Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into mm-assign

Author: msmimart

articles/active-directory-b2c/restful-technical-profile.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 02/24/2020
+ms.date: 03/02/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -122,6 +122,7 @@ The technical profile also returns claims, that aren't returned by the identity
 | --------- | -------- | ----------- |
 | ServiceUrl | Yes | The URL of the REST API endpoint. |
 | AuthenticationType | Yes | The type of authentication being performed by the RESTful claims provider. Possible values: `None`, `Basic`, `Bearer`, or `ClientCertificate`. The `None` value indicates that the REST API is not anonymous. The `Basic` value indicates that the REST API is secured with HTTP basic authentication. Only verified users, including Azure AD B2C, can access your API. The `ClientCertificate` (recommended) value indicates that the REST API restricts access by using client certificate authentication. Only services that have the appropriate certificates, for example Azure AD B2C, can access your API. The `Bearer` value indicates that the REST API restricts access using client OAuth2 Bearer token. |
+| AllowInsecureAuthInProduction| No| Indicates whether the `AuthenticationType` can be set to `none` in production environment (`DeploymentMode` of the [TrustFrameworkPolicy](trustframeworkpolicy.md) is set to `Production`, or not specified). Possible values: true, or false (default). |
 | SendClaimsIn | No | Specifies how the input claims are sent to the RESTful claims provider. Possible values: `Body` (default), `Form`, `Header`, or `QueryString`. The `Body` value is the input claim that is sent in the request body in JSON format. The `Form` value is the input claim that is sent in the request body in an ampersand '&' separated key value format. The `Header` value is the input claim that is sent in the request header. The `QueryString` value is the input claim that is sent in the request query string. The HTTP verbs invoked by each are as follows:<br /><ul><li>`Body`: POST</li><li>`Form`: POST</li><li>`Header`: GET</li><li>`QueryString`: GET</li></ul> |
 | ClaimsFormat | No | Specifies the format for the output claims. Possible values: `Body` (default), `Form`, `Header`, or `QueryString`. The `Body` value is the output claim that is sent in the request body in JSON format. The `Form` value is the output claim that is sent in the request body in an ampersand '&' separated key value format. The `Header` value is the output claim that is sent in the request header. The `QueryString` value is the output claim that is sent in the request query string. |
 | ClaimUsedForRequestPayload| No | Name of a string claim that contains the payload to be sent to the REST API. |

articles/active-directory-domain-services/troubleshoot.md

@@ -134,7 +134,7 @@ If one or more users in your Azure AD tenant can't sign in to the Azure AD DS ma
       * You've deployed, or updated to, the [latest recommended release of Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594).
       * You've configured Azure AD Connect to [perform a full synchronization][hybrid-phs].
       * Depending on the size of your directory, it may take a while for user accounts and credential hashes to be available in Azure AD DS. Make sure you wait long enough before trying to authenticate against the managed domain.
-      * If the issue persists after verifying the previous steps, try restarting the *Microsoft Azure AD Sync Service*. From your [management VM][management-vm], open a command prompt and run the following commands:
+      * If the issue persists after verifying the previous steps, try restarting the *Microsoft Azure AD Sync Service*. From your Azure AD Connect server, open a command prompt and run the following commands:
 
         ```console
         net stop 'Microsoft Azure AD Sync'

articles/active-directory/authentication/howto-authentication-passwordless-phone.md

@@ -91,6 +91,10 @@ End users who are enabled for MFA through an organization’s on-premises Azure
 
 One of the prerequisites to create this new strong credential, is that the device, where the Microsoft Authenticator app is installed, must also be registered within the Azure AD tenant to an individual user. Due to current device registration restrictions, a device can only be registered in a single tenant. This limit means that only one work or school account in the Microsoft Authenticator app can be enabled for phone sign-in.
 
+### Intune mobile application management 
+
+End users who are subject to a policy that requires mobile application management (MAM) can't register the passwordless credential in the Microsoft Authenticator app. 
+
 > [!NOTE]
 > Device registration is not the same as device management or "MDM." It only associates a device ID and a user ID together in the Azure AD directory.  
 

articles/active-directory/b2b/media/use-dynamic-groups/all-guest-user-rule-syntax.png

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 12/14/2017
+ms.date: 02/28/2020
 
 ms.author: mimart
 author: msmimart
@@ -23,21 +23,51 @@ Dynamic configuration of security group membership for Azure Active Directory (A
 
 The appropriate [Azure AD Premium P1 or P2 licensing](https://azure.microsoft.com/pricing/details/active-directory/) is required to create and use dynamic groups. Learn more in the article [Create attribute-based rules for dynamic group membership in Azure Active Directory](../users-groups-roles/groups-dynamic-membership.md).
 
-## What are the built-in dynamic groups?
-The **All users** dynamic group enables tenant admins to create a group containing all users in the tenant with a single click. By default, the **All users** group includes all users in the directory, including Members and Guests.
-Within the new Azure Active Directory admin portal, you can choose to enable the **All users** group in the Group Settings view.
+## Creating an "all users" dynamic group
+You can create a group containing all users within a tenant using a membership rule. When users are added or removed from the tenant in the future, the group's membership is adjusted automatically.
 
-![Shows enable the All Users group set to Yes](media/use-dynamic-groups/enable-all-users-group.png)
+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is assigned the Global administrator or User administrator role in the tenant.
+1. Select **Azure Active Directory**.
+2. Under **Manage**, select **Groups**, and then select **New group**.
+1. On the **New Group** page, under **Group type**, select **Security**. Enter a **Group name** and **Group description** for the new group. 
+2. Under **Membership type**, select **Dynamic User**, and then select **Add dynamic query**. 
+4. Above the **Rule syntax** text box, select **Edit**. On the **Edit rule syntax** page, type the following expression in the text box:
 
-## Hardening the All users dynamic group
-By default, the **All users** group contains your B2B collaboration (guest) users as well. You can further secure your **All users** group by using a rule to remove guest users. The following illustration shows the **All users** group modified to exclude guests.
+   ```
+   user.objectId -ne null
+   ```
+1. Select **OK**. The rule appears in the Rule syntax box:
 
-![Shows rule where user type not equals guest](media/use-dynamic-groups/exclude-guest-users.png)
+   ![Rule syntax for all users dynamic group](media/use-dynamic-groups/all-user-rule-syntax.png)
 
-You might also find it useful to create a new dynamic group that contains only guest users, so that you can apply policies (such as Azure AD Conditional Access policies) to them.
-What such a group might look like:
+1.  Select **Save**. The new dynamic group will now include B2B guest users as well as member users.
 
-![Shows rule where user type equals guest](media/use-dynamic-groups/only-guest-users.png)
+
+1. Select **Create** on the **New group** page to create the group.
+
+## Creating a group of members only
+
+If you want your group to exclude guest users and include only members of your tenant, create a dynamic group as described above, but in the **Rule syntax** box, enter the following expression:
+
+```
+(user.objectId -ne null) and (user.userType -eq "Member")
+```
+
+The following image shows the rule syntax for a dynamic group modified to include members only and exclude guests.
+
+![Shows rule where user type equals member](media/use-dynamic-groups/all-member-user-rule-syntax.png)
+
+## Creating a group of guests only
+
+You might also find it useful to create a new dynamic group that contains only guest users, so that you can apply policies (such as Azure AD Conditional Access policies) to them. Create a dynamic group as described above, but in the **Rule syntax** box, enter the following expression:
+
+```
+(user.objectId -ne null) and (user.userType -eq "Guest")
+```
+
+The following image shows the rule syntax for a dynamic group modified to include guests only and exclude member users.
+
+![Shows rule where user type equals guest](media/use-dynamic-groups/all-guest-user-rule-syntax.png)
 
 ## Next steps