Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into postgres-app

Author: v-thepet

.openpublishing.redirection.json

@@ -42218,6 +42218,26 @@
       "redirect_url": "/azure/iot-central/preview/quick-monitor-devices/",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/iot-pnp/quickstart-connect-pnp-device-linux.md",
+      "redirect_url": "/azure/iot-pnp/quickstart-connect-pnp-device-c-linux/",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-pnp/quickstart-connect-pnp-device.md",
+      "redirect_url": "/azure/iot-pnp/quickstart-connect-pnp-device-c-windows/",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-pnp/quickstart-connect-pnp-device-solution.md",
+      "redirect_url": "/azure/iot-pnp/quickstart-connect-pnp-device-solution-node/",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-pnp/quickstart-create-pnp-device.md",
+      "redirect_url": "/azure/iot-pnp/quickstart-create-pnp-device-windows/",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/iot-central/core/overview-iot-options.md",
       "redirect_url": "/azure/iot-fundamentals/iot-services-and-technologies/",

articles/active-directory-b2c/page-layout.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 07/04/2019
+ms.date: 12/18/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -42,9 +42,9 @@ In your custom policies, you may have [ContentDefinitions](contentdefinitions.md
 </ContentDefinition>
 ```
 
-To select a page layout, you change the **DataUri** values in your [ContentDefinitions](contentdefinitions.md) in your policies. By switching from the old **DataUri** values to the new values, you're selecting an immutable package. The benefit of using this package is that you’ll know it won't change and cause unexpected behavior on your page.
+To select a page layout, you change the **DataUri** values in your [ContentDefinitions](contentdefinitions.md) in your policies. By switching from the old **DataUri** values to the new values, you're selecting an immutable package. The benefit of using this package is that you know it won't change and cause unexpected behavior on your page.
 
-To set up a page layout, use the following table to find **DataUri** values.
+To specify a page layout in your custom policies that use an old **DataUri** value, insert `contract` between `elements` and the page type (for example, `selfasserted`), and specify the version number. For example:
 
 | Old DataUri value | New DataUri value |
 | ----------------- | ----------------- |
@@ -64,17 +64,23 @@ To set up a page layout, use the following table to find **DataUri** values.
 
 Page layout packages are periodically updated to include fixes and improvements in their page elements. The following change log specifies the changes introduced in each version.
 
-### 1.2.0 
+### 2.0.0
+
+- Self-asserted page (`selfasserted`)
+  - Added support for [display controls](display-controls.md) in custom policies.
+
+### 1.2.0
+
 - All pages
   - Accessibility fixes
   - You can now add the `data-preload="true"` attribute in your HTML tags to control the load order for CSS and JavaScript. Scenarios include:
-      - Use this on your CSS link to load the CSS at the same time as your HTML so that it doesn't 'flicker' between loading the files
-      - This attribute allows you to control the order in which your Script tags are fetched and executed before the page load
+    - Use this on your CSS link to load the CSS at the same time as your HTML so that it doesn't 'flicker' between loading the files
+    - This attribute allows you to control the order in which your Script tags are fetched and executed before the page load
   - Email field is now `type=email` and mobile keyboards will provide the correct suggestions
   - Support for Chrome translate
 - Unified and self-asserted page
   - The username/email and password fields now use the form HTML element.  This will now allow Edge and IE to properly save this information
-  
+
 ### 1.1.0
 
 - Exception page (globalexception)

articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md

@@ -36,7 +36,7 @@ Before enabling the new experience, review the article [Combined security inform
 Complete these steps to enable combined registration:
 
 1. Sign in to the Azure portal as a user administrator or global administrator.
-2. Go to **Azure Active Directory** > **User settings** > **Manage settings for access panel preview features**.
+2. Go to **Azure Active Directory** > **User settings** > **Manage user feature preview settings**.
 3. Under **Users can use preview features for registering and managing security info**, choose to enable for a **Selected** group of users or for **All** users.
 
    ![Enable the combined security info preview experience for All users](media/howto-registration-mfa-sspr-combined/enable-the-combined-security-info-preview.png)
@@ -63,7 +63,7 @@ The following policy applies to all selected users, who attempt to register usin
 
 ![Create a CA policy to control security info registration](media/howto-registration-mfa-sspr-combined/require-registration-from-trusted-location.png)
 
-1. In the **Azure portal**, browse to **Azure Active Directory** > **Conditional Access**
+1. In the **Azure portal**, browse to **Azure Active Directory** > **Security** > **Conditional Access**
 1. Select **New policy**
 1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration on Trusted Networks**
 1. Under **Assignments**, click **Users and groups**, and select the users and groups you want this policy to apply to

articles/active-directory/conditional-access/concept-baseline-protection.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 12/17/2019
+ms.date: 12/18/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -37,6 +37,10 @@ There are four baseline policies:
 
 All four of these policies will impact legacy authentication flows like POP, IMAP, and older Office desktop clients.
 
+### Exclusions
+
+When baseline policies went into their initial public preview, there was an option to exclude users from the policies. This capability evolved through the preview and was removed in July of 2019. Organizations who had already created exclusions were able to continue to keep them new users were unable to add exclusions to the policies.
+
 ### Require MFA for admins (preview)
 
 Due to the power and access that administrator accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification when they are used to sign in. In Azure Active Directory, you can get a stronger account verification by requiring administrators to register for and use Azure Multi-Factor Authentication.
@@ -60,8 +64,8 @@ High privileged administrators aren’t the only ones targeted in attacks. Bad a
 
 **End user protection (preview)** is a baseline policy that protects all users in a directory. Enabling this policy requires all users to register for Azure Multi-Factor Authentication within 14 days. Once registered, users will be prompted for MFA only during risky sign-in attempts. Compromised user accounts are blocked until password reset and risk dismissal. 
 
-[!NOTE]
-Any users previously flagged for risk are blocked until password reset and risk dismissal upon policy activation.
+> [!NOTE]
+> Any users previously flagged for risk are blocked until password reset and risk dismissal upon policy activation.
 
 ### Block legacy authentication (preview)
 

articles/active-directory/conditional-access/controls.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: article
-ms.date: 11/21/2019
+ms.date: 12/20/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -112,7 +112,7 @@ Providers currently offering a compatible service include:
 - [Entrust Datacard](https://www.entrustdatacard.com/products/authentication/intellitrust)
 - [GSMA](https://mobileconnect.io/azure/)
 - [Ping Identity](https://documentation.pingidentity.com/pingid/pingidAdminGuide/index.shtml#pid_c_AzureADIntegration.html)
-- RSA
+- [RSA](https://community.rsa.com/docs/DOC-81278)
 - [SecureAuth](https://docs.secureauth.com/pages/viewpage.action?pageId=47238992#)
 - [Silverfort](https://www.silverfort.io/company/using-silverfort-mfa-with-azure-active-directory/)
 - [Symantec VIP](https://help.symantec.com/home/VIP_Integrate_with_Azure_AD)

articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 12/12/2019
+ms.date: 12/20/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -31,9 +31,11 @@ The following steps will help create a Conditional Access policy to block legacy
    1. Under **Include**, select **All users**.
    1. Under **Exclude**, select **Users and groups** and choose any accounts that must maintain the ability to use legacy authentication. 
    1. Select **Done**.
+1. Under **Cloud apps or actions** select **All cloud apps**.
+   1. Select **Done**.
 1. Under **Conditions** > **Client apps (preview)**, set **Configure** to **Yes**.
    1. Check only the boxes **Mobile apps and desktop clients** > **Other clients**.
-   2. Select **Done**.
+   1. Select **Done**.
 1. Under **Access controls** > **Grant**, select **Block access**.
    1. Select **Select**.
 1. Confirm your settings and set **Enable policy** to **On**.

articles/active-directory/develop/reference-aadsts-error-codes.md

@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: reference
-ms.date: 08/30/2019
+ms.date: 12/18/2019
 ms.author: ryanwi
 ms.reviewer: hirsin
 ms.custom: aaddev
@@ -129,6 +129,8 @@ Search on the numeric part of the returned error code.  For example, if you rece
 | AADSTS50178 | SessionControlNotSupportedForPassthroughUsers - Session control is not supported for passthrough users. |
 | AADSTS50180 | WindowsIntegratedAuthMissing - Integrated Windows authentication is needed. Enable the tenant for Seamless SSO. |
 | AADSTS50187 | DeviceInformationNotProvided - The service failed to perform device authentication. |
+| AADSTS50196 | LoopDetected - A client loop has been detected. Check the app’s logic to ensure that token caching is implemented, and that error conditions are handled correctly.  The app has made too many of the same request in too short a period, indicating that it is in a faulty state or is abusively requesting tokens. |
+| AADSTS50199 | CmsiInterrupt - user interaction is required for this authentication.  Because this is an "interaction_required" error, the client should do interactive auth.  This occurs because a system webview has been used to request a token for a native application - the user must be prompted to ask if this was actually the app they meant to sign into.|
 | AADSTS51000 | RequiredFeatureNotEnabled - The feature is disabled. |
 | AADSTS51001 | DomainHintMustbePresent - Domain hint must be present with on-premises security identifier or on-premises UPN. |
 | AADSTS51004 | UserAccountNotInDirectory - The user account doesn’t exist in the directory. |

articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md

@@ -14,7 +14,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 11/19/2019
+ms.date: 12/17/2019
 ms.author: ryanwi
 ms.reviewer: hirsin
 ms.custom: aaddev, identityplatformtop40
@@ -61,7 +61,7 @@ This type of authorization is common for daemons and service accounts that need
 
 ### Application permissions
 
-Instead of using ACLs, you can use APIs to expose a set of application permissions. An application permission is granted to an application by an organization's administrator, and can be used only to access data owned by that organization and its employees. For example, Microsoft Graph exposes several application permissions to do the following:
+Instead of using ACLs, you can use APIs to expose a set of **application permissions**. An application permission is granted to an application by an organization's administrator, and can be used only to access data owned by that organization and its employees. For example, Microsoft Graph exposes several application permissions to do the following:
 
 * Read mail in all mailboxes
 * Read and write mail in all mailboxes
@@ -72,6 +72,11 @@ For more information about application permissions, go to [Microsoft Graph](http
 
 To use application permissions in your app, follow the steps discussed in the next sections.
 
+
+> [!NOTE]
+> When authenticating as an application, as opposed to with a user, you cannot use "delegated permissions" (scopes that are granted by a user).  You must use "application permissions", also known as "roles", that are granted by an admin for the application (or via pre-authorization by the web API).    
+
+
 #### Request the permissions in the app registration portal
 
 1. Register and create an app through the new [App registrations (Preview) experience](quickstart-register-app.md).

articles/active-directory/fundamentals/concept-fundamentals-security-defaults.md

@@ -70,6 +70,9 @@ Today, the majority of compromising sign-in attempts come from legacy authentica
 
 After security defaults are enabled in your tenant, all authentication requests made by an older protocol will be blocked. Security defaults don't block Exchange ActiveSync.
 
+> [!WARNING]
+> Before you enable security defaults, make sure your administrators aren't using older authentication protocols. For more information, see [How to move away from legacy authentication](concept-fundamentals-block-legacy-authentication.md).
+
 ### Protecting privileged actions
 
 Organizations use a variety of Azure services managed through the Azure Resource Manager API, including:
@@ -86,6 +89,9 @@ After you enable security defaults in your tenant, any user who's accessing the
 
 If the user isn't registered for Multi-Factor Authentication, the user will be required to register by using the Microsoft Authenticator app in order to proceed. No 14-day Multi-Factor Authentication registration period will be provided.
 
+> [!NOTE]
+> The Azure AD Connect synchronization account is excluded from security defaults and will not be prompted to register for or perform multi-factor authentication. Organizations should not be using this account for other purposes.
+
 ## Deployment considerations
 
 The following additional considerations are related to deployment of security defaults for your tenant.
@@ -104,18 +110,9 @@ Security defaults allow registration and use of Azure Multi-Factor Authenticatio
 
 ** App passwords are only available in per-user MFA with legacy authentication scenarios only if enabled by administrators.
 
-### Older protocols
-
-Mail clients use older authentication protocols (like IMAP, SMTP, and POP3) to make authentication requests. These protocols don't support Multi-Factor Authentication. Most of the account compromises that Microsoft sees are from attacks against older protocols that are trying to bypass Multi-Factor Authentication. 
-
-To ensure that Multi-Factor Authentication is required for signing in to an administrative account and attackers can't bypass it, security defaults block all authentication requests made to administrator accounts from older protocols.
-
-> [!WARNING]
-> Before you enable this setting, make sure your administrators aren't using older authentication protocols. For more information, see [How to move away from legacy authentication](concept-fundamentals-block-legacy-authentication.md).
-
 ### Conditional Access
 
-You can use Conditional Access to configure policies similar to security defaults, but with more granularity. If you're using Conditional Access and have Conditional Access policies enabled in your environment, security defaults won't be available to you. If you have a license that provides Conditional Access but don't have any Conditional Access policies enabled in your environment, you are welcome to use security defaults until you enable Conditional Access policies. More information about Azure AD licensing can be found on the [Azure AD pricing page](https://azure.microsoft.com/pricing/details/active-directory/).
+You can use Conditional Access to configure policies similar to security defaults, but with more granularity including user exclusions, which are not available in security defaults. If you're using Conditional Access and have Conditional Access policies enabled in your environment, security defaults won't be available to you. If you have a license that provides Conditional Access but don't have any Conditional Access policies enabled in your environment, you are welcome to use security defaults until you enable Conditional Access policies. More information about Azure AD licensing can be found on the [Azure AD pricing page](https://azure.microsoft.com/pricing/details/active-directory/).
 
 ![Warning message that you can have security defaults or Conditional Access not both](./media/concept-fundamentals-security-defaults/security-defaults-conditional-access.png)
 

articles/active-directory/hybrid/reference-connect-version-history.md

@@ -38,7 +38,7 @@ Not all releases of Azure AD Connect will be made available for auto upgrade. Th
 >
 > You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience. 
 >
->If you run a deprecated version of Azure AD Connect you may not have the latest security fixes, performance improvements, toubleshooting and diagnostic tools and service enhancements, and if you require support we may not be able to provide you with the level of service your organization needs.
+>If you run a deprecated version of Azure AD Connect you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements, and if you require support we may not be able to provide you with the level of service your organization needs.
 >
 >If you have enabled Azure AD Connect for sync you will soon automatically begin receiving Health notifications that warn you about upcoming deprecations when you are running one of the older versions.
 >