Merge branch 'master' into repo_sync_working_branch

Author: ktoliver

articles/active-directory/azuread-dev/howto-v1-debug-saml-sso-issues.md

@@ -82,7 +82,7 @@ If no resolution is provided for the sign-in error, we suggest that you use the
 
 You might sign in successfully and then see an error on the application's page. This occurs when Azure AD issued a token to the application, but the application does not accept the response.
 
-To resolve the error, follow these steps:
+To resolve the error, follow these steps, or watch this [short video about how to use Azure AD to troubleshoot SAML SSO](https://www.youtube.com/watch?v=poQCJK0WPUk&list=PLLasX02E8BPBm1xNMRdvP6GtA6otQUqp0&index=8):
 
 1. If the application is in the Azure AD Gallery, verify that you've followed all the steps for integrating the application with Azure AD. To find the integration instructions for your application, see the [list of SaaS application integration tutorials](../saas-apps/tutorial-list.md).
 1. Retrieve the SAML response.
@@ -100,4 +100,4 @@ To resolve the error, follow these steps:
 
 ## Next steps
 
-Now that single sign-on is working to your application, you could [Automate user provisioning and de-provisioning to SaaS applications](../app-provisioning/user-provisioning.md) or [get started with Conditional Access](../conditional-access/app-based-conditional-access.md).
+Now that single sign-on is working to your application, you could [Automate user provisioning and de-provisioning to SaaS applications](../app-provisioning/user-provisioning.md) or [get started with Conditional Access](../conditional-access/app-based-conditional-access.md).

articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md

@@ -21,11 +21,12 @@ Accounts that are assigned administrative rights are targeted by attackers. Requ
 
 Microsoft recommends you require MFA on the following roles at a minimum:
 
+* Authentication Administrator
 * Billing administrator
 * Conditional Access administrator
 * Exchange administrator
 * Global administrator
-* Helpdesk (Password) administrator
+* Helpdesk administrator
 * Password administrator
 * Security administrator
 * SharePoint administrator
@@ -69,7 +70,7 @@ The following steps will help create a Conditional Access policy to require thos
    1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 
    1. Select **Done**.
 1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**, and select **Done**.
-1. Under **Conditions** > **Client apps (Preview)**, under **Select the client apps this policy will apply to** leave all defaults selected and select **Done**.
+1. Under **Conditions** > **Client apps**, switch **Configure** to **Yes** and under **Select the client apps this policy will apply to** leave all defaults selected and select **Done**.
 1. Under **Access controls** > **Grant**, select **Grant access**, **Require multi-factor authentication**, and select **Select**.
 1. Confirm your settings and set **Enable policy** to **On**.
 1. Select **Create** to create to enable your policy.

articles/active-directory/develop/active-directory-configurable-token-lifetimes.md

@@ -86,9 +86,9 @@ A token lifetime policy is a type of policy object that contains token lifetime
 | Access Token Lifetime |AccessTokenLifetime<sup>2</sup> |Access tokens, ID tokens, SAML2 tokens |1 hour |10 minutes |1 day |
 | Refresh Token Max Inactive Time |MaxInactiveTime |Refresh tokens |90 days |10 minutes |90 days |
 | Single-Factor Refresh Token Max Age |MaxAgeSingleFactor |Refresh tokens (for any users) |Until-revoked |10 minutes |Until-revoked<sup>1</sup> |
-| Multi-Factor Refresh Token Max Age |MaxAgeMultiFactor |Refresh tokens (for any users) | 180 days |10 minutes |Until-revoked<sup>1</sup> |
+| Multi-Factor Refresh Token Max Age |MaxAgeMultiFactor |Refresh tokens (for any users) | 180 days |10 minutes |180 days<sup>1</sup> |
 | Single-Factor Session Token Max Age |MaxAgeSessionSingleFactor |Session tokens (persistent and nonpersistent) |Until-revoked |10 minutes |Until-revoked<sup>1</sup> |
-| Multi-Factor Session Token Max Age |MaxAgeSessionMultiFactor |Session tokens (persistent and nonpersistent) | 180 days |10 minutes |Until-revoked<sup>1</sup> |
+| Multi-Factor Session Token Max Age |MaxAgeSessionMultiFactor |Session tokens (persistent and nonpersistent) | 180 days |10 minutes | 180 days<sup>1</sup> |
 
 * <sup>1</sup>365 days is the maximum explicit length that can be set for these attributes.
 * <sup>2</sup>To ensure the Microsoft Teams Web client works, it is recommended to keep AccessTokenLifetime to greater than 15 minutes for Microsoft Teams.

articles/active-directory/develop/msal-overview.md

@@ -18,7 +18,7 @@ ms.custom: aaddev, identityplatformtop40
 ---
 
 # Overview of Microsoft Authentication Library (MSAL)
-Microsoft Authentication Library (MSAL) enables developers to acquire [tokens](developer-glossary.md#security-token) from the Microsoft identity platform endpoint in order to access secured web APIs. These web APIs can be the Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. MSAL is available for .NET, JavaScript, Android, and iOS, which support many different application architectures and platforms.
+Microsoft Authentication Library (MSAL) enables developers to acquire [tokens](developer-glossary.md#security-token) from the Microsoft identity platform endpoint in order to access secured web APIs. These web APIs can be the Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. MSAL is available for .NET, JavaScript, Java, Python, Android, and iOS, which support many different application architectures and platforms.
 
 MSAL gives you many ways to get tokens, with a consistent API for a number of platforms. Using MSAL provides the following benefits:
 

articles/active-directory/develop/quickstart-v2-dotnet-native-aspnet.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: quickstart
 ms.workload: identity
-ms.date: 12/12/2019
+ms.date: 10/05/2020
 ms.author: jmprieur
 ms.custom: "devx-track-csharp, aaddev, identityplatformtop40, scenarios:getting-started, languages:ASP.NET"
 #Customer intent: As an application developer, I want to know how to set up OpenId Connect authentication in a web application that's built by using Node.js with Express.

articles/active-directory/develop/quickstart-v2-ios.md

@@ -177,7 +177,7 @@ self.applicationContext = try MSALPublicClientApplication(configuration: msalCon
 > |Where: | Description |
 > |---------|---------|
 > | `clientId` | The Application ID from the application registered in *portal.azure.com* |
-> | `authority` | The Microsoft identity platform endpoint. In most of cases this will be *https<span/>://login.microsoftonline.com/common* |
+> | `authority` | The Microsoft identity platform endpoint. In most of cases this will be *https://login.microsoftonline.com/common* |
 > | `redirectUri` | The redirect URI of the application. You can pass 'nil' to use the default value, or your custom redirect URI. |
 
 ### For iOS only, additional app requirements
@@ -271,3 +271,4 @@ Move on to the step-by-step tutorial in which you build an iOS or macOS app that
 
 > [!div class="nextstepaction"]
 > [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md)
+

articles/active-directory/develop/scenario-desktop-acquire-token.md

@@ -684,7 +684,7 @@ static async Task GetATokenForGraph()
  if (accounts.Any())
  {
   result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
-                    .ExecuteAync();
+                    .ExecuteAsync();
  }
  else
  {

articles/active-directory/develop/tutorial-v2-javascript-spa.md

@@ -69,7 +69,7 @@ Make sure you have [Node.js](https://nodejs.org/en/download/) installed, and the
    npm install morgan --save
    ```
 
-1. Now, create a .js file named `index.js`, and then add the following code:
+1. Now, create a .js file named `server.js`, and then add the following code:
 
    ```JavaScript
    const express = require('express');
@@ -276,7 +276,7 @@ Before proceeding further with authentication, register your application on **Az
 
 > ### Set a redirect URL for Node.js
 >
-> For Node.js, you can set the web server port in the *index.js* file. This tutorial uses port 3000, but you can use any other available port.
+> For Node.js, you can set the web server port in the *server.js* file. This tutorial uses port 3000, but you can use any other available port.
 >
 > To set up a redirect URL in the application registration information, switch back to the **Application Registration** pane, and do either of the following:
 >
@@ -510,4 +510,5 @@ The Microsoft Graph API requires the *user.read* scope to read a user's profile.
 Delve deeper into single-page application (SPA) development on the Microsoft identity platform in our the multi-part scenario series.
 
 > [!div class="nextstepaction"]
-> [Scenario: Single-page application](scenario-spa-overview.md)
+> [Scenario: Single-page application](scenario-spa-overview.md)
+

articles/active-directory/devices/manage-stale-devices.md

@@ -162,9 +162,9 @@ When configured, BitLocker keys for Windows 10 devices are stored on the device
 ### Why should I worry about Windows Autopilot devices?
 
 When you delete an Azure AD device that was associated with a Windows Autopilot object the following three scenarios can occur if the device will be repurposed in future:
-- With Windows Autopilot user-driven deployments without using white glove, a new Azure AD device will be created, but it won’t be tagged with the ZTDID.
+- With Windows Autopilot user-driven deployments without using pre-provisioning, a new Azure AD device will be created, but it won’t be tagged with the ZTDID.
 - With Windows Autopilot self-deploying mode deployments, they will fail because an associate Azure AD device cannot be found.  (This is a security mechanism to make sure that no “imposter” devices try to join Azure AD with no credentials.) The failure will indicate a ZTDID mismatch.
-- With Windows Autopilot white glove deployments, they will fail because an associated Azure AD device cannot be found. (Behind the scenes, white glove deployments use the same self-deploying mode process, so they enforce the same security mechanisms.)
+- With Windows Autopilot pre-provisioning deployments, they will fail because an associated Azure AD device cannot be found. (Behind the scenes, pre-provisioning deployments use the same self-deploying mode process, so they enforce the same security mechanisms.)
 
 ### How do I know all the type of devices joined?
 

articles/active-directory/external-identities/hybrid-cloud-to-on-premises.md

@@ -40,6 +40,9 @@ To provide B2B users access to on-premises applications that are secured with In
 - **Authentication through Azure AD Application Proxy**. B2B users must be able to authenticate to the on-premises application. To do this, you must publish the on-premises app through the Azure AD Application Proxy. For more information, see [Get started with Application Proxy and install the connector](../manage-apps/application-proxy-enable.md) and [Publish applications using Azure AD Application Proxy](../manage-apps/application-proxy-publish-azure-portal.md).
 - **Authorization via a B2B user object in the on-premises directory**. The application must be able to perform user access checks, and grant access to the correct resources. IWA and KCD require a user object in the on-premises Windows Server Active Directory to complete this authorization. As described in [How single sign-on with KCD works](../manage-apps/application-proxy-configure-single-sign-on-with-kcd.md#how-single-sign-on-with-kcd-works), Application Proxy needs this user object to impersonate the user and get a Kerberos token to the app. 
 
+   > [!NOTE]
+   > When you configure the Azure AD Application Proxy, ensure that **Delegated Logon Identity** is set to **User principal name** (default) for IWA single sign-on.
+
    For the B2B user scenario, there are two methods available that you can use to create the guest user objects that are required for authorization in the on-premises directory:
 
    - Microsoft Identity Manager (MIM) and the MIM management agent for Microsoft Graph.