Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: inward-eye

.openpublishing.redirection.azure-productivity.json

@@ -4,6 +4,31 @@
             "source_path_from_root": "/articles/lab-services/classroom-labs-overview.md",
             "redirect_url": "/azure/lab-services/get-started-manage-labs",
             "redirect_document_id": false
+        },
+        {
+          "source_path_from_root": "/articles/devtest-labs/scripts/add-external-user-to-lab.md",
+          "redirect_url": "/azure/devtest-labs/samples-powershell",
+          "redirect_document_id": false
+        },
+        {
+          "source_path_from_root": "/articles/devtest-labs/scripts/add-marketplace-images-to-lab.md",
+          "redirect_url": "/azure/devtest-labs/samples-powershell",
+          "redirect_document_id": false
+        },
+        {
+          "source_path_from_root": "/articles/devtest-labs/scripts/create-custom-image-from-vhd.md",
+          "redirect_url": "/azure/devtest-labs/samples-powershell",
+          "redirect_document_id": false
+        },
+        {
+          "source_path_from_root": "/articles/devtest-labs/scripts/create-custom-role-in-lab.md",
+          "redirect_url": "/azure/devtest-labs/samples-powershell",
+          "redirect_document_id": false
+        },
+        {
+          "source_path_from_root": "/articles/devtest-labs/scripts/set-allowed-vm-sizes-in-lab.md",
+          "redirect_url": "/azure/devtest-labs/samples-powershell",
+          "redirect_document_id": false
         }
     ]
 }

.openpublishing.redirection.json

@@ -29327,6 +29327,11 @@
       "redirect_url": "/azure/vpn-gateway/point-to-site-about",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/security/fundamentals/ddos-best-practices.md",
+      "redirect_url": "/azure/ddos-protection/fundamental-best-practices",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/vpn-gateway/create-vpn-azure-aws-managed-solutions.md",
       "redirect_url": "/azure/vpn-gateway/tutorial-site-to-site-portal",

articles/active-directory-b2c/whats-new-docs.md

@@ -15,6 +15,26 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md).
 
+## January 2022
+
+### Updated articles
+
+- [Tutorial: Secure Hybrid Access to applications with Azure AD B2C and F5 BIG-IP](partner-f5.md)
+- [Set up a force password reset flow in Azure Active Directory B2C](force-password-reset.md)
+- [Boolean claims transformations](boolean-transformations.md)
+- [Date claims transformations](date-transformations.md)
+- [General claims transformations](general-transformations.md)
+- [Integer claims transformations](integer-transformations.md)
+- [JSON claims transformations](json-transformations.md)
+- [Define phone number claims transformations in Azure AD B2C](phone-number-claims-transformations.md)
+- [Social accounts claims transformations](social-transformations.md)
+- [String claims transformations](string-transformations.md)
+- [StringCollection claims transformations](stringcollection-transformations.md)
+- [Billing model for Azure Active Directory B2C](billing.md)
+- [Configure SAML identity provider options with Azure Active Directory B2C](identity-provider-generic-saml-options.md)
+- [About claim resolvers in Azure Active Directory B2C custom policies](claim-resolver-overview.md)
+- [Add AD FS as a SAML identity provider using custom policies in Azure Active Directory B2C](identity-provider-adfs-saml.md)
+
 ## December 2021
 
 ### New articles

articles/active-directory/develop/msal-net-token-cache-serialization.md

@@ -116,7 +116,7 @@ services.Configure<MsalDistributedTokenCacheAdapterOptions>(options =>
 // Then, choose your implementation of distributed cache
 // -----------------------------------------------------
 
-// For instance, the distributed in-memory cache (not cleared when you stop the app)
+// good for prototyping and testing, but this is NOT persisted and it is NOT distributed - do not use in production
 services.AddDistributedMemoryCache();
 
 // Or a Redis cache
@@ -163,10 +163,10 @@ services.AddCosmosCache((CosmosCacheOptions cacheOptions) =>
 ```
 
 For more information, see:
-- [Difference between in-memory and distributed in memory caches](https://github.com/AzureAD/microsoft-identity-web/wiki/token-cache-serialization#inmemory-vs-distributedmemory-cache-options)
 - [Distributed cache advanced options](https://github.com/AzureAD/microsoft-identity-web/wiki/L1-Cache-in-Distributed-(L2)-Token-Cache)
 - [Handle L2 cache eviction](https://github.com/AzureAD/microsoft-identity-web/wiki/Handle-L2-cache-eviction)
 - [Set up a Redis cache in Docker](https://github.com/AzureAD/microsoft-identity-web/wiki/Set-up-a-Redis-cache-in-Docker)
+- [Troubleshooting](https://github.com/AzureAD/microsoft-identity-web/wiki/Token-Cache-Troubleshooting)
 
 The usage of distributed cache is featured in the [ASP.NET Core web app tutorial](/aspnet/core/tutorials/first-mvc-app/) in the [phase 2-2 token cache](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-2-TokenCache).
 
@@ -276,7 +276,6 @@ You can also specify options to limit the size of the in-memory token cache:
   );
 ```
 
-
 #### Distributed caches
 
 If you use `app.AddDistributedTokenCache`, the token cache is an adapter against the .NET `IDistributedCache` implementation. So you can choose between a distributed memory cache, a SQL Server cache, a Redis cache, or an Azure Cosmos DB cache. For details about the `IDistributedCache` implementations, see [Distributed memory cache](/aspnet/core/performance/caching/distributed).
@@ -386,10 +385,10 @@ Here's the code for an Azure Cosmos DB cache:
 
 For more information about distributed caches, see:
 
-- [Difference between in-memory and distributed in-memory caches](https://github.com/AzureAD/microsoft-identity-web/wiki/token-cache-serialization#inmemory-vs-distributedmemory-cache-options)
 - [Distributed cache advanced options](https://github.com/AzureAD/microsoft-identity-web/wiki/L1-Cache-in-Distributed-(L2)-Token-Cache)
 - [Handle L2 cache eviction](https://github.com/AzureAD/microsoft-identity-web/wiki/Handle-L2-cache-eviction)
 - [Set up a Redis cache in Docker](https://github.com/AzureAD/microsoft-identity-web/wiki/Set-up-a-Redis-cache-in-Docker)
+- [Troubleshooting](https://github.com/AzureAD/microsoft-identity-web/wiki/Token-Cache-Troubleshooting)
 
 ### Disabling a legacy token cache
 

articles/active-directory/develop/tutorial-v2-nodejs-desktop.md

@@ -153,7 +153,8 @@ Create a folder to host your application, for example *ElectronDesktopApp*.
             width: 800,
             height: 600,
             webPreferences: {
-            nodeIntegration: true
+            nodeIntegration: true,
+            contextIsolation: false
             }
         });
 

articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md

@@ -54,7 +54,7 @@ This type of authorization is common for daemons and service accounts that need
 
 In order to enable this ACL-based authorization pattern, Azure AD doesn't require that applications be authorized to get tokens for another application. Thus, app-only tokens can be issued without a `roles` claim. Applications that expose APIs must implement permission checks in order to accept tokens.
 
-If you'd like to prevent applications from getting role-less app-only access tokens for your application, [ensure that user assignment requirements are enabled for your app](../manage-apps/what-is-access-management.md#requiring-user-assignment-for-an-app). This will block users and applications without assigned roles from being able to get a token for this application. 
+If you'd like to prevent applications from getting role-less app-only access tokens for your application, [ensure that assignment requirements are enabled for your app](../manage-apps/what-is-access-management.md#requiring-user-assignment-for-an-app). This will block users and applications without assigned roles from being able to get a token for this application. 
 
 ### Application permissions
 
@@ -65,9 +65,9 @@ Instead of using ACLs, you can use APIs to expose a set of **application permiss
 * Send mail as any user
 * Read directory data
 
-To use application permissions with your own API (as opposed to Microsoft Graph), you must first [expose the API](howto-add-app-roles-in-azure-ad-apps.md) by defining scopes in the API's app registration in the Azure portal. Then, [configure access to the API](howto-add-app-roles-in-azure-ad-apps.md#assign-app-roles-to-applications) by selecting those permissions in your client application's app registration. If you haven't exposed any scopes in your API's app registration, you won't be able to specify application permissions to that API in your client application's app registration in the Azure portal.
+To use app roles (application permissions) with your own API (as opposed to Microsoft Graph), you must first [expose the app roles](howto-add-app-roles-in-azure-ad-apps.md) in the API's app registration in the Azure portal. Then, [configure the required app roles](howto-add-app-roles-in-azure-ad-apps.md#assign-app-roles-to-applications) by selecting those permissions in your client application's app registration. If you haven't exposed any app roles in your API's app registration, you won't be able to specify application permissions to that API in your client application's app registration in the Azure portal.
 
-When authenticating as an application (as opposed to with a user), you can't use *delegated permissions* - scopes that are granted by a user - because there is no user for your app to act on behalf of. You must use application permissions, also known as roles, that are granted by an admin for the application or via pre-authorization by the web API.
+When authenticating as an application (as opposed to with a user), you can't use *delegated permissions* because there is no user for your app to act on behalf of. You must use application permissions, also known as app roles, that are granted by an admin or by the API's owner.
 
 For more information about application permissions, see [Permissions and consent](v2-permissions-and-consent.md#permission-types).
 

articles/active-directory/develop/whats-new-docs.md

@@ -6,7 +6,7 @@ services: active-directory
 author: mmacy
 manager: CelesteDG
 
-ms.date: 01/03/2022
+ms.date: 02/01/2022
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
@@ -19,6 +19,37 @@ ms.custom: has-adal-ref
 
 Welcome to what's new in the Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
 
+## January 2022
+
+### New articles
+
+- [Access Azure AD protected resources from an app in Google Cloud (preview)](workload-identity-federation-create-trust-gcp.md)
+- [Quickstart: Acquire a token and call the Microsoft Graph API by using a console app's identity](console-app-quickstart.md)
+- [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](desktop-app-quickstart.md)
+- [Quickstart: Add sign-in with Microsoft to a web app](web-app-quickstart.md)
+- [Quickstart: Protect a web API with the Microsoft identity platform](web-api-quickstart.md)
+- [Quickstart: Sign in users and call the Microsoft Graph API from a mobile application](mobile-app-quickstart.md)
+
+### Updated articles
+
+- [Confidential client assertions](msal-net-client-assertions.md)
+- [Claims mapping policy type](reference-claims-mapping-policy-type.md)
+- [Configure an app to trust a GitHub repo (preview)](workload-identity-federation-create-trust-github.md)
+- [Configure an app to trust an external identity provider (preview)](workload-identity-federation-create-trust.md)
+- [Exchange a SAML token issued by AD FS for a Microsoft Graph access token](v2-saml-bearer-assertion.md)
+- [Logging in MSAL.js](msal-logging-js.md)
+- [Permissions and consent in the Microsoft identity platform](v2-permissions-and-consent.md)
+- [Quickstart: Acquire a token and call Microsoft Graph API from a Java console app using app's identity](quickstart-v2-java-daemon.md)
+- [Quickstart: Acquire a token and call Microsoft Graph API from a Python console app using app's identity](quickstart-v2-python-daemon.md)
+- [Quickstart: Add sign-in with Microsoft to a Java web app](quickstart-v2-java-webapp.md)
+- [Quickstart: Add sign-in with Microsoft to a Python web app](quickstart-v2-python-webapp.md)
+- [Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app](quickstart-v2-aspnet-core-webapp.md)
+- [Quickstart: ASP.NET web app that signs in Azure AD users](quickstart-v2-aspnet-webapp.md)
+- [Quickstart: Get a token and call the Microsoft Graph API by using a console app's identity](quickstart-v2-netcore-daemon.md)
+- [Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform](quickstart-v2-aspnet-core-web-api.md)
+- [Quickstart: Sign in users and call the Microsoft Graph API from an Android app](quickstart-v2-android.md)
+- [Quickstart: Sign in users and call the Microsoft Graph API from an iOS or macOS app](quickstart-v2-ios.md)
+
 ## December 2021
 
 ### New articles
@@ -50,21 +81,3 @@ Welcome to what's new in the Microsoft identity platform documentation. This art
 - [Token cache serialization in MSAL.NET](msal-net-token-cache-serialization.md)
 - [What's new for authentication?](reference-breaking-changes.md)
 
-## October 2021
-
-### New articles
-
-- [Configure an app to trust a GitHub repo (preview)](workload-identity-federation-create-trust-github.md)
-- [Configure an app to trust an external identity provider (preview)](workload-identity-federation-create-trust.md)
-- [Set up your application's Azure AD test environment](test-setup-environment.md)
-- [Throttling and service limits to consider for testing](test-throttle-service-limits.md)
-- [Workload identity federation (preview)](workload-identity-federation.md)
-
-### Updated articles
-
-- [Considerations for using Xamarin iOS with MSAL.NET](msal-net-xamarin-ios-considerations.md)
-- [Handle ITP in Safari and other browsers where third-party cookies are blocked](reference-third-party-cookies-spas.md)
-- [Initialize client applications using MSAL.js](msal-js-initializing-client-applications.md)
-- [Microsoft Graph API](microsoft-graph-intro.md)
-- [Microsoft identity platform and the OAuth 2.0 client credentials flow](v2-oauth2-client-creds-grant-flow.md)
-- [What's new for authentication?](reference-breaking-changes.md)

articles/active-directory/develop/workload-identity-federation-create-trust-github.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
 ms.workload: identity
-ms.date: 10/18/2021
+ms.date: 01/28/2022
 ms.author: ryanwi
 ms.custom: aaddev
 ms.reviewer: keyam, udayh, vakarand
@@ -44,7 +44,7 @@ In the **Federated credential scenario** drop-down box select **GitHub actions d
 
 Specify the **Organization** and **Repository** for your GitHub Actions workflow.  
 
-For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value.
+For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value. The values must exactly match the configuration in the [GitHub workflow](https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions#on).  For more info, read the [examples](#entity-type-examples).
 
 Add a **Name** for the federated credential.
 
@@ -60,6 +60,67 @@ Click **Add** to configure the federated credential.
 > [!IMPORTANT]
 > The **Organization**, **Repository**, and **Entity type** values must exactly match the configuration on the GitHub workflow configuration. Otherwise, Microsoft identity platform will look at the incoming external token and reject the exchange for an access token.  You won't get an error, the exchange fails without error.
 
+### Entity type examples
+
+#### Branch example
+
+For a workflow triggered by a push or pull request event on the main branch:
+
+```yml
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+```
+
+Specify an **Entity type** of **Branch** and a **GitHub branch name** of "main".
+
+#### Environment example
+
+For Jobs tied to an environment named "production":
+
+```yml
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  deployment:
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - name: deploy
+        # ...deployment-specific steps
+```
+
+Specify an **Entity type** of **Environment** and a **GitHub environment name** of "production".
+
+#### Tag example
+
+For example, for a workflow triggered by a push to the tag named "v2":
+
+```yml
+on:
+  push:
+    # Sequence of patterns matched against refs/heads
+    branches:    
+      - main
+      - 'mona/octocat'
+      - 'releases/**'
+    # Sequence of patterns matched against refs/tags
+    tags:        
+      - v2
+      - v1.*
+```
+
+Specify an **Entity type** of **Tag** and a **GitHub tag name** of "v2".
+
+#### Pull request example
+
+For a workflow triggered by a pull request event, specify an **Entity type** of **Pull request**.
+
 # [Microsoft Graph](#tab/microsoft-graph)
 Launch [Azure Cloud Shell](https://portal.azure.com/#cloudshell/) and sign in to your tenant.
 
@@ -145,6 +206,6 @@ az rest -m DELETE  -u 'https://graph.microsoft.com/beta/applications/f6475511-fd
 Before configuring your GitHub Actions workflow, get the *tenant-id* and *client-id* values of your app registration.  You can find these values in the Azure portal. Go to the list of [registered applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) and select your app registration.  In **Overview**->**Essentials**, find the **Application (client) ID** and **Directory (tenant) ID**. Set these values in your GitHub environment to use in the Azure login action for your workflow.  
 
 ## Next steps
-[Configure a GitHub Actions workflow](/azure/developer/github/connect-from-azure) to get an access token from Microsoft identity provider and access Azure resources.
+For an end-to-end example, read [Deploy to App Service using GitHub Actions](/azure/app-service/deploy-github-actions?tabs=openid).
 
 Read the [GitHub Actions documentation](https://docs.github.com/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure) to learn more about configuring your GitHub Actions workflow to get an access token from Microsoft identity provider and access Azure resources.