Merge branch 'master' into repo_sync_working_branch

Author: rmca14

.openpublishing.publish.config.json

@@ -354,6 +354,12 @@
       "path_to_root": "cognitive-services-quickstart-code",
       "url": "https://github.com/Azure-Samples/cognitive-services-quickstart-code",
       "branch": "master"
+    },
+    {
+      "path_to_root": "ImmersiveReaderSdk",
+      "url": "https://github.com/microsoft/immersive-reader-sdk",
+      "branch": "master",
+      "branch_mapping": {}
     }
   ],
   "branch_target_mapping": {

.openpublishing.redirection.json

@@ -24539,6 +24539,11 @@
       "redirect_url": "/azure/active-directory/user-help/device-management-azuread-joined-devices-setup",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/active-directory/user-help/multi-factor-authentication-end-user.md",
+      "redirect_url": "/azure/active-directory/user-help/user-help-two-step-verification-overview",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "articles/active-directory/user-help/security-info-manage-settings.md",
       "redirect_url": "/azure/active-directory/user-help/security-info-add-update-methods-overview",

articles/active-directory-b2c/active-directory-b2c-custom-setup-goog-idp.md

@@ -77,7 +77,7 @@ You can define a Google account as a claims provider by adding it to the **Claim
             <Item Key="authorization_endpoint">https://accounts.google.com/o/oauth2/auth</Item>
             <Item Key="AccessTokenEndpoint">https://accounts.google.com/o/oauth2/token</Item>
             <Item Key="ClaimsEndpoint">https://www.googleapis.com/oauth2/v1/userinfo</Item>
-            <Item Key="scope">email</Item>
+            <Item Key="scope">email profile</Item>
             <Item Key="HttpBinding">POST</Item>
             <Item Key="UsePolicyInRedirectUri">0</Item>
             <Item Key="client_id">Your Google application ID</Item>

articles/active-directory/authentication/howto-mfa-mfasettings.md

@@ -386,8 +386,7 @@ The _remember Multi-Factor Authentication_ feature for devices and browsers that
 >[!IMPORTANT]
 >If an account or device is compromised, remembering Multi-Factor Authentication for trusted devices can affect security. If a corporate account becomes compromised or a trusted device is lost or stolen, you should [restore Multi-Factor Authentication on all devices](howto-mfa-userdevicesettings.md#restore-mfa-on-all-remembered-devices-for-a-user).
 >
->The restore action revokes the trusted status from all devices, and the user is required to perform two-step verification again. You can also instruct your users to restore Multi-Factor Authentication on their own devices with the instructions in [Manage your settings for two-step verification](../user-help/multi-factor-authentication-end-user-manage-settings.md#require-two-step-verification-again-on-a-device-youve-marked-as-trusted).
->
+>The restore action revokes the trusted status from all devices, and the user is required to perform two-step verification again. You can also instruct your users to restore Multi-Factor Authentication on their own devices with the instructions in [Manage your settings for two-step verification](../user-help/multi-factor-authentication-end-user-manage-settings.md#turn-on-two-factor-verification-prompts-on-a-trusted-device).
 
 ### How the feature works
 

articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md

@@ -57,6 +57,7 @@ After the feature has been running in audit mode for a reasonable period, you ca
     |`https://login.microsoftonline.com`|Authentication requests|
     |`https://enterpriseregistration.windows.net`|Azure AD password protection functionality|
 
+* All machines that host the proxy service for password protection must be configured to grant domain controllers the ability to logon to the proxy service. This is controlled via the "Access this computer from the network" privilege assignment.
 * All machines that host the proxy service for password protection must be configured to allow outbound TLS 1.2 HTTP traffic.
 * A Global Administrator account to register the proxy service for password protection and forest with Azure AD.
 * An account that has Active Directory domain administrator privileges in the forest root domain to register the Windows Server Active Directory forest with Azure AD.

articles/active-directory/authentication/howto-password-ban-bad-on-premises-troubleshoot.md

@@ -39,6 +39,8 @@ The main symptom of this problem is 30018 events in the DC agent Admin event log
 
    The Azure AD Password Protection Proxy installer automatically creates a Windows Firewall inbound rule that allows access to any inbound ports listened to by the Azure AD Password Protection Proxy service. If this rule is later deleted or disabled, DC agents will be unable to communicate with the Proxy service. If the builtin Windows Firewall has been disabled in lieu of another firewall product, you must configure that firewall to allow access to any inbound ports listened to by the Azure AD Password Protection Proxy service. This configuration may be made more specific if the Proxy service has been configured to listen on a specific static RPC port (using the `Set-AzureADPasswordProtectionProxyConfiguration` cmdlet).
 
+1. The proxy host machine is not configured to allow domain controllers the ability to logon to the machine. This behavior is controlled via the "Access this computer from the network" user privilege assignment. All domain controllers in all domains in the forest must be granted this privilege. This setting is often constrained as part of a larger network hardening effort.
+
 ## Proxy service is unable to communicate with Azure
 
 1. Ensure the proxy machine has connectivity to the endpoints listed in the [deployment requirements](howto-password-ban-bad-on-premises-deploy.md).

articles/active-directory/conditional-access/best-practices.md

@@ -47,6 +47,7 @@ More than one Conditional Access policy may apply when you access a cloud app. I
 All policies are enforced in two phases:
 
 - In the **first** phase, all policies are evaluated and all access controls that aren't satisfied are collected. 
+
 - In the **second** phase, you are prompted to satisfy the requirements you haven't met. If any one of the policies block access, you are blocked and not prompted to satisfy other policy controls. If none of the policies block you, you are prompted to satisfy other policy controls in the following order:
 
    ![Order](./media/best-practices/06.png)

articles/active-directory/devices/device-management-azure-portal.md

@@ -116,7 +116,7 @@ This section provides you with information about common device identity manageme
 
 ### Manage an Intune device
 
-If you are an Intune administrator, you can manage devices marked as **Microsoft Intune**.
+If you are an Intune administrator, you can manage devices marked as **Microsoft Intune**. If the device is not enrolled with Microsoft Intune the "Manage" option will be greyed out.
 
 ![Manage an Intune device](./media/device-management-azure-portal/31.png)
 

articles/active-directory/devices/manage-stale-devices.md

@@ -100,7 +100,7 @@ To cleanup Azure AD:
 - **Windows 7/8** - Disable or delete Windows 7/8 devices in your on-premises AD first. You can't use Azure AD Connect to disable or delete Windows 7/8 devices in Azure AD. Instead, when you make the change in your on-premises, you must disable/delete in Azure AD.
 
 > [!NOTE]
->* Deleting devices in your on-premises AD or Azure AD does not registration on the client. It will only prevent access to resources using device as an identity (e.g. conditional access). Read additional information on how to [remove registration on the client](faq.md#hybrid-azure-ad-join-faq).
+>* Deleting devices in your on-premises AD or Azure AD does not remove registration on the client. It will only prevent access to resources using device as an identity (e.g. conditional access). Read additional information on how to [remove registration on the client](faq.md#hybrid-azure-ad-join-faq).
 >* Deleting a Windows 10 device only in Azure AD will re-synchronize the device from your on-premises using Azure AD connect but as a new object in "Pending" state. A re-registration is required on the device.
 >* Removing the device from sync scope for Windows 10/Server 2016 devices will delete the Azure AD device. Adding it back to sync scope will place a new object in "Pending" state. A re-registration of the device is required.
 >* If you not using Azure AD Connect for Windows 10 devices to synchronize (e.g. ONLY using AD FS for registration), you must manage lifecycle similar to Windows 7/8 devices.

articles/active-directory/fundamentals/active-directory-data-storage-eu.md

@@ -40,6 +40,15 @@ Azure AD B2B stores invitations with redeem link and redirect URL information in
 
 Azure AD DS stores user data in the same location as the customer-selected Azure Virtual Network. So, if the network is outside Europe, the data is replicated and stored outside Europe.
 
+## Federation in Microsoft Exchange Server 2013
+    
+- Application identifier (AppID) - A unique number generated by the Azure Active Directory authentication system to identify Exchange organizations.
+- Approved Federated domains list for Application
+- Application’s token signing Public Key 
+
+For more info about federation in Microsoft Exchange server, see the [Federation: Exchange 2013 Help](https://docs.microsoft.com/exchange/federation-exchange-2013-help) article.
+
+
 ## Other considerations
 
 Services and applications that integrate with Azure AD have access to identity data. Evaluate each service and application you use to determine how identity data is processed by that specific service and application, and whether they meet your company's data storage requirements.