Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Learn Build Service GitHub App

.openpublishing.publish.config.json

@@ -878,6 +878,12 @@
       "branch": "docs-snippets",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "ms-identity-python-webapp",
+      "url": "https://github.com/Azure-Samples/ms-identity-python-webapp",
+      "branch": "main",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "ms-identity-node",
       "url": "https://github.com/Azure-Samples/ms-identity-node",

articles/active-directory-domain-services/concepts-custom-attributes.md

@@ -23,13 +23,13 @@ Azure AD supports adding custom data to resources using [extensions](/graph/exte
 - [onPremisesExtensionAttributes](/graph/extensibility-overview?tabs=http#extension-attributes) are a set of 15 attributes that can store extended user string attributes. 
 - [Directory extensions](/graph/extensibility-overview?tabs=http#directory-azure-ad-extensions) allow the schema extension of specific directory objects, such as users and groups, with strongly typed attributes through registration with an application in the tenant. 
 
-Both types of extensions can be configured By using Azure AD Connect for users who are managed on-premises, or MSGraph APIs for cloud-only users. 
+Both types of extensions can be configured by using Azure AD Connect for users who are managed on-premises, or Microsoft Graph APIs for cloud-only users. 
 
 >[!Note] 
 >The following types of extensions aren't supported for synchronization:  
->- Custom Security Attributes in Azure AD (Preview)
->- MSGraph Schema Extensions
->- MSGraph Open Extensions
+>- Custom security attributes in Azure AD (Preview)
+>- Microsoft Graph schema extensions
+>- Microsoft Graph open extensions
 
 
 ## Requirements 
@@ -72,4 +72,4 @@ To check the backfilling status, click **Azure AD DS Health** and verify the **S
 
 To configure onPremisesExtensionAttributes or directory extensions for cloud-only users in Azure AD, see [Custom data options in Microsoft Graph](/graph/extensibility-overview?tabs=http#custom-data-options-in-microsoft-graph). 
 
-To sync onPremisesExtensionAttributes or directory extensions from on-premises to Azure AD, [configure Azure AD Connect](../active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md). 
+To sync onPremisesExtensionAttributes or directory extensions from on-premises to Azure AD, [configure Azure AD Connect](../active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md). 

articles/active-directory/authentication/how-to-certificate-based-authentication.md

@@ -72,7 +72,10 @@ To enable the certificate-based authentication and configure user bindings in th
 1. To delete a CA certificate, select the certificate and click **Delete**.
 1. Click **Columns** to add or delete columns.
 
-### Configure certification authorities using PowerShell
+>[!NOTE]
+>Upload of new CAs will fail when any of the existing CAs are expired. Tenant Admin should delete the expired CAs and then upload the new CA.
+
+### Configure certification authorities(CA) using PowerShell
 
 Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can only be HTTP URLs. Online Certificate Status Protocol (OCSP) or Lightweight Directory Access Protocol (LDAP) URLs aren't supported.
 
@@ -87,6 +90,9 @@ Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can
 [!INCLUDE [Get-AzureAD](../../../includes/active-directory-authentication-get-trusted-azuread.md)]
 ### Add
 
+>[!NOTE]
+>Upload of new CAs will fail when any of the existing CAs are expired. Tenant Admin should delete the expired CAs and then upload the new CA.
+
 [!INCLUDE [New-AzureAD](../../../includes/active-directory-authentication-new-trusted-azuread.md)]
 
 **AuthorityType**

articles/active-directory/develop/access-tokens.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 03/13/2023
+ms.date: 03/31/2023
 ms.author: davidmu
 ms.reviewer: JasSuri
 ms.custom: aaddev 
@@ -42,3 +42,4 @@ For an example using a custom claims provider with the **token issuance start**
 
 - Learn how to [create and register a custom claims provider](custom-extension-get-started.md) with a sample Open ID Connect application.
 - If you already have a custom claims provider registered, you can configure a [SAML application](custom-extension-configure-saml-app.md) to receive tokens with claims sourced from an external store.
+- Learn more about custom claims providers with the [custom claims provider reference](custom-claims-provider-reference.md) article.

articles/active-directory/develop/custom-claims-provider-overview.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
 ms.workload: identity
-ms.date: 03/13/2023
+ms.date: 03/31/2023
 ms.author: davidmu
 ms.custom: aaddev
 ms.reviewer: JasSuri
@@ -147,7 +147,7 @@ The following screenshot demonstrates how to configure the Azure HTTP trigger fu
     }
     ```
 
-    The code starts with reading the incoming JSON object. Azure AD sends the JSON object to your API. In this example, it reads the correlation ID value. Then, the code returns a collection of claims, including the original correlation ID, the version of your Azure Function, date of birth and custom role that is returned to Azure AD.
+    The code starts with reading the incoming JSON object. Azure AD sends the [JSON object](./custom-claims-provider-reference.md) to your API. In this example, it reads the correlation ID value. Then, the code returns a collection of claims, including the original correlation ID, the version of your Azure Function, date of birth and custom role that is returned to Azure AD.
 
 1. From the top menu, select **Get Function Url**, and copy the URL. In the next step, the function URL will be used and referred to as `{Function_Url}`.
 

articles/active-directory/develop/custom-extension-get-started.md

@@ -74,15 +74,11 @@ You can also use an integrated development environment to open the folder.
 
 1. Create a *.env* file in the root folder of the project using *.env.sample* as a guide.
 
-    ```python
-    TENANT_ID=<tenant id>
-    CLIENT_ID=<client id>
-    CLIENT_SECRET=<client secret>
-    ```
+    :::code language="python" source="~/ms-identity-python-webapp/.env.sample":::
 
-    * Set the value of `TENANT_ID` to the **Directory (tenant) ID** of the registered application, also available on the overview page.
     * Set the value of `CLIENT_ID` to the **Application (client) ID** for the registered application, available on the overview page.
     * Set the value of `CLIENT_SECRET` to the client secret you created in **Certificates & Secrets** for the registered application.
+    * Set the value of `TENANT_ID` to the **Directory (tenant) ID** of the registered application, also available on the overview page.
 
     The environment variables are referenced in *app_config.py*, and are kept in a separate *.env* file to keep them out of source control. The provided *.gitignore* file prevents the *.env* file from being checked in.
 
@@ -101,7 +97,7 @@ You can also use an integrated development environment to open the folder.
 2. Run the app from the command line, specifying the host and port to match the redirect URI:
 
     ```shell
-    python3 -m flask run --host=localhost --port=5000
+    python3 -m flask run --debug --host=localhost --port=5000
     ```
 
    > [!IMPORTANT]