Merge pull request #142545 from MicrosoftDocs/master
1/07 PM Publish
huypub authored Jan 7, 2021
2 parents 8f0803d + 7f946d9 commit 42a4d0e
Showing 318 changed files with 2,206 additions and 1,050 deletions.
Expand Up @@ -152,8 +152,8 @@ The migration to the Resource Manager deployment model and virtual network is sp
|---------|--------------------|-----------------|-----------|-------------------|
| [Step 1 - Update and locate the new virtual network](#update-and-verify-virtual-network-settings) | Azure portal | 15 minutes | No downtime required | N/A |
| [Step 2 - Prepare the managed domain for migration](#prepare-the-managed-domain-for-migration) | PowerShell | 15 – 30 minutes on average | Downtime of Azure AD DS starts after this command is completed. | Roll back and restore available. |
| [Step 3 - Move the managed domain to an existing virtual network](#migrate-the-managed-domain) | PowerShell | 1 – 3 hours on average | One domain controller is available once this command is completed, downtime ends. | On failure, both rollback (self-service) and restore are available. |
| [Step 4 - Test and wait for the replica domain controller](#test-and-verify-connectivity-after-the-migration)| PowerShell and Azure portal | 1 hour or more, depending on the number of tests | Both domain controllers are available and should function normally. | N/A. Once the first VM is successfully migrated, there's no option for rollback or restore. |
| [Step 3 - Move the managed domain to an existing virtual network](#migrate-the-managed-domain) | PowerShell | 1 – 3 hours on average | One domain controller is available once this command is completed. | On failure, both rollback (self-service) and restore are available. |
| [Step 4 - Test and wait for the replica domain controller](#test-and-verify-connectivity-after-the-migration)| PowerShell and Azure portal | 1 hour or more, depending on the number of tests | Both domain controllers are available and should function normally, downtime ends. | N/A. Once the first VM is successfully migrated, there's no option for rollback or restore. |
| [Step 5 - Optional configuration steps](#optional-post-migration-configuration-steps) | Azure portal and VMs | N/A | No downtime required | N/A |

> [!IMPORTANT]
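Review bot: moving "downtime ends" from the Step 3 row to the Step 4 row leaves the Step 4 duration column out of step with the new meaning: it still reads "1 hour or more, depending on the number of tests", which describes test time, while the row now marks the point at which downtime ends (the arrival of the replica domain controller). State the expected wait for the second controller in that column so the table and the body text agree, and split the comma splice "Both domain controllers are available and should function normally, downtime ends." into two sentences.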
Expand Down Expand Up @@ -259,16 +259,14 @@ At this stage, you can optionally move other existing resources from the Classic

## Test and verify connectivity after the migration

It can take some time for the second domain controller to successfully deploy and be available for use in the managed domain.
It can take some time for the second domain controller to successfully deploy and be available for use in the managed domain. The second domain controller should be available 1-2 hours after the migration cmdlet finishes. With the Resource Manager deployment model, the network resources for the managed domain are shown in the Azure portal or Azure PowerShell. To check if the second domain controller is available, look at the **Properties** page for the managed domain in the Azure portal. If two IP addresses shown, the second domain controller is ready.

With the Resource Manager deployment model, the network resources for the managed domain are shown in the Azure portal or Azure PowerShell. To learn more about what these network resources are and do, see [Network resources used by Azure AD DS][network-resources].

When at least one domain controller is available, complete the following configuration steps for network connectivity with VMs:
After the second domain controller is available, complete the following configuration steps for network connectivity with VMs:

* **Update DNS server settings** To let other resources on the Resource Manager virtual network resolve and use the managed domain, update the DNS settings with the IP addresses of the new domain controllers. The Azure portal can automatically configure these settings for you.

To learn more about how to configure the Resource Manager virtual network, see [Update DNS settings for the Azure virtual network][update-dns].
* **Restart domain-joined VMs** - As the DNS server IP addresses for the Azure AD DS domain controllers change, restart any domain-joined VMs so they then use the new DNS server settings. If applications or VMs have manually configured DNS settings, manually update them with the new DNS server IP addresses of the domain controllers that are shown in the Azure portal.
* **Restart domain-joined VMs (optional)** As the DNS server IP addresses for the Azure AD DS domain controllers change, you can restart any domain-joined VMs so they then use the new DNS server settings. If applications or VMs have manually configured DNS settings, manually update them with the new DNS server IP addresses of the domain controllers that are shown in the Azure portal. Rebooting domain-joined VMs prevents connectivity issues caused by IP addresses that don’t refresh.

Now test the virtual network connection and name resolution. On a VM that's connected to the Resource Manager virtual network, or peered to it, try the following network communication tests:

Expand All @@ -277,7 +275,7 @@ Now test the virtual network connection and name resolution. On a VM that's conn
1. Verify name resolution of the managed domain, such as `nslookup aaddscontoso.com`
* Specify the DNS name for your own managed domain to verify that the DNS settings are correct and resolves.

The second domain controller should be available 1-2 hours after the migration cmdlet finishes. To check if the second domain controller is available, look at the **Properties** page for the managed domain in the Azure portal. If two IP addresses shown, the second domain controller is ready.
To learn more about other network resources, see [Network resources used by Azure AD DS][network-resources].

## Optional post-migration configuration steps
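Review bot: three points in the rewritten section. "If two IP addresses shown" is missing "are". The restart bullet is now labelled "(optional)" and says you "can restart", but its last sentence says rebooting "prevents connectivity issues caused by IP addresses that don't refresh"; if stale resolver settings can break connectivity to the managed domain, the step is not optional, so either keep the original imperative wording or state the concrete condition under which the reboot can be skipped. Finally, the deleted sentence pointing to [Update DNS settings for the Azure virtual network][update-dns] was the only use of that link in this section; confirm the `[update-dns]` reference definition is still used elsewhere in the file, or remove it along with the sentence.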

Expand Up @@ -357,7 +357,7 @@ The Item function returns one item from a multi-valued string/attribute.
| **index** |Required |Integer | Index to an item in the multi-valued string|

**Example:**
`Item([proxyAddresses], 1)`
`Item([proxyAddresses], 1)` returns the second item in the multi-valued attribute.

---
### Join
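Review bot: the added sentence "returns the second item in the multi-valued attribute" documents the index base only through the example. The **index** row above still just says "Index to an item in the multi-valued string"; state there that the index is zero-based (as the example implies) so readers find the base in the parameter table rather than inferring it from one example.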
Expand Up @@ -137,6 +137,7 @@ The following providers offer FIDO2 security keys of different form factors that
| VinCSS | [https://passwordless.vincss.net](https://passwordless.vincss.net) |
| KONA I | [https://konai.com/business/security/fido](https://konai.com/business/security/fido) |
| Excelsecu | [https://www.excelsecu.com/productdetail/esecufido2secu.html](https://www.excelsecu.com/productdetail/esecufido2secu.html) |
| Token2 Switzerland | [https://www.token2.swiss/shop/product/token2-t2f2-alu-fido2-u2f-and-totp-security-key](https://www.token2.swiss/shop/product/token2-t2f2-alu-fido2-u2f-and-totp-security-key) |

> [!NOTE]
> If you purchase and plan to use NFC-based security keys, you need a supported NFC reader for the security key. The NFC reader isn't an Azure requirement or limitation. Check with the vendor for your NFC-based security key for a list of supported NFC readers.
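Review bot: the new Token2 row links to a single shop product page (the T2F2 URL), which will go stale when that SKU is retired; the VinCSS and KONA I rows link to a vendor FIDO landing page instead. Suggest the vendor's FIDO2 product page. The URL also advertises U2F and TOTP alongside FIDO2, so confirm the listed key is FIDO2-capable, since the table is explicitly of FIDO2 security keys.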
Expand Up @@ -57,6 +57,8 @@ If you have problems with phone authentication for Azure AD, review the followin

* “You've hit our limit on verification calls” or “You’ve hit our limit on text verification codes” error messages during sign-in
* Microsoft may limit repeated authentication attempts that are perform by the same user in a short period of time. This limitation does not apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes.
* "Sorry, we're having trouble verifying your account" error message during sign-in
* Microsoft may limit or block voice or SMS authentication attempts that are performed by the same user, phone number, or organization due to high number of failed voice or SMS authentication attempts. If you are experiencing this error, you can try another method, such as Authenticator App or verification code, or reach out to your admin for support.
* Blocked caller ID on a single device.
* Review any blocked numbers configured on the device.
* Wrong phone number or incorrect country/region code, or confusion between personal phone number versus work phone number.
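Review bot: in the added bullet, "due to high number of failed" needs an article ("due to a high number"), and "Authenticator App" should match the "Microsoft Authenticator" naming used in the bullet directly above. The context line "attempts that are perform by the same user" carries a pre-existing typo ("performed") that is worth fixing in the same pass, since the new bullet gets it right.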
Expand Up @@ -30,7 +30,7 @@ If your application expects custom roles to be passed in a SAML response, you ne

## Create roles for an application

1. In the [Azure portal](https://portal.azure.com), in the left pane, select the **Azure Active Directory** icon.
1. In the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>, in the left pane, select the **Azure Active Directory** icon.

![Azure Active Directory icon][1]
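Review bot: the Markdown link `[Azure portal](https://portal.azure.com)` is replaced with a raw HTML anchor that sets `target="_blank"` and hard-codes a `<span class="docon docon-navigate-external x-hidden-focus">`. Two concerns: `target="_blank"` without `rel="noopener noreferrer"` hands the opened page a `window.opener` reference in browsers that do not apply implicit noopener, and the docon span is presentational markup that belongs to the site renderer, not to article source, so it is duplicated across every article and breaks silently if the class name changes. Prefer keeping the Markdown link; if a new tab is required, add the `rel` attribute.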

Expand Up @@ -132,7 +132,7 @@ This OptionalClaims object causes the ID token returned to the client to include
You can configure optional claims for your application through the UI or application manifest.

1. Go to the [Azure portal](https://portal.azure.com).
1. Go to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
1. Search for and select **Azure Active Directory**.
1. Under **Manage**, select **App registrations**.
1. Select the application you want to configure optional claims for in the list.
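Review bot: same raw-HTML portal link as elsewhere in this commit: the `<a ... target="_blank">` has no `rel="noopener noreferrer"`, and the docon span is hand-written renderer markup inside article source. Keep the Markdown link, or add the `rel` attribute if the new-tab behaviour is intentional.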
Expand Down Expand Up @@ -241,7 +241,7 @@ This section covers the configuration options under optional claims for changing

**Configuring groups optional claims through the UI:**

1. Sign in to the [Azure portal](https://portal.azure.com).
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
1. After you've authenticated, choose your Azure AD tenant by selecting it from the top-right corner of the page.
1. Search for and select **Azure Active Directory**.
1. Under **Manage**, select **App registrations**.
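Review bot: the portal link in this hunk is now raw HTML with `target="_blank"` and no `rel` attribute; this is inconsistent with the Markdown links in the rest of the article and exposes `window.opener` in browsers that do not default to noopener. Suggest reverting to `[Azure portal](https://portal.azure.com)`.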
Expand All @@ -254,7 +254,7 @@ This section covers the configuration options under optional claims for changing

**Configuring groups optional claims through the application manifest:**

1. Sign in to the [Azure portal](https://portal.azure.com).
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
1. After you've authenticated, choose your Azure AD tenant by selecting it from the top-right corner of the page.
1. Search for and select **Azure Active Directory**.
1. Select the application you want to configure optional claims for in the list.
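Review bot: this hunk repeats the raw `<a href="https://portal.azure.com/" target="_blank">` substitution. Maintaining the same multi-line anchor and docon span in every step list is error-prone; a Markdown link (or, if the site supports it, a shared include for the portal link) is easier to keep correct, and any `target="_blank"` should carry `rel="noopener noreferrer"`.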
Expand Down Expand Up @@ -385,7 +385,7 @@ In the example below, you will use the **Token configuration** UI and **Manifest

**UI configuration:**

1. Sign in to the [Azure portal](https://portal.azure.com).
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
1. After you've authenticated, choose your Azure AD tenant by selecting it from the top-right corner of the page.

1. Search for and select **Azure Active Directory**.
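Review bot: same point as the other portal-link hunks: raw HTML anchor with `target="_blank"`, no `rel="noopener noreferrer"`, and a hard-coded docon span. Prefer the Markdown link so the renderer handles external-link presentation and opener isolation consistently.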
Expand All @@ -408,7 +408,7 @@ In the example below, you will use the **Token configuration** UI and **Manifest

**Manifest configuration:**

1. Sign in to the [Azure portal](https://portal.azure.com).
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
1. After you've authenticated, choose your Azure AD tenant by selecting it from the top-right corner of the page.
1. Search for and select **Azure Active Directory**.
1. Find the application you want to configure optional claims for in the list and select it.
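Review bot: the replaced line swaps a Markdown link for raw HTML with `target="_blank"` and no `rel` attribute. Besides the `window.opener` exposure in older browsers, note that this article now has Markdown links and HTML links for the same destination in adjacent sections; pick one form, preferably Markdown.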
Expand Up @@ -76,7 +76,7 @@ For more info, see [Table 3: Valid ID values per source](active-directory-claims

You can also assign any constant (static) value to any claims which you define in Azure AD. Please follow the below steps to assign a constant value:

1. In the [Azure portal](https://portal.azure.com/), on the **User Attributes & Claims** section, click on the **Edit** icon to edit the claims.
1. In the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>, on the **User Attributes & Claims** section, click on the **Edit** icon to edit the claims.

1. Click on the required claim which you want to modify.
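Review bot: raw HTML portal anchor again (`target="_blank"` without `rel="noopener noreferrer"`, plus a docon span). Keep the Markdown link; if the change is meant to force a new tab, add the `rel` attribute so the portal tab cannot reach the docs tab through `window.opener`.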

Expand Up @@ -45,7 +45,7 @@ The number of roles you add counts toward application manifest limits enforced b
To create an app role by using the Azure portal's user interface:

1. Sign in to the [Azure portal](https://portal.azure.com).
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
1. Select the **Directory + subscription** filter in top menu, and then choose the Azure Active Directory tenant that contains the app registration to which you want to add an app role.
1. Search for and select **Azure Active Directory**.
1. Under **Manage**, select **App registrations**, and then select the application you want to define app roles in.
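Review bot: same raw-HTML substitution for the portal link as in the rest of this commit, with `target="_blank"` and no `rel` attribute; prefer the Markdown form. While here, the context line "Select the **Directory + subscription** filter in top menu" is missing "the" ("in the top menu").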
Expand All @@ -70,7 +70,7 @@ To create an app role by using the Azure portal's user interface:

To add roles by editing the manifest directly:

1. Sign in to the [Azure portal](https://portal.azure.com).
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
1. Select the **Directory + subscription** filter in top menu, and then choose the Azure Active Directory tenant that contains the app registration to which you want to add an app role.
1. Search for and select **Azure Active Directory**.
1. Under **Manage**, select **App registrations**, and then select the application you want to define app roles in.
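Review bot: the portal link is again raw HTML with `target="_blank"` and no `rel="noopener noreferrer"`, duplicating the docon span in article source. Revert to the Markdown link. The context line "filter in top menu" has the same missing article as the earlier hunk in this file.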
Expand Up @@ -132,7 +132,7 @@ Once you've added app roles in your application, you can assign users and groups

To assign users and groups to roles by using the Azure portal:

1. Sign in to the [Azure portal](https://portal.azure.com).
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
1. In **Azure Active Directory**, select **Enterprise applications** in the left-hand navigation menu.
1. Select **All applications** to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the **All applications** list to restrict the list, or scroll down the list to locate your application.
1. Select the application in which you want to assign users or security group to roles.
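Review bot: raw HTML anchor for the portal link with `target="_blank"` and no `rel` attribute, inconsistent with the Markdown links elsewhere in this article; keep the Markdown link or add `rel="noopener noreferrer"`.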
Expand All @@ -154,7 +154,7 @@ When you assign app roles to an application, you create *application permissions

To assign app roles to an application by using the Azure portal:

1. Sign in to the [Azure portal](https://portal.azure.com).
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
1. In **Azure Active Directory**, select **App registrations** in the left-hand navigation menu.
1. Select **All applications** to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the **All applications** list to restrict the list, or scroll down the list to locate your application.
1. Select the application to which you want to assign an app role.
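Review bot: same portal-link substitution as the three other hunks in this file: raw `<a ... target="_blank">` without `rel="noopener noreferrer"`, docon span hard-coded. One consistent Markdown link across the file is preferable.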
Expand Up @@ -54,7 +54,7 @@ When the terms of service and privacy statement are ready, you can add links to
### <a name="azure-portal"></a>Using the Azure portal
Follow these steps in the Azure portal.

1. Sign in to the [Azure portal](https://portal.azure.com/), select the correct AzureAD tenant(not B2C).
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>, select the correct AzureAD tenant(not B2C).
2. Navigate to the **App Registrations** section and select your app.
3. Open the **Branding** pane.
4. Fill out the **Terms of Service URL** and **Privacy Statement URL** fields.
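Review bot: two issues on the changed line. The raw HTML portal anchor has `target="_blank"` and no `rel="noopener noreferrer"` (prefer the Markdown link, as in the other hunks of this commit), and the sentence itself is a comma splice with a missing space: "Sign in to the Azure portal, select the correct AzureAD tenant(not B2C)." Suggest "Sign in to the Azure portal and select the correct Azure AD tenant (not B2C)."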
Expand Up @@ -44,7 +44,7 @@ If your app was registered before May 21, 2019, your application's consent promp

To set your app's publisher domain, follow these steps.

1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a> using either a work or school account, or a personal Microsoft account.

1. If your account is present in more than one Azure AD tenant:
1. Select your profile from the menu on the top-right corner of the page, and then **Switch directory**.
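Review bot: the portal link here is raw HTML with `target="_blank"` and no `rel` attribute; revert to `[Azure portal](https://portal.azure.com)` or add `rel="noopener noreferrer"`. The trailing slash on the href also differs from the original link, so check that link-checking tooling treats both forms as the same destination.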
Expand Up @@ -71,7 +71,7 @@ To check your subscription permissions:

Let's jump straight into creating the identity. If you run into a problem, check the [required permissions](#permissions-required-for-registering-an-app) to make sure your account can create the identity.

1. Sign in to your Azure Account through the [Azure portal](https://portal.azure.com).
1. Sign in to your Azure Account through the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
1. Select **Azure Active Directory**.
1. Select **App registrations**.
1. Select **New registration**.
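Review bot: same raw-HTML substitution for the portal link (`target="_blank"`, no `rel="noopener noreferrer"`, hard-coded docon span). Keep the Markdown link so this article stays consistent with the second hunk in the same file, which also sends the reader to the portal.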
Expand Up @@ -177,7 +177,7 @@ If you choose not to use a certificate, you can create a new application secret.
## Configure access policies on resources
Keep in mind, you might need to configure additional permissions on resources that your application needs to access. For example, you must also [update a key vault's access policies](../../key-vault/general/secure-your-key-vault.md#data-plane-and-access-policies) to give your application access to keys, secrets, or certificates.

1. In the [Azure portal](https://portal.azure.com), navigate to your key vault and select **Access policies**.
1. In the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>, navigate to your key vault and select **Access policies**.
1. Select **Add access policy**, then select the key, secret, and certificate permissions you want to grant your application. Select the service principal you created previously.
1. Select **Add** to add the access policy, then **Save** to commit your changes.
![Add access policy](./media/howto-create-service-principal-portal/add-access-policy.png)
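Review bot: beyond the raw HTML portal link (add `rel="noopener noreferrer"` or revert to Markdown), the step "select the key, secret, and certificate permissions you want to grant your application" would benefit from a sentence telling readers to grant only the permissions the application actually needs, since the access policy applies to the whole vault's data plane. Also add a blank line before the `![Add access policy]` image so it is not parsed as part of the last list item.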
Expand Up @@ -36,7 +36,7 @@ If you'd like to continue using your existing app registration for your applicat

Follow these steps for app registrations that are currently configured with **Web** platform redirect URIs:

1. Sign in to the [Azure portal](https://portal.azure.com) and select your **Azure Active Directory** tenant.
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a> and select your **Azure Active Directory** tenant.
1. In **App registrations**, select your application, and then **Authentication**.
1. In the **Web** platform tile under **Redirect URIs**, select the warning banner indicating that you should migrate your URIs.
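Review bot: raw HTML portal anchor with `target="_blank"` and no `rel` attribute, same as the other hunks in this commit; prefer the Markdown link. The rest of the step list is unchanged, so the hunk otherwise looks fine.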

Expand Up @@ -115,7 +115,7 @@ keytool -exportcert -alias androiddebugkey -keystore %HOMEPATH%\.android\debug.k

Once you've generated a signature hash with *keytool*, use the Azure portal to generate the redirect URI:

1. Sign in to the [Azure portal](https://portal.azure.com) and select your Android app in **App registrations**.
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a> and select your Android app in **App registrations**.
1. Select **Authentication** > **Add a platform** > **Android**.
1. In the **Configure your Android app** pane that opens, enter the **Signature hash** that you generated earlier and a **Package name**.
1. Select the **Configure** button.
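Review bot: same portal-link change as elsewhere: the Markdown link becomes a raw `<a ... target="_blank">` without `rel="noopener noreferrer"` and with a hard-coded docon span. Revert to the Markdown link, or add the `rel` attribute if opening the portal in a new tab is a deliberate change.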