Commit f72b256

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into image-tutorial
2 parents f9be0f9 + 5b9102c commit f72b256

1,043 files changed: +10737 -9575 lines changed


.openpublishing.redirection.json

Lines changed: 393 additions & 322 deletions
Large diffs are not rendered by default.

articles/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -273,10 +273,11 @@ Inspect the `B2CGraphClient.SendGraphPatchRequest()` method for details on how t
273273

274274
### Search users
275275

276-
You can search for users in your B2C tenant in two ways:
276+
You can search for users in your B2C tenant in the following ways:
277277

278278
* Reference the user's **object ID**.
279279
* Reference their sign-in identifer, the `signInNames` property.
280+
* Reference any of the valid OData parameters. For example, 'givenName', 'surname', 'displayName' etc.
280281

281282
Run one of the following commands to search for a user:
282283
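Review bot: The added bullet at line 280 puts the property names in single quotes ('givenName', 'surname', 'displayName') while the bullet directly above formats `signInNames` as code, and "valid OData parameters" is looser than what the examples show, which is a `$filter` on user properties. Suggest something like: "Reference any other filterable user property in a `$filter` expression, for example `givenName`, `surname`, or `displayName`." The unchanged line 279 still reads "identifer"; worth fixing while this list is being touched.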

@@ -290,6 +291,9 @@ For example:
290291
```cmd
291292
B2C Get-User 2bcf1067-90b6-4253-9991-7f16449c2d91
292293
B2C Get-User $filter=signInNames/any(x:x/value%20eq%20%27consumer@fabrikam.com%27)
294+
B2C get-user $filter=givenName%20eq%20%27John%27
295+
B2C get-user $filter=surname%20eq%20%27Doe%27
296+
B2C get-user $filter=displayName%20eq%20%27John%20Doe%27
293297
```
294298

295299
### Delete users
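Review bot: Lines 294-296 spell the command `B2C get-user` while the two existing examples directly above use `B2C Get-User`; pick one casing so readers do not have to guess whether the command is case-sensitive. The new examples also hand-encode the filter (`%20`, `%27`) without saying so. A sentence stating that the filter value must be URL-encoded, and that an apostrophe inside a name has to be doubled in an OData string literal, would keep readers from pasting raw user input into the filter.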

articles/active-directory-domain-services/faqs.md

Lines changed: 1 addition & 1 deletion
@@ -58,7 +58,7 @@ The service itself doesn't directly support this scenario. Your managed domain i
5858
Yes. For more information, see [how to enable Azure AD Domain Services using PowerShell](powershell-create-instance.md).
5959

6060
### Can I enable Azure AD Domain Services using a Resource Manager Template?
61-
No, it's not currently possible to enable Azure AD Domain Services using a template. For a scripted approach, see [how to enable Azure AD Domain Services using PowerShell](powershell-create-instance.md).
61+
Yes, you can create an Azure AD Domain Services managed domain using a Resource Manager template. A service principal and Azure AD group for administration must be created using the Azure portal or Azure PowerShell before the template is deployed. When you create an Azure AD Domain Services managed domain in the Azure portal, there's an option to export the template for use with additional deployments. There's also an [example template in the GitHub templates sample repo](https://github.com/Azure/azure-quickstart-templates/tree/master/101-AAD-DomainServices).
6262

6363
### Can I add domain controllers to an Azure AD Domain Services managed domain?
6464
No. The domain provided by Azure AD Domain Services is a managed domain. You don't need to provision, configure, or otherwise manage domain controllers for this domain. These management activities are provided as a service by Microsoft. Therefore, you can't add additional domain controllers (read-write or read-only) for the managed domain.
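Review bot: The new answer at line 61 says a service principal and an Azure AD group "must be created" before deployment, but it names neither and links to no steps, and it drops the link to powershell-create-instance.md that the old answer carried. Suggest naming the required service principal and administration group, or linking to the article that creates them, so the prerequisite is actionable. The sample link also points into the `master` tree of azure-quickstart-templates under a numbered folder name, which will break if the sample is renamed or moved.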

articles/active-directory/authentication/concept-authentication-passwordless.md

Lines changed: 1 addition & 1 deletion
@@ -72,7 +72,7 @@ The following providers offer FIDO2 security keys of different form factors that
7272
| Feitian | [https://www.ftsafe.com/about/Contact_Us](https://www.ftsafe.com/about/Contact_Us) |
7373
| HID | [https://www.hidglobal.com/contact-us](https://www.hidglobal.com/contact-us) |
7474
| Ensurity | [https://www.ensurity.com/contact](https://www.ensurity.com/contact) |
75-
| eWBM | [https://www.ewbm.com/page/sub1_5](https://www.ewbm.com/page/sub1_5) |
75+
| eWBM | [https://www.ewbm.com/support](https://www.ewbm.com/support) |
7676
| AuthenTrend | [https://authentrend.com/about-us/#pg-35-3](https://authentrend.com/about-us/#pg-35-3) |
7777

7878
> [!NOTE]

articles/active-directory/authentication/howto-authentication-passwordless-security-key-windows.md

Lines changed: 1 addition & 1 deletion
@@ -85,7 +85,7 @@ To target specific device groups to enable the credential provider, use the foll
8585

8686
### Enable with a provisioning package
8787

88-
For devices not managed by Intune, a provisioning package can be installed to enable the functionality. The Windows Configuration Designer app can be installed from the [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
88+
For devices not managed by Intune, a provisioning package can be installed to enable the functionality. The Windows Configuration Designer app can be installed from the [Microsoft Store](https://www.microsoft.com/en-us/p/windows-configuration-designer/9nblggh4tx22).
8989

9090
1. Launch the Windows Configuration Designer.
9191
1. Select **File** > **New project**.
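Review bot: The replacement Store link at line 88 hard-codes the `en-us` locale (`/en-us/p/windows-configuration-designer/9nblggh4tx22`), whereas the URL it replaces was locale-neutral. If the Store URL resolves without the locale segment, drop it so readers are not forced to the US English storefront.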

articles/active-directory/authentication/howto-sspr-deployment.md

Lines changed: 3 additions & 0 deletions
@@ -17,6 +17,9 @@ ms.collection: M365-identity-device-management
1717
---
1818
# Deploy Azure AD self-service password reset
1919

20+
> [!NOTE]
21+
> This guide explains self-service password reset and how to deploy it. If you are looking for the self service password reset tool to get back into your account, go to [https://aka.ms/sspr](https://aka.ms/sspr).
22+
2023
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT staff. Employees must register for or be registered for self-service password reset before using the service. During registration, the employee chooses one or more authentication methods enabled by their organization.
2124

2225
SSPR enables employees to quickly get unblocked and continue working no matter where they are or the time of day. By allowing users to unblock themselves, your organization can reduce the non-productive time and high support costs for most common password-related issues.
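Review bot: The added note at line 21 writes "self service password reset tool" without the hyphen, while the title, the first sentence of the same note, and the paragraphs below all use "self-service". Suggest "If you are looking for the self-service password reset tool to get back into your account, go to ..." so the term is spelled one way throughout.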

articles/active-directory/authentication/multi-factor-authentication-faq.md

Lines changed: 1 addition & 1 deletion
@@ -216,7 +216,7 @@ A workaround for this error is to have separate user accounts for admin-related
216216

217217
If your question isn't answered here, please leave it in the comments at the bottom of the page. Or, here are some additional options for getting help:
218218

219-
* Search the [Microsoft Support Knowledge Base](https://www.microsoft.com/en-us/search?form=mssupport&q=phonefactor&rtc=1) for solutions to common technical issues.
219+
* Search the [Microsoft Support Knowledge Base](https://support.microsoft.com) for solutions to common technical issues.
220220
* Search for and browse technical questions and answers from the community, or ask your own question in the [Azure Active Directory forums](https://social.msdn.microsoft.com/Forums/azure/newthread?category=windowsazureplatform&forum=WindowsAzureAD&prof=required).
221221
* If you're a legacy PhoneFactor customer and you have questions or need help resetting a password, use the [password reset](mailto:[email protected]) link to open a support case.
222222
* Contact a support professional through [Azure Multi-Factor Authentication Server (PhoneFactor) support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, and the ID of the user who saw the error.
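Review bot: After the change at line 219 the bullet still tells the reader to "Search the Microsoft Support Knowledge Base", but the link now lands on the support.microsoft.com home page rather than on a search. Either reword the link text to match the destination or keep a target that opens a search.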

articles/active-directory/develop/quickstart-configure-app-access-web-apis.md

Lines changed: 28 additions & 1 deletion
@@ -168,14 +168,41 @@ To add a credential to your web application:
168168
To add permission(s) to access resource APIs from your client:
169169

170170
1. From the app's **Overview** page, select **API permissions**.
171-
1. Select the **Add a permission** button.
171+
1. Under the **Configured permissions** section, select the **Add a permission** button.
172172
1. By default, the view allows you to select from **Microsoft APIs**. Select the section of APIs that you're interested in:
173173
* **Microsoft APIs** - Lets you select permissions for Microsoft APIs such as Microsoft Graph.
174174
* **APIs my organization uses** - Lets you select permissions for APIs that have been exposed by your organization, or APIs that your organization has integrated with.
175175
* **My APIs** - Lets you select permissions for APIs that you have exposed.
176176
1. Once you've selected the APIs, you'll see the **Request API Permissions** page. If the API exposes both delegated and application permissions, select which type of permission your application needs.
177177
1. When finished, select **Add permissions**. You will return to the **API permissions** page, where the permissions have been saved and added to the table.
178178

179+
## Understanding API permissions and admin consent UI
180+
181+
### Configured permissions
182+
183+
This section shows the permissions that have been explicitly configured on the application object (\the permissions that are part of the app's required resource access list). You may add or remove permissions from this table. As an admin, you can also grant/revoke admin consent for a set of an API's permissions or individual permissions in this section.
184+
185+
### Other permissions granted
186+
187+
If your application is registered in a tenant, you may see an additional section titled **Other permissions granted for Tenant**. This section shows permissions that have been granted for the tenant but have not been explicitly configured on the application object (e.g. permissions that were dynamically requested and consented). This section only appears if there is at least one permission that applies.
188+
189+
You may add a set of an API's permissions or individual permissions that appear in this section to the **Configured permissions** section. As an admin, you can also revoke admin consent for individual APIs or permissions in this section.
190+
191+
### Admin consent button
192+
193+
If your application is registered in a tenant, you will see a **Grant admin consent for Tenant** button. It will be disabled if you are not an admin, or if no permissions have been configured for the application.
194+
This button allows an admin to easily grant admin consent to the permissions configured for the application. Clicking the admin consent button launches a new window with a consent prompt showing all the configured permissions.
195+
196+
> [!NOTE]
197+
> There is a delay between permissions being configured for the application and them appearing on the consent prompt. If you do not see all the configured permissions in the consent prompt, close it and launch it again.
198+
199+
If you have permissions that have been granted but not configured, when clicking the admin consent button you will be prompted to decide how to handle these permissions. You may add them to configured permissions or you may remove them.
200+
201+
The consent prompt provides the option to **Accept** or **Cancel**. If you select **Accept**, admin consent is granted. If you select **Cancel**, admin consent is not granted, and you will see an error stating that consent has been declined.
202+
203+
> [!NOTE]
204+
> There is a delay between granting admin consent (selecting **Accept** on the consent prompt) and the status of admin consent being reflected in the UI.
205+
179206
## Next steps
180207

181208
Learn about these other related app management quickstarts for apps:
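Review bot: Line 183 contains a stray backslash in "(\the permissions that are part of the app's required resource access list)"; it reads like a dropped "i.e." or a broken escape and should be fixed before publishing. Lines 193 and 194 are two paragraphs with no blank line between them, so they will render as one. Since **Accept** grants consent for every configured permission at once, and line 199 lets an admin fold granted-but-unconfigured permissions into that set, consider adding a sentence that advises admins to review the listed permissions before accepting.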

articles/active-directory/fundamentals/whats-new-archive.md

Lines changed: 1 addition & 1 deletion
@@ -40,7 +40,7 @@ The What's new in Azure Active Directory? release notes provide information abou
4040

4141
Azure AD threat intelligence detection is now available as part of the updated Azure AD Identity Protection feature. This new functionality helps to indicate unusual user activity for a specific user or activity that’s consistent with known attack patterns based on Microsoft’s internal and external threat intelligence sources.
4242

43-
For more information about the refreshed version of Azure AD Identity Protection, see the [Four major Azure AD Identity Protection enhancements are now in public preview](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Four-major-Azure-AD-Identity-Protection-enhancements-are-now-in/ba-p/326935) blog and the [What is Azure Active Directory Identity Protection (refreshed)?](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-v2) article. For more information about Azure AD threat intelligence detection, see the [Azure Active Directory Identity Protection risk detections](https://docs.microsoft.com/azure/active-directory/identity-protection/risk-events-reference#azure-ad-threat-intelligence) article.
43+
For more information about the refreshed version of Azure AD Identity Protection, see the [Four major Azure AD Identity Protection enhancements are now in public preview](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Four-major-Azure-AD-Identity-Protection-enhancements-are-now-in/ba-p/326935) blog and the [What is Azure Active Directory Identity Protection (refreshed)?](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-v2) article. For more information about Azure AD threat intelligence detection, see the [Azure Active Directory Identity Protection risk detections](https://docs.microsoft.com/azure/active-directory/identity-protection/concept-identity-protection-risks) article.
4444

4545
---
4646
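Review bot: The replacement link at line 43 drops the section anchor. The old URL ended in `#azure-ad-threat-intelligence`, while the new `concept-identity-protection-risks` URL points at the top of the article even though the sentence is specifically about threat intelligence detection. If the new article has a matching heading, add its anchor so the reader lands on the relevant detection.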

articles/active-directory/hybrid/how-to-connect-install-custom.md

Lines changed: 4 additions & 2 deletions
@@ -10,7 +10,7 @@ ms.assetid: 6d42fb79-d9cf-48da-8445-f482c4c536af
1010
ms.service: active-directory
1111
ms.workload: identity
1212
ms.topic: conceptual
13-
ms.date: 09/25/2019
13+
ms.date: 11/14/2019
1414
ms.subservice: hybrid
1515
ms.author: billmath
1616
ms.collection: M365-identity-device-management
@@ -82,7 +82,9 @@ After entering the forest name and clicking **Add Directory**, a pop-up dialog
8282
![Connect Directory](./media/how-to-connect-install-custom/connectdir02.png)
8383

8484
#### Enterprise Admin and Domain Admin accounts not supported
85-
As of build 1.4.###.# it is no longer supported to use an Enterprise Admin or a Domain Admin account as the AD DS Connector account. If you attempt to enter an account that is an enterprise admin or domain admin when specifying **use existing account**, you will receive an error.
85+
As of build 1.4.18.0 it is no longer supported to use an Enterprise Admin or a Domain Admin account as the AD DS Connector account. If you attempt to enter an account that is an enterprise admin or domain admin when specifying **use existing account**, you will receive the following error:
86+
87+
**“Using an Enterprise or Domain administrator account for your AD forest account is not allowed. Let Azure AD Connect create the account for you or specify a synchronization account with the correct permissions. <Learn More>**
8688

8789
### Azure AD sign-in configuration
8890
This page allows you to review the UPN domains present in on-premises AD DS and which have been verified in Azure AD. This page also allows you to configure the attribute to use for the userPrincipalName.
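Review bot: The quoted error at line 87 opens with a curly quotation mark that is never closed, and `<Learn More>` is written as a bare angle-bracket tag, which a Markdown renderer can treat as HTML and drop. Suggest closing the quote and escaping or rewording the link text. A short sentence on why these accounts are rejected, namely that the connector account should hold only the permissions synchronization needs, would also help readers pick the replacement account the error message asks for.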
