articles/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap.md
14 additions & 12 deletions
@@ -13,7 +13,7 @@ ms.workload: identity
13
13
ms.tgt_pltfrm: na
14
14
ms.devlang: na
15
15
ms.topic: article
16
-
ms.date: 09/21/2016
16
+
ms.date: 01/20/2016
17
17
ms.author: maheshu
18
18
19
19
---
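Review bot: the ms.date value on the `+` line moves backwards, from 09/21/2016 to 01/20/2016. The other file touched in this commit sets ms.date to 01/19/2017, so this is almost certainly a typo for 01/20/2017 and should be corrected before merge.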
@@ -28,43 +28,45 @@ To perform the tasks listed in this article, you need:
28
28
3.**Azure AD Domain Services** must be enabled for the Azure AD directory. If you haven't done so, follow all the tasks outlined in the [Getting Started guide](active-directory-ds-getting-started.md).
29
29
4. A **certificate to be used to enable secure LDAP**.
30
30
31
-
***Recommended** - Obtain a certificate from your enterprise CA or public certification authority. This configuration option is more secure.
31
+
***Recommended** - Obtain a certificate from a trusted public certification authority. This configuration option is more secure.
32
32
* Alternately, you may also choose to [create a self-signed certificate](#task-1---obtain-a-certificate-for-secure-ldap) as shown later in this article.
33
33
34
34
<br>
35
35
36
36
### Requirements for the secure LDAP certificate
37
37
Acquire a valid certificate per the following guidelines, before you enable secure LDAP. You encounter failures if you try to enable secure LDAP for your managed domain with an invalid/incorrect certificate.
38
38
39
-
1.**Trusted issuer** - The certificate must be issued by an authority trusted by computers that need to connect to the domain using secure LDAP. This authority may be your organization's enterprise certification authority or a public certification authority trusted by these computers.
39
+
1.**Trusted issuer** - The certificate must be issued by an authority trusted by computers that need to connect to the domain using secure LDAP. This authority may be a public certification authority trusted by these computers.
40
40
2.**Lifetime** - The certificate must be valid for at least the next 3-6 months. Secure LDAP access to your managed domain is disrupted when the certificate expires.
41
41
3.**Subject name** - The subject name on the certificate must be a wildcard for your managed domain. For instance, if your domain is named 'contoso100.com', the certificate's subject name must be '*.contoso100.com'. Set the DNS name (subject alternate name) to this wildcard name.
42
42
4.**Key usage** - The certificate must be configured for the following uses - Digital signatures and key encipherment.
43
43
5.**Certificate purpose** - The certificate must be valid for SSL server authentication.
44
44
45
+
> [!NOTE]
46
+
> **Enterprise Certification Authorities:** Azure AD Domain Services does not currently support using secure LDAP certificates issued by your organization's enterprise certification authority. This restriction is because the service does not trust your enterprise CA as a root certification authority. We expect to add support for enterprise CAs in the future. If you absolutely must use certificates issued by your enterprise CA, [contact us](active-directory-ds-contact-us.md) for assistance.
47
+
>
48
+
>
49
+
45
50
<br>
46
51
47
52
## Task 1 - Obtain a certificate for secure LDAP
48
53
The first task involves obtaining a certificate used for secure LDAP access to the managed domain. You have two options:
49
54
50
-
* Obtain a certificate from a certification authority. The authority may be your organization's enterprise CA or a public certification authority.
55
+
* Obtain a certificate from a certification authority. The authority may be a public certification authority.
51
56
* Create a self-signed certificate.
52
57
53
58
### Option A (Recommended) - Obtain a secure LDAP certificate from a certification authority
54
-
If your organization deploys an enterprise public key infrastructure (PKI), you need to obtain a certificate from the enterprise certification authority (CA) for your organization. If your organization obtains its certificates from a public certification authority, you need to obtain the secure LDAP certificate from that public certification authority.
59
+
If your organization obtains its certificates from a public certification authority, you need to obtain the secure LDAP certificate from that public certification authority.
55
60
56
61
When requesting a certificate, ensure that you follow the requirements outlined in [Requirement for the secure LDAP certificate](#requirements-for-the-secure-ldap-certificate).
57
62
58
63
> [!NOTE]
59
-
> Client computers that need to connect to the managed domain using secure LDAP must trust the issuer of the LDAPS certificate.
64
+
> Client computers that need to connect to the managed domain using secure LDAP must trust the issuer of the secure LDAP certificate.
60
65
>
61
66
>
62
67
63
68
### Option B - Create a self-signed certificate for secure LDAP
64
-
You may choose to create a self-signed certificate for secure LDAP, if:
65
-
66
-
* certificates in your organization are not issued by an enterprise certification authority or
67
-
* you do not expect to use a certificate from a public certification authority.
69
+
If you do not expect to use a certificate from a public certification authority, you may choose to create a self-signed certificate for secure LDAP.
68
70
69
71
**Create a self-signed certificate using PowerShell**
70
72
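Review bot: with the enterprise CA path removed, Option B (self-signed) is now the only alternative to a public CA, but the rewritten "Trusted issuer" requirement at line 39 and the note under Option A still say that client computers must trust the issuer of the certificate, which a self-signed certificate does not satisfy by default. The new sentence introducing Option B at line 69 should state explicitly that every client that will connect over secure LDAP must have the self-signed certificate imported into its trusted root store; otherwise readers following Option B will hit TLS trust failures and have no pointer to the cause.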
@@ -81,7 +83,7 @@ In the preceding sample, replace 'contoso100.com' with the DNS domain name of yo
81
83
The newly created self-signed certificate is placed in the local machine's certificate store.
82
84
83
85
## Task 2 - Export the secure LDAP certificate to a .PFX file
84
-
Before you start this task, ensure that you have obtained the secure LDAP certificate from your enterprise certification authority or a public certification authority or have created a self-signed certificate.
86
+
Before you start this task, ensure that you have obtained the secure LDAP certificate from a public certification authority or have created a self-signed certificate.
85
87
86
88
Perform the following steps, to export the LDAPS certificate to a .PFX file.
87
89
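Review bot: the unchanged context line 88 still says "export the LDAPS certificate to a .PFX file" while the earlier hunk in this file renamed "LDAPS certificate" to "secure LDAP certificate" in the Option A note; update this line to "export the secure LDAP certificate to a .PFX file" so the terminology is consistent across the article.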
@@ -170,7 +172,7 @@ To enable secure LDAP, perform the following configuration steps:
> It takes about 10 to 15 minutes to enable secure LDAP for your managed domain. If the provided secure LDAP certificate does not match the required criteria, secure LDAP is not enabled for your directory and you see a failure. For example, the domain name is incorrect, the certificate is expired or expires soon etc.
175
+
> It takes about 10 to 15 minutes to enable secure LDAP for your managed domain. If the provided secure LDAP certificate does not match the required criteria, secure LDAP is not enabled for your directory and you see a failure. For example, the domain name is incorrect, the certificate has already expired or expires soon.
174
176
>
175
177
>
176
178
9. When secure LDAP is successfully enabled for your managed domain, the **Pending...** message should disappear. You should see the thumbprint of the certificate displayed.
articles/active-directory/active-directory-faq.md
28 additions & 1 deletion
@@ -13,7 +13,7 @@ ms.workload: identity
13
13
ms.tgt_pltfrm: na
14
14
ms.devlang: na
15
15
ms.topic: get-started-article
16
-
ms.date: 10/31/2016
16
+
ms.date: 01/19/2017
17
17
ms.author: markvi
18
18
19
19
---
@@ -41,6 +41,18 @@ In fact, all the users you have enabled for Microsoft Online services are define
41
41
42
42
Additionally, Azure AD paid services (e.g.: Azure AD basic, Premium, EMS, etc.) complement other Online services such as Office 365 and Microsoft Azure with comprehensive enterprise scale management and security solutions.
43
43
44
+
**Q: Why can I sign-in to the Azure portal but not the classic portal?**
45
+
**A:** The new Azure portal does not require a valid subscription whereas the classic portal does require you to have a valid subscription. If you do not have a subscription, you will not be able to sign-in to the classic portal.
46
+
47
+
**Q:** What are the differences between Subscription Administrator and Directory Administrator?**
48
+
49
+
**A:** By default, you are assigned the Subscription Administrator role when you sign up for Azure. A subscription Administrator can use either a Microsoft account or a work or school account from the directory that the Azure subscription is associated with. This role is authorized to manage services in the Azure portal.
50
+
If others need to sign in and access services using the same subscription, you can add them as co-administrators. This role has the same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories. For additional information on Subscription Administrators see [here.](../billing-add-change-azure-subscription-administrator.md) and [here](active-directory-how-subscriptions-associated-directory.md)
51
+
52
+
Azure AD has a different set of administrative roles to manage the directory and identity-related features. These administrators will have access to various features in the Azure portal or Azure classic portal and, depending on their role, will be able to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains, among other things. For additional information on Azure AD Directory Administrators and their roles see [here.](active-directory-assign-admin-roles.md)
53
+
54
+
55
+
44
56
- - -
45
57
## Getting started with Hybrid Azure AD
46
58
**Q: How can I connect my on-premises directory to Azure AD?**
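Review bot: the bold markup on the new question at line 47 is unbalanced: `**Q:** What are the differences between Subscription Administrator and Directory Administrator?**` closes the bold after `Q:` and then leaves a stray trailing `**`, so it will render with literal asterisks; write it as `**Q: What are the differences between Subscription Administrator and Directory Administrator?**` to match the other questions. Smaller points in the same hunk: "sign-in" is used as a verb at lines 44 and 45 (the verb is "sign in"), the answer at line 50 switches from "Subscription Administrator" to "Service Administrator" without defining the latter, and the link text `[here.]` at lines 50 and 52 puts the period inside the link.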
@@ -92,6 +104,18 @@ For more details, see [Getting started with Password Management](active-director
92
104
93
105
For more answers to password related questions, see [Password Management Frequently Asked Questions](active-directory-passwords-faq.md).
94
106
107
+
**Q: What can I do if I cannot remember my existing Office 365/Azure AD password while trying to change my password?**
108
+
109
+
**A:** For this type of situation there are a couple of options. If your organization has enabled self-service password reset then you can try this. This may or may not work depending on how self-serive password reset has been configured. For more information see [How does the password reset portal work.](active-directory-passwords-learn-more.md#how-does-the-password-reset-portal-work)
110
+
111
+
For Office 365 users, your administrator can reset the password using the steps outlined [here.](https://support.office.com/en-us/article/Admins-Reset-user-passwords-7A5D073B-7FAE-4AA5-8F96-9ECD041ABA9C?ui=en-US&rs=en-US&ad=US)
112
+
113
+
For Azure AD accounts, administrators can reset passwords using one of the following:
114
+
115
+
-[Reset accounts in the Azure portal](active-directory-users-reset-password-azure-portal.md)
116
+
-[Reset accounts in the classic portal](active-directory-create-users-reset-password.md)
**Q: Where can I find a list of applications that are pre-integrated with Azure AD and their capabilities?**
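Review bot: the two list items at lines 115 and 116 are written as `-[Reset accounts ...]` with no space after the hyphen, so Markdown will not render them as a list; use `- [Reset accounts ...]`. Also fix "self-serive" to "self-service" at line 109, and move the periods outside the link text in `[How does the password reset portal work.]` (line 109) and `[here.]` (line 111).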
@@ -154,4 +178,7 @@ For more details, see [Securing access to Office 365 and other apps connected to
154
178
155
179
For more information, see [Automate User Provisioning and Deprovisioning to SaaS Applications with Azure Active Directory](active-directory-saas-app-provisioning.md)
156
180
181
+
**Q: Can I setup a secure LDAP connection with Azure Active Directory?**
182
+
**A:** No. Azure AD does not support using the LDAP protocol.
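Review bot: "setup" at line 181 is the noun; the verb form is "set up". On substance, "No. Azure AD does not support using the LDAP protocol." is accurate for Azure AD itself but leaves the reader with no path forward, while this same commit edits the Azure AD Domain Services guide for enabling secure LDAP on a managed domain (active-directory-ds-admin-guide-configure-secure-ldap.md). Add a sentence pointing to that article as the supported way to get an LDAP endpoint backed by Azure AD identities, so readers do not conclude that LDAP is impossible and fall back to an unmanaged directory.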
@@ -54,6 +53,7 @@ To enable your app to authenticate users and get tokens, you'll first need to re
54
53
* Click the application and choose **Manifest** to open the inline manifest editor.
55
54
* Locate the `oauth2AllowImplicitFlow` property. Set its value to `true`.
56
55
* Click **Save** to save the manifest.
56
+
8. Grant permissions across your tenant for your application. Go to Settings -> Properties -> Required Permissions, and click the **Grant Permissions** button in the top bar. Click **Yes** to confirm.
57
57
58
58
## 2. Install ADAL & Configure the SPA
59
59
Now that you have an application in Azure AD, you can install adal.js and write your identity-related code.
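Review bot: the new step 8 at line 56 is a numbered item placed directly after the `*` sub-bullets of the previous step, so verify that it renders as the next item of the outer numbered list rather than starting a new list at 1. On substance, the "Grant Permissions" button applies tenant-wide admin consent for every permission the application requests, on behalf of all users in the tenant; the step should say that this requires an administrator of the tenant and what the consent covers, so a reader setting up a single-page app understands the scope of what they approve before clicking Yes.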
When connecting to Azure Analysis Services from Excel or other interfaces such as TOM, AsCmd, ADOMD.NET, you may need to install the latest provider client libraries. Get the latest:
When connecting to an Azure Analysis Services server from Excel or other interfaces such as TOM, AsCmd, ADOMD.NET, you may need to install the latest data providers. To learn more, see [Data providers](analysis-services-data-providers.md).
articles/analysis-services/analysis-services-manage-users.md
7 additions & 5 deletions
@@ -19,16 +19,18 @@ ms.author: owend
19
19
20
20
---
21
21
# Manage users in Azure Analysis Services
22
-
In Azure Analysis Services there are two types of users, server administrators and database users.
22
+
In Azure Analysis Services, there are two types of users, server administrators and database users.
23
23
24
24
## Server administrators
25
-
You can use **Analysis Services Admins** in the control blade for your server in Azure portal or Server Properties in SSMS to manage server administrators. Analysis Services Admins are database server administrators with rights for common database administration tasks such as adding and removing databases and managing users. By default, the user that creates the server in Azure portal is automatically added as an Analysis Services Admin.
25
+
You can use **Analysis Services Admins** in the control blade for your server in Azure portal, or Server Properties in SSMS to manage server administrators. Analysis Services Admins are database server administrators with rights for common database administration tasks such as adding and removing databases and managing users. By default, the user that creates the server in Azure portal is automatically added as an Analysis Services Admin.
26
+
27
+

26
28
27
29
You should also know:
28
30
29
31
* Windows Live ID is not a supported identity type for Azure Analysis Services.
30
32
* Analysis Services Admins must be valid Azure Active Directory users.
31
-
* If creating an Azure Analysis Services server via Azure Resource Manager templates, Analysis Services Admins takes a JSON array of users that should be added as admins.
33
+
* If creating an Azure Analysis Services server via Azure Resource Manager templates, Analysis Services Admins takes a JSON array of users that should be added as admins.
32
34
33
35
Analysis Services Admins can be different from Azure resource administrators, which can manage resources for Azure subscriptions. This maintains compatibility with existing XMLA and TMSL manage behaviors in Analysis Services and to allow you to segregate duties between Azure resource management and Analysis Services database management. To view all roles and access types for your Azure Analysis Services resource, use Access control (IAM) on the control blade.
34
36
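Review bot: the `+` lines 26 and 27 add two blank lines after the server administrators paragraph, and line 27 appears to contain only whitespace; one blank line is enough, and the stray whitespace should be dropped. Likewise the bullet at old line 31 / new line 33 reads identically on both sides of the diff, so that change is whitespace-only; confirm it is intended. In the unchanged context at line 35, "This maintains compatibility with existing XMLA and TMSL manage behaviors in Analysis Services and to allow you to segregate duties" does not parse; suggest "This maintains compatibility with existing XMLA and TMSL management behaviors in Analysis Services and allows you to segregate duties between Azure resource management and Analysis Services database management."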
@@ -40,9 +42,9 @@ Analysis Services Admins can be different from Azure resource administrators, wh
40
42
## Database users
41
43
Database users must be added to database roles. Roles define users and groups that have the same permissions for a database. By default, tabular model databases have a default Users role with Read permissions. To learn more, see [Roles in tabular models](https://msdn.microsoft.com/library/hh213165.aspx).
42
44
43
-
Azure Analysis Services model database users *must be in your Azure Active Directory*. Usernames specified must be by organizational email address or UPN. This is different from on-premises tabular model databases which support users by Windows domain usernames.
45
+
Azure Analysis Services model database users *must be in your Azure Active Directory*. Usernames specified must be by organizational email address or UPN. This is different from on-premises tabular model databases, which support users by Windows domain usernames.
44
46
45
-
You can create database roles, add users and groups to roles, and configure row-level security in SQL Server Data Tools (SSDT) or in SQL Server Management Studio (SSMS). You can also add or remove users to roles by using [Analysis Services PowerShell cmdlets](https://msdn.microsoft.com/library/hh758425.aspx), or by using [Tabular Model Scripting Language](https://msdn.microsoft.com/library/mt614797.aspx) (TMSL).
47
+
You can create database roles, add users and groups to roles, and configure row-level security in SQL Server Data Tools (SSDT) or in SQL Server Management Studio (SSMS). You can also add or remove users to roles by using [Analysis Services PowerShell cmdlets](https://msdn.microsoft.com/library/hh758425.aspx) or by using [Tabular Model Scripting Language](https://msdn.microsoft.com/library/mt614797.aspx) (TMSL).
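Review bot: the `+` line 45 keeps "Usernames specified must be by organizational email address or UPN", which is awkward while the sentence is being touched anyway; suggest "Usernames must be specified as an organizational email address or UPN." The comma fixes in the rest of the hunk are fine.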