Merge pull request MicrosoftDocs#2649 from MicrosoftDocs/FromPrivateRepo
From private repo
v-alje authored Aug 4, 2017
2 parents 35ad095 + 7ea93a4 commit f66f1f3
Showing 178 changed files with 1,609 additions and 869 deletions.
Expand Up @@ -3,22 +3,22 @@ title: 'Azure Active Directory B2C: Use the Graph API | Microsoft Docs'
description: How to call the Graph API for a B2C tenant by using an application identity to automate the process.
services: active-directory-b2c
documentationcenter: .net
author: gsacavdm
author: parakhj
manager: krassk
editor: bryanla
editor: parakhj

ms.assetid: f9904516-d9f7-43b1-ae4f-e4d9eb1c67a0
ms.service: active-directory-b2c
ms.workload: identity
ms.tgt_pltfrm: na
ms.devlang: dotnet
ms.topic: article
ms.date: 03/22/2017
ms.author: gsacavdm
ms.date: 08/07/2017
ms.author: parakhj

---
# Azure AD B2C: Use the Graph API
Azure Active Directory (Azure AD) B2C tenants tend to be very large. This means that many common tenant management tasks need to be performed programmatically. A primary example is user management. You might need to migrate an existing user store to a B2C tenant. You may want to host user registration on your own page and create user accounts in Azure AD behind the scenes. These types of tasks require the ability to create, read, update, and delete user accounts. You can do these tasks by using the Azure AD Graph API.
Azure Active Directory (Azure AD) B2C tenants tend to be very large. This means that many common tenant management tasks need to be performed programmatically. A primary example is user management. You might need to migrate an existing user store to a B2C tenant. You may want to host user registration on your own page and create user accounts in your Azure AD B2C directory behind the scenes. These types of tasks require the ability to create, read, update, and delete user accounts. You can do these tasks by using the Azure AD Graph API.

For B2C tenants, there are two primary modes of communicating with the Graph API.

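Review bot: ms.date: 08/07/2017 in the new front matter is three days after this commit's own date (Aug 4, 2017); confirm that the forward date is intentional rather than a typo for 08/04. The wording change from "create user accounts in Azure AD" to "in your Azure AD B2C directory" is the right scoping for this page; while here, "tend to be very large" could name the concrete consequence it is driving at (bulk creation, migration and deletion of accounts under an application identity) rather than size alone.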
Expand Up @@ -13,7 +13,7 @@ ms.workload: identity
ms.tgt_pltfrm: na
ms.devlang: na
ms.topic: article
ms.date: 03/06/2017
ms.date: 08/04/2017
ms.author: maheshu

---
Expand Down Expand Up @@ -71,6 +71,16 @@ The following ports are required for Azure AD Domain Services to service and mai
| 5986 |Management of your domain |
| 636 |Secure LDAP (LDAPS) access to your managed domain |

### Sample NSG for virtual networks with Azure AD Domain Services
The following table illustrates a sample NSG you can configure for a virtual network with an Azure AD Domain Services managed domain. This rule allows inbound traffic from the above specified ports to ensure your managed domain stays patched, updated and can be monitored by Microsoft. The default 'DenyAll' rule applies to all other inbound traffic from the internet.

Additionally, the NSG also illustrates how to lock down secure LDAP access over the internet. Skip this rule if you have not enabled secure LDAP access to your managed domain over the internet. The NSG contains a set of rules that allow inbound LDAPS access over TCP port 636 only from a specified set of IP addresses. The NSG rule to allow LDAPS access over the internet from specified IP addresses has a higher priority than the DenyAll NSG rule.

![Sample NSG to secure LDAPS access over the internet](./media/active-directory-domain-services-admin-guide/secure-ldap-sample-nsg.png)

**More information** - [Create a Network Security Group](../virtual-network/virtual-networks-create-nsg-arm-pportal.md).


## Network connectivity
An Azure AD Domain Services managed domain can be enabled only within a single classic virtual network in Azure. Virtual networks created using Azure Resource Manager are not supported.

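Review bot: "This rule allows inbound traffic from the above specified ports" mixes up direction and scope: the rules allow inbound traffic to the ports listed above (5986, 636 and the rest of the table), and the paragraph never says which source addresses the management-port rules should be restricted to, so a reader copying the sample could open those ports to the whole internet; state the expected source range next to the port list. For the LDAPS rule, "higher priority than the DenyAll NSG rule" is worth spelling out as a lower priority number, because NSG rules are evaluated in ascending numeric order and the default DenyAllInBound rule sits at 65500. The sample NSG itself exists only as a screenshot; a table of the rules (priority, source, destination port, action) would be accessible, searchable and copyable.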
Expand Down Expand Up @@ -105,3 +115,4 @@ You can connect a Resource Manager-based virtual network to the Azure classic vi
* [Azure virtual network peering](../virtual-network/virtual-network-peering-overview.md)
* [Configure a VNet-to-VNet connection for the classic deployment model](../vpn-gateway/virtual-networks-configure-vnet-to-vnet-connection.md)
* [Azure Network Security Groups](../virtual-network/virtual-networks-nsg.md)
* [Create a Network Security Group](../virtual-network/virtual-networks-create-nsg-arm-pportal.md)
Expand Up @@ -14,7 +14,7 @@ ms.workload: identity
ms.tgt_pltfrm: na
ms.devlang: na
ms.topic: article
ms.date: 05/25/2017
ms.date: 08/04/2017
ms.author: curtand

ms.reviewer: rodejo
Expand Down Expand Up @@ -223,6 +223,22 @@ If you want to remove an owner from a group, use Remove-AzureADGroupOwner:

PS C:\Windows\system32> remove-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -OwnerId e831b3fd-77c9-49c7-9fca-de43e109ef67

## Reserved Aliases
When a group is created, certain endpoints allow the end user to specify a mailNickname or alias to be used as part of the email address of the group.  
Groups with the following highly privileged email aliases can only be created by an Azure AD global administrator. 

* abuse
* admin
* administrator
* hostmaster
* majordomo
* postmaster
* root
* secure
* security
* ssl-admin
* webmaster

## Next steps
You can find more Azure Active Directory PowerShell documentation at [Azure Active Directory Cmdlets](/powershell/azure/install-adv2?view=azureadps-2.0).

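Review bot: "certain endpoints allow the end user to specify a mailNickname or alias" leaves the reader guessing which endpoints are meant; name them, or at least say whether the PowerShell cmdlets on this page are among them, and state what a non-global-administrator sees when creating a group with one of these aliases (an error versus silent failure matters for automation). Style: the prose says Remove-AzureADGroupOwner but the example invokes remove-AzureADGroupOwner; use the cmdlet's canonical casing in both, and trim the trailing whitespace on the two sentences that introduce the alias list.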
Expand Up @@ -12,56 +12,65 @@ ms.workload: identity
ms.tgt_pltfrm: na
ms.devlang: na
ms.topic: article
ms.date: 07/17/2017
ms.date: 08/01/2017
ms.author: kgremban
ms.reviewer: harshja
ms.custom: it-pro
---

# Working with custom domains in Azure AD Application Proxy

When you publish an application through Azure Active Directory Application Proxy, you create an external URL for your users to go to when they're working remotely. This URL gets the default domain *yourtenant-msappproxy.net*. If you want to use your own domain name, configure a custom domain for your application.
When you publish an application through Azure Active Directory Application Proxy, you create an external URL for your users to go to when they're working remotely. This URL gets the default domain *yourtenant.msappproxy.net*. For example, if you published an app named Expenses and your tenant is named Contoso, then the external URL would be https://expenses-contoso.msappproxy.net. If you want to use your own domain name, configure a custom domain for your application.

We recommend that you set up custom domains for your applications whenever possible. Some of the benefits of custom domains include:

- Your users can get to the application with the same URL, whether they are working inside or outside of your network.
- If all of your applications have the same internal and external URLs, then links in one application that point to another continue to work outside the corporate network.
- If all of your applications have the same internal and external URLs, then links in one application that point to another continue to work even outside the corporate network.
- You control your branding, and create the URLs you want.


## Configure a custom domain

### Prerequisites

Before you configure a custom domain, make sure that you have the following requirements prepared:
- A [verified domain added to Azure Active Directory](active-directory-domains-add-azure-portal.md).
- A custom certificate for the domain, in the form of a PFX file.
- An on-premises app [published through Application Proxy](application-proxy-publish-azure-portal.md).

### Configure your custom domain

When you have those three requirements ready, follow these steps to set up your custom domain:

1. Sign in to the [Azure portal](https://portal.azure.com).
2. Navigate to **Azure Active Directory** > **Enterprise applications** > **All applications** and choose the app you want to manage.
3. Select **Application Proxy**.
4. In the External URL field, use the dropdown list to select your custom domain. If you don't see your domain in the list, then it hasn't been verified yet.
5. Select **Save**
5. The **Certificate** field that was disabled becomes enabled. Select this field.

![Click to upload a certificate](./media/active-directory-application-proxy-custom-domains/certificate.png)

If this field stays disabled, it probably means that a certificate already was uploaded for that domain.
If you already uploaded a certificate for this domain, the Certificate field displays the certificate information.

6. Upload the PFX certificate and enter the password for the certificate.
7. Select **Save** to save your changes.
8. Add a DNS record that redirects the new external URL to the msappproxy.net domain.
8. Add a [DNS record](../dns/dns-operations-recordsets-portal.md) that redirects the new external URL to the msappproxy.net domain.

>[!TIP]
>You only need to upload one certificate per custom domain. Once you upload a certificate, you can choose the custom domain when you publish a new app and not have to do additional configuration except for the DNS record.
## Manage certificates

### Certificate format
There is no restriction on the certificate signature methods. ECC, SAN, and other common certificate types are all supported. You can also use wildcard certificates. If you use a wildcard certificate, make sure that the wildcard matches the desired external URL. Self-signed certificates are also accepted. If you’re using a private certificate authority, the CDP (certificate revocation point distribution point) for the certificate should be public.
There is no restriction on the certificate signature methods. Elliptic Curve Cryptography (ECC), Subject Alternative Name (SAN), and other common certificate types are all supported.

You can use a wildcard certificate as long as the wildcard matches the desired external URL.

You can use self-signed certificates, as well. If you’re using a private certificate authority, the CDP (certificate revocation point distribution point) for the certificate should be public.

### Changing the domain
All verified domains appear in the External URL dropdown list for your application. To change the domain, just update that field for the application. If you select a domain that doesn't have an associated certificate, follow steps 5-7 to add the certificate. If the domain you want isn't in the list, [add it as a verified domain](active-directory-domains-add-azure-portal.md). Then, make sure you update the DNS record to redirect from the new external URL.
All verified domains appear in the External URL dropdown list for your application. To change the domain, just update that field for the application. If the domain you want isn't in the list, [add it as a verified domain](active-directory-domains-add-azure-portal.md). If you select a domain that doesn't have an associated certificate yet, follow steps 5-7 to add the certificate. Then, make sure you update the DNS record to redirect from the new external URL.

### Certificate management
You can use the same certificate for multiple applications unless the applications share an external host.
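Review bot: the procedure has two steps numbered 5 ("Select **Save**" and "The **Certificate** field that was disabled becomes enabled"), and "Changing the domain" later tells readers to "follow steps 5-7", so renumber the list (Save 5, Certificate field 6, upload 7, Save 8, DNS record 9) and change the cross-reference to steps 6-8. "CDP (certificate revocation point distribution point)" should read "CDP (CRL distribution point)": the CRL is the certificate revocation list, and the reason a private CA's CDP must be public is that clients need to fetch that list. Step 8's DNS record does not "redirect"; say which record type is meant (a CNAME from the custom host name to the msappproxy.net host). The self-signed certificate sentence should add that users' browsers will not trust such a certificate unless it has been distributed to them, so readers do not take it as a production option. Also insert a blank line between the >[!TIP] block and the "## Manage certificates" heading so the heading is not rendered inside the tip, and note that SAN is a certificate extension rather than a signature method or certificate type.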
Expand Up @@ -12,7 +12,7 @@ ms.workload: identity
ms.tgt_pltfrm: na
ms.devlang: na
ms.topic: article
ms.date: 07/20/2017
ms.date: 08/02/2017
ms.author: kgremban
ms.reviewer: harshja
ms.custom: it-pro
Expand Down Expand Up @@ -52,9 +52,15 @@ To prepare your environment for Azure AD Application Proxy, you first need to en
2. If your firewall or proxy allows DNS whitelisting, you can whitelist connections to msappproxy.net and servicebus.windows.net. If not, you need to allow access to the [Azure DataCenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated each week.

3. Your connector needs access to login.windows.net and login.microsoftonline.net for the registration process, so open your firewall for those URLs as well.
3. Microsoft uses four addresses to verify certificates. Allow access to the following URLs if you haven't done so for other products:
* mscrl.microsoft.com:80
* crl.microsoft.com:80
* ocsp.msocsp.com:80
* www.microsoft.com:80

4. Use the [Azure AD Application Proxy Connector Ports Test Tool](https://aadap-portcheck.connectorporttest.msappproxy.net/) to verify that your connector can reach the Application Proxy service. At a minimum, make sure that the Central US region and the region closest to you have all green checkmarks. Beyond that, more green checkmarks means greater resiliency.
4. Your connector needs access to login.windows.net and login.microsoftonline.net for the registration process.

5. Use the [Azure AD Application Proxy Connector Ports Test Tool](https://aadap-portcheck.connectorporttest.msappproxy.net/) to verify that your connector can reach the Application Proxy service. At a minimum, make sure that the Central US region and the region closest to you have all green checkmarks. Beyond that, more green checkmarks means greater resiliency.

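Review bot: the four certificate-validation URLs are listed on port 80, which is correct as written (CRLs and OCSP responses are signed and are served over plain HTTP), so a short parenthetical saying so would stop readers from "hardening" the list to 443 and breaking revocation checks. The new step 4 dropped the instruction that the old step 3 carried ("so open your firewall for those URLs as well"); it now only states that the connector needs access to login.windows.net and login.microsoftonline.net, so keep the "allow access" wording for consistency with step 3. Step 2 whitelists msappproxy.net and servicebus.windows.net, while the external URLs shown elsewhere in this commit are subdomains of msappproxy.net; say whether the entries need to cover subdomains.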
## Install and register a connector
1. Sign in as an administrator in the [Azure portal](https://portal.azure.com/).
Expand Up @@ -12,7 +12,7 @@ ms.workload: identity
ms.tgt_pltfrm: na
ms.devlang: na
ms.topic: article
ms.date: 07/13/2017
ms.date: 08/04/2017
ms.author: kgremban
ms.reviewer: harshja
ms.custom: it-pro
Expand Down Expand Up @@ -61,15 +61,14 @@ The connector is a lightweight agent that sits on a Windows Server inside your n

The external endpoint is how your users reach your applications while outside of your network. They can either go directly to an external URL that you determine, or they can access the application through the MyApps portal. When users go to one of these endpoints, they authenticate in Azure AD and then are routed through the connector to the on-premises application.

![AzureAD Application Proxy diagram](./media/active-directory-appssoaccess-whatis/azureappproxxy.png)
![AzureAD Application Proxy diagram](./media/active-directory-application-proxy-get-started/azureappproxxy.png)

1. The user accesses the application through the Application Proxy and is directed to the Azure AD sign-in page to authenticate.
2. After a successful sign-in, a token is generated and sent to the user.
3. The user sends the token to Application Proxy, which retrieves the user principal name (UPN) and security principal name (SPN) from the token, then directs the request to the connector.
4. On behalf of the user, the connector requests a Kerberos ticket that can be used for internal (Windows) authentication. This step is known as Kerberos Constrained Delegation.
5. Active Directory retrieves the Kerberos ticket.
6. The ticket is sent to the application server and verified.
7. The response is sent through Application Proxy to the user.
1. The user accesses the application through the Application Proxy service and is directed to the Azure AD sign-in page to authenticate.
2. After a successful sign-in, a token is generated and sent to the client device.
3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token, then directs the request to the Application Proxy connector.
4. If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.
5. The connector sends the request to the on-premises application.
6. The response is sent through Application Proxy service and connector to the user.

### Single sign-on
Azure AD Application Proxy provides single sign-on (SSO) to applications that use Integrated Windows Authentication (IWA), or claims-aware applications. If your application uses IWA, Application Proxy impersonates the user using Kerberos Constrained Delegation to provide SSO. If you have a claims-aware application that trusts Azure Active Directory, SSO works because the user was already authenticated by Azure AD.
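Review bot: in step 3, SPN expands to service principal name, not "security principal name"; the mistake is in both the old and the new text and should be fixed while the steps are being rewritten. Step 6 reads "sent through Application Proxy service and connector" and needs "the" ("through the Application Proxy service and connector"). The new step 4 replaces the explicit Kerberos Constrained Delegation description with "any additional authentication required"; since the Single sign-on section directly below still names KCD, a pointer from step 4 to that section keeps the detail discoverable.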
Expand Up @@ -13,7 +13,7 @@ ms.workload: identity
ms.tgt_pltfrm: na
ms.devlang: na
ms.topic: article
ms.date: 05/04/2017
ms.date: 08/04/2017
ms.author: curtand

ms.custom: H1Hack27Feb2017
Expand Down Expand Up @@ -49,6 +49,7 @@ This article explains how to create and populate a new group in Azure Active Dir

![Create group confirmation](./media/active-directory-groups-create-azure-portal/create-group-confirmation.png)


## Next steps
These articles provide additional information on Azure Active Directory.


0 comments on commit f66f1f3