Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

.openpublishing.redirection.json

@@ -1,5 +1,5 @@
 ---
-title: Passwordless security key sign (preview) - Azure Active Directory
+title: Passwordless security key sign-in (preview) - Azure Active Directory
 description: Enable passwordless security key sign-in to Azure AD using FIDO2 security keys (preview)
 
 services: active-directory

articles/active-directory/authentication/howto-authentication-passwordless-security-key.md

@@ -123,13 +123,13 @@ The sign-in activity reports for MFA give you access to the following informatio
 
 First, ensure that you have the [MSOnline V1 PowerShell module](https://docs.microsoft.com/powershell/azure/active-directory/overview?view=azureadps-1.0) installed.
 
-Identify users who have registered for MFA using the PowerShell that follows.
+Identify users who have registered for MFA using the PowerShell that follows. This set of commands excludes disabled users since these accounts cannot authenticate against Azure AD.
 
-```Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName```
+```Get-MsolUser -All | Where-Object {$.StrongAuthenticationMethods -ne $null -and $.BlockCredential -eq $False} | Select-Object -Property UserPrincipalName```
 
-Identify users who have not registered for MFA using the PowerShell that follows.
+Identify users who have not registered for MFA using the PowerShell that follows. This set of commands excludes disabled users since these accounts cannot authenticate against Azure AD.
 
-```Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName```
+```Get-MsolUser -All | Where-Object {$.StrongAuthenticationMethods.Count -eq 0 -and $.BlockCredential -eq $False} | Select-Object -Property UserPrincipalName```
 
 Identify users and output methods registered. 
 

articles/active-directory/authentication/howto-mfa-reporting.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 02/25/2020
+ms.date: 03/20/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -104,6 +104,8 @@ The safety feature is necessary because *block all users and all cloud apps* has
 
 You can satisfy this safety feature by excluding one user from your policy. Ideally, you should define a few [emergency-access administrative accounts in Azure AD](../users-groups-roles/directory-emergency-access.md) and exclude them from your policy.
 
+Using [report-only mode](concept-conditional-access-report-only.md) when enabling your policy to block legacy authentication provides your organization an opportunity to monitor what the impact of the policy would be.
+
 ## Policy deployment
 
 Before you put your policy into production, take care of:
@@ -133,5 +135,6 @@ If you block legacy authentication using the **Other clients** condition, you ca
 
 ## Next steps
 
+- [Determine impact using Conditional Access report-only mode](howto-conditional-access-report-only.md)
 - If you are not familiar with configuring Conditional Access policies yet, see [require MFA for specific apps with Azure Active Directory Conditional Access](app-based-mfa.md) for an example.
 - For more information about modern authentication support, see [How modern authentication works for Office 2013 and Office 2016 client apps](/office365/enterprise/modern-auth-for-office-2013-and-2016) 

articles/active-directory/conditional-access/block-legacy-authentication.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 02/11/2020
+ms.date: 03/20/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -19,6 +19,9 @@ ms.collection: M365-identity-device-management
 
 To configure a Conditional Access policy in report-only mode:
 
+> [!IMPORTANT]
+> If your organization has not already, [Set up Azure Monitor integration with Azure AD](#set-up-azure-monitor-integration-with-azure-ad). This process must take place before data will be available to review.
+
 1. Sign into the **Azure portal** as a Conditional Access administrator, security administrator, or global administrator.
 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
 1. Select **New policy**.
@@ -52,7 +55,7 @@ More information about Azure Monitor pricing can be found on the [Azure Monitor
 
 ## View Conditional Access Insights workbook
 
-Once you’ve integrated your Azure AD logs with Azure Monitor, you can monitor the impact of Conditional Access policies using the new Conditional Access insights workbooks.
+Once you've integrated your Azure AD logs with Azure Monitor, you can monitor the impact of Conditional Access policies using the new Conditional Access insights workbooks.
 
 1. Sign into the **Azure portal** as a security administrator or global administrator.
 1. Browse to **Azure Active Directory** > **Workbooks**.
@@ -75,9 +78,9 @@ Once you’ve integrated your Azure AD logs with Azure Monitor, you can monitor
 
 Customers have noticed that queries sometimes fail if the wrong or multiple workspaces are associated with the workbook. To fix this problem, click **Edit** at the top of the workbook and then the Settings gear. Select and then remove workspaces that are not associated with the workbook. There should be only one workspace associated with each workbook.
 
-### Why doesn’t the Conditional Access Policies dropdown parameter contain my policies?
+### Why doesn't the Conditional Access Policies dropdown parameter contain my policies?
 
-The Conditional Access Policies dropdown is populated by querying the most recent sign-ins over a period of 4 hours. If a tenant doesn’t have any sign-ins in the past 4 hours, it is possible that the dropdown will be empty. If this delay is a persistent problem, such as in small tenants with infrequent sign-ins, admins can edit the query for the Conditional Access Policies dropdown and extend the time for the query to a time longer than 4 hours.
+The Conditional Access Policies dropdown is populated by querying the most recent sign-ins over a period of 4 hours. If a tenant doesn't have any sign-ins in the past 4 hours, it is possible that the dropdown will be empty. If this delay is a persistent problem, such as in small tenants with infrequent sign-ins, admins can edit the query for the Conditional Access Policies dropdown and extend the time for the query to a time longer than 4 hours.
 
 ## Next steps
 

articles/active-directory/conditional-access/howto-conditional-access-report-only.md

@@ -83,7 +83,7 @@ Depending on how your client is built, it can use one (or several) of the authen
 |[Authorization code flow](v2-oauth2-auth-code-flow.md) | | x | x | x | x|  
 |[Implicit flow](v2-oauth2-implicit-grant-flow.md) | | x        | x    |      |                    |
 |[Hybrid OIDC flow](v2-protocols-oidc.md#get-access-tokens)| | x  | |          |            x   |
-|[Refresh token redemption](v2-oauth2-auth-code-flow.md#refreshing-the-access-tokens) | refresh token | x | x | x| |
+|[Refresh token redemption](v2-oauth2-auth-code-flow.md#refresh-the-access-token) | refresh token | x | x | x| |
 |[On-behalf-of flow](v2-oauth2-on-behalf-of-flow.md) | access token| x| x| x| |
 |[Client credentials](v2-oauth2-client-creds-grant-flow.md) | | | x (app-only)| | |
 

articles/active-directory/develop/authentication-scenarios.md

@@ -244,7 +244,8 @@ Example value:
 Specifies what Microsoft accounts are supported for the current application. Supported values are:
 - **AzureADMyOrg** - Users with a Microsoft work or school account in my organization's Azure AD tenant (for example, single tenant)
 - **AzureADMultipleOrgs** - Users with a Microsoft work or school account in any organization's Azure AD tenant (for example, multi-tenant)
-- **AzureADandPersonalMicrosoftAccount** - Users with a personal Microsoft account, or a work or school account in any organization's Azure AD tenant 
+- **AzureADandPersonalMicrosoftAccount** - Users with a personal Microsoft account, or a work or school account in any organization's Azure AD tenant
+- **PersonalMicrosoftAccount** - Personal accounts that are used to sign in to services like Xbox and Skype.
 
 Example value:  
 `AzureADandPersonalMicrosoftAccount` 

articles/active-directory/develop/reference-app-manifest.md

@@ -29,7 +29,7 @@ The value you select for this property has implications on other app object prop
 
 See the following table for the validation differences of various properties for different supported account types.
 
-| Property | `AzureADMyOrg` | `AzureADMultipleOrgs`  | `AzureADandPersonalMicrosoftAccount` |
+| Property | `AzureADMyOrg` | `AzureADMultipleOrgs` | `AzureADandPersonalMicrosoftAccount` and `PersonalMicrosoftAccount` |
 |--------------|---------------|----------------|----------------|
 | Application ID URI (`identifierURIs`)  | Must be unique in the tenant <br><br> urn:// schemes are supported <br><br> Wildcards are not supported <br><br> Query strings and fragments are supported <br><br> Maximum length of 255 characters <br><br> No limit* on number of identifierURIs  | Must be globally unique <br><br> urn:// schemes are supported <br><br> Wildcards are not supported <br><br> Query strings and fragments are supported <br><br> Maximum length of 255 characters <br><br> No limit* on number of identifierURIs | Must be globally unique <br><br> urn:// schemes are not supported <br><br> Wildcards, fragments and query strings are not supported <br><br> Maximum length of 120 characters <br><br> Maximum of 50 identifierURIs |
 | Certificates (`keyCredentials`) | Symmetric signing key | Symmetric signing key | Encryption and asymmetric signing key | 

articles/active-directory/develop/supported-accounts-validation.md

@@ -100,7 +100,9 @@ If your Windows 10 domain joined devices are [Azure AD registered](overview.md#g
 ### Additional considerations
 - If your environment uses virtual desktop infrastructure (VDI), see [Device identity and desktop virtualization](/azure/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure).
 
-- Hybrid Azure AD join is supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with Hybrid Azure AD join. Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Please contact your hardware OEM for support. Starting from Windows 10 1903 release, TPMs 1.2 are not used for hybrid Azure AD join and devices with those TPMs will be considered as if they don't have a TPM.
+- Hybrid Azure AD join is supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with Hybrid Azure AD join. Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Please contact your hardware OEM for support. 
+
+- Starting from Windows 10 1903 release, TPMs 1.2 are not used with hybrid Azure AD join and devices with those TPMs will be considered as if they don't have a TPM.
 
 ## Review controlled validation of hybrid Azure AD join
 

articles/active-directory/devices/hybrid-azuread-join-plan.md

@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
 
 # Assign or remove licenses in the Azure Active Directory portal
 
-Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and associated members) for that service. Only users with active licenses will be able to access and use the licensed Azure AD services for which that's true.
+Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and associated members) for that service. Only users with active licenses will be able to access and use the licensed Azure AD services for which that's true. Licenses are applied per tenant and do not transfer to other tenants. 
 
 ## Available license plans