MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 10 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 10 additions & 0 deletions
diff --git a/‎articles/active-directory-b2c/authorization-code-flow.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/authorization-code-flow.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility.md
Lines changed: 7 additions & 9 deletions b/‎articles/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility.md
Lines changed: 7 additions & 9 deletions
diff --git a/‎articles/active-directory/app-provisioning/configure-automatic-user-provisioning-portal.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/app-provisioning/configure-automatic-user-provisioning-portal.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/app-provisioning/customize-application-attributes.md
Lines changed: 90 additions & 83 deletions b/‎articles/active-directory/app-provisioning/customize-application-attributes.md
Lines changed: 90 additions & 83 deletions
@@ -13338,6 +13338,16 @@
             "redirect_url": "/azure/governance/policy/samples/index",
             "redirect_document_id": false
         },
+        {
+          "source_path_from_root": "/articles/governance/policy/samples/PCIv3_2_1_2018_audit.md",
+          "redirect_url": "/azure/governance/policy/samples/pci-dss-3-2-1",
+          "redirect_document_id": false
+        },
+        {
+          "source_path_from_root": "/articles/governance/policy/samples/pci_dss_v4.0.md",
+          "redirect_url": "/azure/governance/policy/samples/pci-dss-4-0",
+          "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-policy/create-manage-policy.md",
             "redirect_url": "/azure/governance/policy/tutorials/create-and-manage",
 
@@ -124,7 +124,7 @@ grant_type=authorization_code&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&sco
 | client_id |Required |The application ID assigned to your app in the [Azure portal](https://portal.azure.com).|
 | client_secret | Yes, in Web Apps | The application secret that was generated in the [Azure portal](https://portal.azure.com/). Client secrets are used in this flow for Web App scenarios, where the client can securely store a client secret. For Native App (public client) scenarios, client secrets cannot be securely stored, and therefore are not used in this call. If you use a client secret, please change it on a periodic basis. |
 | grant_type |Required |The type of grant. For the authorization code flow, the grant type must be `authorization_code`. |
-| scope |Required |A space-separated list of scopes. A single scope value indicates to Azure AD both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID.  The `offline_access` scope indicates that your app needs a refresh token for long-lived access to resources.  You also can use the `openid` scope to request an ID token from Azure AD B2C. |
+| scope |Recommended |A space-separated list of scopes. A single scope value indicates to Azure AD both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID.  The `offline_access` scope indicates that your app needs a refresh token for long-lived access to resources.  You also can use the `openid` scope to request an ID token from Azure AD B2C. |
 | code |Required |The authorization code that you acquired in from the `/authorize` endpoint. |
 | redirect_uri |Required |The redirect URI of the application where you received the authorization code. |
 | code_verifier | recommended | The same `code_verifier` used to obtain the authorization code. Required if PKCE was used in the authorization code grant request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). |
 
@@ -24,7 +24,7 @@ This article describes current and past issues with the Azure AD user provisioni
 ## Understanding the provisioning job
 The provisioning service uses the concept of a job to operate against an application. The jobID can be found in the [progress bar](application-provisioning-when-will-provisioning-finish-specific-user.md#view-the-provisioning-progress-bar). All new provisioning applications are created with a jobID starting with "scim". The scim job represents the current state of the service. Older jobs have the ID "customappsso". This job represents the state of the service in 2018. 
 
-If you are using an application in the gallery, the job generally contains the name of the app (e.g. zoom snowFlake, dataBricks, etc.). You can skip this documentation when using a gallery application. This primarily applies for non-gallery applications with jobID SCIM or customAppSSO.
+If you are using an application in the gallery, the job generally contains the name of the app (such as zoom snowFlake or dataBricks). You can skip this documentation when using a gallery application. This primarily applies for non-gallery applications with jobID SCIM or customAppSSO.
 
 ## SCIM 2.0 compliance issues and status
 In the table below, any item marked as fixed means that the proper behavior can be found on the SCIM job. We have worked to ensure backwards compatibility for the changes we have made. We recommend using the new behavior for any new implementations and updating existing implementations. Please note that the customappSSO behavior that was the default prior to December 2018 is not supported anymore. 
@@ -234,13 +234,12 @@ Below are sample requests to help outline what the sync engine currently sends v
 
 
 ## Upgrading from the older customappsso job to the SCIM job
-Following the steps below will delete your existing customappsso job and create a new scim job. 
+Following the steps below will delete your existing customappsso job and create a new SCIM job.
 
-1. Sign into the Azure portal at https://portal.azure.com.
+1. Sign into the [Azure portal](https://portal.azure.com).
 2. In the **Azure Active Directory > Enterprise Applications** section of the Azure portal, locate and select your existing SCIM application.
 3. In the **Properties** section of your existing SCIM app, copy the **Object ID**.
-4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer 
-   and sign in as the administrator for the Azure AD tenant where your app is added.
+4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.
 5. In the Graph Explorer, run the command below to locate the ID of your provisioning job. Replace "[object-id]" with the service principal ID (object ID) copied from the third step.
 
    `GET https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs` 
@@ -276,11 +275,10 @@ Following the steps below will delete your existing customappsso job and create
 ## Downgrading from the SCIM job to the customappsso job (not recommended)
  We allow you to downgrade back to the old behavior but don't recommend it as the customappsso does not benefit from some of the updates we make, and may not be supported forever. 
 
-1. Sign into the Azure portal at https://portal.azure.com.
-2. in the **Azure Active Directory > Enterprise Applications > Create application** section of the Azure portal, create a new **Non-gallery** application.
+1. Sign into the [Azure portal](https://portal.azure.com).
+2. In the **Azure Active Directory > Enterprise Applications > Create application** section of the Azure portal, create a new **Non-gallery** application.
 3. In the **Properties** section of your new custom app, copy the **Object ID**.
-4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer 
-   and sign in as the administrator for the Azure AD tenant where your app is added.
+4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.
 5. In the Graph Explorer, run the command below to initialize the provisioning configuration for your app.
    Replace "[object-id]" with the service principal ID (object ID) copied from the third step.
 
 
@@ -24,7 +24,7 @@ This article describes the general steps for managing automatic user account pro
 
 Use the Azure portal to view and manage all applications that are configured for single sign-on in a directory. Enterprise apps are apps that are deployed and used within your organization. Follow these steps to view and manage your enterprise applications:
 
-1. Open the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
 1. Browse to **Azure Active Directory** > **Enterprise applications**.
 1. A list of all configured apps is shown, including apps that were added from the gallery.
 1. Select any app to load its resource pane, where you can view reports and manage app settings.
 
@@ -118,7 +118,7 @@ Applications and systems that support customization of the attribute list includ
 
 
 > [!NOTE]
-> Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute isn't automatically displayed in the Azure Portal UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the [attribute list](#editing-the-list-of-supported-attributes). 
+> Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute isn't automatically displayed in the Azure portal UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the [attribute list](#editing-the-list-of-supported-attributes). 
 
 > [!NOTE]
 > When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list".  When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory.     
@@ -157,60 +157,63 @@ Custom attributes can't be referential attributes, multi-value or complex-typed
 **Example representation of a user with an extension attribute:**
 
 ```json
-   {
-     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
-     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
-     "userName":"bjensen",
-     "id": "48af03ac28ad4fb88478",
-     "externalId":"bjensen",
-     "name":{
-       "formatted":"Ms. Barbara J Jensen III",
-       "familyName":"Jensen",
-       "givenName":"Barbara"
-     },
-     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
-     "employeeNumber": "701984",
-     "costCenter": "4130",
-     "organization": "Universal Studios",
-     "division": "Theme Park",
-     "department": "Tour Operations",
-     "manager": {
-       "value": "26118915-6090-4610-87e4-49d8ca9f808d",
-       "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d",
-       "displayName": "John Smith"
-     }
-   },
-     "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {
-     "CustomAttribute": "701984",
-   },
-   "meta": {
-     "resourceType": "User",
-     "created": "2010-01-23T04:56:22Z",
-     "lastModified": "2011-05-13T04:42:34Z",
-     "version": "W\/\"3694e05e9dff591\"",
-     "location":
- "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
-   }
- }
+{
+  "schemas":[
+    "urn:ietf:params:scim:schemas:core:2.0:User",
+      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
+  ],
+  "userName":"bjensen",
+  "id": "48af03ac28ad4fb88478",
+  "externalId":"bjensen",
+  "name":{
+    "formatted":"Ms. Barbara J Jensen III",
+    "familyName":"Jensen",
+    "givenName":"Barbara"
+  },
+  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
+    "employeeNumber": "701984",
+    "costCenter": "4130",
+    "organization": "Universal Studios",
+    "division": "Theme Park",
+    "department": "Tour Operations",
+    "manager": {
+      "value": "26118915-6090-4610-87e4-49d8ca9f808d",
+      "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d",
+      "displayName": "John Smith"
+    }
+  },
+  "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {
+    "CustomAttribute": "701984",
+  },
+  "meta": {
+    "resourceType": "User",
+    "created": "2010-01-23T04:56:22Z",
+    "lastModified": "2011-05-13T04:42:34Z",
+    "version": "W\/\"3694e05e9dff591\"",
+    "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
+  }
+}
 ```
 
-
 ## Provisioning a role to a SCIM app
 Use the steps in the example to provision roles for a user to your application. The description is specific to custom SCIM applications. For gallery applications such as Salesforce and ServiceNow, use the predefined role mappings. The bullets describe how to transform the AppRoleAssignments attribute to the format your application expects.
 
 - Mapping an appRoleAssignment in Azure AD to a role in your application requires that you transform the attribute using an [expression](../app-provisioning/functions-for-customizing-application-data.md). The appRoleAssignment attribute **shouldn't be mapped directly** to a role attribute without using an expression to parse the role details. 
 
-- **SingleAppRoleAssignment** 
+- **SingleAppRoleAssignment**
+
   - **When to use:** Use the SingleAppRoleAssignment expression to provision a single role for a user and to specify the primary role. 
   - **How to configure:** Use the steps described to navigate to the attribute mappings page and use the SingleAppRoleAssignment expression to map to the roles attribute. There are three role attributes to choose from (`roles[primary eq "True"].display`, `roles[primary eq "True"].type`, and `roles[primary eq "True"].value`). You can choose to include any or all of the role attributes in your mappings. If you would like to include more than one, just add a new mapping and include it as the target attribute.
 
-  ![Add SingleAppRoleAssignment](./media/customize-application-attributes/edit-attribute-singleapproleassignment.png)
+    ![Add SingleAppRoleAssignment](./media/customize-application-attributes/edit-attribute-singleapproleassignment.png)
+
   - **Things to consider**
     - Ensure that multiple roles aren't assigned to a user. There's no guarantee which role is provisioned.
     - SingleAppRoleAssignments isn't compatible with setting scope to "Sync All users and groups." 
+
   - **Example request (POST)** 
 
-   ```json
+    ```json
     {
       "schemas": [
           "urn:ietf:params:scim:schemas:core:2.0:User"
@@ -229,25 +232,29 @@ Use the steps in the example to provision roles for a user to your application.
                "value": "Admin"
          }
       ]
-   }
-   ```
-  
+    }
+    ```
+
   - **Example output (PATCH)** 
-    
-   ```json
-   "Operations": [
-     {
-       "op": "Add",
-       "path": "roles",
-       "value": [
-         {
-           "value": "{\"id\":\"06b07648-ecfe-589f-9d2f-6325724a46ee\",\"value\":\"25\",\"displayName\":\"Role1234\"}"
-         }
-       ]
-   ```  
+
+    ```json
+    "Operations": [
+      {
+        "op": "Add",
+        "path": "roles",
+        "value": [
+          {
+            "value": "{\"id\":\"06b07648-ecfe-589f-9d2f-6325724a46ee\",\"value\":\"25\",\"displayName\":\"Role1234\"}"
+          }
+        ]
+      }
+    ]
+    ```
+
 The request formats in the PATCH and POST differ. To ensure that POST and PATCH are sent in the same format, you can use the feature flag described [here](./application-provisioning-config-problem-scim-compatibility.md#flags-to-alter-the-scim-behavior). 
 
-- **AppRoleAssignmentsComplex** 
+- **AppRoleAssignmentsComplex**
+
   - **When to use:** Use the AppRoleAssignmentsComplex expression to provision multiple roles for a user. 
   - **How to configure:** Edit the list of supported attributes as described to include a new attribute for roles: 
 
@@ -256,16 +263,18 @@ The request formats in the PATCH and POST differ. To ensure that POST and PATCH
     Then use the AppRoleAssignmentsComplex expression to map to the custom role attribute as shown in the image:
 
     ![Add AppRoleAssignmentsComplex](./media/customize-application-attributes/edit-attribute-approleassignmentscomplex.png)<br>
+
   - **Things to consider**
+
     - All roles are provisioned as primary = false.
     - The POST contains the role type. The PATCH request doesn't contain type. We're working on sending the type in both POST and PATCH requests.
     - AppRoleAssignmentsComplex isn't compatible with setting scope to "Sync All users and groups."
     - The AppRoleAssignmentsComplex only supports the PATCH add function. For multi-role SCIM applications, roles deleted in Azure Active Directory will therefore not be deleted from the application. We're working to support additional PATCH functions and address the limitation. 
 
-  - **Example output** 
+  - **Example output**
 
-   ```json
-   {
+    ```json
+    {
        "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User"
       ],
@@ -290,35 +299,33 @@ The request formats in the PATCH and POST differ. To ensure that POST and PATCH
              "value": "User"
          }
       ]
-   }
-   ```
-
-  
-
+    }
+    ```
 
 ## Provisioning a multi-value attribute
+
 Certain attributes such as phoneNumbers and emails are multi-value attributes where you may need to specify different types of phone numbers or emails. Use the expression for multi-value attributes. It allows you to specify the attribute type and map that to the corresponding Azure AD user attribute for the value. 
 
-* phoneNumbers[type eq "work"].value
-* phoneNumbers[type eq "mobile"].value
-* phoneNumbers[type eq "fax"].value
+* `phoneNumbers[type eq "work"].value`
+* `phoneNumbers[type eq "mobile"]`.value
+* `phoneNumbers[type eq "fax"].value`
 
-   ```json
-   "phoneNumbers": [
-       {
-         "value": "555-555-5555",
-         "type": "work"
-      },
-      {
-         "value": "555-555-5555",
-         "type": "mobile"
-      },
-      {
-         "value": "555-555-5555",
-         "type": "fax"
-      }
-   ]
-   ```
+  ```json
+  "phoneNumbers": [
+     {
+        "value": "555-555-5555",
+        "type": "work"
+     },
+     {
+        "value": "555-555-5555",
+        "type": "mobile"
+     },
+     {
+        "value": "555-555-5555",
+        "type": "fax"
+     }
+  ]
+  ```
 
 ## Restoring the default attributes and attribute-mappings