Merge pull request #239303 from davidmu1/optionalclaimsupdate1

Added optional claims from Yuan

Author: v-regandowner

.openpublishing.redirection.active-directory.json

@@ -1,5 +1,10 @@
 {
   "redirections": [
+    {
+      "source_path_from_root": "/articles/active-directory/develop/active-directory-optional-claims.md",
+      "redirect_url": "/azure/active-directory/develop/optional-claims",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/develop/active-directory-jwt-claims-customization.md",
       "redirect_url": "/azure/active-directory/develop/jwt-claims-customization",

articles/active-directory/develop/TOC.yml

@@ -439,7 +439,7 @@
         - name: Customize tokens and claims
           items:
             - name: Configure optional claims
-              href: active-directory-optional-claims.md
+              href: optional-claims.md
             - name: Configure role claim
               href: active-directory-enterprise-app-role-management.md
             - name: Customize JWT claims

articles/active-directory/develop/access-tokens.md

@@ -11,7 +11,7 @@ ms.workload: identity
 ms.topic: conceptual
 ms.date: 03/29/2023
 ms.author: davidmu
-ms.custom: aaddev, identityplatformtop40, fasttrack-edit, curation-claims
+ms.custom: aaddev, curation-claims
 ---
 
 # Microsoft identity platform access tokens
@@ -114,6 +114,7 @@ The Microsoft identity platform uses some claims to help secure tokens for reuse
 | `uti` | String | Token identifier claim, equivalent to `jti` in the JWT specification. Unique, per-token identifier that is case-sensitive. | |
 | `rh` | Opaque String | An internal claim used by Azure to revalidate tokens. Resources shouldn't use this claim. | |
 | `ver` | String, either `1.0` or `2.0` | Indicates the version of the access token. | |
+| `xms_cc` | JSON array of strings | Indicates whether the client application that acquired the token is capable of handling claims challenges. This claim is commonly used in Conditional Access and Continuous Access Evaluation scenarios. The resource server that the token is issued for controls the presence of the claim in it. For example, a service application. For more information, see [Claims challenges, claims requests and client capabilities](claims-challenge.md?tabs=dotnet). Resource servers should check this claim in access tokens received from client applications. If this claim is present, resource servers can respond back with a claims challenge. The claims challenge requests more claims in a new access token to authorize access to a protected resource. |
 
 #### Groups overage claim