Commit e3c3c24

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into patch-22
2 parents 86197fc + 65fc1ef commit e3c3c24

485 files changed: +6638 / -3534 lines changed
.openpublishing.redirection.json

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42587,6 +42587,21 @@
4258742587
"source_path": "articles/security/fundamentals/service-fabric-checklist.md",
4258842588
"redirect_url": "/azure/service-fabric/service-fabric-best-practices-security",
4258942589
"redirect_document_id": false
42590+
},
42591+
{
42592+
"source_path": "articles/security/fundamentals/white-papers.md",
42593+
"redirect_url": "https://azure.microsoft.com/resources/whitepapers/search/?term=security&type=WhitePaperResource",
42594+
"redirect_document_id": false
42595+
},
42596+
{
42597+
"source_path": "articles/security/fundamentals/overviews.md",
42598+
"redirect_url": "/azure/security/fundamentals/overview",
42599+
"redirect_document_id": false
42600+
},
42601+
{
42602+
"source_path": "articles/security/fundamentals/mvp.md",
42603+
"redirect_url": "https://mvp.microsoft.com/",
42604+
"redirect_document_id": false
4259042605
}
4259142606
]
4259242607
}
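Review bot: the `white-papers.md` entry redirects to a search-results URL (`?term=security&type=WhitePaperResource`) rather than a fixed page; query-string search parameters are not a stable contract and will silently start returning an empty or unrelated list when that site's search UI changes, so prefer a stable landing page for the whitepapers collection, or record who owns that URL so the redirect is re-checked. The other three new entries (`overviews.md`, `mvp.md`, and the neighbouring `service-fabric-checklist.md`) use plain page targets and need no change.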

articles/active-directory-b2c/active-directory-b2c-setup-oidc-azure-active-directory.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ ms.topic: conceptual
1111
ms.date: 08/08/2019
1212
ms.author: marsma
1313
ms.subservice: B2C
14+
ms.custom: fasttrack-edit
1415
---
1516

1617
# Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C
@@ -55,6 +56,8 @@ To enable sign-in for users from a specific Azure AD organization, you need to r
5556
5657
For example, `https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration`.
5758
59+
**Do not** use the Azure AD v2.0 metadata endpoint, for example `https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration`. Doing so results in an error similar to `AADB2C: A claim with id 'UserId' was not found, which is required by ClaimsTransformation 'CreateAlternativeSecurityId' with id 'CreateAlternativeSecurityId' in policy 'B2C_1_SignUpOrIn' of tenant 'contoso.onmicrosoft.com'` when attempting to sign in.
60+
5861
1. For **Client ID**, enter the application ID that you previously recorded.
5962
1. For **Client secret**, enter the client secret that you previously recorded.
6063
1. Leave the default values for **Scope**, **Response type**, and **Response mode**.
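Review bot: the new paragraph names the wrong endpoint and quotes the resulting error, but gives no reason for the failure, so a reader who has a concrete need for the v2.0 endpoint cannot judge whether the advice applies to them; one sentence on the cause (which claim the v2.0 metadata/token does not provide in the form the `CreateAlternativeSecurityId` transformation expects) would make the warning actionable. Also, since this sits between the "For example" line and the next numbered step, rendering it as a `> [!IMPORTANT]` callout would match the convention used in the other articles touched by this same commit.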

articles/active-directory-domain-services/tutorial-create-instance.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,7 @@ On the **Summary** page of the wizard, review the configuration settings for the
115115

116116
![Domain Services status once successfully provisioned](./media/tutorial-create-instance/successfully-provisioned.png)
117117

118-
During the provisioning process, Azure AD DS creates two Enterprise Applications named *Domain Controller Services* and *AzureActiveDirectoryDomainControllerServices* in your directory. These Enterprise Applications are needed to service your managed domain. It's imperative that these applications are not deleted at any time.
118+
We provision Azure AD Domain Services on the Azure Active Directory tenant and the Azure AD Domain Services resource for the service is created within the associated Azure subscription. During the provisioning process, Azure AD DS creates two Enterprise Applications named *Domain Controller Services* and *AzureActiveDirectoryDomainControllerServices* in your Azure Active directory instance where you have enabled the Azure AD domain services. These Enterprise Applications are needed to service your managed domain. It's imperative that these applications are not deleted at any time.
119119

120120
## Update DNS settings for the Azure virtual network
121121

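Review bot: the rewritten line is a single run-on that opens with "We provision" and writes the product names three different ways ("Azure Active Directory tenant", "Azure Active directory instance", "Azure AD domain services"); the point being added (the managed domain is enabled on the tenant, the Azure AD DS resource lives in the associated subscription, and the two Enterprise Applications appear in that tenant) reads better as short sentences with consistent casing, for example: "Azure AD Domain Services is enabled on your Azure Active Directory tenant, and the Azure AD DS resource is created in the associated Azure subscription. During provisioning, Azure AD DS creates two Enterprise Applications named *Domain Controller Services* and *AzureActiveDirectoryDomainControllerServices* in that tenant."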
articles/active-directory/authentication/active-directory-passwords-troubleshoot.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -125,16 +125,16 @@ A best practice when you troubleshoot problems with password writeback is to ins
125125
| 31018| KeyPairCreationSuccess| This event indicates that we successfully created the password encryption key. This key is used to encrypt passwords from the cloud to be sent to your on-premises environment.|
126126
| 32000| UnknownError| This event indicates an unknown error occurred during a password management operation. Look at the exception text in the event for more details. If you're having problems, try disabling and then re-enabling password writeback. If this does not help, include a copy of your event log along with the tracking ID specified insider to your support engineer.|
127127
| 32001| ServiceError| This event indicates there was an error connecting to the cloud password reset service. This error generally occurs when the on-premises service was unable to connect to the password-reset web service.|
128-
| 32002| ServiceBusError| This event indicates there was an error connecting to your tenant’s Service Bus instance. This can happen if you're blocking outbound connections in your on-premises environment. Check your firewall to ensure that you allow connections over TCP 443 and to https://ssprsbprodncu-sb.accesscontrol.windows.net/, and then try again. If you're still having problems, try disabling and then re-enabling password writeback.|
128+
| 32002| ServiceBusError| This event indicates there was an error connecting to your tenant’s Service Bus instance. This can happen if you're blocking outbound connections in your on-premises environment. Check your firewall to ensure that you allow connections over TCP 443 and to https://ssprdedicatedsbprodncu.servicebus.windows.net, and then try again. If you're still having problems, try disabling and then re-enabling password writeback.|
129129
| 32003| InPutValidationError| This event indicates that the input passed to our web service API was invalid. Try the operation again.|
130130
| 32004| DecryptionError| This event indicates that there was an error decrypting the password that arrived from the cloud. This might be due to a decryption key mismatch between the cloud service and your on-premises environment. To resolve this problem, disable and then re-enable password writeback in your on-premises environment.|
131131
| 32005| ConfigurationError| During onboarding, we save tenant-specific information in a configuration file in your on-premises environment. This event indicates that there was an error saving this file or that when the service was started, there was an error reading the file. To fix this problem, try disabling and then re-enabling password writeback to force a rewrite of the configuration file.|
132132
| 32007| OnBoardingConfigUpdateError| During onboarding, we send data from the cloud to the on-premises password-reset service. That data is then written to an in-memory file before it is sent to the sync service to be stored securely on disk. This event indicates that there is a problem with writing or updating that data in memory. To fix this problem, try disabling and then re-enabling password writeback to force a rewrite of this configuration file.|
133133
| 32008| ValidationError| This event indicates we received an invalid response from the password-reset web service. To fix this problem, try disabling and then re-enabling password writeback.|
134134
| 32009| AuthTokenError| This event indicates that we couldn't get an authorization token for the global administrator account specified during Azure AD Connect setup. This error can be caused by a bad username or password specified for the global admin account. This error can also occur if the global admin account specified is federated. To fix this problem, rerun the configuration with the correct username and password and ensure that the administrator is a managed (cloud-only or password-synchronized) account.|
135135
| 32010| CryptoError| This event indicates there was an error generating the password encryption key or decrypting a password that arrives from the cloud service. This error likely indicates a problem with your environment. Look at the details of your event log to learn more about how to resolve this problem. You can also try disabling and then re-enabling the password writeback service.|
136-
| 32011| OnBoardingServiceError| This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the onboarding process. This can happen as a result of a firewall rule or if there is a problem getting an authentication token for your tenant. To fix this problem, ensure that you're not blocking outbound connections over TCP 443 and TCP 9350-9354 or to https://ssprsbprodncu-sb.accesscontrol.windows.net/. Also ensure that the Azure AD admin account you're using to onboard isn't federated.|
137-
| 32013| OffBoardingError| This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the offboarding process. This can happen as a result of a firewall rule or if there is a problem getting an authorization token for your tenant. To fix this problem, ensure that you're not blocking outbound connections over 443 or to https://ssprsbprodncu-sb.accesscontrol.windows.net/, and that the Azure Active Directory admin account you're using to offboard isn't federated.|
136+
| 32011| OnBoardingServiceError| This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the onboarding process. This can happen as a result of a firewall rule or if there is a problem getting an authentication token for your tenant. To fix this problem, ensure that you're not blocking outbound connections over TCP 443 and TCP 9350-9354 or to https://ssprdedicatedsbprodncu.servicebus.windows.net. Also ensure that the Azure AD admin account you're using to onboard isn't federated.|
137+
| 32013| OffBoardingError| This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the offboarding process. This can happen as a result of a firewall rule or if there is a problem getting an authorization token for your tenant. To fix this problem, ensure that you're not blocking outbound connections over 443 or to https://ssprdedicatedsbprodncu.servicebus.windows.net, and that the Azure Active Directory admin account you're using to offboard isn't federated.|
138138
| 32014| ServiceBusWarning| This event indicates that we had to retry to connect to your tenant’s Service Bus instance. Under normal conditions, this should not be a concern, but if you see this event many times, consider checking your network connection to Service Bus, especially if it’s a high-latency or low-bandwidth connection.|
139139
| 32015| ReportServiceHealthError| In order to monitor the health of your password writeback service, we send heartbeat data to our password-reset web service every five minutes. This event indicates that there was an error when sending this health information back to the cloud web service. This health information does not include an object identifiable information (OII) or personally identifiable information (PII) data, and is purely a heartbeat and basic service statistics so that we can provide service status information in the cloud.|
140140
| 33001| ADUnKnownError| This event indicates that there was an unknown error returned by Active Directory. Check the Azure AD Connect server event log for events from the ADSync source for more information.|
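Review bot: the new Service Bus hostname `ssprdedicatedsbprodncu.servicebus.windows.net` replaces the old endpoint in 32002, 32011 and 32013, but the port guidance still differs between those rows: 32011 asks for TCP 443 and TCP 9350-9354 to that host, while 32002 and 32013 mention only 443. If the dedicated Service Bus endpoint needs 9350-9354 for onboarding it needs them for the connection and offboarding paths as well, so either align the three rows or state explicitly why 443 alone suffices for 32002/32013. Minor, same table: the unchanged 32000 row reads "tracking ID specified insider" (should be "inside") and could be fixed in this pass.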
@@ -173,7 +173,7 @@ For more granularity, reference the updated list of [Microsoft Azure Datacenter
173173
For more information, review the connectivity prerequisites in the [Prerequisites for Azure AD Connect](../hybrid/how-to-connect-install-prerequisites.md) article.
174174

175175
> [!NOTE]
176-
> SSPR can also fail if the account if the "Password never expires" or "User cannot change password" settings are configured on the account in AD DS on-premises.
176+
> SSPR can also fail if the "Password never expires" or "User cannot change password" settings are configured on the account in AD DS on-premises.
177177
178178
### Restart the Azure AD Connect Sync service
179179

articles/active-directory/authentication/concept-authentication-methods.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -120,7 +120,7 @@ Microsoft recommends the use of an email account that would not require the user
120120

121121
The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account.
122122

123-
The Microsoft Authenticator app is available for [Android](https://go.microsoft.com/fwlink/?linkid=866594), [iOS](https://go.microsoft.com/fwlink/?linkid=866594), and [Windows Phone](https://go.microsoft.com/fwlink/?Linkid=825071).
123+
The Microsoft Authenticator app is available for [Android](https://go.microsoft.com/fwlink/?linkid=866594), [iOS](https://go.microsoft.com/fwlink/?linkid=866594), and [Windows Phone](https://www.microsoft.com/p/microsoft-authenticator/9nblgggzmcj6).
124124

125125
> [!NOTE]
126126
> Users will not have the option to register their mobile app when registering for self-service password reset. Instead, users can register their mobile app at [https://aka.ms/mfasetup](https://aka.ms/mfasetup) or in the security info registration preview at [https://aka.ms/setupsecurityinfo](https://aka.ms/setupsecurityinfo).
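Review bot: in the edited line the Android and iOS links both resolve to the same fwlink (866594), so one of them is wrong; since the line is already being touched, fix the duplicate. The Windows Phone target is now a hard-coded Store URL while the other two stay as fwlinks; keeping all three as fwlinks (howto-mfa-mfasettings.md in this same commit uses 825072 and 825073 for Android and iOS) lets the Store URL change again without another doc edit.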

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,9 @@ Azure AD combined security information registration is not currently available t
3333
> [!IMPORTANT]
3434
> Users who are enabled for both the original preview and the enhanced combined registration experience will see the new behavior. Users who are enabled for both experiences will see only the new My Profile experience. The new My Profile aligns with the look and feel of combined registration and provides a seamless experience for users. Users can see My Profile by going to [https://myprofile.microsoft.com](https://myprofile.microsoft.com).
3535
36+
> [!NOTE]
37+
> You might encounter an error message while trying to access the Security info option. For example, "Sorry, we can't sign you in". In this case, confirm that you don't have any configuration or group policy object that blocks third-party cookies on the web browser.
38+
3639
My Profile pages are localized based on the language settings of the computer accessing the page. Microsoft stores the most recent language used in the browser cache, so subsequent attempts to access the pages will continue to render in the last language used. If you clear the cache, the pages will re-render. If you want to force a specific language, you can add `?lng=<language>` to the end of the URL, where `<language>` is the code of the language you want to render.
3740

3841
![Set up SSPR or other security verification methods](media/howto-registration-mfa-sspr-combined/combined-security-info-my-profile.png)
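Review bot: the new note tells the admin to look for configuration or group policy that blocks third-party cookies, but not which sites set them, so the only fix it enables is re-allowing third-party cookies browser-wide; name the origins the Security info page depends on so the exception can be scoped to those sites instead of loosening the cookie policy globally. Also quote the complete error text rather than the fragment "Sorry, we can't sign you in", which is generic and hard to search for.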

articles/active-directory/authentication/concept-sspr-howitworks.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -94,6 +94,12 @@ Users do not have the option to register their mobile app when registering for s
9494
> [!WARNING]
9595
> You must enable the [Converged registration for self-service password reset and Azure Multi-Factor Authentication (Public preview)](concept-registration-mfa-sspr-converged.md) before users will be able to access the new experience at [https://aka.ms/setupsecurityinfo](https://aka.ms/setupsecurityinfo).
9696
97+
> [!IMPORTANT]
98+
> The authenticator app cannot be selected as the only authentication method when configuring a 1-gate policy. Similarly, the authenticator app and only one additional method cannot be selected when configuring a 2-gates policy.
99+
> Then, when configuring SSPR policies that include the authenticator app as a method, at least an additional method should be selected when configuring a 1-gate policy, and at least two additional methods should be selected when configuring a 2-gates policy.
100+
> The reason for this requirement is because the current SSPR registration experience does not include the option to register the authenticator app. The option to register the authenticator app is included with the new [Converged registration for self-service password reset and Azure Multi-Factor Authentication (Public preview)](concept-registration-mfa-sspr-converged.md).
101+
> Allowing policies that only use the authenticator app (for 1-gate policies), or the authenticator app and only one additional method (for 2-gates policies), could lead to users being blocked from registering for SSPR until they have been configured to use the new registration experience.
102+
97103
### Change authentication methods
98104

99105
If you start with a policy that has only one required authentication method for reset or unlock registered and you change that to two methods, what happens?
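Review bot: the new IMPORTANT block states the same rule three times in different words (lines 98, 99 and 102), mixes "1-gate" with "2-gates", and uses "The reason for this requirement is because"; collapse it to one rule and one reason, for example: "The current SSPR registration experience does not let users register the authenticator app, so a policy must not depend on the app alone: a one-gate policy needs at least one method besides the app, and a two-gate policy at least two. Otherwise users cannot register for SSPR until they are moved to the converged registration experience." Keep the link to the converged registration article.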

articles/active-directory/authentication/howto-mfa-mfasettings.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -365,8 +365,8 @@ When your users enroll their accounts for Azure Multi-Factor Authentication, the
365365
|:--- |:--- |
366366
| Call to phone |Places an automated voice call. The user answers the call and presses # in the phone keypad to authenticate. The phone number is not synchronized to on-premises Active Directory. |
367367
| Text message to phone |Sends a text message that contains a verification code. The user is prompted to enter the verification code into the sign-in interface. This process is called one-way SMS. Two-way SMS means that the user must text back a particular code. Two-way SMS is deprecated and not supported after November 14, 2018. Users who are configured for two-way SMS are automatically switched to _call to phone_ verification at that time.|
368-
| Notification through mobile app |Sends a push notification to your phone or registered device. The user views the notification and selects **Verify** to complete verification. The Microsoft Authenticator app is available for [Windows Phone](https://go.microsoft.com/fwlink/?Linkid=825071), [Android](https://go.microsoft.com/fwlink/?Linkid=825072), and [iOS](https://go.microsoft.com/fwlink/?Linkid=825073). |
369-
| Verification code from mobile app or hardware token |The Microsoft Authenticator app generates a new OATH verification code every 30 seconds. The user enters the verification code into the sign-in interface. The Microsoft Authenticator app is available for [Windows Phone](https://go.microsoft.com/fwlink/?Linkid=825071), [Android](https://go.microsoft.com/fwlink/?Linkid=825072), and [iOS](https://go.microsoft.com/fwlink/?Linkid=825073). |
368+
| Notification through mobile app |Sends a push notification to your phone or registered device. The user views the notification and selects **Verify** to complete verification. The Microsoft Authenticator app is available for [Windows Phone](https://www.microsoft.com/p/microsoft-authenticator/9nblgggzmcj6), [Android](https://go.microsoft.com/fwlink/?Linkid=825072), and [iOS](https://go.microsoft.com/fwlink/?Linkid=825073). |
369+
| Verification code from mobile app or hardware token |The Microsoft Authenticator app generates a new OATH verification code every 30 seconds. The user enters the verification code into the sign-in interface. The Microsoft Authenticator app is available for [Windows Phone](https://www.microsoft.com/p/microsoft-authenticator/9nblgggzmcj6), [Android](https://go.microsoft.com/fwlink/?Linkid=825072), and [iOS](https://go.microsoft.com/fwlink/?Linkid=825073). |
370370

371371
### Enable and disable verification methods
372372

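Review bot: the same Store URL for Windows Phone is now pasted into two table rows here and into concept-authentication-methods.md in this commit; three hard-coded copies of one URL will drift, and the two articles already disagree on the Android/iOS links (825072/825073 here versus 866594 there). A single fwlink for Windows Phone, or an include for the "available for ..." sentence, would make the next URL change a one-line edit.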
articles/active-directory/authentication/howto-sspr-reporting.md

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -36,10 +36,6 @@ The following questions can be answered by the reports that exist in the [Azure
3636
* What admins are resetting their own passwords frequently?
3737
* Is there any suspicious activity going on with password reset?
3838

39-
## Power BI content pack
40-
41-
If you're a Power BI user, there is a content pack for Azure AD that includes easy-to-use reporting for SSPR. For more information on how to use and deploy the content pack, see [How to use the Azure Active Directory Power BI content pack](../reports-monitoring/howto-power-bi-content-pack.md). With the content pack, you can create your own dashboards and share them with others in your organization.
42-
4339
## How to view password management reports in the Azure portal
4440

4541
In the Azure portal experience, we have improved the way that you can view password reset and password reset registration activity. Use the following the steps to find the password reset and password reset registration events:
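Review bot: deleting the "Power BI content pack" section removes this article's only link to ../reports-monitoring/howto-power-bi-content-pack.md and breaks any inbound link to the #power-bi-content-pack anchor; if the content pack is retired, a one-line note or a redirect for the target article is better than silent removal, and the deleted link's target should be checked so it is not left orphaned.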
