Merge pull request #116614 from MicrosoftDocs/master

Merge Master to Live, 4 AM

Author: PMEds28

.openpublishing.publish.config.json

@@ -163,6 +163,11 @@
       "url": "https://github.com/Azure/azure-functions-templates",
       "branch": "dev"
     },
+    {
+        "path_to_root": "azure-functions-samples-java",
+        "url": "https://github.com/Azure-Samples/azure-functions-samples-java",
+        "branch": "master"
+    },
     {
       "path_to_root": "functions-quickstart-java",
       "url": "https://github.com/Azure-Samples/functions-quickstarts-java",

.openpublishing.redirection.json

@@ -39856,6 +39856,11 @@
       "redirect_url": "/azure/dev-spaces/",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/dev-spaces/how-to/helm-3.md",
+      "redirect_url": "/azure/dev-spaces/",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/monitoring/monitoring-overview.md",
       "redirect_url": "/azure/azure-monitor/overview",
@@ -48505,6 +48510,11 @@
       "redirect_url": "/azure/cognitive-services/form-recognizer/quickstarts/python-receipts",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/cognitive-services/form-recognizer/quickstarts/dotnet-sdk.md",
+      "redirect_url": "/azure/cognitive-services/form-recognizer/quickstarts/client-library?pivots=programming-language-csharp",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/Upload-Images.md",
       "redirect_url": "/azure/cognitive-services/content-moderator",

articles/active-directory-domain-services/TOC.yml

@@ -47,6 +47,8 @@
       href: synchronization.md
     - name: How password hash synchronization works
       href: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md?context=/azure/active-directory-domain-services/context/azure-ad-ds-context
+    - name: Classic deployment migration benefits
+      href: concepts-migration-benefits.md
     - name: What is Azure Active Directory?
       href: ../active-directory/fundamentals/active-directory-whatis.md?context=/azure/active-directory-domain-services/context/azure-ad-ds-context
     - name: Azure Active Directory architecture

articles/active-directory-domain-services/concepts-migration-benefits.md

@@ -0,0 +1,62 @@
+---
+title: Benefits of Classic deployment migration in Azure AD Domain Services | Microsoft Docs
+description: Learn more about the benefits of migrating a Classic deployment of Azure Active Directory Domain Services to the Resource Manager deployment model
+services: active-directory-ds
+author: iainfoulds
+manager: daveba
+
+ms.service: active-directory
+ms.subservice: domain-services
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 05/26/2020
+ms.author: iainfou
+---
+
+# Benefits of migration from the Classic to Resource Manager deployment model in Azure Active Directory Domain Services
+
+Azure Active Directory Domain Services (AD DS) lets you migrate an existing managed domain that uses the Classic deployment model to the Resource Manager deployment model. Azure AD DS managed domains that use the Resource Manager deployment model provide additional features such as fine-grained password policy, audit logs, and account lockout protection.
+
+This article outlines the benefits for migration. To get started, see [Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager][howto-migrate].
+
+> [!NOTE]
+> In 2017, Azure AD Domain Services became available to host in an Azure Resource Manager network. Since then, we have been able to build a more secure service using the Azure Resource Manager's modern capabilities. Because Azure Resource Manager deployments fully replace classic deployments, Azure AD DS classic virtual network deployments will be retired on March 1, 2023.
+>
+> For more information, see the [official deprecation notice](https://azure.microsoft.com/updates/we-are-retiring-azure-ad-domain-services-classic-vnet-support-on-march-1-2023/)
+
+## Migration benefits
+
+The migration process takes an existing Azure AD DS instance that uses the Classic deployment model and moves to use the Resource Manager deployment model. When you migrate an Azure AD DS managed domain from the Classic to Resource Manager deployment model, you avoid the need to rejoin machines to the managed domain or delete the Azure AD DS instance and create one from scratch. VMs continue to be joined to the Azure AD DS managed domain at the end of the migration process.
+
+After migration, Azure AD DS provides many features that are only available for domains using Resource Manager deployment model, such as the following:
+
+* [Fine-grained password policy support][password-policy].
+* Faster synchronization speeds between Azure AD and Azure AD Domain Services.
+* Two new [attributes that synchronize from Azure AD][attributes] - *manager* and *employeeID*.
+* Access to higher-powered domain controllers when you [upgrade the SKU][skus].
+* AD account lockout protection.
+* [Email notifications for alerts on your managed domain][email-alerts].
+* [Use Azure Workbooks and Azure monitor to view audit logs and sign-in activity][workbooks].
+* In supported regions, [Azure Availability Zones][availability-zones].
+* Integrations with other Azure products such as [Azure Files][azure-files], [HD Insights][hd-insights], and [Windows Virtual Desktop][wvd].
+* Support has access to more telemetry and can help troubleshoot more effectively.
+* Encryption at rest using [Azure Managed Disks][managed-disks] for the data on the managed domain controllers.
+
+Azure AD DS managed domains that use a Resource Manager deployment model help you stay up-to-date with the latest new features. New features aren't available for Azure AD DS managed domains that use the Classic deployment model.
+
+## Next steps
+
+To get started, see [Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager[howto-migrate].
+
+<!-- LINKS - INTERNAL -->
+[password-policy]: password-policy.md
+[skus]: change-sku.md
+[email-alerts]: notifications.md
+[workbooks]: use-azure-monitor-workbooks.md
+[azure-files]: ../storage/files/storage-files-identity-auth-active-directory-domain-service-enable.md
+[hd-insights]: ../hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds.md
+[wvd]: ../virtual-desktop/overview.md
+[availability-zones]: ../availability-zones/az-overview.md
+[howto-migrate]: migrate-from-classic-vnet.md
+[attributes]: synchronization.md#attribute-synchronization-and-mapping-to-azure-ad-ds
+[managed-disks]: ../virtual-machines/windows/managed-disks-overview.md

articles/active-directory-domain-services/migrate-from-classic-vnet.md

@@ -17,16 +17,16 @@ ms.author: iainfou
 
 Azure Active Directory Domain Services (AD DS) supports a one-time move for customers currently using the Classic virtual network model to the Resource Manager virtual network model. Azure AD DS managed domains that use the Resource Manager deployment model provide additional features such as fine-grained password policy, audit logs, and account lockout protection.
 
-This article outlines the benefits and considerations for migration, then the required steps to successfully migrate an existing Azure AD DS instance.
+This article outlines considerations for migration, then the required steps to successfully migrate an existing Azure AD DS instance. For some of the benefits, see [Benefits of migration from the Classic to Resource Manager deployment model in Azure AD DS][migration-benefits].
 
 > [!NOTE]
 > In 2017, Azure AD Domain Services became available to host in an Azure Resource Manager network. Since then, we have been able to build a more secure service using the Azure Resource Manager's modern capabilities. Because Azure Resource Manager deployments fully replace classic deployments, Azure AD DS classic virtual network deployments will be retired on March 1, 2023.
 >
-> For more information, see the [official deprecation notice](https://azure.microsoft.com/updates/we-are-retiring-azure-ad-domain-services-classic-vnet-support-on-march-1-2023/)
+> For more information, see the [official deprecation notice](https://azure.microsoft.com/updates/we-are-retiring-azure-ad-domain-services-classic-vnet-support-on-march-1-2023/).
 
 ## Overview of the migration process
 
-The migration process takes an existing Azure AD DS instance that runs in a Classic virtual network and moves it to an existing Resource Manager virtual network. The migration is performed using PowerShell, and has two main stages of execution - *preparation* and *migration*.
+The migration process takes an existing Azure AD DS instance that runs in a Classic virtual network and moves it to an existing Resource Manager virtual network. The migration is performed using PowerShell, and has two main stages of execution: *preparation* and *migration*.
 
 ![Overview of the migration process for Azure AD DS](media/migrate-from-classic-vnet/migration-overview.png)
 
@@ -38,21 +38,6 @@ In the *migration* stage, the underlying virtual disks for the domain controller
 
 ![Migration of Azure AD DS](media/migrate-from-classic-vnet/migration-process.png)
 
-## Migration benefits
-
-When you move an Azure AD DS managed domain using this migration process, you avoid the need to rejoin machines to the managed domain or delete the Azure AD DS instance and create one from scratch. VMs continue to be joined to the Azure AD DS managed domain at the end of the migration process.
-
-After migration, Azure AD DS provides many features that are only available for domains using Resource Manager virtual networks, such as:
-
-* Fine-grained password policy support.
-* AD account lockout protection.
-* Email notifications of alerts on the Azure AD DS managed domain.
-* Audit logs using Azure Monitor.
-* Azure Files integration
-* HD Insights integration
-
-Azure AD DS managed domains that use a Resource Manager virtual network help you stay up-to-date with the latest new features. Support for Azure AD DS using Classic virtual networks is to be deprecated in the future.
-
 ## Example scenarios for migration
 
 Some common scenarios for migrating an Azure AD DS managed domain include the following examples.
@@ -364,6 +349,7 @@ With your Azure AD DS managed domain migrated to the Resource Manager deployment
 [troubleshoot-sign-in]: troubleshoot-sign-in.md
 [tshoot-ldaps]: tshoot-ldaps.md
 [get-credential]: /powershell/module/microsoft.powershell.security/get-credential
+[migration-benefits]: concepts-migration-benefits.md
 
 <!-- EXTERNAL LINKS -->
 [powershell-script]: https://www.powershellgallery.com/packages/Migrate-Aadds/

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

@@ -744,6 +744,17 @@ TLS 1.2 Cipher Suites minimum bar:
 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 
+### IP Ranges
+The Azure AD Provisionong service currently operates under the following IP ranges. 
+
+13.86.239.205; 52.188.178.195; 13.86.61.156; 40.67.254.206; 51.105.237.71; 20.44.38.166; 40.81.88.68; 52.184.94.250;
+20.43.180.59; 20.193.16.105; 20.40.167.232; 13.86.3.57; 52.188.72.113; 13.88.140.233; 52.142.121.156; 51.124.0.213;
+40.81.92.36; 20.44.39.175; 20.189.114.130; 20.44.193.163; 20.193.23.17; 20.40.173.237; 13.86.138.128; 52.142.29.23;
+13.86.2.238; 40.127.246.167; 51.136.72.4; 20.44.39.244; 40.81.92.186; 20.189.114.131; 20.44.193.210; 20.193.2.21; 20.40.174.46;
+13.86.219.18; 40.71.13.10; 20.44.16.38; 13.89.174.16; 13.69.66.182; 13.69.229.118; 104.211.147.176; 40.78.195.176;
+13.67.9.240; 13.75.38.48; 13.70.73.48; 13.77.52.176;
+
+
 
 ## Step 3: Build a SCIM endpoint
 

articles/active-directory/conditional-access/concept-conditional-access-session.md

@@ -45,7 +45,7 @@ Conditional Access App Control enables user app access and sessions to be monito
 
 For more information, see the article [Deploy Conditional Access App Control for featured apps](/cloud-app-security/proxy-deployment-aad).
 
-## Sign-in frequency (Preview)
+## Sign-in frequency
 
 Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource.
 
@@ -63,7 +63,7 @@ Sign-in frequency setting works with apps that have implemented OAUTH2 or OIDC p
 
 For more information, see the article [Configure authentication session management with Conditional Access](howto-conditional-access-session-lifetime.md#user-sign-in-frequency).
 
-## Persistent browser session (Preview)
+## Persistent browser session
 
 A persistent browser session allows users to remain signed in after closing and reopening their browser window.
 

articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md

@@ -96,6 +96,19 @@ You can also investigate the sign-ins of a specific user by searching for sign-i
 
 ## Troubleshooting
 
+### Why are queries failing due to a permissions error?
+
+In order to access the workbook, you need the proper Azure AD permissions as well as Log Analytics workspace permissions. To test whether you have the proper workspace permissions by running a sample log analytics query:
+
+1. Sign in to the **Azure portal**.
+1. Browse to **Azure Active Directory** > **Logs**.
+1. Type `SigninLogs` into the query box and select **Run**.
+1. If the query does not return any results, your workspace may not have been configured correctly. 
+
+![Troubleshoot failing queries](./media/howto-conditional-access-insights-reporting/query-troubleshoot-sign-in-logs.png)
+
+For more information about how to stream Azure AD sign-in logs to a Log Analytics workspace, see the article [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
+
 ### Why is the workbook taking a long time to load?  
 
 Depending on the time range selected and the size of your tenant, the workbook may be evaluating an extraordinarily large number of sign-in events. For large tenants, the volume of sign-ins may exceed the query capacity of Log Analytics. Try shortening the time range to 4 hours to see if the workbook loads.  

articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md

@@ -5,8 +5,8 @@ description: Create a custom Conditional Access policy to require administrators
 services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
-ms.topic: conceptual
-ms.date: 04/02/2020
+ms.topic: how-to
+ms.date: 05/26/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo

articles/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md

@@ -5,8 +5,8 @@ description: Create a custom Conditional Access policy to require all users to p
 services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
-ms.topic: conceptual
-ms.date: 04/02/2020
+ms.topic: how-to
+ms.date: 05/26/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -50,7 +50,7 @@ The following steps will help create a Conditional Access policy to require All
    1. Select **Done**.
 1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
    1. Under **Exclude**, select any applications that do not require multi-factor authentication.
-1. Under **Conditions** > **Client apps (Preview)**, set **Configure** to **Yes**, and select **Done**.
+1. Under **Conditions** > **Client apps (Preview)**, set **Configure** to **Yes**. Under **Select the client apps this policy will apply to** leave all defaults selected and select **Done**.
 1. Under **Access controls** > **Grant**, select **Grant access**, **Require multi-factor authentication**, and select **Select**.
 1. Confirm your settings and set **Enable policy** to **On**.
 1. Select **Create** to create to enable your policy.