MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/social-transformations.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory-b2c/social-transformations.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md
Lines changed: 6 additions & 0 deletions b/‎articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md
Lines changed: 6 additions & 0 deletions
diff --git a/‎articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-with-federation.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-with-federation.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/verifiable-credentials/media/verifiable-credentials-configure-tenant/add-app-api-permissions-select-service-principal.png
36 KB b/‎articles/active-directory/verifiable-credentials/media/verifiable-credentials-configure-tenant/add-app-api-permissions-select-service-principal.png
36 KB
diff --git a/‎articles/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer.md
Lines changed: 4 additions & 31 deletions b/‎articles/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer.md
Lines changed: 4 additions & 31 deletions
diff --git a/‎articles/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant.md
Lines changed: 7 additions & 65 deletions b/‎articles/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant.md
Lines changed: 7 additions & 65 deletions
@@ -16,10 +16,10 @@ ms.subservice: B2C
 
 # Social accounts claims transformations
 
-In Azure Active Directory B2C (Azure AD B2C), social account identities are stored in a `userIdentities` attribute of a **alternativeSecurityIdCollection** claim type. Each item in the **alternativeSecurityIdCollection** specifies the issuer (identity provider name, such as facebook.com) and the `issuerUserId`, which is a unique user identifier for the issuer.
+In Azure Active Directory B2C (Azure AD B2C), social account identities are stored in a `alternativeSecurityIds` attribute of a **alternativeSecurityIdCollection** claim type. Each item in the **alternativeSecurityIdCollection** specifies the issuer (identity provider name, such as facebook.com) and the `issuerUserId`, which is a unique user identifier for the issuer.
 
 ```json
-"userIdentities": [{
+"alternativeSecurityIds": [{
     "issuer": "google.com",
     "issuerUserId": "MTA4MTQ2MDgyOTI3MDUyNTYzMjcw"
   },
 
@@ -229,6 +229,12 @@ For the next test scenario, configure the authentication policy where the **poli
 
 - The **Additional Details** tab shows **User certificate subject name** as the attribute name but it is actually "User certificate binding identifier". It is the value of the certificate field that username binding is configured to use.
 
+- There is a double prompt for iOS because iOS only supports pushing certificates to a device storage. When an organization pushes user certificates to an iOS device through Mobile Device Management (MDM) or when a user accesses first-party or native apps, there is no access to device storage. Only Safari can access device storage.
+
+  When an iOS client sees a client TLS challenge and the user clicks **Sign in with certificate**, iOS client knows it cannot handle it and sends a completely new authorization request using the Safari browser. The user clicks **Sign in with certificate** again, at which point Safari which has access to certificates for authentication in device storage. This requires users to click **Sign in with certificate** twice, once in app’s WKWebView and once in Safari’s System WebView.
+
+  We are aware of the UX experience issue and are working to fix this on iOS and to have a seamless UX experience.
+
 ## Next steps
 
 - [Overview of Azure AD CBA](concept-certificate-based-authentication.md)
 
@@ -4,7 +4,7 @@ description: Step-by-step guidance to move from Azure MFA Server on-premises to
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 04/07/2022
+ms.date: 04/21/2022
 ms.author: BaSelden
 author: BarbaraSelden
 manager: martinco
@@ -174,7 +174,7 @@ This section covers final steps before migrating user phone numbers.
 
 ### Set federatedIdpMfaBehavior to enforceMfaByFederatedIdp
 
-For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain has a Microsoft Graph PowerShell security setting named **federatedIdpMfaBehavior**. You can set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` so Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD redirects the request to the federated identity provider to perform MFA. For more information, see [federatedIdpMfaBehavior](/graph/api/resources/federatedIdpMfaBehavior?view=graph-rest-beta&preserve-view=true).
+For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain has a Microsoft Graph PowerShell security setting named **federatedIdpMfaBehavior**. You can set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` so Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD redirects the request to the federated identity provider to perform MFA. For more information, see [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values).
 
 >[!NOTE]
 > The **federatedIdpMfaBehavior** setting is an evolved version of the **SupportsMfa** property of the [Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet](/powershell/module/msonline/set-msoldomainfederationsettings). 
 
@@ -7,7 +7,7 @@ author: barclayn
 manager: karenhoran
 ms.author: barclayn
 ms.topic: tutorial
-ms.date: 10/08/2021
+ms.date: 04/26/2022
 # Customer intent: As an enterprise, we want to enable customers to manage information about themselves by using verifiable credentials.
 
 ---
@@ -46,7 +46,7 @@ The following diagram illustrates the Azure AD Verifiable Credentials architectu
 
 ## Create a storage account
 
-Azure Blob Storage is an object storage solution for the cloud. Azure AD Verifiable Credentials uses [Azure Blob Storage](../../storage/blobs/storage-blobs-introduction.md) to store the configuration files when the service is issuing verifiable credentials.
+Azure Blob Storage is an object storage solution for the cloud. Azure AD Verifiable Credentials use [Azure Blob Storage](../../storage/blobs/storage-blobs-introduction.md) to store the configuration files when the service is issuing verifiable credentials.
 
 Create and configure Blob Storage by following these steps:
 
@@ -59,36 +59,9 @@ Create and configure Blob Storage by following these steps:
 
    ![Screenshot that shows how to create a container.](media/verifiable-credentials-configure-issuer/create-container.png)
 
-## Grant access to the container
-
-After you create your container, grant the signed-in user the correct role assignment so they can access the files in Blob Storage.
-
-1. From the list of containers, select **vc-container**.
-
-1. From the menu, select **Access Control (IAM)**.
-
-1. Select **+ Add,** and then select **Add role assignment**.
-
-     ![Screenshot that shows how to add a new role assignment to the blob container.](media/verifiable-credentials-configure-issuer/add-role-assignment.png)
-
-1. In **Add role assignment**:
-
-    1. For the **Role**, select **Storage Blob Data Reader**.
-
-    1. For the **Assign access to**, select **User, group, or service
-        principal**.
-
-    1. Then, search the account that you're using to perform these steps, and
-        select it.
-
-        ![Screenshot that shows how to set up the new role assignment.](media/verifiable-credentials-configure-issuer/add-role-assignment-container.png)
-
->[!IMPORTANT]
->By default, container creators get the owner role assigned. The owner role isn't enough on its own. Your account needs the storage blob data reader role. For more information, see [Use the Azure portal to assign an Azure role for access to blob and queue data](../../storage/blobs/assign-azure-role-data-access.md).
-
 ### Upload the configuration files
 
-Azure AD Verifiable Credentials uses two JSON configuration files, the rules file and the display file. 
+Azure AD Verifiable Credentials service uses two JSON configuration files, the rules file and the display file. 
 
 - The *rules* file describes important properties of verifiable credentials. In particular, it describes the claims that subjects (users) need to provide before a verifiable credential is issued for them. 
 - The *display* file controls the branding of the credential and styling of the claims.
@@ -175,7 +148,7 @@ In this step, you create the verified credential expert card by using Azure AD V
 
     1. For **Subscription**, select your Azure AD subscription where you created Blob Storage.
 
-    1. Under the **Display file**, select **Select display file**. In the Storage accounts section, select **vc-container**. Then select the **VerifiedCredentialExpertDisplay.json** file and click **Select**.
+    1. Under the **Display file**, select **Select display file**. In the Storage accounts section, select **vc-container**. Then select the **VerifiedCredentialExpertDisplay.json** file and select **Select**.
 
     1. Under the **Rules file**, **Select rules file**. In the Storage accounts section, select the **vc-container**. Then select the **VerifiedCredentialExpertRules.json** file, and choose **Select**.
 
 
@@ -7,7 +7,7 @@ author: barclayn
 manager: karenhoran
 ms.author: barclayn
 ms.topic: tutorial
-ms.date: 02/24/2022
+ms.date: 04/26/2022
 # Customer intent: As an enterprise, we want to enable customers to manage information about themselves by using verifiable credentials.
 
 ---
@@ -22,10 +22,10 @@ Specifically, you learn how to:
 
 > [!div class="checklist"]
 >
-> - Set up a service principal
-> - Create a key vault in Azure Key Vault
-> - Register an application in Azure AD
-> - Set up the Verifiable Credentials service
+> - Set up a service principal.
+> - Create an Azure Key Vault instance.
+> - Register an application in Azure AD. 
+> - Set up the Verifiable Credentials service.
 
 The following diagram illustrates the Azure AD Verifiable Credentials architecture and the component you configure.
 
@@ -35,36 +35,8 @@ See a [video walkthrough](https://www.youtube.com/watch?v=8jqjHjQo-3c) going ove
 
 ## Prerequisites
 
-- If you don't have Azure subscription, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- Sign up for [Azure Active Directory Premium editions](../../active-directory/fundamentals/active-directory-get-started-premium.md)
-subscription in your tenant.
+- You need an Azure tenant with an active subscription. If you don't have Azure subscription, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 - Ensure that you have the [global administrator](../../active-directory/roles/permissions-reference.md#global-administrator) permission for the directory you want to configure.
-- Ensure that you have [PowerShell](/powershell/scripting/install/installing-powershell) 7.0.6 LTS-x64, PowerShell 7.1.3-x64, or later installed.
-
-## Set up a service principal
-
-Create a service principal for the Request Service API. The service API is the Microsoft service that you use to issue or verify Azure AD Verifiable Credentials.
-
-To create the service principal:
-
-1. Run the following PowerShell commands. These commands install and import the `Az` module. For more information, see [Install the Azure Az PowerShell module](/powershell/azure/install-az-ps#installation).
-
-    ```powershell
-    if ((Get-Module -ListAvailable -Name "Az.Accounts") -eq $null) { Install-Module -Name "Az.Accounts" -Scope CurrentUser }
-    if ((Get-Module -ListAvailable -Name "Az.Resources") -eq $null) { Install-Module "Az.Resources" -Scope CurrentUser }
-    ```
-
-1. Run the following PowerShell command to connect to your Azure AD tenant. Replace \<*your-tenant-ID*> with your [Azure AD tenant ID](../../active-directory/fundamentals/active-directory-how-to-find-tenant.md).
-
-    ```powershell
-    Connect-AzAccount -TenantId <your-tenant-ID>
-    ```
-
-1. Run the following command in the same PowerShell session. The `AppId` `bbb94529-53a3-4be5-a069-7eaf2712b826` refers to the Verifiable Credentials Microsoft service.
-
-    ```powershell
-    New-AzADServicePrincipal -ApplicationId "bbb94529-53a3-4be5-a069-7eaf2712b826" -DisplayName "Verifiable Credential Request Service" 
-    ```
 
 ## Create a key vault
 
@@ -96,36 +68,6 @@ A Key Vault [access policy](../../key-vault/general/assign-access-policy.md) def
 
 1. To save the changes, select **Save**.
 
-### Set access policies for the Verifiable Credentials Issuer and Request services
-
-1. Select **+ Add Access Policy** to add permission to the service principal of the **Verifiable Credential Request Service**.
-
-1. In **Add access policy**:
-
-    1. For **Key permissions**, select **Get** and **Sign**.
-
-    1. For **Select principal**, select **Verifiable Credential Request Service**.
-
-    1. Select **Add**.  
-        
-    :::image type="content" source="media/verifiable-credentials-configure-tenant/request-service-key-vault-access-policy.png" alt-text="Screenshot that demonstrates how to add an access policy for the Verifiable Credential Issuer Service." :::
-
-The access policies for the Verifiable Credentials Issuer service should be added automatically. If the **Verifiable Credential Issuer Service** doesn't appear in the list of access policies, take the following steps to manually add access policies to the service.
-
-1. Select **+ Add Access Policy** to add permission to the service principal of the **Verifiable Credential Issuer Service**.
-
-1. In **Add access policy**:
-
-    1. For **Key permissions**, select **Get** and **Sign**.
-
-    1. For **Select principal**, select **Verifiable Credential Issuer Service**.
-
-    1. Select **Add**.  
-
-     :::image type="content" source="media/verifiable-credentials-configure-tenant/issuer-service-key-vault-access-policy.png" alt-text="Screenshot that demonstrates how to add an access policy for the Verifiable Credential Request Service." :::
-       
-1. Select **Save** to save the new policy you created.
-
 ## Register an application in Azure AD
 
 Azure AD Verifiable Credentials Request Service needs to be able to get access tokens to issue and verify. To get access tokens, register a web application and grant API permission for the API Verifiable Credential Request Service that you set up in the previous step.
@@ -148,7 +90,7 @@ Azure AD Verifiable Credentials Request Service needs to be able to get access t
 
 ### Grant permissions to get access tokens
 
-In this step, you grant permissions to the Verifiable Credential Request Service principal created in [step 1](#set-up-a-service-principal).
+In this step, you grant permissions to the Verifiable Credential Request Service principal.
 
 To add the required permissions, follow these steps: