Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into release-ignite-disk-bursting

Author: v-alje

articles/active-directory-domain-services/tutorial-configure-networking.md

@@ -151,7 +151,7 @@ To see this managed domain in action, create and join a virtual machine to the d
 > [!div class="nextstepaction"]
 > [Join a Windows Server virtual machine to your managed domain](join-windows-vm.md)
 
-<!-- INTERNAL LINKS -->
+<!-- INTERNAL LINKS --> 
 [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
 [associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
 [create-azure-ad-ds-instance]: tutorial-create-instance.md

articles/active-directory/authentication/howto-mfa-mfasettings.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 06/03/2019
+ms.date: 10/28/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -112,6 +112,8 @@ Configure email addresses here for users who will receive fraud alert emails.
 >[!NOTE]
 >When Multi-Factor Authentication calls are placed through the public telephone network, sometimes they are routed through a carrier that doesn't support caller ID. Because of this, caller ID is not guaranteed, even though the Multi-Factor Authentication system always sends it.
 
+In the United States, if you haven't configured MFA Caller ID, voice calls from Microsoft come from the following numbers: +1 (866) 539 4191, +1 (855) 330 8653, and +1 (877) 668 6536. If using spam filters, make sure to exclude these numbers.
+
 ### Custom voice messages
 
 You can use your own recordings or greetings for two-step verification with the _custom voice messages_ feature. These messages can be used in addition to or to replace the Microsoft recordings.
@@ -384,7 +386,7 @@ Additional details about the use of authentication methods can be found in the a
 The _remember Multi-Factor Authentication_ feature for devices and browsers that are trusted by the user is a free feature for all Multi-Factor Authentication users. Users can bypass subsequent verifications for a specified number of days, after they've successfully signed-in to a device by using Multi-Factor Authentication. The feature enhances usability by minimizing the number of times a user has to perform two-step verification on the same device.
 
 >[!IMPORTANT]
->If an account or device is compromised, remembering Multi-Factor Authentication for trusted devices can affect security. If a corporate account becomes compromised or a trusted device is lost or stolen, you should [restore Multi-Factor Authentication on all devices](howto-mfa-userdevicesettings.md#restore-mfa-on-all-remembered-devices-for-a-user).
+>If an account or device is compromised, remembering Multi-Factor Authentication for trusted devices can affect security. If a corporate account becomes compromised or a trusted device is lost or stolen, you should [Revoke MFA Sessions](howto-mfa-userdevicesettings.md).
 >
 >The restore action revokes the trusted status from all devices, and the user is required to perform two-step verification again. You can also instruct your users to restore Multi-Factor Authentication on their own devices with the instructions in [Manage your settings for two-step verification](../user-help/multi-factor-authentication-end-user-manage-settings.md#turn-on-two-factor-verification-prompts-on-a-trusted-device).
 

articles/active-directory/authentication/howto-mfa-userdevicesettings.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 08/29/2019
+ms.date: 10/28/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -36,33 +36,9 @@ As an administrator assigned the Authentication Administrator role you can requi
    - **Require Re-register MFA** will make it so that when the user signs in next time, they will be requested to setup a new MFA authentication method.
    - **Revoke MFA Sessions** clears the user's remembered MFA sessions and requires them to perform MFA the next time it is required by the policy on the device.
 
-## Require users to provide contact methods again
-
-This setting forces the user to complete the registration process again. Non-browser apps continue to work if the user has app passwords for them.  You can delete the users app passwords by also selecting **Delete all existing app passwords generated by the selected users**.
-
-### How to require users to provide contact methods again
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. On the left, select **Azure Active Directory** > **Users** > **All users**.
-3. On the right, select **Multi-Factor Authentication** on the toolbar. The multi-factor authentication page opens.
-4. Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right.
-5. Select **Manage user settings**.
-6. Check the box for **Require selected users to provide contact methods again**.
-   ![Require users to provide contact methods again](./media/howto-mfa-userdevicesettings/reproofup.png)
-7. Click **save**.
-8. Click **close**.
-
-Organizations can complete these steps with PowerShell using the following as a guide to clear the `StrongAuthenticationMethods` attribute:
-
-```PowerShell
-$Upn = "[email protected]"
-$noMfaConfig = @()
-Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationMethods $noMfaConfig
-```
-
 ## Delete users existing app passwords
 
-This setting deletes all of the app passwords that a user has created. Non-browser apps that were associated with these app passwords stop working until a new app password is created.
+This setting deletes all of the app passwords that a user has created. Non-browser apps that were associated with these app passwords stop working until a new app password is created. Global administrator permissions are required to perform this action.
 
 ### How to delete users existing app passwords
 
@@ -76,26 +52,6 @@ This setting deletes all of the app passwords that a user has created. Non-brows
 7. Click **save**.
 8. Click **close**.
 
-## Restore MFA on all remembered devices for a user
-
-One of the configurable features of Azure Multi-Factor Authentication is giving your users the option to mark devices as trusted. For more information, see [Configure Azure Multi-Factor Authentication settings](howto-mfa-mfasettings.md#remember-multi-factor-authentication).
-
-Users can opt out of two-step verification for a configurable number of days on their regular devices. If an account is compromised or a trusted device is lost, you need to be able to remove the trusted status and require two-step verification again.
-
-When checked, **Restore multi-factor authentication on all remembered devices** users are required to perform two-step verification the next time they sign in, even if they marked their device as trusted.
-
-### How to restore MFA on all suspended devices for a user
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. On the left, select **Azure Active Directory** > **Users** > **All users**.
-3. On the right, select **Multi-Factor Authentication** on the toolbar. The multi-factor authentication page opens.
-4. Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right.
-5. Select **Manage user settings**.
-6. Check the box for **Restore multi-factor authentication on all remembered devices**
-   ![Restore multi-factor authentication on all remembered devices](./media/howto-mfa-userdevicesettings/rememberdevices.png)
-7. Click **save**.
-8. Click **close**.
-
 ## Next steps
 
 - Get more information about how to [Configure Azure Multi-Factor Authentication settings](howto-mfa-mfasettings.md)

articles/active-directory/authentication/howto-sspr-windows.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 07/17/2019
+ms.date: 10/28/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -35,7 +35,6 @@ For machines running Windows 7, 8, 8.1, and 10 you can enable users to reset the
 ## General limitations
 
 - Password reset is not currently supported from a Remote Desktop or from Hyper-V enhanced sessions.
-- Account unlock, mobile app notification, and mobile app code are not supported.
 - This feature does not work for networks with 802.1x network authentication deployed and the option “Perform immediately before user logon”. For networks with 802.1x network authentication deployed it is recommended to use machine authentication to enable this feature.
 
 ## Windows 10 password reset

articles/active-directory/authentication/media/howto-mfa-userdevicesettings/rememberdevices.png

@@ -58,10 +58,10 @@ To modify the device administrator role, configure **Additional local administra
 >[!NOTE]
 > This option requires an Azure AD Premium tenant. 
 
-Device administrators are assigned to all Azure AD joined devices. You cannot scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. For the devices, a user is already signed into, the privilege update takes place:
+Device administrators are assigned to all Azure AD joined devices. You cannot scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege update takes place when *both* the below actions happen:
 
-- When a user signs out.
-- After 4 hours, when a new Primary Refresh Token is issued. 
+- 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges. 
+- User signs out and signs back in, not lock/unlock, to refresh their profile.
 
 ## Manage regular users
 

articles/active-directory/authentication/media/howto-mfa-userdevicesettings/reproofup.png

@@ -77,6 +77,8 @@ These scenarios are not supported for staged rollout:
 
 If you want to test Password Hash Sync (PHS) sign-in using staged rollout, please complete the below pre-work to enable Password Hash Sync staged rollout.
 
+For more information on the PowerShell cmdlets used, see [AzureAD 2.0 preview](https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0-preview#staged_rollout)
+
 ## Pre-work for Password Hash Sync
 
 1. Enable Password Hash Sync from the [Optional features](how-to-connect-install-custom.md#optional-features) page in Azure AD Connect. 
@@ -235,3 +237,6 @@ Here is how you can track user sign-ins still happening on AD FS for selected st
 -   **Q: Can we use PowerShell to perform staged rollout?**
 
 -   A: Yes, Please find the documentation to use PowerShell to perform staged rollout here.
+
+## Next Steps
+- [AzureAD 2.0 preview](https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0-preview#staged_rollout )

articles/active-directory/devices/assign-local-admin.md

@@ -13,7 +13,7 @@ ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 11/13/2018
+ms.date: 10/28/2019
 ms.author: chadam
 ms.reviewer: dhanyahk