Merge pull request #48134 from MicrosoftDocs/master

8/2 PM Publish

Author: huypub

.openpublishing.redirection.json

@@ -1147,7 +1147,7 @@
         },
         {
             "source_path": "articles/virtual-machines/linux/key-vault-setup-cli-nodejs.md",
-            "redirect_url": "/azure/virtual-machines/linux/key-vault-setup-cli",
+            "redirect_url": "/azure/virtual-machines/linux/key-vault-setup",
             "redirect_document_id": true
         },
         {
@@ -5507,8 +5507,8 @@
         },
         {
             "source_path": "articles/active-directory/active-directory-saas-linkedinlearning-provisioning-tutorial.md",
-            "redirect_url": "/azure/active-directory/saas-apps/linkedinlearning-provisioning-tutorial",
-            "redirect_document_id": true
+            "redirect_url": "/azure/active-directory/saas-apps/linkedinlearning-tutorial",
+            "redirect_document_id": false
         },
         {
             "source_path": "articles/active-directory/active-directory-saas-linkedinlearning-tutorial.md",
@@ -7927,7 +7927,7 @@
         },
         {
             "source_path": "articles/guidance/guidance-ra-app-service.md",
-            "redirect_url": "/azure/architecture/reference-architectures/managed-web-app",
+            "redirect_url": "/azure/architecture/reference-architectures/app-service-web-app/basic-web-app",
             "redirect_document_id": false
         },
         {
@@ -10947,7 +10947,7 @@
         },
         {
             "source_path": "articles/sql-database/sql-database-manage-single-databases-tsql.md",
-            "redirect_url": "https://docs.microsoft.com/sql/t-sql/statements/alter-database-azure-sql-database",
+            "redirect_url": "/sql/t-sql/statements/alter-database-transact-sql",
             "redirect_document_id": false
         },
         {
@@ -15402,7 +15402,7 @@
         },
         {
             "source_path": "articles/virtual-machines/virtual-machines-linux-key-vault-setup-cli-nodejs.md",
-            "redirect_url": "/azure/virtual-machines/linux/key-vault-setup-cli-nodejs",
+            "redirect_url": "/azure/virtual-machines/linux/key-vault-setup",
             "redirect_document_id": false
         },
         {
@@ -15417,7 +15417,7 @@
         },
         {
             "source_path": "articles/virtual-machines/virtual-machines-linux-mac-create-ssh-keys.experimental.md",
-            "redirect_url": "/azure/virtual-machines/linux/mac-create-ssh-keys.experimental",
+            "redirect_url": "/azure/virtual-machines/linux/mac-create-ssh-keys",
             "redirect_document_id": false
         },
         {
@@ -18942,7 +18942,7 @@
         },
         {
             "source_path": "articles/sql-database/sql-database-geo-replication-failover-transact-sql.md",
-            "redirect_url": "/sql/t-sql/statements/alter-database-azure-sql-database",
+            "redirect_url": "/sql/t-sql/statements/alter-database-transact-sql",
             "redirect_document_id": true
         },
         {
@@ -19387,12 +19387,12 @@
         },
         {
             "source_path": "articles/active-directory/active-directory-azureadjoin-personal-device.md",
-            "redirect_url": "/azure/active-directory/device-management-azuread-joined-devices-setup",
+            "redirect_url": "/azure/active-directory/user-help/device-management-azuread-joined-devices-setup",
             "redirect_document_id": false
         },
         {
             "source_path": "articles/active-directory/active-directory-azureadjoin-user-upgrade.md",
-            "redirect_url": "/azure/active-directory/device-management-azuread-registered-devices-windows10-setup",
+            "redirect_url": "/azure/active-directory/user-help/device-management-azuread-registered-devices-windows10-setup",
             "redirect_document_id": false
         },
         {
@@ -22132,7 +22132,7 @@
         },
         {
             "source_path": "articles/cognitive-services/Translator/speech-overview.md",
-            "redirect_url": "https://docs.microsofttranslator.com/speech-translate.html",
+            "redirect_url": "/azure/cognitive-services/speech-service/speech-translation",
             "redirect_document_id": false
         },
         {
@@ -25992,7 +25992,7 @@
         },
         {
             "source_path": "articles/active-directory/active-directory/migrate-adfs-apps-to-azure.md",
-            "redirect_url": "/azure/active-directory/manage-apps/active-directory/migrate-adfs-apps-to-azure",
+            "redirect_url": "/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure",
             "redirect_document_id": true
         },
         {
@@ -26257,17 +26257,17 @@
         },
         {
             "source_path": "articles/multi-factor-authentication/end-user/multi-factor-authentication-end-user-app-passwords.experimental.md",
-            "redirect_url": "/azure/active-directory/authentication/end-user/multi-factor-authentication-end-user-app-passwords",
+            "redirect_url": "/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords",
             "redirect_document_id": false
         },
         {
             "source_path": "articles/multi-factor-authentication/end-user/multi-factor-authentication-end-user-first-time.experimental.md",
-            "redirect_url": "/azure/active-directory/authentication/end-user/multi-factor-authentication-end-user-first-time",
+            "redirect_url": "/azure/active-directory/user-help/multi-factor-authentication-end-user-first-time",
             "redirect_document_id": false
         },
         {
             "source_path": "articles/multi-factor-authentication/end-user/multi-factor-authentication-end-user-troubleshoot.experimental.md",
-            "redirect_url": "/azure/active-directory/authentication/end-user/multi-factor-authentication-end-user-troubleshoot",
+            "redirect_url": "/azure/active-directory/user-help/multi-factor-authentication-end-user-troubleshoot",
             "redirect_document_id": false
         },
         {

articles/active-directory-b2c/active-directory-b2c-apps.md

@@ -56,7 +56,13 @@ Learn more about the types of tokens and claims available to an application in t
 
 In a web application, each execution of a [policy](active-directory-b2c-reference-policies.md) takes these high-level steps:
 
-![Web App Swimlanes Image](./media/active-directory-b2c-apps/webapp.png)
+1. The user browses to the web application.
+2. The web application redirects the user to Azure AD B2C indicating the policy to execute.
+3. The user completes policy.
+4. Azure AD B2C returns an `id_token` to the browser.
+5. The `id_token` is posted to the redirect URI.
+6. The `id_token` is validated and a session cookie is set.
+7. A secure page is returned to the user.
 
 Validation of the `id_token` by using a public signing key that is received from Azure AD is sufficient to verify the identity of the user. This also sets a session cookie that can be used to identify the user on subsequent page requests.
 
@@ -85,7 +91,15 @@ The web API can then use the token to verify the API caller's identity and to ex
 
 A web API can receive tokens from many types of clients, including web applications, desktop and mobile applications, single page applications, server-side daemons, and other web APIs. Here's an example of the complete flow for a web application that calls a web API:
 
-![Web App Web API Swimlanes Image](./media/active-directory-b2c-apps/webapi.png)
+1. The web application executes a policy and the user completes the user experience.
+2. Azure AD B2C returns an `access_token` and an authorization code to the browser.
+3. The browser posts the `access_token` and authorization code to the redirect URI.
+4. The web server validates the `access token` and sets a session cookie.
+5. The `access_token` is provided to Azure AD B2C with the authorization code, application client ID, and credentials.
+6. The `access_token` and `refresh_token` are returned to the web server.
+7. The web API is called with the `access_token` in an authorization header.
+8. The web API validates the token.
+9. Secure data is returned to the web server.
 
 To learn more about authorization codes, refresh tokens, and the steps for getting tokens, read about the [OAuth 2.0 protocol](active-directory-b2c-reference-oauth-code.md).
 
@@ -102,8 +116,6 @@ In this flow, the application executes [policies](active-directory-b2c-reference
 >
 >
 
-![Native App Swimlanes Image](./media/active-directory-b2c-apps/native.png)
-
 ## Current limitations
 
 Azure AD B2C does not currently support the following types of apps, but they are on the roadmap. 

articles/active-directory-b2c/active-directory-b2c-reference-oauth-code.md

@@ -19,7 +19,7 @@ and other identity management tasks to your mobile and desktop apps. This articl
 
 <!-- TODO: Need link to libraries -->
 
-The OAuth 2.0 authorization code flow is described in [section 4.1 of the OAuth 2.0 specification](http://tools.ietf.org/html/rfc6749). You can use it for authentication and authorization in most [application types](active-directory-b2c-apps.md), including web applications and natively installed applications. You can use the OAuth 2.0 authorization code flow to securely acquire access tokens for your applicationss, which can be used to access resources that are secured by an [authorization server](active-directory-b2c-reference-protocols.md).
+The OAuth 2.0 authorization code flow is described in [section 4.1 of the OAuth 2.0 specification](http://tools.ietf.org/html/rfc6749). You can use it for authentication and authorization in most [application types](active-directory-b2c-apps.md), including web applications and natively installed applications. You can use the OAuth 2.0 authorization code flow to securely acquire access tokens and refresh tokens for your applications, which can be used to access resources that are secured by an [authorization server](active-directory-b2c-reference-protocols.md).  The refresh token allows the client to acquire new access (and refresh) tokens once the access token expires, typically after one hour.
 
 This article focuses on the **public clients** OAuth 2.0 authorization code flow. A public client is any client application that cannot be trusted to securely maintain the integrity of a secret password. This includes mobile apps, desktop applications, and essentially any application that runs on a device and needs to get access tokens. 
 

articles/active-directory-b2c/manage-user-access.md

@@ -8,12 +8,12 @@ manager: mtillman
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 05/04/2018
+ms.date: 07/24/2018
 ms.author: davidmu
 ms.component: B2C
 ---
 
-# Manage user access in Azure AD B2C
+# Manage user access in Azure Active Directory B2C
 
 This article discusses how to manage user access to your applications by using Azure Active Directory (Azure AD) B2C. Access management in your application includes:
 
@@ -24,9 +24,6 @@ This article discusses how to manage user access to your applications by using A
 
 [!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
 
->[!Note] 
->This article provides information that you can use to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the [GDPR section of the Service Trust portal](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).
-
 ## Control minor access
 
 Applications and organizations may decide to block minors from using applications and services that are not targeted to this audience. Alternatively, applications and organizations may decide to accept minors and subsequently manage the parental consent, and deliver permissible experiences for minors as dictated by business rules and allowed by regulation. 

articles/active-directory-b2c/media/manage-user-access/user-flow.png

@@ -59,14 +59,14 @@ After setting up RDS and Azure AD Application Proxy for your environment, follow
 ### Publish the RD host endpoint
 
 1. [Publish a new Application Proxy application](application-proxy-publish-azure-portal.md) with the following values:
-   - Internal URL: https://\<rdhost\>.com/, where \<rdhost\> is the common root that RD Web and RD Gateway share.
+   - Internal URL: `https://\<rdhost\>.com/`, where `\<rdhost\>` is the common root that RD Web and RD Gateway share.
    - External URL: This field is automatically populated based on the name of the application, but you can modify it. Your users will go to this URL when they access RDS.
    - Preauthentication method: Azure Active Directory
    - Translate URL headers: No
 2. Assign users to the published RD application. Make sure they all have access to RDS, too.
 3. Leave the single sign-on method for the application as **Azure AD single sign-on disabled**. Your users are asked to authenticate once to Azure AD and once to RD Web, but have single sign-on to RD Gateway.
 4. Go to **Azure Active Directory** > **App Registrations** > *Your application* > **Settings**.
-5. Select **Properties** and update the **Home-page URL** field to point to your RD Web endpoint (like https://\<rdhost\>.com/RDWeb).
+5. Select **Properties** and update the **Home-page URL** field to point to your RD Web endpoint (like `https://\<rdhost\>.com/RDWeb`).
 
 ### Direct RDS traffic to Application Proxy
 

articles/active-directory/manage-apps/application-proxy-integrate-with-remote-desktop-services.md

@@ -23,12 +23,15 @@ ms.custom: it-pro
 Using Azure Active Directory (Azure AD), you can designate separate administrators to serve different functions. Administrators can be designated in the Azure AD portal to perform tasks such as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names.
 
 ## Details about the global administrator role
+
 The global administrator has access to all administrative features. By default, the person who signs up for an Azure subscription is assigned the global administrator role for the directory. Only global administrators can assign other administrator roles.
 
 ## Assign or remove administrator roles
+
 To learn how to assign administrative roles to a user in Azure Active Directory, see [Assign a user to administrator roles in Azure Active Directory](../fundamentals/active-directory-users-assign-role-azure-portal.md).
 
 ## Available roles
+
 The following administrator roles are available:
 
 * **[Application Administrator](#application-administrator)**: Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph and Azure AD Graph. Members of this role are not added as owners when creating new application registrations or enterprise applications.
@@ -45,7 +48,7 @@ The following administrator roles are available:
   > [!NOTE]
   > To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be a Global Administrator.
   
-* **[Device Administrators](#device-administrators)**: Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.
+* **[Device Administrators](#device-administrators)**: This role is available for assignment only as an additional local administrator in [Device settings](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/DeviceSettings/menuId/). Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage devices objects in Azure Active Directory. 
 
 * **[Directory Readers](#directory-readers)**: This is a legacy role that is to be assigned to applications that do not support the [Consent Framework](../develop/active-directory-integrating-applications.md). It should not be assigned to any users.
 
@@ -350,16 +353,14 @@ Can manage conditional access capabilities.
 | microsoft.aad.directory/ConditionalAccessPolicy/Update/Owners | Update ConditionalAccessPolicys.Owners property in Azure Active Directory. |
 
 ### Device Administrators
-Members of this role are added to the local administrators group on Azure AD-joined devices.
+
+Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.
 
   > [!NOTE]
   > This role inherits additional permissions from the [User role](https://docs.microsoft.com/en-us/azure/active-directory/users-default-permissions).
   >
   >
 
-| **Actions** | **Description** |
-| --- | --- |
-
 ### Directory Readers
 Can read basic directory information. For granting access to applications.
 

articles/active-directory/users-groups-roles/directory-assign-admin-roles.md

@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.component: users-groups-roles
 ms.topic: article
-ms.date: 08/01/2018
+ms.date: 08/02/2018
 ms.author: curtand
 ms.reviewer: krbain
 
@@ -20,7 +20,7 @@ ms.custom: it-pro
 
 # Create a dynamic group and check status
 
-In Azure Active Directory (Azure AD), you can create groups by applying a rule to determine mebership based on user or device properties. When the attributes of a user or device changes, Azure AD evaluates all dynamic group rules in the Azure AD tenant and performs any adds or removes. If a user or device satisfies a rule for a group, they are added as a member, and when they no longer satisfy the rule, they are removed.
+In Azure Active Directory (Azure AD), you can create groups by applying a rule to determine membership based on user or device properties. When the attributes of a user or device changes, Azure AD evaluates all dynamic group rules in the Azure AD tenant and performs any adds or removes. If a user or device satisfies a rule for a group, they are added as a member, and when they no longer satisfy the rule, they are removed.
 
 This article details how to set up a rule in the Azure portal for dynamic membership on security groups or Office 365 groups. For examples of rule syntax and a complete list of the supported properties, operators, and values for a membership rule, see [Dynamic membership rules for groups in Azure Active Directory](groups-dynamic-membership.md).