Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into 1614957-Part3

Author: damabe

.openpublishing.redirection.json

@@ -206,6 +206,9 @@ function Set-MfaState {
 Get-MsolUser -All | Set-MfaState -State Disabled
 ```
 
+> [!NOTE]
+> We recently changed the behavior and PowerShell script above accordingly. Previously, the script saved off the MFA methods, disabled MFA, and restored the methods. This is no longer necessary now that the default behavior for disable doesn't clear the methods.
+
 ## Plan Conditional Access policies
 
 To plan your Conditional Access policy strategy, which will determine when MFA and other controls are required, refer to [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md).

articles/active-directory/authentication/howto-mfa-getstarted.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: reference
-ms.date: 04/10/2019
+ms.date: 11/07/2019
 
 ms.author: mimart
 author: msmimart
@@ -54,15 +54,21 @@ Absolutely. For more information, see [Adding guest users to a role](add-guest-t
 Unless a user is assigned the role of limited administrator, B2B collaboration users won't require access to the Azure portal. However, B2B collaboration users who are assigned the role of limited administrator can access the portal. Also, if a guest user who isn't assigned one of these admin roles accesses the portal, the user might be able to access certain parts of the experience. The guest user role has some permissions in the directory.
 
 ### Can I block access to the Azure portal for guest users?
-Yes! When you configure this policy, be careful to avoid accidentally blocking access to members and admins.
-To block a guest user's access to the [Azure portal](https://portal.azure.com), use a Conditional Access policy in the Windows Azure classic deployment model API:
-1. Modify the **All Users** group so that it contains only members.
-   ![Screenshot showing All Users group where UserType is not equal Guest](media/faq/modify-all-users-group.png)
-2. Create a dynamic group that contains guest users.
-   ![Screenshot showing a new All Guest Users group](media/faq/group-with-guest-users.png)
-3. Set up a Conditional Access policy to block guest users from accessing the portal, as shown in the following video:
-  
-   > [!VIDEO https://channel9.msdn.com/Blogs/Azure/b2b-block-guest-user/Player] 
+
+Yes! You can create a Conditional Access policy that blocks all guest and external users from accessing the Azure portal. When you configure this policy, be careful to avoid accidentally blocking access to members and admins.
+
+1. Sign in to your [Azure portal](https://portal.azure.com/) as a security administrator or a Conditional Access administrator.
+2. In the Azure portal, select **Azure Active Directory**. 
+3. Under **Manage**, select **Security**.
+4. Under **Protect**, select **Conditional Access**. Select **New policy**.
+5. On the **New** page, in the **Name** textbox, enter a name for the policy (for example "Block guests from accessing the portal").
+6. Under **Assignments**, select **Users and groups**.
+7. On the **Include** tab, choose **Select users and groups**, and then select **All guest and external users (Preview)**.
+9. Select **Done**.
+10. On the **New** page, in the **Assignments** section, select **Cloud apps or actions**.
+11. On the **Cloud apps or actions** page, choose **Select apps**, and then choose **Select**.
+12. On the **Select** page, choose **Microsoft Azure Management**, and then choose **Select**.
+13. On the **Cloud apps or actions** page, select **Done**.
 
 ### Does Azure AD B2B collaboration support multi-factor authentication and consumer email accounts?
 Yes. Multi-factor authentication and consumer email accounts are both supported for Azure AD B2B collaboration.

articles/active-directory/b2b/faq.md

@@ -1,18 +1,19 @@
 ---
 title: Troubleshooting B2B collaboration - Azure Active Directory | Microsoft Docs
 description: Remedies for common problems with Azure Active Directory B2B collaboration
-
 services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
-ms.topic: conceptual
+ms.topic: troubleshooting
 ms.date: 05/25/2017
-
+tags: active-directory
 ms.author: mimart
 author: v-miegge
-manager: celestedg
+manager: dcscontentpm
 ms.reviewer: mal
-ms.custom: "it-pro, seo-update-azuread-jan"
+ms.custom:
+  - it-pro
+  - seo-update-azuread-jan"
 ms.collection: M365-identity-device-management
 ---
 

articles/active-directory/b2b/troubleshoot.md

@@ -29,7 +29,7 @@ Policies are enforced for business-to-business (B2B) collaboration users. Howeve
 
 Yes. A SharePoint Online policy also applies to OneDrive for Business.
 
-## Why can’t I set a policy on client apps, like Word or Outlook?
+## Why can’t I set a policy directly on client apps, like Word or Outlook?
 
 A Conditional Access policy sets requirements for accessing a service. It's enforced when authentication to that service occurs. The policy is not set directly on a client application. Instead, it is applied when a client calls a service. For example, a policy set on SharePoint applies to clients calling SharePoint. A policy set on Exchange applies to Outlook.
 

articles/active-directory/conditional-access/faqs.md

@@ -241,6 +241,8 @@
           href: migrate-android-adal-msal.md
         - name: Migrate to MSAL.iOS and MacOS
           href: migrate-objc-adal-msal.md
+        - name: Migrate to MSAL Java
+          href: migrate-adal-msal-java.md
         - name: Migrate Xamarin apps using brokers from ADAL.NET to MSAL.NET
           href: msal-net-migration-ios-broker.md
       - name: Supported authentication flows
@@ -390,6 +392,10 @@
         href: active-directory-configurable-token-lifetimes.md
     - name: Application configuration
       items:
+      - name: Azure portal app registrations training guide (legacy)
+        href: app-registrations-training-guide-for-app-registrations-legacy-users.md
+      - name: Application Registration Portal app registration guide
+        href: app-registration-portal-training-guide.md
       - name: Convert a single-tenant app to a multi-tenant app
         href: howto-convert-app-to-be-multi-tenant.md
       - name: Create service principal
@@ -446,6 +452,12 @@
               href: request-custom-claims.md
             - name: Redirect URI configuration
               href: redirect-uris-ios.md
+        - name: MSAL Java
+          items:
+            - name: Token cache serialization
+              href: msal-java-token-cache-serialization.md
+            - name: Add and remove accounts from the token cache
+              href: msal-java-get-remove-accounts-token-cache.md
     - name: Work with Visual Studio
       items:
       - name: Use the Active Directory connected service
@@ -594,8 +606,6 @@
         href: reference-saml-tokens.md
     - name: Application configuration
       items:
-      - name: App registrations training guide
-        href: app-registrations-training-guide.md
       - name: Applications and service principals
         href: app-objects-and-service-principals.md
       - name: How and why apps are added to Azure AD

articles/active-directory/develop/TOC.yml

@@ -0,0 +1,205 @@
+---
+title: Application Registration Portal app registrations training guide - Microsoft identity platform | Azure
+description: App registrations in the Azure portal for users familiar with Application registration portal
+services: active-directory
+documentationcenter: ''
+author: archieag
+manager: CelesteDG
+editor: ''
+
+ms.service: active-directory
+ms.subservice: develop
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: conceptual
+ms.date: 11/8/2019
+ms.author: aragra
+ms.reviewer: lenalepa, alamaral
+ms.custom: aaddev
+ms.collection: M365-identity-device-management
+---
+
+# Training guide: Using App registrations in the Azure portal instead of Application Registration Portal
+
+There are many improvements in the new [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience in the Azure portal. If you're more familiar with the Application registration portal (apps.dev.microsoft.com) experience for registering or managing converged applications, referred to as the old experience, this training guide will get you started using the new experience.
+
+## What's not changing?
+
+-   Your applications and related configurations can be found as-is in the new experience. You do not need to register the applications again and users of your applications will not need to sign-in again.
+
+    > [!NOTE]
+    > You must sign-in with the account you used to register applications to find them in the Azure portal. We recommend you
+    check the signed in user in the Azure portal matches the user that
+    was signed into the Application registration portal by comparing the
+    email address from your profile.
+    > 
+    > In some cases, especially when you sign in using personal Microsoft
+    accounts(e.g. Outlook, Live, Xbox, etc.) with an Azure AD email address, we found out that when you
+    go to the Azure portal from the old experience, it signs you into a
+    different account with the same email in your Azure AD tenant. If
+    you still believe your applications are missing, sign out and sign
+    in with the right account.
+
+-   Live SDK apps created using personal Microsoft accounts are not yet supported in the Azure portal and will continue to remain in the old experience in near future.
+
+## Key changes
+
+-   In the old experience, apps were by default registered as converged
+    apps supporting all organizational accounts (multitenant) as well as
+    personal Microsoft accounts. This could not be modified through the
+    old experience, making it difficult to create apps that supported
+    only organizational accounts (either multitenant or single tenant).
+    The new experience allows you to register apps supporting all those
+    options. [Learn more about app
+    types](active-directory-v2-registration-portal.md).
+
+-   In the new experience, if your personal Microsoft account is also in
+    an Azure AD tenant, you will see three tabs--all applications in
+    the tenant, owned applications in the tenant as well as applications
+    from your personal account. So, if you believe that apps registered
+    with your personal Microsoft account are missing, check the
+    **Applications from your personal account** tab.
+
+-   In the new experience, you can easily switch between tenants by
+    navigating to your profile and choosing switch directory.
+
+## List of applications
+
+-   The new app list shows applications that were registered through the
+    legacy app registrations experience in the Azure portal (apps that
+    sign in Azure AD accounts only) as well as apps registered though the
+    [Application registration portal](https://apps.dev.microsoft.com/)
+    (apps that sign in both Azure AD and personal Microsoft accounts).
+
+-   The new app list has two additional columns: **Created on** column and
+    **Certificates & secrets** column that shows the status (current,
+    expiring soon, or expired) of credentials that have been registered
+    on the app.
+
+## New app registration
+
+In the old experience, to register a converged app you were only
+required to provide a Name. The apps that were created were registered
+as converged apps supporting all organizational directory (multitenant)
+as well as personal Microsoft accounts.  This could not be modified through the old experience, making it difficult to create apps that supported only organizational accounts (either multitenant or single tenant). [Learn more about supported account types](v2-supported-account-types.md)
+
+In the new experience, you must provide a Name for the app and choose
+the Supported account types. You can optionally provide a redirect URI.
+If you provide a redirect URI, you'll need to specify if it's
+web/public (native/mobile and desktop). For more info on how to register
+an app using the new app registrations experience, see [this
+quickstart](quickstart-register-app.md).
+
+## App management page
+
+The old experience had a single app management page for converged apps
+with the following sections: Properties, Application secrets, Platforms,
+Owners, Microsoft Graph Permissions, Profile, and Advanced Options.
+
+The new experience in the Azure portal represents these features into
+separate pages. Here's where you can find the equivalent functionality:
+
+-   Properties - Name and Application ID is on the Overview page.
+
+-   Application Secrets is on the Certificates & secrets page
+
+-   Platforms configuration is on the Authentication page
+
+-   Microsoft Graph permissions is on the API permissions page along
+    with other permissions
+
+-   Profile is on Branding page
+
+-   Advanced option - Live SDK support is on the Authentication page.
+
+## Application Secrets/Certificates & secrets
+
+In the new experience, **Application secrets** have been renamed to
+**Certificates & secrets**. In addition, **Public keys** are referred to as
+**Certificates** and **Passwords** are referred to as **Client secrets**. We
+chose to not bring this functionality along in the new experience for
+security reasons, hence, you can no longer generate a new key pair.
+
+## Platforms/Authentication - Reply URLs/Redirect URIs
+In the old experience, an app had Platforms section for Web, native, and
+Web API to configure Redirect URLs, Logout URL and Implicit flow.
+
+In the new experience, Reply URLs can be found on an app\'s
+Authentication section. In addition, they are referred to as redirect
+URIs and the format for redirect URIs has changed. They are required to
+be associated with an app type (web or public client - mobile and
+desktop). [Learn more](quickstart-configure-app-access-web-apis.md#add-redirect-uris-to-your-application)
+
+Web APIs are configured in Expose an API page.
+
+> [!NOTE] 
+> Try out the new Authentication settings experience where you can
+configure settings for your application based on the platform or device
+that you want to target. [Learn more](quickstart-configure-app-access-web-apis.md#configure-platform-settings-for-your-application)
+
+## Microsoft Graph Permissions/API permissions
+
+-   When selecting an API in the old experience, you could choose from
+    Microsoft Graph APIs only. In the new experience, you can choose
+    from many Microsoft APIs including Microsoft Graph, APIs from your
+    organization and your APIs, this is presented in three tabs:
+    Microsoft APIs, APIs my organization uses, or My APIs. The search
+    bar on APIs my organization uses tab searches through service
+    principals in the tenant.
+    
+    > [!NOTE] 
+    > You won't see this tab if your application isn't
+    associated with a tenant. For more info on how to request
+    permissions using the new experience, see [this
+    quickstart](https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/quickstart-configure-app-access-web-apis.md).
+
+-   The old experience did not have a **Grant permissions** button. In the
+    new experience, there's a Grant consent section with a **Grant admin consent** button on an app's API permissions section. Only an       admin can grant consent and this button is enabled for admins only. When an admin selects the **Grant admin consent** button, admin     consent is granted to all the requested permissions.
+
+## Profile
+In the old experience, Profile had Logo, Home page URL, Terms of Service
+URL and Privacy Statement URL configuration. In the new experience,
+these can be found in Branding page.
+
+## Application manifest
+In the new experience, Manifest page allows you to edit and update app's
+attributes. For more info, see [Application manifest](reference-app-manifest.md).
+
+## New UI
+There's new UI for properties that could previously only be set using
+the manifest editor or the API, or didn't exist.
+
+-   Implicit grant flow (oauth2AllowImplicitFlow) can be found on the
+    Authentication page. Unlike the old experience, you can enable
+    access tokens or id tokens, or both.
+
+-   Scopes defined by this API (oauth2Permissions) and Authorized client
+    applications (preAuthorizedApplications) can be configured through
+    the Expose an API page. For more info on how to configure an app to
+    be a web API and expose permissions/scopes, see [this
+    quickstart](quickstart-configure-app-expose-web-apis.md).
+
+-   Publisher domain (which is displayed to users on the [application\'s
+    consent
+    prompt](application-consent-experience.md))
+    can be found on the Branding blade page. For more info on how to
+    configure a publisher domain, see [this
+    how-to](howto-configure-publisher-domain.md).
+
+## Limitations
+
+The new experience has the following limitations:
+
+-   The new experience does not yet support App registrations for Azure AD
+    B2C tenants.
+
+-   The new experience does not yet support Live SDK apps created with
+    personal Microsoft accounts.
+
+-   Changing the value for supported accounts is not supported in the
+    UI. You need to use the app manifest unless you\'re switching
+    between Azure AD single-tenant and multi-tenant.
+
+   > [!NOTE]
+   > If you're a personal Microsoft account user in Azure AD tenant, and the tenant admin has restricted access to Azure portal, you may get an access denied. However, if you come through the shortcut by typing App registrations in the search bar or pinning it, you'll be able to access the new experience.