bug in the auto upgrade which left the server in the scheduler suspended state. 
-- Fixed a bug in the Domain/OU filtering page that would remove the Run Profiles of a domain by just partially expanding the domain tree, without making any changes.
 
 ## 1.4.38.0
 ### Release status

articles/active-directory/identity-protection/overview-identity-protection.md

@@ -83,6 +83,8 @@ Identity Protection requires users be a Security Reader, Security Operator, Secu
 | Security operator | View all Identity Protection reports and Overview blade <br><br> Dismiss user risk, confirm safe sign-in, confirm compromise | Configure or change policies <br><br> Reset password for a user <br><br> Configure alerts |
 | Security reader | View all Identity Protection reports and Overview blade | Configure or change policies <br><br> Reset password for a user <br><br> Configure alerts <br><br> Give feedback on detections |
 
+Currently, the security operator role cannot access the Risky sign-ins report.
+
 Conditional Access administrators can also create policies that factor in sign-in risk as a condition, find more information in the article [Conditional Access: Conditions](../conditional-access/concept-conditional-access-conditions.md#sign-in-risk).
 
 ## License requirements

articles/active-directory/manage-apps/application-proxy-configure-native-client-application.md

@@ -12,23 +12,23 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 04/15/2019
+ms.date: 05/12/2020
 ms.author: mimart
 ms.reviewer: japere
-ms.custom: it-pro, has-adal-ref
+ms.custom: it-pro
 
 ms.collection: M365-identity-device-management
 ---
 
 # How to enable native client applications to interact with proxy applications
 
-You can use Azure Active Directory (Azure AD) Application Proxy to publish web apps, but it also can be used to publish native client applications that are configured with the Azure AD Authentication Library (ADAL). Native client applications differ from web apps because they're installed on a device, while web apps are accessed through a browser.
+You can use Azure Active Directory (Azure AD) Application Proxy to publish web apps, but it also can be used to publish native client applications that are configured with the Microsoft Authentication Library (MSAL). Native client applications differ from web apps because they're installed on a device, while web apps are accessed through a browser.
 
 To support native client applications, Application Proxy accepts Azure AD-issued tokens that are sent in the header. The Application Proxy service does the authentication for the users. This solution doesn't use application tokens for authentication.
 
 ![Relationship between end users, Azure AD, and published applications](./media/application-proxy-configure-native-client-application/richclientflow.png)
 
-To publish native applications, use the Azure AD Authentication Library, which takes care of authentication and supports many client environments. Application Proxy fits into the [Native Application to Web API scenario](../azuread-dev/native-app.md).
+To publish native applications, use the Microsoft Authentication Library, which takes care of authentication and supports many client environments. Application Proxy fits into the [Desktop app that calls a web API on behalf of a signed-in user](https://docs.microsoft.com/azure/active-directory/develop/authentication-flows-app-scenarios#desktop-app-that-calls-a-web-api-on-behalf-of-a-signed-in-user) scenario.
 
 This article walks you through the four steps to publish a native application with Application Proxy and the Azure AD Authentication Library.
 
@@ -53,8 +53,7 @@ You now need to register your application in Azure AD, as follows:
    - To target only accounts that are internal to your organization, select **Accounts in this organizational directory only**.
    - To target only business or educational customers, select **Accounts in any organizational directory**.
    - To target the widest set of Microsoft identities, select **Accounts in any organizational directory and personal Microsoft accounts**.
-
-1. In the **Redirect URI** heading, select **Public client (mobile & desktop)**, and then type the redirect URI for your application.
+1. Under **Redirect URI**, select **Public client (mobile & desktop)**, and then type the redirect URI `https://login.microsoftonline.com/common/oauth2/nativeclient` for your application.
 1. Select and read the **Microsoft Platform Policies**, and then select **Register**. An overview page for the new application registration is created and displayed.
 
 For more detailed information about creating a new application registration, see [Integrating applications with Azure Active Directory](../develop/quickstart-register-app.md).
@@ -66,42 +65,60 @@ Now that you've registered your native application, you can give it access to ot
 1. In the sidebar of the new application registration page, select **API permissions**. The **API permissions** page for the new application registration appears.
 1. Select **Add a permission**. The **Request API permissions** page appears.
 1. Under the **Select an API** setting, select **APIs my organization uses**. A list appears, containing the applications in your directory that expose APIs.
-1. Type in the search box or scroll to find the proxy application that you published in [Step 1: Publish your proxy application](#step-1-publish-your-proxy-application), and then select the proxy application.
+1. Type in the search box or scroll to find the proxy application that you published in [Step 1: Publish your proxy application](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-configure-native-client-application#step-1-publish-your-proxy-application), and then select the proxy application.
 1. In the **What type of permissions does your application require?** heading, select the permission type. If your native application needs to access the proxy application API as the signed-in user, choose **Delegated permissions**.
 1. In the **Select permissions** heading, select the desired permission, and select **Add permissions**. The **API permissions** page for your native application now shows the proxy application and permission API that you added.
 
-## Step 4: Edit the Active Directory Authentication Library
+## Step 4: Add the Microsoft Authentication Library to your code (.NET C# sample)
 
-Edit the native application code in the authentication context of the Active Directory Authentication Library (ADAL) to include the following text:
+Edit the native application code in the authentication context of the Microsoft Authentication Library (MSAL) to include the following text: 
 
-```
+```         
 // Acquire Access Token from AAD for Proxy Application
-AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/<Tenant ID>");
-AuthenticationResult result = await authContext.AcquireTokenAsync("< External Url of Proxy App >",
-        "<App ID of the Native app>",
-        new Uri("<Redirect Uri of the Native App>"),
-        PromptBehavior.Never);
-
-//Use the Access Token to access the Proxy Application
-HttpClient httpClient = new HttpClient();
-httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
-HttpResponseMessage response = await httpClient.GetAsync("< Proxy App API Url >");
+IPublicClientApplication clientApp = PublicClientApplicationBuilder
+.Create(<App ID of the Native app>)
+.WithDefaultRedirectUri() // will automatically use the default Uri for native app
+.WithAuthority("https://login.microsoftonline.com/{<Tenant ID>}")
+.Build();
+
+AuthenticationResult authResult = null;
+var accounts = await clientApp.GetAccountsAsync();
+IAccount account = accounts.FirstOrDefault();
+
+IEnumerable<string> scopes = new string[] {"<Scope>"};
+
+try
+ {
+    authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
+ }
+    catch (MsalUiRequiredException ex)
+ {
+     authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();                
+ }
+
+if (authResult != null)
+ {
+  //Use the Access Token to access the Proxy Application
+
+  HttpClient httpClient = new HttpClient();
+  HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
+  HttpResponseMessage response = await httpClient.GetAsync("<Proxy App Url>");
+ }
 ```
 
 The required info in the sample code can be found in the Azure AD portal, as follows:
 
 | Info required | How to find it in the Azure AD portal |
 | --- | --- |
 | \<Tenant ID> | **Azure Active Directory** > **Properties** > **Directory ID** |
-| \<External Url of Proxy App> | **Enterprise applications** > *your proxy application* > **Application proxy** > **External Url** |
-| \<App ID of the Native app> | **Enterprise applications** > *your native application* > **Properties** > **Application ID** |
-| \<Redirect URI of the Native App> | **Azure Active Directory** > **App registrations** > *your native application* > **Redirect URIs** |
-| \<Proxy App API Url> | **Azure Active Directory** > **App registrations** > *your native application* > **API permissions** > **API / PERMISSIONS NAME** |
+| \<App ID of the Native app> | **Application registration** > *your native application* > **Overview** > **Application ID** |
+| \<Scope> | **Application registration** > *your native application* > **API permissions** > Click on the Permission API (user_impersonation) > A panel with the caption **user_impersonation** appears on the right hand side. > The scope is the URL in the edit box.
+| \<Proxy App Url> | the External Url and path to the API
 
-After you edit the ADAL with these parameters, your users can authenticate to native client applications even when they're outside of the corporate network.
+After you edit the MSAL code with these parameters, your users can authenticate to native client applications even when they are outside of the corporate network.
 
 ## Next steps
 
 For more information about the native application flow, see [Native apps in Azure Active Directory](../azuread-dev/native-app.md).
 
-Learn about setting up [Single sign-on to applications in Azure Active Directory](what-is-single-sign-on.md#choosing-a-single-sign-on-method).
+Learn about setting up [Single sign-on to applications in Azure Active Directory](what-is-single-sign-on.md#choosing-a-single-sign-on-method).