Merge pull request #207627 from MicrosoftDocs/main

8/10 PM Publish

Author: huypub

articles/active-directory-b2c/application-types.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 06/14/2022
+ms.date: 08/10/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 
@@ -23,7 +23,7 @@ Every application that uses Azure AD B2C must be registered in your [Azure AD B2
 * An **Application ID** that uniquely identifies your application.
 * A **Reply URL** that can be used to direct responses back to your application.
 
-Each request that is sent to Azure AD B2C specifies a **user flow** (a built-in policy) or a **custom policy** that controls the behavior of Azure AD B2C. Both policy types enable you to create a highly customizable set of user experiences.
+Each request that is sent to Azure AD B2C specifies a **[user flow](user-flow-overview.md)** (a built-in policy) or a **[custom policy](user-flow-overview.md)** that controls the behavior of Azure AD B2C. Both policy types enable you to create a highly customizable set of user experiences.
 
 The interaction of every application follows a similar high-level pattern:
 
@@ -73,15 +73,15 @@ In addition to facilitating simple sign in, a web server application might also
 
 ## Single-page applications
 
-Many modern web applications are built as client-side single-page applications ("SPAs"). Developers write them by using JavaScript or a SPA framework such as Angular, Vue, and React. These applications run on a web browser and have different authentication characteristics than traditional server-side web applications.
+Many modern web applications are built as client-side single-page applications ("SPAs"). Developers write them by using JavaScript or a SPA framework such as Angular, Vue, or React. These applications run on a web browser and have different authentication characteristics than traditional server-side web applications.
 
 Azure AD B2C provides **two** options to enable single-page applications to sign in users and get tokens to access back-end services or web APIs:
 
 ### Authorization code flow (with PKCE)
 
 [OAuth 2.0 Authorization code flow (with PKCE)](./authorization-code-flow.md) allows the application to exchange an authorization code for **ID** tokens to represent the authenticated user and **Access** tokens needed to call protected APIs. In addition, it returns **Refresh** tokens that provide long-term access to resources on behalf of users without requiring interaction with those users. 
 
-This is the **recommended** approach. Having limited-lifetime refresh tokens helps your application adapt to [modern browser cookie privacy limitations](../active-directory/develop/reference-third-party-cookies-spas.md), like Safari ITP.
+We **recommended** this approach. Having limited-lifetime refresh tokens helps your application adapt to [modern browser cookie privacy limitations](../active-directory/develop/reference-third-party-cookies-spas.md), like Safari ITP.
 
 To take advantage of this flow, your application can use an authentication library that supports it, like [MSAL.js 2.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser). 
 
@@ -90,7 +90,9 @@ To take advantage of this flow, your application can use an authentication libra
 
 ### Implicit grant flow
 
-Some libraries, like [MSAL.js 1.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core), only support the implicit grant flow or your application is implemented to use implicit flow. In these cases, Azure AD B2C supports the [OAuth 2.0 implicit flow](implicit-flow-single-page-application.md). The implicit grant flow allows the application to get **ID** and **Access** tokens. Unlike the authorization code flow, implicit grant flow doesn't return a **Refresh token**. 
+Some libraries, like [MSAL.js 1.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core), only support the [implicit grant flow](implicit-flow-single-page-application.md) or your application is implemented to use implicit flow. In these cases, Azure AD B2C supports the [OAuth 2.0 implicit flow](implicit-flow-single-page-application.md). The implicit grant flow allows the application to get **ID** and **Access** tokens. Unlike the authorization code flow, implicit grant flow doesn't return a **Refresh token**.
+
+We **don't recommended** this approach.  
 
 This authentication flow doesn't include application scenarios that use cross-platform JavaScript frameworks such as Electron and React-Native. Those scenarios require further capabilities for interaction with the native platforms.
 

articles/active-directory-b2c/configure-authentication-sample-web-app-with-api.md

@@ -62,7 +62,7 @@ A computer that's running either:
 
 # [Visual Studio](#tab/visual-studio)
 
-* [Visual Studio 2022 17.0 or later](https://visualstudio.microsoft.com/downloads/?utm_medium=microsoft&utm_source=docs.microsoft.com&utm_campaign=inline+link&utm_content=download+vs2019) with the **ASP.NET and web development** workload
+* [Visual Studio 2022 17.0 or later](https://visualstudio.microsoft.com/downloads) with the **ASP.NET and web development** workload
 * [.NET 6.0 SDK](https://dotnet.microsoft.com/download/dotnet)
 
 # [Visual Studio Code](#tab/visual-studio-code)

articles/active-directory-b2c/configure-authentication-sample-web-app.md

@@ -44,7 +44,7 @@ A computer that's running either of the following:
 
 # [Visual Studio](#tab/visual-studio)
 
-* [Visual Studio 2022 17.0 or later](https://visualstudio.microsoft.com/downloads/?utm_medium=microsoft&utm_source=docs.microsoft.com&utm_campaign=inline+link&utm_content=download+vs2019), with the ASP.NET and web development workload
+* [Visual Studio 2022 17.0 or later](https://visualstudio.microsoft.com/downloads), with the ASP.NET and web development workload
 * [.NET 6.0 SDK](https://dotnet.microsoft.com/download/dotnet)
 
 # [Visual Studio Code](#tab/visual-studio-code)

articles/active-directory-b2c/json-transformations.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 02/16/2022
+ms.date: 08/10/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -59,6 +59,90 @@ Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/c
 | InputParameter | Any string following dot notation | string | The JsonPath of the JSON where the constant string value will be inserted into. |
 | OutputClaim | outputClaim | string | The generated JSON string. |
 
+### JSON Arrays
+
+To add JSON objects to a JSON array, use the format of **array name** and the **index** in the array. The array is zero based. Start with zero to N, without skipping any number. The items in the array can contain any object. For example, the first item contains two objects, *app* and *appId*. The second item contains a single object, *program*. The third item contains four objects, *color*, *language*, *logo* and *background*.
+
+The following example demonstrates how to configure JSON arrays. The **emails** array uses the `InputClaims` with dynamic values. The **values** array uses the `InputParameters` with static values. 
+
+```xml
+<ClaimsTransformation Id="GenerateJsonPayload" TransformationMethod="GenerateJson">
+  <InputClaims>
+    <InputClaim ClaimTypeReferenceId="mailToName1" TransformationClaimType="emails.0.name" />
+    <InputClaim ClaimTypeReferenceId="mailToAddress1" TransformationClaimType="emails.0.address" />
+    <InputClaim ClaimTypeReferenceId="mailToName2" TransformationClaimType="emails.1.name" />
+    <InputClaim ClaimTypeReferenceId="mailToAddress2" TransformationClaimType="emails.1.address" />
+  </InputClaims>
+  <InputParameters>
+    <InputParameter Id="values.0.app" DataType="string" Value="Mobile app" />
+    <InputParameter Id="values.0.appId" DataType="string" Value="123" />
+    <InputParameter Id="values.1.program" DataType="string" Value="Holidays" />
+    <InputParameter Id="values.2.color" DataType="string" Value="Yellow" />
+    <InputParameter Id="values.2.language" DataType="string" Value="Spanish" />
+    <InputParameter Id="values.2.logo" DataType="string" Value="contoso.png" />
+    <InputParameter Id="values.2.background" DataType="string" Value="White" />
+  </InputParameters>
+  <OutputClaims>
+    <OutputClaim ClaimTypeReferenceId="result" TransformationClaimType="outputClaim" />
+  </OutputClaims>
+</ClaimsTransformation>
+```
+
+The result of this claims transformation:
+
+```json
+{
+  "values": [
+    {
+      "app": "Mobile app",
+      "appId": "123"
+    },
+    {
+      "program": "Holidays"
+    },
+    {
+      "color": "Yellow",
+      "language": "Spanish",
+      "logo": "contoso.png",
+      "background": "White"
+    }
+  ],
+  "emails": [
+    {
+      "name": "Joni",
+      "address": "[email protected]"
+    },
+    {
+      "name": "Emily",
+      "address": "[email protected]"
+    }
+  ]
+}
+```
+
+To specify a JSON array in both the input claims and the input parameters, you must start the array in the `InputClaims` element, zero to N. Then, in the `InputParameters` element continue the index from the last index. 
+
+The following example demonstrates an array that is defined in both the input claims and the input parameters. The first item of the *values* array `values.0` is defined in the input claims. The input parameters continue from index one `values.1` through two index  `values.2`. 
+
+```xml
+<ClaimsTransformation Id="GenerateJsonPayload" TransformationMethod="GenerateJson">
+  <InputClaims>
+    <InputClaim ClaimTypeReferenceId="app" TransformationClaimType="values.0.app" />
+    <InputClaim ClaimTypeReferenceId="appId" TransformationClaimType="values.0.appId"  />
+  </InputClaims>
+  <InputParameters>
+    <InputParameter Id="values.1.program" DataType="string" Value="Holidays" />
+    <InputParameter Id="values.2.color" DataType="string" Value="Yellow" />
+    <InputParameter Id="values.2.language" DataType="string" Value="Spanish" />
+    <InputParameter Id="values.2.logo" DataType="string" Value="contoso.png" />
+    <InputParameter Id="values.2.background" DataType="string" Value="White" />
+  </InputParameters>
+  <OutputClaims>
+    <OutputClaim ClaimTypeReferenceId="result" TransformationClaimType="outputClaim" />
+  </OutputClaims>
+</ClaimsTransformation>
+```
+
 ### Example of GenerateJson
 
 The following example generates a JSON string based on the claim value of "email" and "OTP" and constant strings. 

articles/active-directory-b2c/media/troubleshoot-with-application-insights/application-insights-api-access.png

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: troubleshooting
-ms.date: 09/20/2021
+ms.date: 08/04/2022
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -144,7 +144,7 @@ After you set up the Application Insights, and configure the custom policy, you
 To get Application Insights ID and key:
 
 1. In Azure portal, open the Application Insights resource for your application.
-1. Select **Settings**, then select **API Access**.
+1. Select **Configure**, then select **API Access**.
 1. Copy the **Application ID**
 1. Select **Create API Key**
 1. Check the **Read telemetry** box.

articles/active-directory-b2c/troubleshoot-with-application-insights.md

@@ -167,11 +167,11 @@ In some cases, an **All cloud apps** policy could inadvertently block user acces
 
 - Calls to Azure AD Graph and MS Graph, to access user profile, group membership and relationship information that is commonly used by applications excluded from policy. The excluded scopes are listed below. Consent is still required for apps to use these permissions. 
    - For native clients:
-      - Azure AD Graph: User.Read
-      - MS Graph: User.Read, People.Read, and UserProfile.Read
+      - Azure AD Graph: email, offline_access, openid, profile, User.read
+      - MS Graph: User.read, People.read, and UserProfile.read 
    - For confidential / authenticated clients:
-      - Azure AD Graph: User.Read, User.Read.All, and User.ReadBasic.All
-      - MS Graph: User.Read, User.Read.All, User.ReadBasic.All, People.Read, People.Read.All, GroupMember.Read.All, Member.Read.Hidden, and UserProfile.Read 
+      - Azure AD Graph: email, offline_access, openid, profile, User.read, User.read.all, and User.readbasic.all
+      - MS Graph: User.read,User.read.all, User.read.All People.read, People.read.all, GroupMember.Read.All, Member.Read.Hidden, and UserProfile.read 
 
 ## User actions
 

articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md

@@ -16,7 +16,7 @@ ms.collection: M365-identity-device-management
 ---
 # What is a Primary Refresh Token?
 
-A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices. In this article, we will provide details on how a PRT is issued, used, and protected on Windows 10 or newer devices.
+A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices. In this article, we will provide details on how a PRT is issued, used, and protected on Windows 10 or newer devices. We recommend using the latest versions of Windows 10, Windows 11 and Windows Server 2019+ to get the best SSO experience.
 
 This article assumes that you already understand the different device states available in Azure AD and how single sign-on works in Windows 10 or newer. For more information about devices in Azure AD, see the article [What is device management in Azure Active Directory?](overview.md)
 
@@ -25,7 +25,7 @@ This article assumes that you already understand the different device states ava
 The following Windows components play a key role in requesting and using a PRT:
 
 * **Cloud Authentication Provider** (CloudAP): CloudAP is the modern authentication provider for Windows sign in, that verifies users logging to a Windows 10 or newer device. CloudAP provides a plugin framework that identity providers can build on to enable authentication to Windows using that identity provider’s credentials.
-* **Web Account Manager** (WAM): WAM is the default token broker on Windows 10 or newer devices. WAM also provides a plugin framework that identity providers can build on and enable SSO to their applications relying on that identity provider. (Not included in Windows Server 2016 LTSC builds)
+* **Web Account Manager** (WAM): WAM is the default token broker on Windows 10 or newer devices. WAM also provides a plugin framework that identity providers can build on and enable SSO to their applications relying on that identity provider. 
 * **Azure AD CloudAP plugin**: An Azure AD specific plugin built on the CloudAP framework, that verifies user credentials with Azure AD during Windows sign in.
 * **Azure AD WAM plugin**: An Azure AD specific plugin built on the WAM framework, that enables SSO to applications that rely on Azure AD for authentication.
 * **Dsreg**: An Azure AD specific component on Windows 10 or newer, that handles the device registration process for all device states.

articles/active-directory/devices/concept-primary-refresh-token.md

@@ -232,7 +232,7 @@ With outbound settings, you select which of your users and groups will be able t
    - When you're done selecting the users and groups you want to add, choose **Select**.
 
    > [!NOTE]
-   > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-sms-signin). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](https://docs.microsoft.com/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.
+   > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](/azure/active-directory/authentication/howto-authentication-sms-signin). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.
 
 1. Select the **External applications** tab.
 

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

@@ -131,7 +131,7 @@ While that could be a valid reason for using "User assignment required", it does
 
 #### Summary of implementation
 
-On the Azure AD Enterprise Application representing the federation relation with IAS, disable "[User assignment required](../manage-apps/assign-user-or-group-access-portal.md)". This also means you can safely skip [assignment of users as detailed in Microsoft Docs](../saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md#assign-the-azure-ad-test-user).
+On the Azure AD Enterprise Application representing the federation relation with IAS, disable "[User assignment required](../manage-apps/assign-user-or-group-access-portal.md)". This also means you can safely skip [assignment of users](../saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md#assign-the-azure-ad-test-user).
 
 ### 3 - Use Azure AD groups for Authorization through Role Collections in IAS/BTP