Commit

merge
msmimart committed Jul 11, 2019
2 parents ea6345d + 2296a45 commit d33696f
Showing 457 changed files with 10,833 additions and 3,645 deletions.
236 changes: 134 additions & 102 deletions .openpublishing.redirection.json

Large diffs are not rendered by default.

2 changes: 2 additions & 0 deletions articles/active-directory-b2c/configure-ropc.md
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,8 @@ A successful response looks like the following example:
"refresh_token_expires_in": 1209600
}
```
> [!NOTE]
> When creating users via Graph API, the application needs to have "openid", "offline_access", and "profile" permissions from Microsoft Graph.
## Implement with your preferred native SDK or use App-Auth
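Review bot: the new NOTE calls "openid", "offline_access" and "profile" permissions "from Microsoft Graph", but those three are OpenID Connect scopes that the app requests in its token request, not Microsoft Graph API permissions; please reword so it is clear whether the reader must add these scopes to the ROPC request or grant a Graph permission to the application, otherwise admins will grant the wrong thing. Also put a blank line before `> [!NOTE]` and after the note text so the blockquote is not glued to the closing code fence above and the `## Implement` heading below.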

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,14 @@ You can choose to create this key and set it to FALSE while your users are onboa

## Troubleshooting

### NPS extension health check script

The following script is available on the TechNet Gallery to perform basic health check steps when troubleshooting the NPS extension.

[MFA_NPS_Troubleshooter.ps1](https://gallery.technet.microsoft.com/Azure-MFA-NPS-Extension-648de6bb)

---

### How do I verify that the client cert is installed as expected?

Look for the self-signed certificate created by the installer in the cert store, and check that the private key has permissions granted to user **NETWORK SERVICE**. The cert has a subject name of **CN \<tenantid\>, OU = Microsoft NPS Extension**
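Review bot: the link to MFA_NPS_Troubleshooter.ps1 should state what the script checks and that it is meant to be run in an elevated PowerShell session on the NPS server, because the reader is being pointed at a gallery download that they will execute with admin rights; listing the checks it performs (at least the client certificate and NETWORK SERVICE private-key permission check described in the section right below) lets them read the script against that list before running it. The `---` rule between the two troubleshooting subsections is also unnecessary, since the `###` headings already separate them.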
Expand Down
14 changes: 7 additions & 7 deletions articles/active-directory/conditional-access/TOC.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,30 +44,30 @@
items:
- name: Require MFA for admins
href: howto-baseline-protect-administrators.md
- name: End user protection
- name: End-user protection
href: howto-baseline-protect-end-users.md
- name: Block legacy authentication
href: howto-baseline-protect-legacy-auth.md
- name: Require MFA for service management
href: howto-baseline-protect-azure.md
- name: Block legacy authentication
href: block-legacy-authentication.md
- name: Migrate classic policies
href: policy-migration.md
- name: Sign-in frequency and browser persistence controls
href: howto-conditional-access-session-lifetime.md
- name: Conditional Access for MFA registration
href: ../authentication/howto-registration-mfa-sspr-combined.md#conditional-access-policies-for-combined-registration
- name: Require approved client apps
href: app-based-conditional-access.md
- name: Require app protection policy
href: app-protection-based-conditional-access.md
- name: Require managed devices
href: require-managed-devices.md
- name: Require trusted networks for MFA registration
href: ../authentication/howto-registration-mfa-sspr-combined.md#conditional-access-policies-for-combined-registration
- name: Require MFA for access attempts from untrusted networks
href: untrusted-networks.md
- name: Require terms of use
href: terms-of-use.md
- name: Sign-in frequency and browser persistence controls
href: howto-conditional-access-session-lifetime.md
- name: Migrate classic policies
href: policy-migration.md
- name: Reference
items:
- name: Technical reference
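Review bot: after the reorder the TOC still carries two entries with the identical title "Block legacy authentication", one pointing at howto-baseline-protect-legacy-auth.md under the baseline policies and one at block-legacy-authentication.md directly below it; since this hunk is already renaming entries (End user protection → End-user protection), distinguish the two, for example "Baseline policy: Block legacy authentication" for the first, so readers can tell the baseline policy page from the Conditional Access how-to.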
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ services: active-directory
ms.service: active-directory
ms.subservice: conditional-access
ms.topic: article
ms.date: 03/22/2019
ms.date: 07/10/2019

ms.author: joflore
author: MicrosoftGuyJFlo
Expand Down Expand Up @@ -132,7 +132,7 @@ On Windows 7, iOS, Android, and macOS Azure AD identifies the device using a cli

#### Chrome support

For Chrome support in **Windows 10 Creators Update (version 1703)** or later, install [this extension](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji).
For Chrome support in **Windows 10 Creators Update (version 1703)** or later, install the [Windows 10 Accounts extension](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji). This extension is required when a Conditional Access policy requires device specific details.

To automatically deploy this extension to Chrome browsers, create the following registry key:
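Review bot: "device specific details" in the added sentence should be hyphenated ("device-specific") and is too vague to act on; say which device conditions in the Conditional Access policy require the extension, rather than "details", so an admin can tell from the policy whether Chrome users on Windows 10 need it. The rest of the hunk is a ms.date bump to 07/10/2019, which is fine.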

Expand Down
36 changes: 17 additions & 19 deletions articles/active-directory/develop/howto-get-appsource-certified.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,19 +52,19 @@ Single-tenant applications can enable the *Contact Me* experience, but if you wa

## AppSource trial experiences

### Free trial (customer-led trial experience)
### Free trial (customer-led trial experience)

The customer-led trial is the experience that AppSource recommends as it offers a single-click access to your application. Below an illustration of how this experience looks like:<br/><br/>
The customer-led trial is the experience that AppSource recommends as it offers a single-click access to your application. The following example shows what this experience looks like:

<table >
<tr>
<td valign="top" width="33%">1.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step1.png" width="85%"/><ul><li>User finds your application in AppSource Web Site</li><li>Selects ‘Free trial’ option</li></ul></td>
<td valign="top" width="33%">2.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step2.png" width="85%" /><ul><li>AppSource redirects user to a URL in your web site</li><li>Your web site starts the <i>single-sign-on</i> process automatically (on page load)</li></ul></td>
<td valign="top" width="33%">3.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step3.png" width="85%"/><ul><li>User is redirected to Microsoft Sign-in page</li><li>User provides credentials to sign in</li></ul></td>
<td valign="top" width="33%">1.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step1.png" width="85%" alt-text="Shows Free trial for customer-led trial experience"/><ul><li>User finds your application in AppSource Web Site</li><li>Selects ‘Free trial’ option</li></ul></td>
<td valign="top" width="33%">2.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step2.png" width="85%" alt-text="Shows how user is redirected to a URL in your web site"/><ul><li>AppSource redirects user to a URL in your web site</li><li>Your web site starts the <i>single-sign-on</i> process automatically (on page load)</li></ul></td>
<td valign="top" width="33%">3.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step3.png" width="85%" alt-text="Shows the Microsoft sign-in page"/><ul><li>User is redirected to Microsoft Sign-in page</li><li>User provides credentials to sign in</li></ul></td>
</tr>
<tr>
<td valign="top" width="33%">4.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step4.png" width="85%"/><ul><li>User gives consent for your application</li></ul></td>
<td valign="top" width="33%">5.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step5.png" width="85%"/><ul><li>Sign-in completes and user is redirected back to your web site</li><li>User starts the free trial</li></ul></td>
<td valign="top" width="33%">4.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step4.png" width="85%" alt-text="Example: Consent page for an application"/><ul><li>User gives consent for your application</li></ul></td>
<td valign="top" width="33%">5.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step5.png" width="85%" alt-text="Shows the experience the user sees when redirected back to your site"/><ul><li>Sign-in completes and user is redirected back to your web site</li><li>User starts the free trial</li></ul></td>
<td></td>
</tr>
</table>
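Review bot: `alt-text` is not a valid attribute on a raw HTML `<img>` tag; browsers and screen readers read `alt`, so every one of these additions will be ignored and the images remain without alternative text. Use `alt="..."` in these `<img>` tags (the `alt-text` form belongs to the docs Markdown image syntax, not to inline HTML). The strings are also inconsistent in form ("Shows Free trial for ..." versus "Example: Consent page for an application"); describe the image content in one consistent style.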
Expand All @@ -75,47 +75,46 @@ You can use the partner trial experience when a manual or a long-term operation

<table valign="top">
<tr>
<td valign="top" width="33%">1.<br/><img src="media/active-directory-devhowto-appsource-certified/partner-led-trial-step1.png" width="85%"/><ul><li>User finds your application in AppSource web site</li><li>Selects ‘Contact Me’ option</li></ul></td>
<td valign="top" width="33%">2.<br/><img src="media/active-directory-devhowto-appsource-certified/partner-led-trial-step2.png" width="85%"/><ul><li>Fills out a form with contact information</li></ul></td>
<td valign="top" width="33%">1.<br/><img src="media/active-directory-devhowto-appsource-certified/partner-led-trial-step1.png" width="85%" alt-text="Shows Contact me for partner-led trial experience"/><ul><li>User finds your application in AppSource web site</li><li>Selects ‘Contact Me’ option</li></ul></td>
<td valign="top" width="33%">2.<br/><img src="media/active-directory-devhowto-appsource-certified/partner-led-trial-step2.png" width="85%" alt-text="Shows an example form with contact info"/><ul><li>Fills out a form with contact information</li></ul></td>
<td valign="top" width="33%">3.<br/><br/>
<table bgcolor="#f7f7f7">
<tr>
<td><img src="media/active-directory-devhowto-appsource-certified/UserContact.png" width="55%"/></td>
<td><img src="media/active-directory-devhowto-appsource-certified/UserContact.png" width="55%" alt-text="Shows placeholder for user information"/></td>
<td>You receive user information</td>
</tr>
<tr>
<td><img src="media/active-directory-devhowto-appsource-certified/SetupEnv.png" width="55%"/></td>
<td><img src="media/active-directory-devhowto-appsource-certified/SetupEnv.png" width="55%" alt-text="Shows placeholder for setup environment info"/></td>
<td>Setup environment</td>
</tr>
<tr>
<td><img src="media/active-directory-devhowto-appsource-certified/ContactCustomer.png" width="55%"/></td>
<td><img src="media/active-directory-devhowto-appsource-certified/ContactCustomer.png" width="55%" alt-text="Shows placeholder for trial info"/></td>
<td>Contact user with trial info</td>
</tr>
</table><br/><br/>
<ul><li>You receive user's information and setup trial instance</li><li>You send the hyperlink to access your application to the user</li></ul>
</td>
</tr>
<tr>
<td valign="top" width="33%">4.<br/><img src="media/active-directory-devhowto-appsource-certified/partner-led-trial-step3.png" width="85%"/><ul><li>User accesses your application and complete the single-sign-on process</li></ul></td>
<td valign="top" width="33%">5.<br/><img src="media/active-directory-devhowto-appsource-certified/partner-led-trial-step4.png" width="85%"/><ul><li>User gives consent for your application</li></ul></td>
<td valign="top" width="33%">6.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step5.png" width="85%"/><ul><li>Sign-in completes and user is redirected back to your web site</li><li>User starts the free trial</li></ul></td>
<td valign="top" width="33%">4.<br/><img src="media/active-directory-devhowto-appsource-certified/partner-led-trial-step3.png" width="85%" alt-text="Shows the application sign-in screen"/><ul><li>User accesses your application and complete the single-sign-on process</li></ul></td>
<td valign="top" width="33%">5.<br/><img src="media/active-directory-devhowto-appsource-certified/partner-led-trial-step4.png" width="85%" alt-text="Shows an example consent page for an application"/><ul><li>User gives consent for your application</li></ul></td>
<td valign="top" width="33%">6.<br/><img src="media/active-directory-devhowto-appsource-certified/customer-led-trial-step5.png" width="85%" alt-text="Shows the experience the user sees when redirected back to your site"/><ul><li>Sign-in completes and user is redirected back to your web site</li><li>User starts the free trial</li></ul></td>

</tr>
</table>

### More information

For more information about the AppSource trial experience, see [this video](https://aka.ms/trialexperienceforwebapps).

## Next Steps

- For more information on building applications that support Azure AD sign-ins, see [Authentication scenarios for Azure AD](https://docs.microsoft.com/azure/active-directory/develop/authentication-scenarios).
- For information on how to list your SaaS application in AppSource, go see [AppSource Partner Information](https://appsource.microsoft.com/partners)


## Get support

For Azure AD integration, we use [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-active-directory+appsource) with the community to provide support.
For Azure AD integration, we use [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-active-directory+appsource) with the community to provide support.

We highly recommend you ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [`[azure-active-directory]` and `[appsource]`](https://stackoverflow.com/questions/tagged/azure-active-directory+appsource).
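Review bot: same `alt-text` versus `alt` problem as in the customer-led table: these `<img>` tags need `alt="..."` for the text to be exposed to assistive technology. While the step 4 cell is being rewritten anyway, fix "User accesses your application and complete the single-sign-on process" to "completes". The change to the Stack Overflow sentence under "Get support" reads identically before and after, so it looks like a whitespace-only edit that only adds diff noise; drop it unless a trailing-space fix is intended.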

Expand All @@ -128,5 +127,4 @@ Use the following comments section to provide feedback and help us refine and sh
[AAD-Howto-Multitenant-Overview]: howto-convert-app-to-be-multi-tenant.md
[AAD-QuickStart-Web-Apps]: v1-overview.md#get-started


<!--Image references-->
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,7 @@ IWA is for apps written for .NET Framework, .NET Core, and Universal Windows Pla

IWA doesn't bypass multi-factor authentication. If multi-factor authentication is configured, IWA might fail if a multi-factor authentication challenge is required. Multi-factor authentication requires user interaction.

You don't control when the identity provider requests two-factor authentication to be performed. The tenant admin does. Typically, two-factor authentication is required when you sign in from a different country, when you're not connected via VPN to a corporate network, and sometimes even when you are connected via VPN. Azure AD uses AI to continuously learn if two-factor authentication is required. If IWA fails, you should fall back to a user prompt (https://aka.ms/msal-net-interactive).
You don't control when the identity provider requests two-factor authentication to be performed. The tenant admin does. Typically, two-factor authentication is required when you sign in from a different country, when you're not connected via VPN to a corporate network, and sometimes even when you are connected via VPN. Azure AD uses AI to continuously learn if two-factor authentication is required. If IWA fails, you should fall back to an [interactive user prompt] (#interactive).

The authority passed in when constructing the public client application must be one of the following:
- Tenanted (of the form `https://login.microsoftonline.com/{tenant}/` where `tenant` is either the guid representing the tenant ID or a domain associated with the tenant).
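Review bot: the replacement link `[interactive user prompt] (#interactive)` has a space between `]` and `(`, so Markdown renders it as the literal text "[interactive user prompt] (#interactive)" instead of a link; write `[interactive user prompt](#interactive)`. Also confirm that this article contains a heading that produces the `interactive` anchor, otherwise the previous absolute aka.ms link was at least resolvable.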
Expand Down
2 changes: 1 addition & 1 deletion articles/active-directory/devices/TOC.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@
href: hybrid-azuread-join-plan.md
- name: Controlled validation of hybrid Azure AD join
href: hybrid-azuread-join-control.md
- name: Manage device identity
- name: Manage device identities
href: device-management-azure-portal.md
- name: Manage stale devices
href: manage-stale-devices.md
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ ms.collection: M365-identity-device-management

This article helps you to understand how to configure an Application Proxy application within Azure AD to expose your on-premises applications to the cloud.

## Recommended documents
## Recommended documents

To learn about the initial configurations and creation of an Application Proxy application through the Admin Portal, follow the [Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md).

Expand All @@ -36,19 +36,15 @@ For information on uploading certificates and using custom domains, see [Working

If you are following the steps in the [Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md) documentation and are getting an error creating the application, see the error details for information and suggestions for how to fix the application. Most error messages include a suggested fix. To avoid common errors, verify:

- You are an administrator with permission to create an Application Proxy application

- The internal URL is unique

- The external URL is unique

- The URLs start with http or https, and end with a “/”

- The URL should be a domain name, not an IP address
- You are an administrator with permission to create an Application Proxy application
- The internal URL is unique
- The external URL is unique
- The URLs start with http or https, and end with a “/”
- The URL should be a domain name, not an IP address

The error message should display in the top-right corner when you create the application. You can also select the notification icon to see the error messages.

![Notification prompt](./media/application-proxy-config-how-to/error-message.png)
![Shows where to find the Notification prompt in the Azure portal](./media/application-proxy-config-how-to/error-message.png)

## Configure connectors/connector groups
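Review bot: the reflowed list mixes forms: "The URLs start with http or https, and end with a “/”" puts the slash in curly quotes where a code span (`/`) is the usual way to show a literal character, and "The URL should be a domain name, not an IP address" switches from the plural "URLs" used in the previous items. Since the item accepts plain http for both URLs, also say whether http is actually acceptable for the external URL, because that is the one exposed to the internet.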

Expand All @@ -58,19 +54,16 @@ If your connectors are inactive, this means that they are unable to reach the se

## Upload certificates for custom domains

Custom Domains allow you to specify the domain of your external URLs. To use custom domains, you need to upload the certificate for that domain. For information on using custom domains and certificates, see [Working with custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md).
Custom Domains allow you to specify the domain of your external URLs. To use custom domains, you need to upload the certificate for that domain. For information on using custom domains and certificates, see [Working with custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md).

If you are encountering issues uploading your certificate, look for the error messages in the portal for additional information on the problem with the certificate. Common certificate problems include:

- Expired certificate

- Certificate is self-signed

- Certificate is missing the private key
- Expired certificate
- Certificate is self-signed
- Certificate is missing the private key

The error message display in the top-right corner as you try to upload the certificate. You can also select the notification icon to see the error messages.

![Notification prompt](./media/application-proxy-config-how-to/error-message2.png)

## Next steps

[Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md)
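Review bot: the first changed line in this hunk ("Custom Domains allow you to specify ...") is identical to the line it replaces, so this is a whitespace-only edit; drop it and keep the hunk to the list change. While the list is being reflowed, fix the sentence after it, "The error message display in the top-right corner", to "The error message displays", and give the three items parallel form (for example "Expired certificate", "Self-signed certificate", "Certificate without a private key").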

0 comments on commit d33696f