Merge pull request MicrosoftDocs#285 from Microsoft/FromPrivateRepo

From private repo

Author: v-anpasi

articles/active-directory/active-directory-aadconnect-design-concepts.md

@@ -56,7 +56,7 @@ If you have multiple forests and do not move users between forests and domains,
 
 If you move users between forests and domains, then you must find an attribute that does not change or can be moved with the users during the move. A recommended approach is to introduce a synthetic attribute. An attribute that could hold something that looks like a GUID would be suitable. During object creation, a new GUID is created and stamped on the user. A custom sync rule can be created in the sync engine server to create this value based on the **objectGUID** and update the selected attribute in ADDS. When you move the object, make sure to also copy the content of this value.
 
-Another solution is to pick an existing attribute you know does not change. Commonly used attributes include **employeeID**. If you consider an attribute that contains letters, make sure there is no chance the case (upper case vs. lower case) can change for the attribute's value. Bad attributes that should not be used include those attributes with the name of the user. In a marriage or divorce, the name is expected to change, which is not allowed for this attribute. This is also one reason why attributes such as **userPrincipalName**, **mail**, and **targetAddress** are not even possible to select in the Azure AD Connect installation wizard. Those attributes also contain the @-character, which is not allowed in the sourceAnchor.
+Another solution is to pick an existing attribute you know does not change. Commonly used attributes include **employeeID**. If you consider an attribute that contains letters, make sure there is no chance the case (upper case vs. lower case) can change for the attribute's value. Bad attributes that should not be used include those attributes with the name of the user. In a marriage or divorce, the name is expected to change, which is not allowed for this attribute. This is also one reason why attributes such as **userPrincipalName**, **mail**, and **targetAddress** are not even possible to select in the Azure AD Connect installation wizard. Those attributes also contain the "@" character, which is not allowed in the sourceAnchor.
 
 ### Changing the sourceAnchor attribute
 The sourceAnchor attribute value cannot be changed after the object has been created in Azure AD and the identity is synchronized.

articles/active-directory/active-directory-certificate-based-authentication-android.md

@@ -12,11 +12,11 @@ ms.devlang: na
 ms.topic: article
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 10/10/2016
+ms.date: 12/14/2016
 ms.author: markvi
 
 ---
-# Get started with certificate based authentication on Android - Public Preview
+# Get started with certificate based authentication on Android
 > [!div class="op_single_selector"]
 > * [iOS](active-directory-certificate-based-authentication-ios.md)
 > * [Android](active-directory-certificate-based-authentication-android.md)
@@ -47,7 +47,7 @@ For all scenarios in this topic, the following tasks are required:
 | Apps | Support |
 | --- | --- |
 | Word / Excel / PowerPoint |![Check][1] |
-| OneNote |Coming soon |
+| OneNote |![Check][1] |
 | OneDrive |![Check][1] |
 | Outlook |![Check][1] |
 | Yammer |![Check][1] |
@@ -67,10 +67,16 @@ For Azure Active Directory to revoke a client certificate, the ADFS token must h
 
 Azure Active Directory adds these claims to the refresh token if they are available in the ADFS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation. 
 
-As a best practice, you should update the ADFS error pages with instructions on how to get a user certificate. 
-
+As a best practice, you should update the ADFS error pages with instructions on how to get a user certificate.  
 For more details, see [Customizing the AD FS Sign-in Pages](https://technet.microsoft.com/library/dn280950.aspx).  
 
+Some Office apps (with modern authentication enabled) send ‘*prompt=login*’ to Azure AD in their request. By default, Azure AD translates this in the request to ADFS to ‘*wauth=usernamepassworduri*’ (asks ADFS to do U/P auth) and ‘*wfresh=0*’ (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Just set the ‘*PromptLoginBehavior*’ in your federated domain settings to ‘*Disabled*‘. 
+You can use the [MSOLDomainFederationSettings](https://docs.microsoft.com/en-us/powershell/msonline/v1/set-msoldomainfederationsettings) cmdlet to perform this task:
+
+`Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled`
+
+
+
 ### Exchange ActiveSync clients support
 Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are supported. To determine if your email application does support this feature, please contact your application developer. 
 

articles/active-directory/active-directory-certificate-based-authentication-ios.md

@@ -12,11 +12,11 @@ ms.devlang: na
 ms.topic: article
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 10/21/2016
+ms.date: 12/14/2016
 ms.author: markvi
 
 ---
-# Get started with certificate based authentication on iOS - Public Preview
+# Get started with certificate based authentication on iOS
 > [!div class="op_single_selector"]
 > * [iOS](active-directory-certificate-based-authentication-ios.md)
 > * [Android](active-directory-certificate-based-authentication-android.md)
@@ -74,7 +74,13 @@ As a best practice, you should update the ADFS error pages with the following:
 * The requirement for installing the Azure Authenticator on iOS
 * Instructions on how to get a user certificate. 
 
-For more details, see [Customizing the AD FS Sign-in Pages](https://technet.microsoft.com/library/dn280950.aspx).  
+For more details, see [Customizing the AD FS Sign-in Pages](https://technet.microsoft.com/library/dn280950.aspx).
+
+Some Office apps (with modern authentication enabled) send ‘*prompt=login*’ to Azure AD in their request. By default, Azure AD translates this in the request to ADFS to ‘*wauth=usernamepassworduri*’ (asks ADFS to do U/P auth) and ‘*wfresh=0*’ (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Just set the ‘*PromptLoginBehavior*’ in your federated domain settings to ‘*Disabled*‘. 
+You can use the [MSOLDomainFederationSettings](https://docs.microsoft.com/en-us/powershell/msonline/v1/set-msoldomainfederationsettings) cmdlet to perform this task:
+
+`Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled`
+  
 
 ### Exchange ActiveSync clients support
 On iOS 9 or later, the native iOS mail client is supported. For all other Exchange ActiveSync applications, to determine if this feature is supported, contact your application developer.  

articles/active-directory/active-directory-conditional-access-automatic-device-registration-setup.md

@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 12/05/2016
+ms.date: 12/14/2016
 ms.author: markvi
 
 ---

articles/active-directory/active-directory-saas-allocadia-tutorial.md

@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 09/19/2016
+ms.date: 12/12/2016
 ms.author: jeedes
 
 ---
@@ -59,19 +59,25 @@ To configure the integration of Allocadia into Azure AD, you need to add Allocad
 1. In the **Azure classic portal**, on the left navigation pane, click **Active Directory**. 
 
     ![Active Directory][1]
+
 2. From the **Directory** list, select the directory for which you want to enable directory integration.
+
 3. To open the applications view, in the directory view, click **Applications** in the top menu.
 
     ![Applications][2]
+
 4. Click **Add** at the bottom of the page.
 
     ![Applications][3]
+
 5. On the **What do you want to do** dialog, click **Add an application from the gallery**.
 
     ![Applications][4]
+
 6. In the search box, type **Allocadia**.
 
     ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_01.png)
+
 7. In the results pane, select **Allocadia**, and then click **Complete** to add the application.
 
     ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_06.png)
@@ -102,19 +108,19 @@ Allocadia application expects the SAML assertions in a specific format. Please c
 1. In the Azure classic portal, on the **Allocadia** application integration page, in the menu on the top, click **Attributes**.
 
     ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_general_80.png) 
+
 2. On the **SAML token attributes** dialog, for each row shown in the table below, perform the following steps:
 
-   | Attribute Name | Attribute Value |
-   | --- | --- |
-   | firstname |user.givenname |
-   | lastname |user.surname |
-   | email |user.mail |
+    | Attribute Name | Attribute Value |
+    | --- | --- |
+    | firstname |user.givenname |
+    | lastname |user.surname |
+    | email |user.mail |
 
     a. Click **add user attribute** to open the **Add User Attribure** dialog.
 
     ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_general_81.png) 
 
-
     b. In the **Attrubute Name** textbox, type the attribute name shown for that row.
 
     c. From the **Attribute Value** list, selsect the attribute value shown for that row.
@@ -125,32 +131,38 @@ Allocadia application expects the SAML assertions in a specific format. Please c
 1. In the menu on the top, click **Quick Start**.
 
     ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_general_83.png)  
+
 2. On the **How would you like users to sign on to Allocadia** page, select **Azure AD Single Sign-On**, and then click **Next**.
 
     ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_03.png) 
+
 3. On the **Configure App Settings** dialog page, perform the following steps:.
 
     ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_04.png) 
 
     a. In the IDENTIFER box type the URL in the following pattern: For test environment use the URL as **"https://na2standby.allocadia.com"** and for production environment use **"https://na2.allocadia.com"**
 
     b. In the Reply URL type the URL in the following pattern: For test environment use the URL pattern as  **"https://na2standby.allocadia.com/allocadia/saml/SSO"** and for production environment use **"https://na2.allocadia.com/allocadia/saml/SSO"**
+
 4. On the **Configure single sign-on at Allocadia** page, perform the following steps:
 
     ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_05.png) 
 
     a. Click **Download metadata**, and then save the file on your computer.
 
     b. Click **Next**.
+
 5. To get SSO configured for your application, contact [Allocadia Support](mailTo:[email protected]) team and they will assist to configure SSO. Please note that you have to send email and attach downloaded metadata file to configure SSO on the Allocadia side.
 
-   > [!NOTE]
-   > Please make sure that Allocadia team set the Identifier value in the test environment as **"https://na2standby.allocadia.com"** and for production environment, it should be: **"https://na2.allocadia.com"**
-   > 
-   > 
+    > [!NOTE]
+    > Please make sure that Allocadia team set the Identifier value in the test environment as **"https://na2standby.allocadia.com"** and for production environment, it should be: **"https://na2.allocadia.com"**
+    > 
+    > 
+
 6. In the classic portal, select the single sign-on configuration confirmation, and then click **Next**.
 
     ![Azure AD Single Sign-On][10]
+
 7. On the **Single sign-on confirmation** page, click **Complete**.  
 
     ![Azure AD Single Sign-On][11]
@@ -166,13 +178,17 @@ In the Users list, select **Britta Simon**.
 1. In the **Azure classic portal**, on the left navigation pane, click **Active Directory**.
 
     ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_09.png) 
+
 2. From the **Directory** list, select the directory for which you want to enable directory integration.
+
 3. To display the list of users, in the menu on the top, click **Users**.
 
     ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_03.png) 
+
 4. To open the **Add User** dialog, in the toolbar on the bottom, click **Add User**.
 
     ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_04.png) 
+
 5. On the **Tell us about this user** dialog page, perform the following steps:
 
     ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_05.png) 
@@ -182,22 +198,25 @@ In the Users list, select **Britta Simon**.
     b. In the User Name **textbox**, type **BrittaSimon**.
 
     c. Click **Next**.
+
 6. On the **User Profile** dialog page, perform the following steps:
 
-   ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_06.png) 
+    ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_06.png) 
 
-   a. In the **First Name** textbox, type **Britta**.  
+    a. In the **First Name** textbox, type **Britta**.  
 
-   b. In the **Last Name** textbox, type, **Simon**.
+    b. In the **Last Name** textbox, type, **Simon**.
 
-   c. In the **Display Name** textbox, type **Britta Simon**.
+    c. In the **Display Name** textbox, type **Britta Simon**.
 
-   d. In the **Role** list, select **User**.
+    d. In the **Role** list, select **User**.
 
-   e. Click **Next**.
+    e. Click **Next**.
+
 7. On the **Get temporary password** dialog page, click **create**.
 
     ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_07.png) 
+
 8. On the **Get temporary password** dialog page, perform the following steps:
 
     ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_08.png) 
@@ -224,13 +243,17 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting
 1. On the classic portal, to open the applications view, in the directory view, click **Applications** in the top menu.
 
     ![Assign User][201] 
+
 2. In the applications list, select **Allocadia**.
 
     ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_50.png) 
+
 3. In the menu on the top, click **Users**.
 
     ![Assign User][203] 
+
 4. In the Users list, select **Britta Simon**.
+
 5. In the toolbar on the bottom, click **Assign**.
 
     ![Assign User][205]