Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into endpoint

Author: billmath

.openpublishing.redirection.json

@@ -40291,6 +40291,16 @@
       "redirect_url": "/azure/governance/policy/samples/index",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/governance/policy/concepts/rego-for-aks.md",
+      "redirect_url": "/azure/governance/policy/concepts/policy-for-kubernetes",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/governance/policy/concepts/aks-engine.md",
+      "redirect_url": "/azure/governance/policy/concepts/policy-for-kubernetes",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/azure-stack/azure-stack-tools-paas-services.md",
       "redirect_url": "/azure/azure-stack/azure-stack-offer-services-overview",

articles/active-directory/authentication/howto-mfaserver-deploy-userportal.md

@@ -102,7 +102,7 @@ Installing the user portal on a server other than the Azure Multi-Factor Authent
     * Find the key **"USE_WEB_SERVICE_SDK"** and change **value="false"** to **value="true"**
     * Find the key **"WEB_SERVICE_SDK_AUTHENTICATION_USERNAME"** and change **value=""** to **value="DOMAIN\User"** where DOMAIN\User is a Service Account that is a part of "PhoneFactor Admins" Group.
     * Find the key **"WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD"** and change **value=""** to **value="Password"** where Password is the password for the Service Account entered in the previous line.
-    * Find the value **https://www.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx** and change this placeholder URL to the Web Service SDK URL we installed in step 2.
+    * Find the value `https://www.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx` and change this placeholder URL to the Web Service SDK URL we installed in step 2.
     * Save the Web.Config file and close Notepad.
 
 6. Open a web browser from any computer and navigate to the URL where the user portal was installed (Example: `https://mfa.contoso.com/MultiFactorAuth`). Ensure that no certificate warnings or errors are displayed.

articles/active-directory/b2b/facebook-federation.md

@@ -20,6 +20,8 @@ ms.collection: M365-identity-device-management
 # Add Facebook as an identity provider for External Identities
 
 You can add Facebook to your self-service sign-up user flows (Preview) so that users can sign in to your applications using their own Facebook accounts. To allow users to sign in using Facebook, you'll first need to [enable self-service sign-up](self-service-sign-up-user-flow.md) for your tenant. After you add Facebook as an identity provider, set up a user flow for the application and select Facebook as one of the sign-in options.
+> [!NOTE]
+> Users can only use their Facebook accounts to sign up through apps using self-service sign-up and user flows. Users cannot be invited and redeem their invitation using a Facebook account.
 
 ## Create an app in the Facebook developers console
 
@@ -51,7 +53,9 @@ To use a Facebook account as an [identity provider](identity-providers.md), you
 18. To make your Facebook application available to Azure AD, select the Status selector at the top right of the page and turn it **On** to make the Application public, and then select **Switch Mode**. At this point the Status should change from **Development** to **Live**.
 
 ## Configure a Facebook account as an identity provider
+Now you'll set the Facebook client ID and client secret, either by entering it in the Azure AD portal or by using PowerShell. You can test your Facebook configuration by signing up via a user flow on an app enabled for self-service sign-up.
 
+### To configure Facebook federation in the Azure AD portal
 1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of your Azure AD tenant.
 2. Under **Azure services**, select **Azure Active Directory**.
 3. In the left menu, select **External Identities**.
@@ -62,8 +66,39 @@ To use a Facebook account as an [identity provider](identity-providers.md), you
    ![Screenshot showing the Add social identity provider page](media/facebook-federation/add-social-identity-provider-page.png)
 
 7. Select **Save**.
+### To configure Facebook federation by using PowerShell
+1. Install the latest version of the Azure AD PowerShell for Graph module ([AzureADPreview](https://www.powershellgallery.com/packages/AzureADPreview)).
+2. Run the following command:
+   `Connect-AzureAD`.
+3. At the sign-in prompt, sign in with the managed Global Administrator account.  
+4. Run the following command: 
+   
+   `New-AzureADMSIdentityProvider -Type Facebook -Name Facebook -ClientId [Client ID] -ClientSecret [Client secret]`
+ 
+   > [!NOTE]
+   > Use the client ID and client secret from the app you created above in the Facebook developer console. For more information, see the [New-AzureADMSIdentityProvider](https://docs.microsoft.com/powershell/module/azuread/new-azureadmsidentityprovider?view=azureadps-2.0-preview) article. 
+
+## How do I remove Facebook federation?
+You can delete your Facebook federation setup. If you do so, any users who have signed up through user flows with their Facebook accounts will no longer be able to log in. 
+
+### To delete Facebook federation in the Azure AD portal: 
+1. Go to the [Azure portal](https://portal.azure.com). In the left pane, select **Azure Active Directory**. 
+2. Select **External Identities**.
+3. Select **All identity providers**.
+4. On the **Facebook** line, select the context menu (**...**) and then select **Delete**. 
+5. Select **Yes** to confirm deletion.
+
+### To delete Facebook federation by using PowerShell: 
+1. Install the latest version of the Azure AD PowerShell for Graph module ([AzureADPreview](https://www.powershellgallery.com/packages/AzureADPreview)).
+2. Run `Connect-AzureAD`.  
+4. In the sign-in prompt, sign in with the managed Global Administrator account.  
+5. Enter the following command:
+
+    `Remove-AzureADMSIdentityProvider -Id Facebook-OAUTH`
+
+   > [!NOTE]
+   > For more information, see [Remove-AzureADMSIdentityProvider](https://docs.microsoft.com/powershell/module/azuread/Remove-AzureADMSIdentityProvider?view=azureadps-2.0-preview). 
 
 ## Next steps
 
-- [Invite external users for collaboration](add-users-administrator.md)
 - [Add self-service sign-up to an app](self-service-sign-up-user-flow.md)

articles/active-directory/conditional-access/app-protection-based-conditional-access.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: article
-ms.date: 04/02/2020
+ms.date: 05/08/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -19,10 +19,11 @@ ms.collection: M365-identity-device-management
 
 People regularly use their mobile devices for both personal and work tasks. While making sure staff can be productive, organizations also want to prevent data loss from potentially unsecure applications. With Conditional Access, organizations can restrict access to approved (modern authentication capable) client apps with Intune app protection policies applied to them.
 
-This article presents two scenarios to configure Conditional Access policies for resources like Office 365, Exchange Online, and SharePoint Online.
+This article presents three scenarios to configure Conditional Access policies for resources like Office 365, Exchange Online, and SharePoint Online.
 
 - [Scenario 1: Office 365 apps require approved apps with app protection policies](#scenario-1-office-365-apps-require-approved-apps-with-app-protection-policies)
-- [Scenario 2: Exchange Online and SharePoint Online require an approved client app and app protection policy](#scenario-2-exchange-online-and-sharepoint-online-require-an-approved-client-app-and-app-protection-policy)
+- [Scenario 2: Browser apps require approved apps with app protection policies](#scenario-2-browser-apps-require-approved-apps-with-app-protection-policies)
+- [Scenario 3: Exchange Online and SharePoint Online require an approved client app and app protection policy](#scenario-3-exchange-online-and-sharepoint-online-require-an-approved-client-app-and-app-protection-policy)
 
 In the Conditional Access, these client apps are known to be protected with an app protection policy. More information about app protection policies can be found in the article, [App protection policies overview](/intune/apps/app-protection-policy)
 
@@ -83,7 +84,40 @@ For the Conditional Access policy in this step, configure the following componen
 
 Review the article [How to create and assign app protection policies](/intune/apps/app-protection-policies), for steps to create app protection policies for Android and iOS. 
 
-## Scenario 2: Exchange Online and SharePoint Online require an approved client app and app protection policy
+## Scenario 2: Browser apps require approved apps with app protection policies
+
+In this scenario, Contoso has decided that all mobile web browsing access to Office 365 resources must use an approved client app, like Edge for iOS and Android, protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.
+
+Organizations must complete the following steps in order to require the use of an approved client app on mobile devices.
+
+**Step 1: Configure an Azure AD Conditional Access policy for Office 365**
+
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users and groups**
+   1. Under **Include**, select **All users** or the specific **Users and groups** you wish to apply this policy to. 
+   1. Select **Done**.
+1. Under **Cloud apps or actions** > **Include**, select **Office 365 (preview)**.
+1. Under **Conditions**, select **Device platforms**.
+   1. Set **Configure** to **Yes**.
+   1. Include **Android** and **iOS**.
+1. Under **Conditions**, select **Client apps (preview)**.
+   1. Set **Configure** to **Yes**.
+   1. Select **Browser**.
+1. Under **Access controls** > **Grant**, select the following options:
+   - **Require approved client app**
+   - **Require app protection policy (preview)**
+   - **Require all the selected controls**
+1. Confirm your settings and set **Enable policy** to **On**.
+1. Select **Create** to create and enable your policy.
+
+**Step 2: Configure Intune app protection policy for iOS and Android client applications**
+
+Review the article [How to create and assign app protection policies](/intune/apps/app-protection-policies), for steps to create app protection policies for Android and iOS. 
+
+## Scenario 3: Exchange Online and SharePoint Online require an approved client app and app protection policy
 
 In this scenario, Contoso has decided that users may only access email and SharePoint data on mobile devices as long as they use an approved client app like Outlook mobile protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.
 

articles/active-directory/develop/quickstart-v2-python-webapp.md

@@ -25,7 +25,7 @@ When you've completed the guide, your application will accept sign-ins of person
 To run this sample, you will need:
 
 - [Python 2.7+](https://www.python.org/downloads/release/python-2713) or [Python 3+](https://www.python.org/downloads/release/python-364/)
-- [Flask](http://flask.pocoo.org/), [Flask-Session](https://pythonhosted.org/Flask-Session/), [requests](https://requests.kennethreitz.org/en/master/)
+- [Flask](http://flask.pocoo.org/), [Flask-Session](https://pypi.org/project/Flask-Session/), [requests](https://requests.kennethreitz.org/en/master/)
 - [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python)
 
 > [!div renderon="docs"]

articles/active-directory/develop/registration-config-multi-tenant-application-add-to-gallery-how-to.md

@@ -21,7 +21,7 @@ ms.reviewer: jeedes
 
 ## What is the Azure AD application gallery?
 
-Azure Active Directory (Azure AD) is a cloud-based identity service. The [Azure AD application gallery](https://azure.microsoft.com/marketplace/active-directory/all/) is in the Azure Marketplace app store, where all application connectors are published for single sign-on and user provisioning. Customers who use Azure AD as an identity provider find the different SaaS application connectors published here. IT administrators add connectors from the app gallery, and then configure and use the connectors for single sign-on and provisioning. Azure AD supports all major federation protocols, including SAML 2.0, OpenID Connect, OAuth, and WS-Fed for single sign-on. 
+Azure Active Directory (Azure AD) is a cloud-based identity service. The [Azure AD application gallery](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.AzureActiveDirectory) is in the Azure Marketplace app store, where all application connectors are published for single sign-on and user provisioning. Customers who use Azure AD as an identity provider find the different SaaS application connectors published here. IT administrators add connectors from the app gallery, and then configure and use the connectors for single sign-on and provisioning. Azure AD supports all major federation protocols, including SAML 2.0, OpenID Connect, OAuth, and WS-Fed for single sign-on. 
 
 ## If your application supports SAML or OpenIDConnect
 If you have a multitenant application that you want listed in the Azure AD application gallery, you must first make sure that your application supports one of the following single sign-on technologies:

articles/active-directory/fundamentals/active-directory-faq.md

@@ -149,7 +149,7 @@ We do have a gateway that filters requests and provides some protection from bot
 
 **A:** Azure AD has more than 2,600 pre-integrated applications from Microsoft, application service providers, and partners. All pre-integrated applications support single sign-on (SSO). SSO lets you use your organizational credentials to access your apps. Some of the applications also support automated provisioning and de-provisioning.
 
-For a complete list of the pre-integrated applications, see the [Active Directory Marketplace](https://azure.microsoft.com/marketplace/active-directory/).
+For a complete list of the pre-integrated applications, see the [Active Directory Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.AzureActiveDirectory).
 
 ---
 **Q: What if the application I need is not in the Azure AD marketplace?**

articles/active-directory/fundamentals/whats-new-archive.md

@@ -1841,7 +1841,7 @@ For more information about group-based licensing, see [What is group-based licen
 
 In November 2018, we've added these 26 new apps with Federation support to the app gallery:
 
-[CoreStack](https://cloud.corestack.io/site/login), [HubSpot](https://docs.microsoft.com/azure/active-directory/saas-apps/HubSpot-tutorial), [GetThere](https://docs.microsoft.com/azure/active-directory/saas-apps/getthere-tutorial), [Gra-Pe](https://docs.microsoft.com/azure/active-directory/saas-apps/grape-tutorial), [eHour](https://getehour.com/try-now), [Consent2Go](https://docs.microsoft.com/azure/active-directory/saas-apps/Consent2Go-tutorial), [Appinux](https://docs.microsoft.com/azure/active-directory/saas-apps/appinux-tutorial), [DriveDollar](https://azuremarketplace.microsoft.com/marketplace/apps/savitas.drivedollar-azuread?tab=Overview), [Useall](https://docs.microsoft.com/azure/active-directory/saas-apps/useall-tutorial), [Infinite Campus](https://docs.microsoft.com/azure/active-directory/saas-apps/infinitecampus-tutorial), [Alaya](https://alayagood.com/en/demo/), [HeyBuddy](https://docs.microsoft.com/azure/active-directory/saas-apps/heybuddy-tutorial), [Wrike SAML](https://docs.microsoft.com/azure/active-directory/saas-apps/wrike-tutorial), [Drift](https://docs.microsoft.com/azure/active-directory/saas-apps/drift-tutorial), [Zenegy for Business Central 365](https://accounting.zenegy.com/), [Everbridge Member Portal](https://docs.microsoft.com/azure/active-directory/saas-apps/everbridge-tutorial), [IDEO](https://profile.ideo.com/users/sign_up), [Ivanti Service Manager (ISM)](https://docs.microsoft.com/azure/active-directory/saas-apps/ivanti-service-manager-tutorial), [Peakon](https://docs.microsoft.com/azure/active-directory/saas-apps/peakon-tutorial), [Allbound SSO](https://docs.microsoft.com/azure/active-directory/saas-apps/allbound-sso-tutorial), [Plex Apps - Classic Test](https://test.plexonline.com/signon), [Plex Apps – Classic](https://www.plexonline.com/signon), [Plex Apps - UX Test](https://test.cloud.plex.com/sso), [Plex Apps – UX](https://cloud.plex.com/sso), [Plex Apps – IAM](https://accounts.plex.com/), [CRAFTS - Childcare Records, Attendance, & Financial Tracking System](https://getcrafts.ca/craftsregistration)
+[CoreStack](https://cloud.corestack.io/site/login), [HubSpot](https://docs.microsoft.com/azure/active-directory/saas-apps/HubSpot-tutorial), [GetThere](https://docs.microsoft.com/azure/active-directory/saas-apps/getthere-tutorial), [Gra-Pe](https://docs.microsoft.com/azure/active-directory/saas-apps/grape-tutorial), [eHour](https://getehour.com/try-now), [Consent2Go](https://docs.microsoft.com/azure/active-directory/saas-apps/Consent2Go-tutorial), [Appinux](https://docs.microsoft.com/azure/active-directory/saas-apps/appinux-tutorial), [DriveDollar](https://azuremarketplace.microsoft.com/marketplace/apps/savitas.drivedollar-azuread?tab=Overview), [Useall](https://docs.microsoft.com/azure/active-directory/saas-apps/useall-tutorial), [Infinite Campus](https://docs.microsoft.com/azure/active-directory/saas-apps/infinitecampus-tutorial), [Alaya](https://alayagood.com), [HeyBuddy](https://docs.microsoft.com/azure/active-directory/saas-apps/heybuddy-tutorial), [Wrike SAML](https://docs.microsoft.com/azure/active-directory/saas-apps/wrike-tutorial), [Drift](https://docs.microsoft.com/azure/active-directory/saas-apps/drift-tutorial), [Zenegy for Business Central 365](https://accounting.zenegy.com/), [Everbridge Member Portal](https://docs.microsoft.com/azure/active-directory/saas-apps/everbridge-tutorial), [IDEO](https://profile.ideo.com/users/sign_up), [Ivanti Service Manager (ISM)](https://docs.microsoft.com/azure/active-directory/saas-apps/ivanti-service-manager-tutorial), [Peakon](https://docs.microsoft.com/azure/active-directory/saas-apps/peakon-tutorial), [Allbound SSO](https://docs.microsoft.com/azure/active-directory/saas-apps/allbound-sso-tutorial), [Plex Apps - Classic Test](https://test.plexonline.com/signon), [Plex Apps – Classic](https://www.plexonline.com/signon), [Plex Apps - UX Test](https://test.cloud.plex.com/sso), [Plex Apps – UX](https://cloud.plex.com/sso), [Plex Apps – IAM](https://accounts.plex.com/), [CRAFTS - Childcare Records, Attendance, & Financial Tracking System](https://getcrafts.ca/craftsregistration)
 
 For more information about the apps, see [SaaS application integration with Azure Active Directory](https://aka.ms/appstutorial). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](https://aka.ms/azureadapprequest).