Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-aadroles-role-assignable-groups-note

Author: rolyon

.gitignore

@@ -24,4 +24,3 @@ AzureMigration.ps1
 .gitignore
 **/.vscode/settings.json
 *.pdn
-articles/azure-cache-for-redis/media/cache-managed-identity/Screenshot 2022-01-20 092913.pdn

.openpublishing.publish.config.json

@@ -861,6 +861,7 @@
       "branch": "main",
       "branch_mapping": {}
     }
+
   ],
   "branch_target_mapping": {
     "live": [

.openpublishing.redirection.azure-monitor.json

@@ -42,12 +42,17 @@
         },
         {
             "source_path_from_root": "/articles/azure-monitor/app/pricing.md",
-            "redirect_url": "/azure/azure-monitor/logs/cost-logs.md",
+            "redirect_url": "/azure/azure-monitor/logs/cost-logs",
             "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/azure-monitor/logs/manage-cost-storage.md",
-            "redirect_url": "/azure/azure-monitor/logs/cost-logs.md",
+            "redirect_url": "/azure/azure-monitor/logs/cost-logs",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/logs/data-ingestion-from-file.md",
+            "redirect_url": "/azure/azure-monitor/agents/data-sources-custom-logs",
             "redirect_document_id": false
         }
     ]

articles/active-directory-b2c/TOC.yml

@@ -273,6 +273,8 @@
       href: identity-provider-linkedin.md
     - name: Microsoft Account
       href: identity-provider-microsoft-account.md
+    - name: Mobile ID
+      href: identity-provider-mobile-id.md
     - name: PingOne (PingIdentity)
       href: identity-provider-ping-one.md
       displayName: Ping identity

articles/active-directory-b2c/add-identity-provider.md

@@ -6,7 +6,7 @@ author: kengaderdus
 manager: CelesteDG
 
 ms.author: kengaderdus
-ms.date: 12/02/2021
+ms.date: 04/08/2022
 ms.custom: mvc
 ms.topic: how-to
 ms.service: active-directory
@@ -43,6 +43,7 @@ You typically use only one identity provider in your applications, but you have
 * [Google](identity-provider-google.md)
 * [LinkedIn](identity-provider-linkedin.md)
 * [Microsoft Account](identity-provider-microsoft-account.md)
+* [Mobile ID](identity-provider-mobile-id.md)
 * [PingOne](identity-provider-ping-one.md) (PingIdentity)
 * [QQ](identity-provider-qq.md)
 * [Salesforce](identity-provider-salesforce.md)

articles/active-directory-b2c/identity-provider-mobile-id.md

@@ -0,0 +1,201 @@
+---
+title: Set up sign-up and sign-in with Mobile ID 
+titleSuffix: Azure AD B2C
+description: Provide sign-up and sign-in to customers with Mobile ID in your applications using Azure Active Directory B2C.
+services: active-directory-b2c
+author: kengaderdus
+manager: celestedg
+
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 04/08/2022
+ms.author: kengaderdus
+ms.subservice: B2C
+zone_pivot_groups: b2c-policy-type
+---
+
+# Set up sign-up and sign-in with Mobile ID using Azure Active Directory B2C
+
+[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
+
+In this article, you learn how to provide sign-up and sign-in to customers with [Mobile ID](https://www.mobileid.ch) in your applications using Azure Active Directory B2C (Azure AD B2C). The Mobile ID solution protects access to your company data and applications with a comprehensive end-to- end solution for a strong multi-factor authentication (MFA). You add the Mobile ID to your user flows or custom policy using OpenID Connect protocol. 
+
+## Prerequisites
+
+[!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
+
+## Create a Mobile ID application
+
+To enable sign-in for users with Mobile ID in Azure AD B2C, you need to create an application. To create Mobile ID application, follow these steps:
+
+1. Contact [Mobile ID support](https://www.mobileid.ch/en/contact).
+1. Provide the Mobile ID the information about your Azure AD B2C tenant:
+
+
+    |Key  |Note  |
+    |---------|---------|
+    |Redirect URI     | Provide the `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp` URI. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant, and `your-domain-name` with your custom domain. |
+    |Token endpoint authentication method|  `client_secret_post`|
+
+
+1. After the app is registered, the following information will be provided by the Mobile ID. Use this information to configure your user flow, or custom policy.
+
+    |Key  |Note  |
+    |---------|---------|
+    | Client ID | The Mobile ID client ID. For example, 11111111-2222-3333-4444-555555555555. |
+    | Client Secret| The Mobile ID client secret.| 
+
+
+::: zone pivot="b2c-user-flow"
+
+## Configure Mobile ID as an identity provider
+
+1. Make sure you're using the directory that contains Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your Azure AD B2C tenant.
+1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
+1. Select **Identity providers**, and then select **New OpenID Connect provider**.
+1. Enter a **Name**. For example, enter *Mobile ID*.
+1. For **Metadata url**, enter the URL Mobile ID OpenId well-known configuration endpoint. For example:
+
+    ```http
+    https://openid.mobileid.ch/.well-known/openid-configuration
+    ```
+
+1. For **Client ID**, enter the Mobile ID Client ID.
+1. For **Client secret**, enter the Mobile ID client secret.
+1. For the **Scope**, enter the `openid, profile, phone, mid_profile`.
+1. Leave the default values for **Response type** (`code`), and **Response mode** (`form_post`).
+1. (Optional) For the **Domain hint**, enter `mobileid.ch`. For more information, see [Set up direct sign-in using Azure Active Directory B2C](direct-signin.md#redirect-sign-in-to-a-social-provider).
+1. Under **Identity provider claims mapping**, select the following claims:
+
+    - **User ID**: *sub*
+    - **Display name**: *name*
+
+
+1. Select **Save**.
+
+## Add Mobile ID identity provider to a user flow 
+
+At this point, the Mobile ID identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Mobile ID identity provider to a user flow:
+
+1. In your Azure AD B2C tenant, select **User flows**.
+1. Select the user flow that you want to add the Mobile ID identity provider.
+1. Under the **Social identity providers**, select **Mobile ID**.
+1. Select **Save**.
+1. To test your policy, select **Run user flow**.
+1. For **Application**, select the web application named *testapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
+1. Select the **Run user flow** button.
+1. From the sign-up or sign-in page, select **Mobile ID** to sign in with Mobile ID.
+
+If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+
+::: zone-end
+
+::: zone pivot="b2c-custom-policy"
+
+## Create a policy key
+
+You need to store the client secret that you received from Mobile ID in your Azure AD B2C tenant.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your tenant.
+3. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
+4. On the Overview page, select **Identity Experience Framework**.
+5. Select **Policy Keys** and then select **Add**.
+6. For **Options**, choose `Manual`.
+7. Enter a **Name** for the policy key. For example, `Mobile IDSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
+8. In **Secret**, enter your Mobile ID client secret.
+9. For **Key usage**, select `Signature`.
+10. Select **Create**.
+
+## Configure Mobile ID as an identity provider
+
+To enable users to sign in using a Mobile ID, you need to define the Mobile ID as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.
+
+You can define a Mobile ID as a claims provider by adding it to the **ClaimsProviders** element in the extension file of your policy.
+
+1. Open the *TrustFrameworkExtensions.xml*.
+2. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element.
+3. Add a new **ClaimsProvider** as follows:
+
+    ```xml
+    <ClaimsProvider>
+    <Domain>mobileid.ch</Domain>
+    <DisplayName>Mobile-ID</DisplayName>
+    <TechnicalProfiles>
+      <TechnicalProfile Id="MobileID-OAuth2">
+      <DisplayName>Mobile-ID</DisplayName>
+      <Protocol Name="OAuth2" />
+      <Metadata>
+        <Item Key="ProviderName">Mobile-ID</Item>
+         <Item Key="authorization_endpoint">https://m.mobileid.ch/oidc/authorize</Item>
+          <Item Key="AccessTokenEndpoint">https://openid.mobileid.ch/token</Item>
+          <Item Key="ClaimsEndpoint">https://openid.mobileid.ch/userinfo</Item>
+          <Item Key="scope">openid, profile, phone, mid_profile</Item>
+          <Item Key="HttpBinding">POST</Item>
+          <Item Key="UsePolicyInRedirectUri">false</Item>
+          <Item Key="token_endpoint_auth_method">client_secret_post</Item>
+          <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
+          <Item Key="client_id">Your application ID</Item>
+        </Metadata>
+        <CryptographicKeys>
+          <Key Id="client_secret" StorageReferenceId="B2C_1A_MobileIdSecret" />
+        </CryptographicKeys>
+        <OutputClaims>
+          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
+          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
+          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="mobileid.ch" />
+          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
+        </OutputClaims>
+        <OutputClaimsTransformations>
+          <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
+          <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
+          <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
+          <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
+        </OutputClaimsTransformations>
+        <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
+        </TechnicalProfile>
+      </TechnicalProfiles>
+    </ClaimsProvider>
+    ```
+
+4. Set **client_id** to the Mobile ID client ID.
+5. Save the file.
+
+[!INCLUDE [active-directory-b2c-add-identity-provider-to-user-journey](../../includes/active-directory-b2c-add-identity-provider-to-user-journey.md)]
+
+
+```xml
+<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
+  <ClaimsProviderSelections>
+    ...
+    <ClaimsProviderSelection TargetClaimsExchangeId="MobileIDExchange" />
+  </ClaimsProviderSelections>
+  ...
+</OrchestrationStep>
+
+<OrchestrationStep Order="2" Type="ClaimsExchange">
+  ...
+  <ClaimsExchanges>
+    <ClaimsExchange Id="MobileIDExchange" TechnicalProfileReferenceId="MobileID-OAuth2" />
+  </ClaimsExchanges>
+</OrchestrationStep>
+```
+
+[!INCLUDE [active-directory-b2c-configure-relying-party-policy](../../includes/active-directory-b2c-configure-relying-party-policy-user-journey.md)]
+
+## Test your custom policy
+
+1. Select your relying party policy, for example `B2C_1A_signup_signin`.
+1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
+1. Select the **Run now** button.
+1. From the sign-up or sign-in page, select **Mobile ID** to sign in with Mobile ID.
+
+If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+
+
+::: zone-end
+
+## Next steps
+
+Learn how to [pass Mobile ID token to your application](idp-pass-through-user-flow.md).

articles/active-directory-b2c/page-layout.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 09/22/2021
+ms.date: 04/08/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -52,6 +52,10 @@ Azure AD B2C page layout uses the following versions of the [jQuery library](htt
 
 ## Self-asserted page (selfasserted)
 
+**2.1.9**
+
+- TOTP multifactor authentication support. Adding links that allows users to download and install the Microsoft authenticator app to complete the enrollment of the TOTP on the authenticator.
+
 **2.1.8**
 
 - The claim name is added to the `class` attribute of the `<li>` HTML element that surrounding the user's attribute input elements. The class name allows you to create a CSS selector to select the parent `<li>` for a certain user attribute input element. The following HTML markup shows the class attribute for the sign-up page:
@@ -139,6 +143,16 @@ Azure AD B2C page layout uses the following versions of the [jQuery library](htt
 > [!TIP]
 > If you localize your page to support multiple locales, or languages in a user flow. The [localization IDs](localization-string-ids.md) article provides the list of localization IDs that you can use for the page version you select.
 
+
+**2.1.7**
+
+- Accessibility fix - correcting to the tab index
+
+**2.1.6**
+
+- Accessibility fix - set the focus on the input field for verification. 
+- Updates to the UI elements and CSS classes
+
 **2.1.5**
 - Fixed an issue on tab order when idp selector template is used on sign in page.
 - Fixed an encoding issue on sign-in link text.

articles/active-directory-b2c/saml-issuer-technical-profile.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 10/12/2020
+ms.date: 04/08/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -67,6 +67,7 @@ The CryptographicKeys element contains the following attributes:
 | --------- | -------- | ----------- |
 | MetadataSigning | Yes | The X509 certificate (RSA key set) to use to sign SAML metadata. Azure AD B2C uses this key to sign the metadata. |
 | SamlMessageSigning| Yes| Specify the X509 certificate (RSA key set) to use to sign SAML messages. Azure AD B2C uses this key to signing the response `<samlp:Response>` send to the relying party.|
+| SamlAssertionSigning| No| Specify the X509 certificate (RSA key set) to use to sign SAML assertion `<saml:Assertion>` element of the SAML token. If not provided, the `SamlMessageSigning` cryptographic key is used instead.|
 
 ## Session management
 

articles/active-directory/verifiable-credentials/whats-new.md

@@ -20,14 +20,15 @@ This article lists the latest features, improvements, and changes in the Azure A
 
 ## March 2022
 - Azure AD Verifiable Credentials customers can now change the [domain linked](how-to-dnsbind.md) to their DID easily from the Azure Portal.
+- We made updates to Microsoft Authenticator that change the interaction between the Issuer of a verifiable credential and the user presenting the verifiable credential. This update forces all Verifiable Credentials to be reissued in Microsoft Authenticator for iOS. [More information](whats-new.md?#microsoft-authenticator-did-generation-update)
 
 ## February 2022
 
 We are rolling out some breaking changes to our service. These updates require Azure AD Verifiable Credentials service reconfiguration. End-users need to have their verifiable credentials reissued.
 
 - The Azure AD Verifiable Credentials service can now store and handle data processing in the Azure European region. [More information](whats-new.md?#azure-ad-verifiable-credentials-available-in-europe)
 - Azure AD Verifiable Credentials customers can take advantage of enhancements to credential revocation. These changes add a higher degree of privacy through the implementation of the [W3C Status List 2021](https://w3c-ccg.github.io/vc-status-list-2021/) standard. [More information](whats-new.md?#credential-revocation-with-enhanced-privacy)
-- We made updates to Microsoft Authenticator that change the interaction between the Issuer of a verifiable credential and the user presenting the verifiable credential. This update forces all Verifiable Credentials to be reissued in Microsoft Authenticator for Android. [More information](whats-new.md?#microsoft-authenticator-android-did-generation-update)
+- We made updates to Microsoft Authenticator that change the interaction between the Issuer of a verifiable credential and the user presenting the verifiable credential. This update forces all Verifiable Credentials to be reissued in Microsoft Authenticator for Android. [More information](whats-new.md?#microsoft-authenticator-did-generation-update)
 
 >[!IMPORTANT]
 > All Azure AD Verifiable Credential customers receiving a banner notice in the Azure portal need to go through a service reconfiguration before March 31st 2022. On March 31st 2022 tenants that have not been reconfigured will lose access to any previous configuration. Administrators will have to set up a new instance of the Azure AD Verifiable Credential service. Learn more about how to [reconfigure your tenant](verifiable-credentials-faq.md?#how-do-i-reconfigure-the-azure-ad-verifiable-credentials-service).
@@ -100,9 +101,9 @@ Sample contract file:
 >[!IMPORTANT]
 > You have to reconfigure your Azure AD Verifiable Credential service instance to create your new Identity hub endpoint. You have until March 31st 2022, to schedule and manage the reconfiguration of your deployment. On March 31st, 2022 deployments that have not been reconfigured will lose access to any previous Azure AD Verifiable Credentials service configuration. Administrators will need to set up a new service instance.
 
-### Microsoft Authenticator Android DID Generation Update
+### Microsoft Authenticator DID Generation Update
 
-We are making protocol updates in Microsoft Authenticator to support Single Long Form DID, thus deprecating the use of pairwise. With this update, your DID in Microsoft Authenticator will be used of every issuer and relaying party exchange. Holders of verifiable credentials using Microsoft Authenticator for Android must get their verifiable credentials reissued as any previous credentials aren't going to continue working.
+We are making protocol updates in Microsoft Authenticator to support Single Long Form DID, thus deprecating the use of pairwise. With this update, your DID in Microsoft Authenticator will be used of every issuer and relaying party exchange. Holders of verifiable credentials using Microsoft Authenticator must get their verifiable credentials reissued as any previous credentials aren't going to continue working.
 
 ## December 2021
 

articles/advisor/advisor-overview.md

@@ -2,7 +2,7 @@
 title: Introduction to Azure Advisor
 description: Use Azure Advisor to optimize your Azure deployments.
 ms.topic: overview
-ms.date: 09/27/2020
+ms.date: 04/07/2022
 ---
 
 # Introduction to Azure Advisor
@@ -25,7 +25,7 @@ The Advisor dashboard displays personalized recommendations for all your subscri
 * **Security**: To detect threats and vulnerabilities that might lead to security breaches. For more information, see [Advisor Security recommendations](advisor-security-recommendations.md).
 * **Performance**: To improve the speed of your applications. For more information, see [Advisor Performance recommendations](advisor-performance-recommendations.md).
 * **Cost**: To optimize and reduce your overall Azure spending. For more information, see [Advisor Cost recommendations](advisor-cost-recommendations.md).
-* **Operational Excellence**: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. . For more information, see [Advisor Operational Excellence recommendations](advisor-operational-excellence-recommendations.md).
+* **Operational Excellence**: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. For more information, see [Advisor Operational Excellence recommendations](advisor-operational-excellence-recommendations.md).
 
   ![Advisor recommendation types](./media/advisor-overview/advisor-dashboard.png)