Merge branch 'decouple-outputs' of https://github.com/mamccrea/azure-docs-pr into decouple-outputs

Author: mamccrea

.openpublishing.redirection.json

@@ -2,8 +2,9 @@
 
 # Horizontals
 
-## Azure Policy: Samples
+## Azure Policy: Samples and Compliance Controls
 articles/**/policy-samples.md @DCtheGeek
+articles/**/security-controls-policy.md @DCtheGeek
 includes/policy/ @DCtheGeek
 
 # Azure Active Directory
@@ -21,6 +22,11 @@ articles/chef/ @TomArcherMsft
 articles/jenkins/ @TomArcherMsft
 articles/terraform/ @TomArcherMsft
 
+# compute
+articles/virtual-machines/ @cynthn @mimckitt 
+articles/virtual-machine-scale-sets/ @ju-shim @mimckitt 
+articles/cloud-services/ @mimckitt 
+
 # Requires Internal Review
 articles/best-practices-availability-paired-regions.md @martinekuan @syntaxc4 @snoviking
 

CODEOWNERS

@@ -369,10 +369,14 @@
       href: partner-gallery.md
     - name: Arkose Labs
       href: partner-arkose-labs.md
+    - name: Experian
+      href: partner-experian.md
     - name: IDology
       href: partner-idology.md
     - name: itsme
       href: partner-itsme.md
+    - name: LexisNexis
+      href: partner-lexisnexis.md
     - name: Trusona
       href: partner-trusona.md
     - name: Twilio

articles/active-directory-b2c/TOC.yml

@@ -9,6 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
 ms.date: 05/12/2020
+ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
 

articles/active-directory-b2c/access-tokens.md

@@ -9,6 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
 ms.date: 05/25/2020
+ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
 ---

articles/active-directory-b2c/app-registrations-training-guide.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 12/04/2019
+ms.date: 07/17/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -85,24 +85,42 @@ For migrating Azure API Management APIs protected by Azure AD B2C, see the [Migr
 
 ## Microsoft Authentication Library (MSAL)
 
-### ValidateAuthority property
+### MSAL.NET ValidateAuthority property
 
-If you're using [MSAL.NET][msal-dotnet] v2 or earlier, set the **ValidateAuthority** property to `false` on client instantiation to allow redirects to *b2clogin.com*. This setting is not required for MSAL.NET v3 and above.
+If you're using [MSAL.NET][msal-dotnet] v2 or earlier, set the **ValidateAuthority** property to `false` on client instantiation to allow redirects to *b2clogin.com*. Setting this value to `false` is not required for MSAL.NET v3 and above.
 
 ```csharp
 ConfidentialClientApplication client = new ConfidentialClientApplication(...); // Can also be PublicClientApplication
 client.ValidateAuthority = false; // MSAL.NET v2 and earlier **ONLY**
 ```
 
-If you're using [MSAL for JavaScript][msal-js]:
+### MSAL for JavaScript validateAuthority property
+
+If you're using [MSAL for JavaScript][msal-js] v1.2.2 or earlier, set the **validateAuthority** property to `false`.
+
+```JavaScript
+// MSAL.js v1.2.2 and earlier
+this.clientApplication = new UserAgentApplication(
+  env.auth.clientId,
+  env.auth.loginAuthority,
+  this.authCallback.bind(this),
+  {
+    validateAuthority: false // Required in MSAL.js v1.2.2 and earlier **ONLY**
+  }
+);
+```
+
+If you set `validateAuthority: true` in MSAL.js 1.3.0+ (the default), you must also specify a valid token issuer with `knownAuthorities`:
 
 ```JavaScript
+// MSAL.js v1.3.0+
 this.clientApplication = new UserAgentApplication(
   env.auth.clientId,
   env.auth.loginAuthority,
   this.authCallback.bind(this),
   {
-    validateAuthority: false
+    validateAuthority: true, // Supported in MSAL.js v1.3.0+
+    knownAuthorities: ['tenant-name.b2clogin.com'] // Required if validateAuthority: true
   }
 );
 ```

articles/active-directory-b2c/b2clogin.md

@@ -350,6 +350,51 @@ To complete this tutorial using our [SAML Test Application][samltest]:
 
 Select **Login** and you should be presented with a user sign-in screen. Upon sign-in, a SAML assertion is issued back to the sample application.
 
+## Enable Encypted Assertions
+To Encrypt SAML Assertions sent back to the Service Provider, Azure AD B2C will use the Service providers public key certificate. The public key must exist in the SAML Metadata outlined in the above ["samlMetadataUrl"](#samlmetadataurl) as a KeyDescriptor with a use of 'Encryption'.
+
+The following is an example of the SAML metadata KeyDescriptor with a use set to Encryption:
+
+```xml
+<KeyDescriptor use="encryption">
+  <KeyInfo xmlns="https://www.w3.org/2000/09/xmldsig#">
+    <X509Data>
+      <X509Certificate>valid certificate</X509Certificate>
+    </X509Data>
+  </KeyInfo>
+</KeyDescriptor>
+```
+
+To enable Azure AD B2C to send encrypted assertions set the **WantsEncryptedAssertion** metadata item to true in the Relying Party Technical Profile as shown below;
+
+```xml
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<TrustFrameworkPolicy
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
+  PolicySchemaVersion="0.3.0.0"
+  TenantId="contoso.onmicrosoft.com"
+  PolicyId="B2C_1A_signup_signin_saml"
+  PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_signup_signin_saml">
+ ..
+ ..
+  <RelyingParty>
+    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
+    <TechnicalProfile Id="PolicyProfile">
+      <DisplayName>PolicyProfile</DisplayName>
+      <Protocol Name="SAML2"/>
+      <Metadata>
+          <Item Key="WantsEncryptedAssertions">true</Item>
+      </Metadata>
+     ..
+     ..
+     ..
+    </TechnicalProfile>
+  </RelyingParty>
+</TrustFrameworkPolicy>
+```
+
 ## Sample policy
 
 We provide a complete sample policy that you can use for testing with the SAML Test App.

articles/active-directory-b2c/connect-with-saml-service-providers.md

@@ -10,6 +10,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
 ms.date: 05/19/2020
+ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
 ---

articles/active-directory-b2c/custom-policy-developer-notes.md

@@ -10,6 +10,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
 ms.date: 02/28/2020
+ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -82,7 +83,7 @@ To register an application in your Azure AD B2C tenant, you can use the **App re
 
 Next, expose the API by adding a scope:
 
-1. Under **Manage**, select **Expose an API**.
+1. In the left menu, under **Manage**, select **Expose an API**.
 1. Select **Add a scope**, then select **Save and continue** to accept the default application ID URI.
 1. Enter the following values to create a scope that allows custom policy execution in your Azure AD B2C tenant:
     * **Scope name**: `user_impersonation`
@@ -105,13 +106,13 @@ Next, expose the API by adding a scope:
 
 Next, specify that the application should be treated as a public client:
 
-1. Under **Manage**, select **Authentication**.
+1. In the left menu, under **Manage**, select **Authentication**.
 1. Under **Advanced settings**, enable **Treat application as a public client** (select **Yes**). Ensure that **"allowPublicClient": true** is set in the application manifest. 
 1. Select **Save**.
 
 Now, grant permissions to the API scope you exposed earlier in the *IdentityExperienceFramework* registration:
 
-1. Under **Manage**, select **API permissions**.
+1. In the left menu, under **Manage**, select **API permissions**.
 1. Under **Configured permissions**, select **Add a permission**.
 1. Select the **My APIs** tab, then select the **IdentityExperienceFramework** application.
 1. Under **Permission**, select the **user_impersonation** scope that you defined earlier.

articles/active-directory-b2c/custom-policy-get-started.md

@@ -9,6 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
 ms.date: 11/30/2018
+ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
 ---