articles/active-directory-domain-services/tutorial-configure-ldaps.md
+1-1
@@ -228,7 +228,7 @@ With secure LDAP access enabled over the internet, update the DNS zone so that c
228
228
229
229

230
230
231
-
Configure your external DNS provider to create a host record, such as *ldaps*, to resolve to this external IP address. To test locally on your machine first, you can create an entry in the Windows hosts file. To successfully edit the hosts file on your local machine, open *Notepad* as an administrator, then open the file *C:\Windows\System32\drivers\etc*
231
+
Configure your external DNS provider to create a host record, such as *ldaps*, to resolve to this external IP address. To test locally on your machine first, you can create an entry in the Windows hosts file. To successfully edit the hosts file on your local machine, open *Notepad* as an administrator, then open the file *C:\Windows\System32\drivers\etc\hosts*
232
232
233
233
The following example DNS entry, either with your external DNS provider or in the local hosts file, resolves traffic for *ldaps.aaddscontoso.com* to the external IP address of *168.62.205.103*:
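Review bot: The corrected path on the added line now points at the hosts file itself (`C:\Windows\System32\drivers\etc\hosts`) instead of the `etc` directory, which is the right fix; two small follow-ups on that same line: the sentence ends without a period, and the path is wrapped in italics (`*...*`), so a code span (`` `C:\Windows\System32\drivers\etc\hosts` ``) would render the backslashes and file name literally and keep it visually distinct from the *ldaps* host-record example that follows.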
articles/active-directory/conditional-access/concept-baseline-protection.md
+1-1
@@ -22,7 +22,7 @@ Baseline policies are a set of predefined policies that help protect organizatio
22
22
Managing customized Conditional Access policies requires an Azure AD Premium license.
23
23
24
24
> [!IMPORTANT]
25
-
> Baseline policies are being deprecated. See [What's new in Azure Active Directory?](../fundamentals/whats-new.md#replacement-of-baseline-policies-with-security-defaults) for more information.
25
+
> Baseline policies are being deprecated. See [Archive for What's new in Azure Active Directory?](../fundamentals/whats-new-archive.md#replacement-of-baseline-policies-with-security-defaults) for more information.
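Review bot: The anchor `#replacement-of-baseline-policies-with-security-defaults` is carried over unchanged from `whats-new.md` to `whats-new-archive.md`; confirm that the heading (and therefore the generated anchor) exists in the archive file, otherwise the link lands at the top of the page and readers lose the pointer to the security defaults that replace the deprecated baseline policies. The IMPORTANT callout itself reads fine.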
articles/active-directory/develop/app-objects-and-service-principals.md
+20-26
@@ -10,54 +10,48 @@ ms.service: active-directory
10
10
ms.subservice: develop
11
11
ms.topic: conceptual
12
12
ms.workload: identity
13
-
ms.date: 04/13/2019
13
+
ms.date: 06/29/2020
14
14
ms.author: ryanwi
15
15
ms.custom: aaddev, identityplatformtop40
16
16
ms.reviewer: sureshja
17
17
---
18
18
19
19
# Application and service principal objects in Azure Active Directory
20
20
21
-
Sometimes, the meaning of the term "application" can be misunderstood when used in the context of Azure Active Directory (Azure AD). This article clarifies the conceptual and concrete aspects of Azure AD application integration, with an illustration of registration and consent for a [multi-tenant application](developer-glossary.md#multi-tenant-application).
21
+
This article describes application registration, application objects, and service principals in Azure Active Directory: what they are, how they're used, and how they are related to each other. A multi-tenant example scenario is also presented to illustrate the relationship between an application's application object and corresponding service principal objects.
22
22
23
-
## Overview
24
-
25
-
An application that has been integrated with Azure AD has implications that go beyond the software aspect. "Application" is frequently used as a conceptual term, referring to not only the application software, but also its Azure AD registration and role in authentication/authorization "conversations" at runtime.
26
-
27
-
By definition, an application can function in these roles:
28
-
29
-
-[Client](developer-glossary.md#client-application) role (consuming a resource)
30
-
-[Resource server](developer-glossary.md#resource-server) role (exposing APIs to clients)
31
-
- Both client role and resource server role
23
+
## Application registration
24
+
In order to delegate Identity and Access Management functions to Azure AD, an application must be registered with an Azure AD [tenant](developer-glossary.md#tenant). When you register your application with Azure AD, you are creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app in the [Azure portal][AZURE-Portal], you choose whether it's single tenant (only accessible in your tenant) or multi-tenant (accessible to in other tenants) and can optionally set a redirect URI (where the access token is sent to).
32
25
33
-
An [OAuth 2.0 Authorization Grant flow](developer-glossary.md#authorization-grant) defines the conversation protocol, which allows the client/resource to access/protect a resource's data, respectively.
26
+
When you've completed the app registration, you have a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID). In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.
34
27
35
-
In the following sections, you'll see how the Azure AD application model represents an application at design-time and run-time.
28
+
If you register an application in the portal, an application object as well as a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step.
36
29
37
-
## Application registration
30
+
## Application object
31
+
An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used. Similar to a class in object oriented programming, the application object has some static properties which are applied to all the created service principals (or application instances).
38
32
39
-
When you register an Azure AD applicationin the [Azure portal][AZURE-Portal], two objects are created in your Azure AD tenant:
33
+
The application object describes three aspects of an application: how the service can issue tokens in order to access the application, resources that the application might need to access, and the actions that the application can take.
40
34
41
-
- An application object, and
42
-
- A service principal object
35
+
The **App registrations** blade in the [Azure portal][AZURE-Portal] is used to list and manage the application objects in your home tenant.
43
36
44
-
### Application object
37
+
The Microsoft Graph [Application entity][MS-Graph-App-Entity] defines the schema for an application object's properties.
45
38
46
-
An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered, known as the application's "home" tenant. The Microsoft Graph [Application entity][MS-Graph-App-Entity] defines the schema for an application object's properties.
39
+
## Service principal object
40
+
To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.
47
41
48
-
### Service principal object
42
+
A service principal is the local representation, or application instance, of a global application object in a single tenant or directory. A service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
49
43
50
-
To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This is true for both users (user principal) and applications (service principal).
44
+
When an application is given permission to access resources in a tenant (upon registration or [consent](developer-glossary.md#consent)), a service principal object is created. You can also create service principal object in a tenant using [Azure PowerShell](howto-authenticate-service-principal-powershell.md), Azure CLI, [Microsoft Graph](/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http), the [Azure portal][AZURE-Portal], and other tools. When using the portal, a service principal is created automatically when you register an application.
51
45
52
-
The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.
46
+
The **Enterprise applications** blade in the portal is used to list and manage the service principals in a tenant. You can see the a service principal's permissions, user consented permissions, which users have done that consent, sign in information, and more.
53
47
54
-
When an application is given permission to access resources in a tenant (upon registration or [consent](developer-glossary.md#consent)), a service principal object is created. The Microsoft Graph[ServicePrincipal entity][MS-Graph-Sp-Entity] defines the schema for a service principal object's properties.
48
+
The Microsoft Graph [ServicePrincipal entity][MS-Graph-Sp-Entity] defines the schema for a service principal object's properties.
55
49
56
-
### Application and service principal relationship
50
+
##Relationship between application objects and service principals
57
51
58
-
Consider the application object as the *global* representation of your application for use across all tenants, and the service principal as the *local* representation for use in a specific tenant.
52
+
The application object is the *global* representation of your application for use across all tenants, and the service principal is the *local* representation for use in a specific tenant.
59
53
60
-
The application object serves as the template from which common and default properties are *derived* for use in creating corresponding service principal objects. An application object therefore has a 1:1 relationship with the software application, and a 1:manyrelationships with its corresponding service principal object(s).
54
+
The application object serves as the template from which common and default properties are *derived* for use in creating corresponding service principal objects. An application object therefore has a 1:1 relationship with the software application, and a 1:manyrelationship with its corresponding service principal object(s).
61
55
62
56
A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant. A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration. A multi-tenant Web application/API also has a service principal created in each tenant where a user from that tenant has consented to its use.
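Review bot: The added heading `##Relationship between application objects and service principals` is missing the space after `##`, so Markdown renders it as literal text rather than an H2; change it to `## Relationship between application objects and service principals`. Smaller fixes on other added lines in this hunk: `1:manyrelationship` needs a space (`1:many relationship`), `accessible to in other tenants` should drop `to`, `You can also create service principal object in a tenant` needs an article (`a service principal object`), and `You can see the a service principal's permissions` has a doubled article. The point that registering through the Microsoft Graph APIs requires creating the service principal as a separate step is stated in both the registration section and the service principal section; saying it once, with the Graph `serviceprincipal-post-serviceprincipals` link already present, would avoid the repetition.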
articles/active-directory/devices/azuread-join-sso.md
+7-7
@@ -11,13 +11,13 @@ ms.date: 06/28/2019
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
13
13
manager: daveba
14
-
ms.reviewer: sandeo
14
+
ms.reviewer: ravenn
15
15
16
16
ms.collection: M365-identity-device-management
17
17
---
18
18
# How SSO to on-premises resources works on Azure AD joined devices
19
19
20
-
It is probably not a surprise that an Azure Active Directory (Azure AD) joined device gives you a single sign-on (SSO) experience to your tenant's cloud apps. If your environment has an on-premises Active Directory (AD), you can extend the SSO experience on these devices to it.
20
+
It is probably not a surprise that an Azure Active Directory (Azure AD) joined device gives you a single sign-on (SSO) experience to your tenant's cloud apps. If your environment has an on-premises Active Directory (AD), you can extend the SSO experience on these devices to resources and applications that rely on on-premises AD as well.
21
21
22
22
This article explains how this works.
23
23
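Review bot: `ms.date: 06/28/2019` (visible in the hunk header context) is not bumped even though this commit changes the article body here and in the `How it works` section below; update it as was done for `ms.date` in app-objects-and-service-principals.md in this same commit. The rewritten intro sentence is otherwise fine.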
@@ -27,19 +27,19 @@ This article explains how this works.
27
27
28
28
## How it works
29
29
30
-
Because you need to remember just one single user name and password, SSO simplifies access to your resources and improves the security of your environment. With an Azure AD joined device, your users already have an SSO experience to the cloud apps in your environment. If your environment has an Azure AD and an on-premises AD, you probably want to expand the scope of your SSO experience to your on-premises Line Of Business (LOB) apps, file shares, and printers.
30
+
With an Azure AD joined device, your users already have an SSO experience to the cloud apps in your environment. If your environment has an Azure AD and an on-premises AD, you may want to expand the scope of your SSO experience to your on-premises Line Of Business (LOB) apps, file shares, and printers.
31
31
32
32
Azure AD joined devices have no knowledge about your on-premises AD environment because they aren't joined to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD Connect.
33
33
34
34
An environment that has both, an Azure AD and an on-premises AD, is also known has hybrid environment. If you have a hybrid environment, it is likely that you already have Azure AD Connect deployed to synchronize your on-premises identity information to the cloud. As part of the synchronization process, Azure AD Connect synchronizes on-premises user information to Azure AD. When a user signs in to an Azure AD joined device in a hybrid environment:
35
35
36
-
1. Azure AD sends the name of the on-premises domain the user is a member of back to the device.
37
-
1. The local security authority (LSA) service enables Kerberos authentication on the device.
36
+
1. Azure AD sends the details of the user's on-premises domain back to the device, along with the [Primary Refresh Token] (concept-primary-refresh-token.md)
37
+
1. The local security authority (LSA) service enables Kerberos and NTLM authentication on the device.
38
38
39
-
During an access attempt to a resource requesting Kerberos in the user's on-premises environment, the device:
39
+
During an access attempt to a resource requesting Kerberos or NTLM in the user's on-premises environment, the device:
40
40
41
41
1. Sends the on-premises domain information and user credentials to the located DC to get the user authenticated.
42
-
1. Receives a Kerberos [Ticket-Granting Ticket (TGT)](/windows/desktop/secauthn/ticket-granting-tickets)that is used to access AD-joined resources. If the attempt to get the TGT for the AAD connect domain fails (related DCLocator timeout can cause a delay), Credential Manager entries are attempted, or the user may receive an authentication popup requesting credentials for the target resource.
42
+
1. Receives a Kerberos [Ticket-Granting Ticket (TGT)](/windows/desktop/secauthn/ticket-granting-tickets)or NTLM token based on the protocol the on-premises resource or application supports. If the attempt to get the Kerberos TGT or NTLM token for the domain fails (related DCLocator timeout can cause a delay), Credential Manager entries are attempted, or the user may receive an authentication popup requesting credentials for the target resource.
43
43
44
44
All apps that are configured for **Windows-Integrated authentication** seamlessly get SSO when a user tries to access them.
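Review bot: In the added step `Azure AD sends the details of the user's on-premises domain back to the device, along with the [Primary Refresh Token] (concept-primary-refresh-token.md)`, the space between `]` and `(` breaks the Markdown link, so it renders as bracketed text followed by a parenthesized path; write it as `[Primary Refresh Token](concept-primary-refresh-token.md)` and end the list item with a period. In the TGT step, `(/windows/desktop/secauthn/ticket-granting-tickets)or NTLM token` needs a space after the closing parenthesis (the removed line had the same glitch). Since the change now states that LSA enables NTLM alongside Kerberos and that the device falls back to Credential Manager entries or a credential prompt, one sentence making explicit that NTLM is used only when the on-premises resource does not support Kerberos (as the added step already implies with "based on the protocol the on-premises resource or application supports") would help admins understand which protocol their SSO actually relies on.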
articles/active-directory/devices/enterprise-state-roaming-troubleshooting.md
+1-1
@@ -81,7 +81,7 @@ Under certain conditions, Enterprise State Roaming can fail to sync data if Azur
81
81
82
82
### Event Viewer
83
83
84
-
For advanced troubleshooting, Event Viewer can be used to find specific errors. These are documented in the table below. The events can be found under Event Viewer > Applications and Services Logs > **Microsoft** > **Windows** > **SettingSync-Azure** and for identity-related issues with sync **Microsoft** > **Windows** > **AAD**.
84
+
For advanced troubleshooting, Event Viewer can be used to find specific errors. These are documented in the table below. The events can be found under Event Viewer > **Applications and Services Logs** > **Microsoft** > **Windows** > **SettingSync-Azure** and for identity-related issues with sync**Applications and Services Logs** >**Microsoft** > **Windows** > **AAD**.
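Review bot: On the added line, `sync**Applications and Services Logs** >**Microsoft**` lacks spaces around the inserted bold segment, so `sync**Applications` cannot open strong emphasis in Markdown and the asterisks render literally; change it to `sync, **Applications and Services Logs** > **Microsoft** > **Windows** > **AAD**`. Otherwise the change correctly makes the first element of the Event Viewer path bold to match the rest of the breadcrumb.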