etherscan-io
diff --git a/‎.openpublishing.redirection.json
Lines changed: 35 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 35 additions & 0 deletions
diff --git a/‎articles/active-directory-b2c/active-directory-b2c-reference-language-customization.md
Lines changed: 117 additions & 78 deletions b/‎articles/active-directory-b2c/active-directory-b2c-reference-language-customization.md
Lines changed: 117 additions & 78 deletions
diff --git a/‎articles/active-directory-domain-services/active-directory-ds-ldaps-bind-lockdown.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-domain-services/active-directory-ds-ldaps-bind-lockdown.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/authentication/howto-mfaserver-deploy-upgrade.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/authentication/howto-mfaserver-deploy-upgrade.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/develop/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/develop/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/active-directory/develop/active-directory-v2-registration-portal.md
Lines changed: 7 additions & 10 deletions b/‎articles/active-directory/develop/active-directory-v2-registration-portal.md
Lines changed: 7 additions & 10 deletions
diff --git a/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/1.png
98.6 KB b/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/1.png
98.6 KB
diff --git a/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/2.png
17.3 KB b/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/2.png
17.3 KB
diff --git a/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/3.png
28.3 KB b/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/3.png
28.3 KB
diff --git a/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/4.png
70 KB b/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/4.png
70 KB
diff --git a/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/5.png
19.5 KB b/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/5.png
19.5 KB
diff --git a/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/6.png
27 KB b/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/6.png
27 KB
diff --git a/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/7.png
21 KB b/‎articles/active-directory/develop/media/v2-saml-bearer-assertion/7.png
21 KB
diff --git a/‎articles/active-directory/develop/quickstart-configure-app-expose-web-apis.md
Lines changed: 4 additions & 3 deletions b/‎articles/active-directory/develop/quickstart-configure-app-expose-web-apis.md
Lines changed: 4 additions & 3 deletions
diff --git a/‎articles/active-directory/develop/v2-saml-bearer-assertion.md
Lines changed: 96 additions & 0 deletions b/‎articles/active-directory/develop/v2-saml-bearer-assertion.md
Lines changed: 96 additions & 0 deletions
diff --git a/‎articles/active-directory/devices/hybrid-azuread-join-plan.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/devices/hybrid-azuread-join-plan.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/devices/troubleshoot-device-dsregcmd.md
Lines changed: 3 additions & 0 deletions b/‎articles/active-directory/devices/troubleshoot-device-dsregcmd.md
Lines changed: 3 additions & 0 deletions
@@ -15,6 +15,11 @@
       "redirect_url": "/azure/machine-learning/service/how-to-manage-workspace",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/machine-learning/service/concept-accelerate-with-fpgas.md",
+      "redirect_url": "/azure/machine-learning/service/how-to-deploy-fpga-web-service",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/machine-learning/service/quickstart-run-local-notebook.md",
       "redirect_url": "/azure/machine-learning/service/how-to-configure-environment#local",
@@ -1240,6 +1245,16 @@
       "redirect_url": "/azure/cognitive-services/Speech-Service/speech-devices-sdk-android-quickstart",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/cognitive-services/immersive-reader/ios-picture-immersive-reader-tutorial.md",
+      "redirect_url": "/azure/cognitive-services/immersive-reader/tutorial-ios-picture-immersive-reader",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/cognitive-services/immersive-reader/tutorial.md",
+      "redirect_url": "/azure/cognitive-services/immersive-reader/tutorial-nodejs",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/active-directory/active-directory-licensing-ps-examples.md",
       "redirect_url": "/azure/active-directory/users-groups-roles/licensing-ps-examples",
@@ -7479,6 +7494,11 @@
       "source_path": "articles/active-directory/active-directory-saas-cisco-spark-provisioning-tutorial.md",
       "redirect_url": "/azure/active-directory/saas-apps/cisco-spark-provisioning-tutorial",
       "redirect_document_id": true
+    },
+	{
+      "source_path": "articles/active-directory/saas-apps/cisco-spark-provisioning-tutorial.md",
+      "redirect_url": "/azure/active-directory/saas-apps/cisco-webex-provisioning-tutorial",
+      "redirect_document_id": false
     },
     {
       "source_path": "articles/active-directory/active-directory-saas-cisco-webex-tutorial.md",
@@ -23742,6 +23762,11 @@
     {
       "source_path": "articles/storage/storage-dotnet-shared-access-signature-part-1.md",
       "redirect_url": "/azure/storage/common/storage-dotnet-shared-access-signature-part-1",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/storage/common/storage-dotnet-shared-access-signature-part-1.md",
+      "redirect_url": "/azure/storage/common/storage-sas-overview",
       "redirect_document_id": true
     },
     {
@@ -30994,6 +31019,16 @@
       "redirect_url": "https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-nodejs",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/cognitive-services/QnAMaker/Quickstarts/publish-kb-nodejs.md",
+      "redirect_url": "/azure/cognitive-services/QnAMaker/Quickstarts/create-knowledge-rest-api-nodejs#publish-a-knowledge-base",
+      "redirect_document_id": false
+    },        
+    {
+      "source_path": "articles/cognitive-services/QnAMaker/Quickstarts/create-new-kb-nodejs.md",
+      "redirect_url": "/azure/cognitive-services/QnAMaker/Quickstarts/create-knowledge-rest-api-nodejs",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "articles/cognitive-services/QnAMaker/faqs.md",
       "redirect_url": "/azure/cognitive-services/QnAMaker/troubleshooting",
 
@@ -32,7 +32,7 @@ First, open LDP and connect to the managed domain. Click **Connection** and clic
 Next, bind to the managed domain. Click **Connection** and click **Bind...** in the menu. Provide the credentials of a user account belonging to the 'AAD DC Administrators' group.
 
 > [!IMPORTANT]
-> Users (and service accounts) cannot perform LDAP simple binds if you have disabled NTLM password hash synchronization on your Azure AD Domain Services instance.  For more information on disabling NTLM password hash synchronization, read [Secure your Azure AD DOmain Services managed domain](secure-your-domain.md).
+> Users (and service accounts) cannot perform LDAP simple binds if you have disabled NTLM password hash synchronization on your Azure AD Domain Services instance.  For more information on disabling NTLM password hash synchronization, read [Secure your Azure AD Domain Services managed domain](secure-your-domain.md).
 >
 >
 
 
@@ -63,7 +63,7 @@ If you have the User Portal on multiple servers, repeat the installation on all
 ## Upgrade the Mobile App Web Service
 
 > [!NOTE]
-> When upgrading from a version of Azure MFA Server older than 8.0 to 8.0+ that the mobile app web service can be uninstalled after the upgrade
+> When upgrading from a version of Azure MFA Server older than 8.0 to 8.0+ then the mobile app web service can be uninstalled after the upgrade
 
 ## Upgrade the AD FS Adapters
 
 
@@ -295,6 +295,8 @@
         href: v2-oauth2-device-code.md
       - name: OAuth 2.0 resource owner password credentials grant
         href: v2-oauth-ropc.md
+      - name: OAuth 2.0 SAML bearer assertion flow
+        href: v2-saml-bearer-assertion.md
       - name: Signing key rollover
         href: active-directory-signing-key-rollover.md
       - name: ID tokens
 
@@ -14,27 +14,24 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 08/28/2018
+ms.date: 08/13/2019
 ms.author: ryanwi
 ms.reviewer: lenalepa
 ms.custom: aaddev
 ms.collection: M365-identity-device-management
 ---
 
 # App registration reference
-This document provides context and descriptions of various features found in the [Application Registration Portal](https://apps.dev.microsoft.com/?referrer=https://azure.microsoft.com/).
-
-> [!NOTE]
-> We will no longer support registering and managing converged and Azure AD applications in the [Application Registration Portal](https://apps.dev.microsoft.com/?referrer=https://azure.microsoft.com/) starting May 2019. We recommend that you manage your existing applications and register new applications by using the [App registrations](https://aka.ms/appregistrations) experience in the Azure portal.
+This document provides context and descriptions of various features found in the [App registrations](https://aka.ms/appregistrations) experience in the Azure portal.
 
 ## My Applications or Converged applications
-This list contains all of your applications registered for use with the Azure AD v2.0 endpoint. These applications have the ability to sign in users with both personal Microsoft accounts and work/school accounts from Azure Active Directory. To learn more about the Azure AD v2.0 endpoint, see the [v2.0 overview](active-directory-appmodel-v2-overview.md). These applications can also be used to integrate with the Microsoft account authentication endpoint, `https://login.live.com`.
+This list contains all of your applications registered for use with the Microsoft identity platform (v2.0) endpoint. These applications have the ability to sign in users with both personal Microsoft accounts and work/school accounts from Azure Active Directory. To learn more about the identity platform endpoint, see the [v2.0 overview](active-directory-appmodel-v2-overview.md). These applications can also be used to integrate with the Microsoft account authentication endpoint, `https://login.live.com`.
 
 ## Azure AD only applications
-This list contains all of your applications registered for use with the Azure AD v1.0 endpoint. These applications only have the ability to sign in users with work/school accounts from Azure Active Directory. This list includes applications that were registered using the **App registrations** experience in the [Azure Portal](https://portal.azure.com).
+This list contains all of your applications registered for use with the Azure AD v1.0 endpoint. These applications only have the ability to sign in users with work/school accounts from Azure Active Directory. This list includes applications that were registered using the **App registrations** experience in the [Azure portal](https://portal.azure.com).
 
 ## Live SDK Applications
-This list contains all of your applications registered for use solely with Microsoft account. They are not enabled for use with Azure Active Directory. This is where you find any applications that were previously registered with the MSA developer portal at `https://account.live.com/developers/applications`. All functions that you previously performed at `https://account.live.com/developers/applications` can now be performed in this new portal, `https://apps.dev.microsoft.com`.
+This list contains all of your applications registered for use solely with Microsoft account. They are not enabled for use with Azure Active Directory. This is where you find any applications that were previously registered with the MSA developer portal at `https://account.live.com/developers/applications`. All functions that you previously performed at `https://account.live.com/developers/applications` can now be performed in [App registrations](https://aka.ms/appregistrations).
 
 ## Application Secrets
 Application secrets are credentials that allow your application to perform reliable [client authentication](https://tools.ietf.org/html/rfc6749#section-2.3) with Azure AD. In OAuth & OpenID Connect, an application secret is commonly referred to as a `client_secret`. In the v2.0 protocol, any application that receives a security token at a web addressable location (using an `https` scheme) must use an application secret to identify itself to Azure AD upon redemption of that security token. Furthermore, any native client that receives tokens on a device will be forbidden from using an application secret to perform client authentication. This discourages the storage of secrets in insecure environments.
@@ -48,9 +45,9 @@ You are required to upload a certificate that contains a public key.
 The profile section of the app registration portal can be used to customize the sign-in page for your application. At this time you can alter the sign-in page's application logo, terms of service URL, and privacy statement URL. The logo must be a transparent 48 x 48 or 50 x 50 pixel image in a GIF, PNG or JPEG file that is 15 KB or smaller. Try changing the values and viewing the resulting sign-in page!
 
 ## Live SDK Support
-When you enable "Live SDK Support", any application secrets you create will be provisioned into both the Azure AD and Microsoft Account data stores. This allows your application to integrate directly with the Microsoft Account service (login.live.com). If you wish to build an app using Microsoft Account directly (as opposed to using the Azure AD v2.0 endpoint), you should make sure Live SDK Support is enabled.
+When you enable "Live SDK Support", any application secrets you create will be provisioned into both the Azure AD and Microsoft Account data stores. This allows your application to integrate directly with the Microsoft Account service (login.live.com). If you wish to build an app using Microsoft Account directly (as opposed to using the v2.0 endpoint), you should make sure Live SDK Support is enabled.
 
 Disabling Live SDK support ensures that the application secret is only written into the Azure AD data store. The Azure AD data store incorporates enterprise-grade regulations that allow it to meet certain standards, such as FISMA compliance. If you enable Live SDK support, your application may not achieve compliance with some of these standards.
 
-If you only ever plan to use the Azure AD v2.0 endpoint, you can safely disable Live SDK support.
+If you only ever plan to use the v2.0 endpoint, you can safely disable Live SDK support.
 
@@ -13,7 +13,7 @@ ms.devlang: na
 ms.topic: quickstart
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 05/08/2019
+ms.date: 08/14/2019
 ms.author: ryanwi
 ms.custom: aaddev
 ms.reviewer: aragra, lenalepa, sureshja
@@ -113,8 +113,9 @@ To expose a new scope through the application manifest:
 ## Verify the web API is exposed to other applications
 
 1. Go back to your Azure AD tenant, select **App registrations**, find and select the client application you want to configure.
-1. Repeat the steps outlined in Configure a client application to access web APIs.
-1. When you get to the **Select an API** step, select your resource. You should see the new scope, available for client permission requests.
+1. Repeat the steps outlined in [Configure a client application to access web APIs](quickstart-configure-app-access-web-apis.md).
+1. When you get to the step to [select an API](quickstart-configure-app-access-web-apis.md#add-permissions-to-access-web-apis
+), select your resource. You should see the new scope, available for client permission requests.
 
 ## More on the application manifest
 
 
@@ -0,0 +1,96 @@
+---
+title: Microsoft identity platform and SAML bearer assertion flow | Azure
+description: Learn how to fetch data from Microsoft Graph without prompting the user for credentials using the SAML bearer assertion flow.
+services: active-directory
+documentationcenter: ''
+author: umeshbarapatre
+manager: CelesteDG
+editor: ''
+
+ms.assetid: 
+ms.service: active-directory
+ms.subservice: develop
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: conceptual
+ms.date: 08/05/2019
+ms.author: ryanwi
+ms.reviewer: hirsin
+ms.custom: aaddev
+ms.collection: M365-identity-device-management
+---
+
+# Microsoft identity platform and OAuth 2.0 SAML bearer assertion flow
+The OAuth 2.0 SAML bearer assertion flow allows you to request an OAuth access token using a SAML assertion when a client needs to use an existing trust relationship. The signature applied to the SAML assertion provides authentication of the authorized app. A SAML assertion is an XML security token issued by an identity provider and consumed by a service provider. The service provider relies on its content to identify the assertion’s subject for security-related purposes.
+
+The SAML assertion is posted to the OAuth token endpoint.  The endpoint processes the assertion and issues an access token based on prior approval of the app. The client isn’t required to have or store a refresh token, nor is the client secret required to be passed to the token endpoint.
+
+SAML Bearer Assertion flow is useful when fetching data from Microsoft Graph APIs (which only support delegated permissions) without prompting the user for credentials. In this scenario the client credentials grant, which is preferred for background processes, does not work.
+
+For applications that do interactive browser-based sign-in to get a SAML assertion and then want to add access to an OAuth protected API (such as Microsoft Graph), you can make an OAuth request to get an access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign-in and the user doesn't need to enter their credentials.
+
+The OAuth SAML Bearer Assertion flow is also supported for users authenticating with identity providers such as Active Directory Federation Services (ADFS) federated to Azure Active Directory.  The SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user.
+
+![OAuth flow](./media/v2-saml-bearer-assertion/1.png)
+
+## Call Graph using SAML bearer assertion
+Now let us understand on how we can actually fetch SAML assertion programatically. This approach is tested with ADFS. However, this works with any identity provider that supports the return of SAML assertion programatically. The basic process is: get a SAML assertion, get an access token, and access Microsoft Graph.
+
+### Prerequisites
+
+Establish a trust relationship between the authorization server/environment (Microsoft 365) and the identity provider, or issuer of the SAML 2.0 bearer assertion (ADFS). To configure ADFS for single sign-on and as an identity provider you may refer to [this article](https://blogs.technet.microsoft.com/canitpro/2015/09/11/step-by-step-setting-up-ad-fs-and-enabling-single-sign-on-to-office-365/).
+
+Register the application in the [portal](https://ms.portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade):
+1. Sign in to the [app registration blade of the portal](https://ms.portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) (Please note that we are using the v2.0 endpoints for Graph API and hence need to register the application in this portal. Otherwise we could have used the registrations in Azure active directory). 
+1. Select **New registration**.
+1. When the **Register an application** page appears, enter your application's registration information: 
+    1. **Name** - Enter a meaningful application name that will be displayed to users of the app.
+    1. **Supported account types** - Select which accounts you would like your application to support.
+    1. **Redirect URI (optional)** - Select the type of app you're building, Web, or Public client (mobile & desktop), and then enter the redirect URI (or reply URL) for your application.
+    1. When finished, select **Register**.
+1. Make a note of the application (client) ID.
+1. In the left pane, select **Certificates & secrets**. Click **New client secret** in the **Client secrets** section. Copy the new client secret, you won't be able to retrieve when you leave the blade.
+1. In the left pane, select **API permissions** and then **Add a permission**. Select **Microsoft Graph**, then **delegated permissions**, and then select **Tasks.read** since we intend to use the Outlook Graph API. 
+
+Install [Postman](https://www.getpostman.com/), a tool required to test the sample requests.  Later, you can convert the requests to code.
+
+### Get the SAML assertion from ADFS
+Create a POST request to the ADFS endpoint using SOAP envelope to fetch the SAML assertion:
+
+![Get SAML assertion](./media/v2-saml-bearer-assertion/2.png)
+
+Header values:
+
+![Header values](./media/v2-saml-bearer-assertion/3.png)
+
+ADFS request body:
+
+![ADFS request body](./media/v2-saml-bearer-assertion/4.png)
+
+Once this request is posted successfully, you should receive a SAML assertion from ADFS. Only the **SAML:Assertion** tag data is required, convert it to base64 encoding to use in further requests.
+
+### Get the OAuth2 token using the SAML assertion 
+In this step, fetch an OAuth2 token using the ADFS assertion response.
+
+1. Create a POST request as shown below with the header values:
+
+    ![POST request](./media/v2-saml-bearer-assertion/5.png)
+1. In the body of the request, replace **client_id**, **client_secret**, and **assertion** (the base64 encoded SAML assertion obtained the previous step):
+
+    ![Request body](./media/v2-saml-bearer-assertion/6.png)
+1. Upon successful request, you will receive an access token from Azure active directory.
+
+### Get the data with the Oauth token
+
+After receiving the access token, call the Graph APIs (Outlook tasks in this example). 
+
+1. Create a GET request with the access token fetched in the previous step:
+
+    ![GET request](./media/v2-saml-bearer-assertion/7.png)
+
+1. Upon successful request, you will receive a JSON response.
+
+## Next steps
+
+Learn about the different [authentication flows and application scenarios](authentication-flows-app-scenarios.md).
@@ -98,7 +98,7 @@ Organizations may want to do a controlled validation of hybrid Azure AD join bef
 
 ## Select your scenario based on your identity infrastructure
 
-Hybrid Azure AD join works with both, managed and federated environments.  
+Hybrid Azure AD join works with both, managed and federated environments depending on whether the UPN is routable or non-routable. See bottom of the page for table on supported scenarios.  
 
 ### Managed environment
 
 
@@ -293,6 +293,9 @@ This section displays the output of sanity checks performed on a device joined t
 
 This section performs the perquisite checks for the provisioning of an NGC key. 
 
+> [!NOTE]
+> You may not see NGC pre-requisite check details in dsregcmd /status if the user already successfully configured NGC credentials.
+
 ### Sample NGC prerequisite check output
 
 ```
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ First, open LDP and connect to the managed domain. Click Connection and clic`
`32`	`32`	`Next, bind to the managed domain. Click Connection and click Bind... in the menu. Provide the credentials of a user account belonging to the 'AAD DC Administrators' group.`
`33`	`33`
`34`	`34`	`> [!IMPORTANT]`
`35`		`-> Users (and service accounts) cannot perform LDAP simple binds if you have disabled NTLM password hash synchronization on your Azure AD Domain Services instance. For more information on disabling NTLM password hash synchronization, read [Secure your Azure AD DOmain Services managed domain](secure-your-domain.md).`
	`35`	`+> Users (and service accounts) cannot perform LDAP simple binds if you have disabled NTLM password hash synchronization on your Azure AD Domain Services instance. For more information on disabling NTLM password hash synchronization, read [Secure your Azure AD Domain Services managed domain](secure-your-domain.md).`
`36`	`36`	`>`
`37`	`37`	`>`
`38`	`38`