Commit 05c0cb8

Merge pull request #288011 from lynneoconnor/LMO-ADO22013b
ADO 22013 remove Global Admin mentions
2 parents 770a1c2 + 2bd6bf9 commit 05c0cb8

2 files changed

+29
-29
lines changed

articles/active-directory-b2c/partner-n8identity.md

Lines changed: 12 additions & 12 deletions
@@ -29,7 +29,7 @@ Use this solution for the following scenarios:
2929

3030
## Prerequisites
3131

32-
To get started, you'll need:
32+
To get started, you need:
3333

3434
* An Azure subscription
3535

@@ -55,11 +55,11 @@ The TheAccessHub Admin Tool runs in the N8ID Azure subscription or the customer
5555
6. TheAccessHub Admin Tool syncs user records with Azure AD B2C.
5656
7. Based on TheAccessHub Admin Tool response, Azure AD B2C sends a customized welcome email to users.
5757

58-
## Create a Global Administrator in your Azure AD B2C tenant
58+
## Create an External Identity Provider Administrator and B2C User Flow Administrator in your Azure AD B2C tenant
5959

60-
TheAccessHub Admin Tool permissions act on behalf of a Global Administrator to read user information and conduct changes in your Azure AD B2C tenant. Changes to your regular administrators won't affect TheAccessHub Admin Tool interaction with the tenant.
60+
TheAccessHub Admin Tool permissions act on behalf of an External Identity Provider Administrator and B2C User Flow Administrator to read user information and conduct changes in your Azure AD B2C tenant. Changes to your regular administrators don't affect TheAccessHub Admin Tool interaction with the tenant.
6161

62-
To create a Global Administrator:
62+
To create an External Identity Provider Administrator and B2C User Flow Administrator:
6363

6464
1. In the Azure portal, sign in to your Azure AD B2C tenant as an Administrator.
6565
2. Go to **Microsoft Entra ID** > **Users**.
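Review bot: lines 58+ through 62+ refer to "an External Identity Provider Administrator and B2C User Flow Administrator" as though it were a single role, but these are two separate directory roles; phrase it as "an account that holds the External Identity Provider Administrator and B2C User Flow Administrator roles" (and at 62+ "To create a service account with these roles:") so readers know both must be assigned. The direction of the change is right from a least-privilege standpoint: the account the tool authenticates as no longer needs Global Administrator. Context line 64 ("sign in ... as an Administrator") still leaves unstated which role the operator needs to create the user and assign these roles; spell that out in the same pass.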
@@ -70,20 +70,20 @@ To create a Global Administrator:
7070
* Enter the **account name**, such as TheAccessHub Service Account.
7171
7. Select **Show Password**.
7272
8. Copy and save the initial password.
73-
9. To assign the Global Administrator role, for **User**, select the user's current role.
74-
10. Select the **Global Administrator** record.
73+
9. To assign the External Identity Provider Administrator and B2C User Flow Administrator role, for **User**, select the user's current role.
74+
10. Select the **External Identity Provider Administrator** and **B2C User Flow Administrator** records.
7575
11. Select **Create**.
7676

7777
## Connect TheAccessHub Admin Tool to your Azure AD B2C tenant
7878

79-
TheAccessHub Admin Tool uses the Microsoft Graph API to read and make changes to a directory. It acts as a Global Administrator in your tenant. Use the following instructions to add needed permissions.
79+
TheAccessHub Admin Tool uses the Microsoft Graph API to read and make changes to a directory. It acts as an External Identity Provider Administrator and B2C User Flow Administrator in your tenant. Use the following instructions to add needed permissions.
8080

8181
To authorize TheAccessHub Admin Tool to access your directory:
8282

8383
1. Use the credentials N8 Identity provided to sign in to TheAccessHub Admin Tool.
8484
2. Go to **System Admin** > **Azure AD B2C Config**.
8585
3. Select **Authorize Connection**.
86-
4. In the new window, sign in with your Global Administrator account. When you sign in for the first time with the new service account, a prompt to reset your password can appear.
86+
4. In the new window, sign in with your External Identity Provider Administrator and B2C User Flow Administrator account. When you sign in for the first time with the new service account, a prompt to reset your password can appear.
8787
5. Follow the prompts and select **Accept**.
8888

8989
## Configure a new CSR user with your enterprise identity
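Review bot: line 73+ says "the External Identity Provider Administrator and B2C User Flow Administrator role" (singular) while 74+ says "records" (plural); use "roles" at 73+ so the two agree. It is also worth stating near step 9 that the service account must hold both roles before the consent in step 4 (86+, "Authorize Connection") can succeed. At 79+, "It acts as an External Identity Provider Administrator and B2C User Flow Administrator in your tenant" reads more naturally as "It acts with the External Identity Provider Administrator and B2C User Flow Administrator roles in your tenant".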
@@ -189,7 +189,7 @@ With TheAccessHub Admin Tool, you can import data from various databases, LDAPs,
189189

190190
* **Type**: **Database**
191191
* **Database type**: select a supported database
192-
* **Connection URL**: enter a JDBC connection string, such as `jdbc:postgresql://myhost.com:5432/databasename`
192+
* **Connection URL**: enter a Java Database Connectivity (JDBC) connection string, such as `jdbc:postgresql://myhost.com:5432/databasename`
193193
* **Username**: username to access the database
194194
* **Password**: password to access the database
195195
* **Query**: the SQL query to extract customer details, such as `SELECT * FROM mytable;`'
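Review bot: context line 195 has a stray apostrophe after the closing backtick (`SELECT * FROM mytable;`') that renders as literal text; drop it while this list is being edited. The expansion at 192+ is fine, but "Java Database Connectivity (JDBC)" only needs spelling out at its first occurrence in the article, so check it is not expanded again elsewhere.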
@@ -226,7 +226,7 @@ With TheAccessHub Admin Tool, you can import data from various databases, LDAPs,
226226
8. Select **Next**.
227227
9. In **Search-Mapping configuration**, identify load-record correlation with customers in TheAccessHub Admin Tool.
228228
10. Select source identifying attributes. Match attributes TheAccessHub Admin Tool attributes with the same values. If there's a match, the record is overridden. Otherwise, a new customer is created.
229-
11. Sequence the number of checks. For example, check email first, then first and last name.
229+
11. Sequence the number of checks. For example, check email first, then first and family name.
230230
12. On the left-side menu, select **Data Mapping**.
231231
13. In **Data-Mapping configuration**, assign the TheAccessHub Admin Tool attributes to be populated from your source attributes. Unmapped attributes remain unchanged for customers. If you map the attribute `org_name` with a current organization value, created customers go in the organization.
232232
15. Select **Next**.
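Review bot: the step numbering in this list jumps from 13 (context line 231) to 15 (context line 232); either renumber the remaining steps or restore the missing step 14. The "first and family name" wording at 229+ should also match the attribute labels shown in the mapping UI, so confirm those do not still say "last name".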
@@ -273,7 +273,7 @@ If you occasionally sync TheAccessHub Admin Tool, it might not be up to date wit
273273

274274
For your sign-up custom policies, the following steps enable a secure certificate to notify TheAccessHub Admin Tool of new accounts.
275275

276-
1. Use the credentials N8ID provided to sign in to TheAccessHub Admin Tool.
276+
1. To sign in to TheAccessHub Admin Tool, use the credentials N8ID provided.
277277
2. Go to **System Admin** > **Admin Tools** > **API Security**.
278278
3. Select **Generate**.
279279
4. Copy the **Certificate Password**.
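Review bot: line 276+ names the vendor "N8ID" while context line 83 in the earlier hunk says "the credentials N8 Identity provided"; use one name for the vendor throughout the article. The sentence reordering itself is neutral.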
@@ -287,7 +287,7 @@ For your sign-up custom policies, the following steps enable a secure certificat
287287
3. Supply your Azure AD B2C tenant domain and the two Identity Experience Framework IDs from your Identity Experience Framework configuration.
288288
4. Select **Save**.
289289
5. Select **Download** to get a .zip file with basic policies that add customers into TheAccessHub Admin Tool as customers sign up.
290-
6. Use the instructions in [Create user flows](./tutorial-create-user-flows.md?pivots=b2c-custom-policy) to design custom policies in Azure AD B2C.
290+
6. To design custom policies in Azure AD B2C, use the instructions in [Create user flows](./tutorial-create-user-flows.md?pivots=b2c-custom-policy).
291291

292292
## Next steps
293293

articles/active-directory-b2c/partner-trusona.md

Lines changed: 17 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -60,16 +60,16 @@ In this scenario, Trusona acts as an Identity Provider (IdP) for Azure AD B2C to
6060

6161
| Steps | Description |
6262
|:------|:------|
63-
|1. |A user attempts to sign in to the web application via their browser.|
64-
|2.|The web application redirects to Azure AD B2C sign-up and sign-in policy.|
65-
|3. |Azure AD B2C redirects the user for authentication to the Trusona Authentication Cloud OpenID Connect (OIDC) IdP.|
66-
|4. |The user is presented with a sign-in web page that asks for their username – typically an email address.|
67-
|5. |The user enters their email address and selects the **Continue** button. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process.|
68-
|6. |The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. User approval unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.|
69-
|7. |The authentication assertion is returned to the Trusona cloud service for verification.|
70-
|8. |Once verified, Trusona Authentication Cloud (IdP) creates an OIDC ID token and then forwards it to Azure AD B2C (Service Provider). Azure AD B2C validates the signature of the token and the issuer against the values in the Trusona’s OpenID discovery document. These details were configured during IdP setup. Once verified, Azure AD B2C issues an OIDC id_token (depending on the scope) and redirects the user back to the initiating application with the token.|
71-
|9. |The web application (or the developer libraries it uses to implement authentication) retrieves the token and verifies the authenticity of the Azure AD B2C token. If that’s the case, it extracts the claims and pass them to the web application to consume.|
72-
|10. |Upon verification, user is granted/denied access.|
63+
|1. | A user attempts to sign in to the web application via their browser.|
64+
|2.| The web application redirects to Azure AD B2C sign-up and sign-in policy.|
65+
|3. | Azure AD B2C redirects the user for authentication to the Trusona Authentication Cloud OpenID Connect (OIDC) IdP.|
66+
|4. | The user is presented with a sign-in web page that asks for their username – typically an email address.|
67+
|5. | The user enters their email address and selects the **Continue** button. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process.|
68+
|6. | The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. This unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.|
69+
|7. | The authentication assertion is returned to the Trusona cloud service for verification.|
70+
|8. | Once verified, Trusona Authentication Cloud (IdP) creates an OIDC ID token and then forwards it to Azure AD B2C (Service Provider). Azure AD B2C validates the signature of the token and the issuer against the values in the Trusona’s OpenID discovery document. These details were configured during IdP setup. Once verified, Azure AD B2C issues an OIDC id_token (depending on the scope) and redirects the user back to the initiating application with the token.
71+
|9. | The web application (or the developer libraries it uses to implement authentication) retrieves the token and verifies the authenticity of the Azure AD B2C token. If that’s the case, it extracts the claims and pass them to the web application to consume.
72+
|10. | Upon verification, user is granted/denied access. |
7373

7474
## Step 1: Onboard with Trusona Authentication Cloud
7575

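Review bot: rows 70+ and 71+ lost the closing `|` that rows 70- and 71- had, so the table no longer has consistent row delimiters; restore them. The 68+ change from "User approval unlocks" to "This unlocks" makes the subject ambiguous (the OS prompt, or the user's confirmation?) and drops the security-relevant point that it is the user's verification that releases the private key for signing; keep "User approval unlocks" or write "Successful user verification unlocks". The rewrite also carries over two existing slips: "the Trusona’s OpenID discovery document" (70+, drop "the") and "extracts the claims and pass them" (71+, should be "passes").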
@@ -98,9 +98,9 @@ To register a web application in your Azure AD B2C tenant, use our new unified a
9898
1. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**.
9999
1. Under **Redirect URI**, select **Web**, and then enter `https://jwt.ms` in the URL text box.
100100

101-
The redirect URI is the endpoint to which the authorization server, Azure AD B2C in this case sends the user to. After completing its interaction with the user, an access token or authorization code is sent upon successful authorization. In a production application, it's typically a publicly accessible endpoint where your app is running, like `https://contoso.com/auth-response`. For testing purposes like this tutorial, you can set it to `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). During app development, you might add the endpoint where your application listens locally, like `https://localhost:5000`. You can add and modify redirect Uniform Resource Identifiers (URI) in your registered applications at any time.
101+
The redirect URI is the endpoint to which the authorization server, Azure AD B2C in this case sends the user to. After completing its interaction with the user, an access token or authorization code is sent upon successful authorization. In a production application, it's typically a publicly accessible endpoint where your app is running, like `https://contoso.com/auth-response`. For testing purposes like this tutorial, you can set it to `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). During app development, you might add the endpoint where your application listens locally, like `https://localhost:5000`. You can add and modify redirect URIs in your registered applications at any time.
102102

103-
The following restrictions apply to redirect URIs:
103+
The following restrictions apply to redirect Uniform Resource Identifiers (URI):
104104

105105
* The reply URL must begin with the scheme `https`, unless you use a localhost redirect URL.
106106
* The reply URL is case-sensitive. Its case must match the case of the URL path of your running application. For example, if your application includes as part of its path `.../abc/response-oidc`, don't specify `.../ABC/response-oidc` in the reply URL. Because the web browser treats paths as case-sensitive, cookies associated with `.../abc/response-oidc` might be excluded if redirected to the case-mismatched `.../ABC/response-oidc` URL.
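Review bot: moving the "Uniform Resource Identifiers (URI)" expansion from 101+ to 103+ places the spelled-out form after the acronym's first uses ("Redirect URI" at context line 99 and "The redirect URI" at 101+); expand it at the first occurrence instead. Line 101+ also keeps the doubled preposition in "the endpoint to which the authorization server, Azure AD B2C in this case sends the user to" (drop the trailing "to" and set "Azure AD B2C in this case" off with commas on both sides).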
@@ -129,7 +129,7 @@ You can enable implicit grant flow to use this app registration to [test a user
129129

130130
## Step 3: Configure Trusona Authentication Cloud as an IdP in Azure AD B2C
131131

132-
1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.
132+
1. Sign in to the [Azure portal](https://portal.azure.com/) as the External Identity Provider Administrator and B2C User Flow Administrator roles in your Azure AD B2C tenant.
133133

134134
1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
135135

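Review bot: "sign in ... as the External Identity Provider Administrator and B2C User Flow Administrator roles" (132+) reads as if a role were a sign-in identity; write "with an account that has the External Identity Provider Administrator and B2C User Flow Administrator roles in your Azure AD B2C tenant". Dropping the global administrator requirement for an IdP configuration task is the right least-privilege change.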
@@ -160,7 +160,7 @@ You can enable implicit grant flow to use this app registration to [test a user
160160

161161
1. Select **Map this identity provider’s claims**.
162162

163-
1. Fill out the form to map the IdP:
163+
1. To map the IdP, fill out the form:
164164

165165
| Property | Value |
166166
| :--- | :--- |
@@ -205,7 +205,7 @@ You should now see Trusona as a **new OpenID Connect Identity Provider** listed
205205

206206
b. **Reply URL**: Select the redirect URL, for example, `https://jwt.ms`.
207207

208-
2. Select **Run user flow**. You should be redirected to the Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username – typically an email address. If the user's account isn't found in Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. User approval unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential. Azure AD B2C validates the Trusona authentication response and issues an OIDC token. It redirects the user back to the initiating application, for example, `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
208+
2. Select **Run user flow**. You should be redirected to the Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username – typically an email address. If the user's account isn't found in Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. This unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential. Azure AD B2C validates the Trusona authentication response and issues an OIDC token. It redirects the user back to the initiating application, for example, `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
209209
::: zone-end
210210

211211
::: zone pivot="b2c-custom-policy"
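Review bot: "This unlocks" (208+) loses the actor that "User approval unlocks" named, and it is the user's verification step that releases the private key; prefer "Successful user verification unlocks". This step also repeats the table rows for steps 4 to 8 almost verbatim, so a pointer back to that table would keep the two descriptions from drifting apart when one is edited.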
@@ -239,7 +239,7 @@ Store the client secret that you previously generated in [step 1](#step-1-onboar
239239
>[!TIP]
240240
>You should have the Azure AD B2C policy configured at this point. If not, follow the [instructions](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) on how to set up your Azure AD B2C tenant and configure policies.
241241
242-
To enable users to sign in using Trusona Authentication Cloud, you need to define Trusona as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user authentication using a passkey or a hardware security key available on their device, proving the user’s identity.
242+
To enable users to sign in using Trusona Authentication Cloud, you need to define Trusona as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user has authenticated using a passkey or a hardware security key available on their device, proving the user’s identity.
243243

244244
Use the following steps to add Trusona as a claims provider:
245245

@@ -481,7 +481,7 @@ In the following example, for the `Trusona Authentication Cloud` user journey, t
481481

482482
2. A sign in screen is shown; at the bottom should be a button to use **Trusona Authentication Cloud** authentication.
483483

484-
1. You should be redirected to Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username – typically an email address. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. User approval unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.
484+
1. You should be redirected to Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username – typically an email address. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. This unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.
485485

486486
1. If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
487487

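Review bot: "This unlocks" (484+) loses the actor; keep "User approval unlocks" or write "Successful user verification unlocks", matching whatever wording is chosen for the table at the top of the article. The list numbering around this hunk is also inconsistent in the source ("2." at context line 482, then "1." at 484+ and "1." at 486); Markdown renders it sequentially, but use either all "1." or sequential numbers so the source reads correctly too.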