MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/howto-authentication-temporary-access-pass.md
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory/authentication/howto-authentication-temporary-access-pass.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory/develop/msal-js-prompt-behavior.md
Lines changed: 57 additions & 15 deletions b/‎articles/active-directory/develop/msal-js-prompt-behavior.md
Lines changed: 57 additions & 15 deletions
diff --git a/‎articles/active-directory/enterprise-users/directory-delegated-administration-primer.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/enterprise-users/directory-delegated-administration-primer.md
Lines changed: 2 additions & 2 deletions
@@ -71,9 +71,9 @@ To configure the Temporary Access Pass authentication method policy:
 After you enable a policy, you can create a Temporary Access Pass for a user in Azure AD. 
 These roles can perform the following actions related to a Temporary Access Pass.
 
-- Global Administrator can create, delete, view a Temporary Access Pass on any user (except themselves)
-- Privileged Authentication Administrators can create, delete, view a Temporary Access Pass on admins and members (except themselves)
-- Authentication Administrators can create, delete, view a Temporary Access Pass on members  (except themselves)
+- Global Administrators can create, delete, and view a Temporary Access Pass on any user (except themselves)
+- Privileged Authentication Administrators can create, delete, and view a Temporary Access Pass on admins and members (except themselves)
+- Authentication Administrators can create, delete, and view a Temporary Access Pass on members  (except themselves)
 - Global Reader can view the Temporary Access Pass details on the user (without reading the code itself).
 
 1. Sign in to the Azure portal as either a Global administrator, Privileged Authentication administrator, or Authentication administrator. 
 
@@ -1,6 +1,6 @@
 ---
-title: Interactive request prompt behavior (MSAL.js)
-description: Learn to customize prompt behavior in interactive calls using the Microsoft Authentication Library for JavaScript (MSAL.js).
+title: Prompt behavior with MSAL.js
+description: Learn to customize prompt behavior using the Microsoft Authentication Library for JavaScript (MSAL.js).
 services: active-directory
 author: mmacy
 manager: CelesteDG
@@ -16,34 +16,76 @@ ms.custom: aaddev
 #Customer intent: As an application developer, I want to learn about customizing the UI prompt behaviors in MSAL.js library so I can decide if this platform meets my application development needs and requirements.
 ---
 
-# Prompt behavior in MSAL.js interactive requests
+# Prompt behavior with MSAL.js
 
-When a user has established an active Azure AD session with multiple user accounts, the Azure AD sign in page will by default prompt the user to select an account before proceeding to sign in. Users will not see an account selection experience if there is only a single authenticated session with Azure AD.
+MSAL.js allows passing a prompt value as part of its login or token request methods. Based on your application scenario, you can customize the Azure AD prompt behavior for a request by setting the **prompt** parameter in the [request object](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#commonauthorizationurlrequest): 
 
-The MSAL.js library (starting in v0.2.4) does not send a prompt parameter during the interactive requests (`loginRedirect`, `loginPopup`, `acquireTokenRedirect` and `acquireTokenPopup`), and thereby does not enforce any prompt behavior. For silent token requests using the `acquireTokenSilent` method, MSAL.js passes a prompt parameter set to `none`.
+```javascript
+import { PublicClientApplication } from "@azure/msal-browser";
 
-Based on your application scenario, you can control the prompt behavior for the interactive requests by setting the prompt parameter in the request parameters passed to the methods. For example, if you want to invoke the account selection experience:
+const pca = new PublicClientApplication({
+    auth: {
+        clientId: "YOUR_CLIENT_ID"
+    }
+});
 
-```javascript
-var request = {
+const loginRequest = {
     scopes: ["user.read"],
     prompt: 'select_account',
 }
 
-userAgentApplication.loginRedirect(request);
+pca.loginPopup(loginRequest)
+    .then(response => {
+        // do something with the response
+    })
+    .catch(error => {
+        // handle errors
+    });
 ```
 
+## Supported prompt values
+
+The following prompt values can be used when authenticating with the Microsoft identity platform:
+
+| Parameter  | Behavior                                                                         |
+|------------|----------------------------------------------------------------------------------|
+| `login`  | Forces the user to enter their credentials on that request, negating single-sign on. |
+| `none`  | Ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns a *login_required* or *interaction_required* error. |
+| `consent`  | Triggers the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. |
+| `select_account` | Interrupts single sign-on by providing an account selection experience listing all the accounts in session or an option to choose a different account altogether. |
+| `create` | Triggers a sign-up dialog allowing external users to create an account. For more information, see: [Self-service sign-up](../external-identities/self-service-sign-up-overview.md) |
+
+MSAL.js will throw an `invalid_prompt` error for any unsupported prompt values:
+
+```console
+invalid_prompt_value: Supported prompt values are 'login', 'select_account', 'consent', 'create' and 'none'. Please see here for valid configuration options: https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#commonauthorizationurlrequest Given value: my_custom_prompt
+```
+
+## Default prompt values
+
+The following shows default prompt values that MSAL.js uses:
 
-The following prompt values can be passed when authenticating with Azure AD:
+| MSAL.js method         | Default prompt | Allowed prompts |
+|------------------------|----------------|-----------------|
+| `loginPopup`           | N/A            | Any             |
+| `loginRedirect`        | N/A            | Any             |
+| `ssoSilent`            | `none`         | N/A (ignored)   |
+| `acquireTokenPopup`    | N/A            | Any             |
+| `acquireTokenRedirect` | N/A            | Any             |
+| `acquireTokenSilent`   | `none`         | N/A (ignored)   |
 
-**login:** This value will force the user to enter credentials on the authentication request.
+> [!NOTE]
+> Note that **prompt** is a protocol-level parameter and signals the desired authentication behavior to the identity provider. It does not affect MSAL.js behavior and MSAL.js does not have control over how the service will ultimately handle the request. In most circumstances, Azure AD will try to honor the request. If this is not possible, it may return an error response, or completely ignore the given prompt value.
 
-**select_account:** This value will provide the user with an account selection experience listing all the accounts in session.
+## Interactive requests with prompt=none
 
-**consent:** This value will invoke the OAuth consent dialogue that allows users to grant permissions to the app.
+Generally, when you need to make a silent request, use a silent MSAL.js method (`ssoSilent`, `acquireTokenSilent`), and handle any *login_required* or *interaction_required* errors with an interactive method (`loginPopup`, `loginRedirect`, `acquireTokenPopup`, `acquireTokenRedirect`). 
 
-**none:** This value will ensure that the user does not see any interactive prompt. It is recommended not to pass this value to interactive methods in MSAL.js as it can have unexpected behaviors. Instead, use the `acquireTokenSilent` method to achieve silent calls.
+In some cases however, the prompt value `none` can be used together with an interactive MSAL.js method to achieve silent authentication. For instance, due to the third-party cookie restrictions in some browsers, `ssoSilent` requests will fail despite an active user session with Azure AD. As a remedy, you can pass the prompt value `none` to an interactive request such as `loginPopup`. MSAL.js will then open a popup window to Azure AD and Azure AD will honor the prompt value by utilizing the existing session cookie. In this case, the user will see a brief popup window but will not be prompted for a credential entry.
 
 ## Next steps
 
-Read more about the `prompt` parameter in the [OAuth 2.0 implicit grant](v2-oauth2-implicit-grant-flow.md) protocol which MSAL.js library uses.
+- [Single sign-on with MSAL.js](msal-js-sso.md)
+- [Handle errors and exceptions in MSAL.js](msal-error-handling-js.md)
+- [Handle ITP in Safari and other browsers where third-party cookies are blocked](reference-third-party-cookies-spas.md)
+- [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)
@@ -6,7 +6,7 @@ author: barclayn
 manager: amycolannino
 ms.author: barclayn
 ms.reviewer: yuank
-ms.date: 06/23/2022
+ms.date: 09/13/2022
 ms.topic: overview
 ms.service: active-directory
 ms.subservice: enterprise-users
@@ -23,7 +23,7 @@ Managing permissions for external partners is a key part of your security postur
 
 ## Delegated administration relationships
 
-Delegated administration relationships enable technicians at a Microsoft CSP to administer Microsoft services such as Microsoft 365, Dynamics, 365, and Azure on behalf of your organization. These technicians administer these services for you using the same roles and permissions as administrators in your organization. These roles are assigned to security groups in the CSP’s Azure AD tenant, which is why CSP technicians don’t need user accounts in your tenant in order to administer services for you.
+Delegated administration relationships enable technicians at a Microsoft CSP to administer Microsoft services such as Microsoft 365, Dynamics 365, and Azure on behalf of your organization. These technicians administer these services for you using the same roles and permissions as your organization's own administrators. These roles are assigned to security groups in the CSP’s Azure AD tenant, which is why CSP technicians don’t need user accounts in your tenant in order to administer services for you.
 
 There are two types of delegated administration relationships that are visible in the Azure AD admin portal experience. The newer type of delegated admin relationship is known as Granular Delegated Admin Permission. The older type of relationship is known as Delegated Admin Permission. You can see both types of relationship if you sign in to the Azure AD admin portal and then select **Delegated administration**.