Merge pull request MicrosoftDocs#112564 from MicrosoftDocs/master

4/23 PM Publish

Author: huypub

.openpublishing.publish.config.json

@@ -499,6 +499,11 @@
       "path_to_root": "azure-cosmosdb-java-v4-getting-started",
       "url": "https://github.com/Azure-Samples/azure-cosmos-java-getting-started",
       "branch": "master"
+    },
+    {
+      "path_to_root": "azure-storage-snippets",
+      "url": "https://github.com/azure-samples/AzureStorageSnippets",
+      "branch": "master"
     }
   ],
   "branch_target_mapping": {

.openpublishing.redirection.json

@@ -2682,6 +2682,16 @@
       "redirect_url": "/azure/cosmos-db/sql-api-get-started",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/search/search-example-adventureworks-modeling.md",
+      "redirect_url": "/azure/search/search-what-is-data-import",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/search/search-example-adventureworks-multilevel-faceting.md",
+      "redirect_url": "/azure/search/search-filters-facets",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/search/preview-api-resetskills.md",
       "redirect_url": "/rest/api/searchservice/2019-05-06-preview/reset-skills",
@@ -7556,6 +7566,16 @@
       "redirect_url": "/azure/application-gateway/resource-manager-template-samples",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/application-gateway/application-gateway-create-gateway-cli-nodejs.md",
+      "redirect_url": "/azure/application-gateway/quick-create-cli",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/application-gateway/tutorial-create-vmss-cli.md",
+      "redirect_url": "/azure/application-gateway/tutorial-url-redirect-cli",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/application-insights/app-insights-azure-diagnostics.md",
       "redirect_url": "/azure/azure-monitor/platform/diagnostics-extension-to-application-insights",

articles/active-directory/app-provisioning/workday-attribute-reference.md

@@ -18,7 +18,7 @@ ms.author: chmutali
 # Workday attribute reference
 This section provides a list of attributes that you can fetch from Workday using XPATH queries. Based on the Workday Web Services API version, you plan to use, refer to the appropriate section. 
 
-## XPATH values for Workday Web Services version 21.1
+## XPATH values for Workday Web Services (WWS) API v21.1
 
 
 The table below captures the list of Workday attributes and corresponding XPATH expressions that are shipped out of the box with the Workday inbound provisioning app connector. 
@@ -106,7 +106,9 @@ The table below captures the list of Workday attributes and corresponding XPATH
 | 79 | WorkerType                            | wd:Worker/wd:Worker\_Data/wd:Employment\_Data/wd:Position\_Data/wd:Worker\_Type\_Reference/@wd:Descriptor                                                                                                                                                                                                                                                                                                    |
 | 80 | WorkSpaceReference                    | wd:Worker/wd:Worker\_Data/wd:Employment\_Data/wd:Position\_Data/wd:Work\_Space\_\_Reference/@wd:Descriptor                                                                                                                                                                                                                                                                                                   |
 
-## XPATH values for Workday Web Services version 30+
+## XPATH values for Workday Web Services (WWS) API v30+
+
+If you are using a WWS API v30.0 and above, before turning on the provisioning job, please update the **XPATH API expressions** under **Attribute Mapping -> Advanced Options -> Edit attribute list for Workday** to use the values listed below. To configure additional XPATHs, refer to the section [Tutorial: Managing your configuration](../saas-apps/workday-inbound-tutorial.md#managing-your-configuration). 
 
 
 | \# | Name                                  | Workday XPATH API expression                                                                                                                                                                                                                                                                                                                                                |

articles/active-directory/authentication/howto-mfa-nps-extension-vpn.md

@@ -363,7 +363,7 @@ The script performs the following actions:
 
 If you want to use your own certificates, you must associate the public key of your certificate with the service principal on Azure AD, and so on.
 
-To use the script, provide the extension with your Azure Active Directory administrative credentials and the Azure Active Directory tenant ID that you copied earlier. Run the script on each NPS server where you install the NPS extension.
+To use the script, provide the extension with your Azure Active Directory administrative credentials and the Azure Active Directory tenant ID that you copied earlier. The account must be in the same Azure AD tenant as you wish to enable the extension for. Run the script on each NPS server where you install the NPS extension.
 
 1. Run Windows PowerShell as an administrator.
 
@@ -373,6 +373,8 @@ To use the script, provide the extension with your Azure Active Directory admini
 
     ![Running the AzureMfsNpsExtnConfigSetup.ps1 configuration script](./media/howto-mfa-nps-extension-vpn/image38.png)
 
+    If you get a security error due to TLS, enable TLS 1.2 using the `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` command from your PowerShell prompt.
+    
     After the script verifies the installation of the PowerShell module, it displays the Azure Active Directory PowerShell module sign-in window.
 
 4. Enter your Azure AD administrator credentials and password, and then select **Sign in**.

articles/active-directory/authentication/howto-mfa-reporting.md

@@ -126,13 +126,13 @@ First, ensure that you have the [MSOnline V1 PowerShell module](https://docs.mic
 Identify users who have registered for MFA using the PowerShell that follows. This set of commands excludes disabled users since these accounts cannot authenticate against Azure AD.
 
 ```powershell
-Get-MsolUser -All | Where-Object {$._StrongAuthenticationMethods -ne $null -and $._BlockCredential -eq $False} | Select-Object -Property UserPrincipalName
+Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods -ne $null -and $_.BlockCredential -eq $False} | Select-Object -Property UserPrincipalName
 ```
 
 Identify users who have not registered for MFA using the PowerShell that follows. This set of commands excludes disabled users since these accounts cannot authenticate against Azure AD.
 
 ```powershell
-Get-MsolUser -All | Where-Object {$._StrongAuthenticationMethods.Count -eq 0 -and $._BlockCredential -eq $False} | Select-Object -Property UserPrincipalName
+Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -eq 0 -and $_.BlockCredential -eq $False} | Select-Object -Property UserPrincipalName
 ```
 
 Identify users and output methods registered. 

articles/active-directory/develop/quickstart-v2-aspnet-core-webapp.md

@@ -152,6 +152,19 @@ The line containing `.AddAzureAd` adds the Microsoft identity platform authentic
 > [!NOTE]
 > Setting `ValidateIssuer = false` is a simplification for this quickstart. In real applications you need to validate the issuer.
 > See the samples to understand how to do that.
+>
+> Also note the `Configure` method which contains two important methods: `app.UserCookiePolicy()` and `app.UseAuthentication()`
+
+```csharp
+// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+{
+    // more core
+    app.UseCookiePolicy();
+    app.UseAuthentication();
+    // more core
+}
+```
 
 ### Protect a controller or a controller's method
 

articles/active-directory/develop/quickstart-v2-windows-desktop.md

@@ -38,7 +38,7 @@ In this quickstart, you'll learn how to write a Windows desktop .NET (WPF) appli
 >
 > 1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
 > 1. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant.
-> 1. Navigate to the Microsoft identity platform for developers [App registrations](https://aka.ms/MobileAppReg) page.
+> 1. Go to the [App registrations](https://aka.ms/MobileAppReg) blade for Azure Active Directory in the Azure portal.
 > 1. Select **New registration**.
 >      - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `Win-App-calling-MsGraph`.
 >      - In the **Supported account types** section, select **Accounts in any organizational directory and personal Microsoft accounts (for example, Skype, Xbox, Outlook.com)**.

articles/active-directory/develop/scenario-web-app-sign-user-production.md

@@ -23,6 +23,15 @@ Now that you know how to get a token to call web APIs, learn how to move it to p
 
 ## Next steps
 
+### Troubleshooting
+
+> [!NOTE]
+> When users sign-in to the web application for the first time, they will need to consent. However, in some organizations, users can see a message like the following:
+>
+> *AppName needs permissions to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.*
+>
+> This is because your tenant administrator has **disabled** the ability for users to consent. In that case, you need to contact your tenant administrators so that they do an admin-consent for the scopes required by the application.
+
 ### Same site
 
 Make sure you understand possible issues with new versions of the Chrome browser

articles/active-directory/fundamentals/concept-fundamentals-continuous-access-evaluation.md

@@ -19,7 +19,9 @@ ms.collection: M365-identity-device-management
 
 Microsoft services, like Azure Active Directory (Azure AD) and Office 365, use open standards and protocols to maximize interoperability. One of the most critical ones is Open ID Connect (OIDC). When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, those access tokens are valid for one hour. When they expire, the client is redirected back to Azure AD to refresh them. That also provides an opportunity to reevaluate policies for user access – we might choose not to refresh the token because of a Conditional Access policy, or because the user has been disabled in the directory. 
 
-We have heard the overwhelming feedback from our customers: a one-hour lag due to access token lifetime for reapplying Conditional Access policies and changes in user state (for example: disabled due to furlough) is not good enough.
+Token expiration and refresh is a standard mechanism in the industry. That said, customers have expressed concerns about the lag between when risk conditions change for the user (for example: moving from the corporate office to the local coffee shop, or user credentials discovered on the black market) and when policies can be enforced related to that change. We have experimented with the “blunt object” approach of reduced token lifetimes but found they can degrade user experiences and reliability without eliminating risks.
+
+Timely response to policy violations or security issues really requires a “conversation” between the token issuer, like Azure AD, and the relying party, like Exchange Online. This two-way conversation gives us two important capabilities. The relying party can notice when things have changed, like a client coming from a new location, and tell the token issuer. It also gives the token issuer a way to tell the relying party to stop respecting tokens for a given user due to account compromise, disablement, or other concerns. The mechanism for this conversation is Continuous Access Evaluation (CAE).
 
 Microsoft has been an early participant in the Continuous Access Evaluation Protocol (CAEP) initiative as part of the [Shared Signals and Events](https://openid.net/wg/sse/) working group at the OpenID Foundation. Identity providers and relying parties will be able to leverage the security events and signals defined by the working group to reauthorize or terminate access. It is exciting work and will improve security across many platforms and applications.
 

articles/active-directory/hybrid/TOC.yml

@@ -153,6 +153,8 @@
             href: plan-migrate-adfs-pass-through-authentication.md
           - name: Move groups from one forest to another
             href: how-to-connect-migrate-groups.md
+          - name: Migrate to cloud authentication using staged rollout
+            href: how-to-connect-staged-rollout.md
     - name: Hybrid Identity Design Considerations
       items:
           - name: Hybrid Identity Design Considerations Overview

articles/active-directory/hybrid/how-to-connect-staged-rollout.md

@@ -1,19 +1,19 @@
 ---
 title: 'Azure AD Connect: Cloud authentication via staged rollout | Microsoft Docs'
-description: This article explains how to migrate from federated authentication to cloud authentication by using a staged rollout.
+description: This article explains how to migrate from federated authentication, to cloud authentication, by using a staged rollout.
 author: billmath
 manager: daveba
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 11/07/2019
+ms.date: 04/23/2020
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 
-# Migrate to cloud authentication by using staged rollout (preview)
+# Migrate to cloud authentication using staged rollout (preview)
 
 By using a staged rollout approach, you can migrate from federated authentication to cloud authentication. This article discusses how to make the switch. Before you begin the staged rollout, however, you should consider the implications if one or more of the following conditions is true:
 

articles/active-directory/hybrid/reference-connect-version-history.md

@@ -8,7 +8,7 @@ ms.assetid: ef2797d7-d440-4a9a-a648-db32ad137494
 ms.service: active-directory
 ms.topic: reference
 ms.workload: identity
-ms.date: 04/21/2020
+ms.date: 04/23/2020
 ms.subservice: hybrid
 ms.author: billmath
 
@@ -43,6 +43,14 @@ Not all releases of Azure AD Connect will be made available for auto upgrade. Th
 >
 >Please refer to [this article](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-upgrade-previous-version) to learn more about how to upgrade Azure AD Connect to the latest version.
 
+## 1.5.29.0
+
+### Release status
+04/23/2020: Released for download
+
+### Fixed issues
+This hotfix build fixes an issue introduced in build 1.5.20.0 where a tenant administrator with MFA was not able to enable DSSO.
+
 ## 1.5.22.0
 
 ### Release status

articles/active-directory/privileged-identity-management/pim-getting-started.md

@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.subservice: pim
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 04/21/2020
+ms.date: 04/23/2020
 ms.author: curtand
 ms.custom: pim  
 ms.collection: M365-identity-device-management
@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
 
 This article describes how to enable Privileged Identity Management (PIM) and get started using it.
 
-Use Privileged Identity Management (PIM) to manage, control, and monitor access within your Azure Active Directory (Azure AD) organization. With PIM you can provide as-needed and just-in-time access to Azure resources, Azure AD, and other Microsoft online services like Office 365 or Microsoft Intune.
+Use Privileged Identity Management (PIM) to manage, control, and monitor access within your Azure Active Directory (Azure AD) organization. With PIM you can provide as-needed and just-in-time access to Azure resources, Azure AD resources, and other Microsoft online services like Office 365 or Microsoft Intune.
 
 ## Prerequisites
 
@@ -35,30 +35,22 @@ For more information, see [License requirements to use Privileged Identity Manag
 
 Once you have enabled Privileged Identity Management for your directory, you can prepare Privileged Identity Management to manage Azure AD roles.
 
-You should get started with Azure AD roles in the following order:
+Here are the tasks we recommend for you to prepare for Azure AD roles, in order:
 
-1. [Configure role settings](pim-how-to-change-default-settings.md).
+1. [Configure Azure AD role settings](pim-how-to-change-default-settings.md).
 1. [Give eligible assignments](pim-how-to-add-role-to-user.md).
-1. [Allow eligible users to activate their role just-in-time](pim-how-to-activate-role.md).
+1. [Allow eligible users to activate their Azure AD role just-in-time](pim-how-to-activate-role.md).
 
 ## Prepare PIM for Azure roles
 
 Once you have enabled Privileged Identity Management for your directory, you can prepare Privileged Identity Management to manage Azure roles for Azure resource access on a subscription.
 
-You should get started with Azure roles in the following order:
+Here are the tasks we recommend for you to prepare for Azure roles, in order:
 
 1. [Discover Azure resources](pim-resource-roles-discover-resources.md)
-1. [Configure role settings](pim-resource-roles-configure-role-settings.md).
+1. [Configure Azure role settings](pim-resource-roles-configure-role-settings.md).
 1. [Give eligible assignments](pim-resource-roles-assign-roles.md).
-1. [Allow eligible users to activate their roles just-in-time](pim-resource-roles-activate-your-roles.md).
-
-I think this is good, can we also add a section for Azure Resource roles. You can add the same three though they will link to the Azure Resource doc. And before these 3 points, Azure Resource will require customers to discover resources
- 
-
-https://review.docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources?branch=pr-en-us-111400
-
-
-
+1. [Allow eligible users to activate their Azure roles just-in-time](pim-resource-roles-activate-your-roles.md).
 
 ## Navigate to your tasks