Merge branch 'master' into azure-vm-create-offer

Author: itechedit

.openpublishing.publish.config.json

@@ -29,7 +29,7 @@
     "[email protected]"
   ],
   "branches_to_filter": [],
-  "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/azure-docs",
+  "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/azure-docs",
   "git_repository_branch_open_to_public_contributors": "master",
   "skip_source_output_uploading": false,
   "need_preview_pull_request": true,
@@ -419,6 +419,11 @@
       "url": "https://github.com/Azure/azure-cosmos-dotnet-v2",
       "branch": "master"
     },
+    {
+      "path_to_root": "samples-cosmosdb-java-v4-web-app",
+      "url": "https://github.com/Azure-Samples/azure-cosmos-java-sql-api-todo-app",
+      "branch": "master"
+    },
     {
       "path_to_root": "samples-cosmosdb-dotnet-change-feed-processor",
       "url": "https://github.com/Azure-Samples/cosmos-dotnet-change-feed-processor",

.openpublishing.redirection.json

@@ -59,7 +59,8 @@
         "YAML"
     ],
     "cSpell.words": [
-        "auditd"
+        "auditd",
+        "covid"
     ],
     "git.ignoreLimitWarning": true
 }

.vscode/settings.json

@@ -6,6 +6,12 @@
 articles/**/policy-samples.md @DCtheGeek
 includes/policy/ @DCtheGeek
 
+# Azure Active Directory
+
+articles/active-directory-b2c/ @msmimart @yoelhor
+articles/active-directory/app-provisioning/ @CelesteDG
+articles/active-directory/manage-apps/ @CelesteDG
+
 # Cognitive Services
 articles/cognitive-services/ @diberry @erhopf @aahill @ievangelist @patrickfarley @nitinme
 

CODEOWNERS

@@ -226,7 +226,9 @@
     - name: Tokens and session management
       items:
       - name: Customize tokens
-        href: custom-policy-manage-sso-and-token-config.md
+        href: configure-tokens-custom-policy.md
+      - name: Configure session behavior
+        href: session-behavior-custom-policy.md
     - name: Pass through external IdP token
       href: idp-pass-through-custom.md
     - name: Adaptive experience

articles/active-directory-b2c/TOC.yml

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 04/16/2019
+ms.date: 05/12/2020
 ms.author: mimart
 ms.subservice: B2C
 
@@ -81,7 +81,7 @@ https://jwt.ms/?code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...
 After successfully receiving the authorization code, you can use it to request an access token:
 
 ```HTTP
-POST <tenant-name>.onmicrosoft.com/oauth2/v2.0/token?p=<policy-name> HTTP/1.1
+POST <tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token HTTP/1.1
 Host: <tenant-name>.b2clogin.com
 Content-Type: application/x-www-form-urlencoded
 

articles/active-directory-b2c/access-tokens.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 02/27/2020
+ms.date: 05/12/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -36,7 +36,7 @@ The resource owner password credentials (ROPC) flow is an OAuth standard authent
 
    You'll then see an endpoint such as this example:
 
-   `https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_ROPC_Auth`
+   `https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/v2.0/.well-known/openid-configuration`
 
 
 ## Register an application
@@ -46,11 +46,11 @@ The resource owner password credentials (ROPC) flow is an OAuth standard authent
 ## Test the user flow
 
 Use your favorite API development application to generate an API call, and review the response to debug your user flow. Construct a call like this with the information in the following table as the body of the POST request:
-- Replace *\<yourtenant.onmicrosoft.com>* with the name of your B2C tenant.
+- Replace *\<tenant-name>.onmicrosoft.com* with the name of your B2C tenant.
 - Replace *\<B2C_1A_ROPC_Auth>* with the full name of your resource owner password credentials policy.
 - Replace *\<bef2222d56-552f-4a5b-b90a-1988a7d634c3>* with the Application ID from your registration.
 
-`https://yourtenant.b2clogin.com/<yourtenant.onmicrosoft.com>/oauth2/v2.0/token?p=B2C_1_ROPC_Auth`
+`https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token`
 
 | Key | Value |
 | --- | ----- |
@@ -66,8 +66,8 @@ Use your favorite API development application to generate an API call, and revie
 The actual POST request looks like the following:
 
 ```
-POST /yourtenant.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_ROPC_Auth HTTP/1.1
-Host: yourtenant.b2clogin.com
+POST /<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token HTTP/1.1
+Host: <tenant-name>.b2clogin.com
 Content-Type: application/x-www-form-urlencoded
 
 username=leadiocl%40trashmail.ws&password=Passxword1&grant_type=password&scope=openid+bef22d56-552f-4a5b-b90a-1988a7d634ce+offline_access&client_id=bef22d56-552f-4a5b-b90a-1988a7d634ce&response_type=token+id_token
@@ -90,7 +90,7 @@ A successful response with offline-access looks like the following example:
 
 Construct a POST call like the one shown here with the information in the following table as the body of the request:
 
-`https://yourtenant.b2clogin.com/<yourtenant.onmicrosoft.com>/oauth2/v2.0/token?p=B2C_1_ROPC_Auth`
+`https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token`
 
 | Key | Value |
 | --- | ----- |

articles/active-directory-b2c/configure-ropc.md

@@ -0,0 +1,91 @@
+---
+title: Manage SSO and token customization using custom policies
+titleSuffix: Azure AD B2C
+description: Learn about managing SSO and token customization using custom policies in Azure Active Directory B2C.
+services: active-directory-b2c
+author: msmimart
+manager: celestedg
+
+ms.service: active-directory
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 05/07/2020
+ms.author: mimart
+ms.subservice: B2C
+---
+
+# Manage SSO and token customization using custom policies in Azure Active Directory B2C
+
+This article provides information about how you can manage your token, session, and single sign-on (SSO) configurations using [custom policies](custom-policy-overview.md) in Azure Active Directory B2C (Azure AD B2C).
+
+## JTW token lifetimes and claims configuration
+
+To change the settings on your token lifetimes, you add a [ClaimsProviders](claimsproviders.md) element in the relying party file of the policy you want to impact.  The **ClaimsProviders** element is a child of the [TrustFrameworkPolicy](trustframeworkpolicy.md) element.
+
+Insert the ClaimsProviders element between the BasePolicy element and the RelyingParty element of the relying party file.
+
+Inside, you'll need to put the information that affects your token lifetimes. The XML looks like this example:
+
+```XML
+<ClaimsProviders>
+  <ClaimsProvider>
+    <DisplayName>Token Issuer</DisplayName>
+    <TechnicalProfiles>
+      <TechnicalProfile Id="JwtIssuer">
+        <Metadata>
+          <Item Key="token_lifetime_secs">3600</Item>
+          <Item Key="id_token_lifetime_secs">3600</Item>
+          <Item Key="refresh_token_lifetime_secs">1209600</Item>
+          <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
+          <Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
+          <Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
+        </Metadata>
+      </TechnicalProfile>
+    </TechnicalProfiles>
+  </ClaimsProvider>
+</ClaimsProviders>
+```
+
+The following values are set in the previous example:
+
+- **Access token lifetimes** - The access token lifetime value is set with **token_lifetime_secs** metadata item. The default value is 3600 seconds (60 minutes).
+- **ID token lifetime** - The ID token lifetime value is set with the **id_token_lifetime_secs** metadata item. The default value is 3600 seconds (60 minutes).
+- **Refresh token lifetime** - The refresh token lifetime value is set with the **refresh_token_lifetime_secs** metadata item. The default value is 1209600 seconds (14 days).
+- **Refresh token sliding window lifetime** - If you would like to set a sliding window lifetime to your refresh token, set the value of **rolling_refresh_token_lifetime_secs** metadata item. The default value is 7776000 (90 days). If you don't want to enforce a sliding window lifetime, replace the item with `<Item Key="allow_infinite_rolling_refresh_token">True</Item>`.
+- **Issuer (iss) claim** - The Issuer (iss) claim is set with the **IssuanceClaimPattern** metadata item. The applicable values are `AuthorityAndTenantGuid` and `AuthorityWithTfp`.
+- **Setting claim representing policy ID** - The options for setting this value are `TFP` (trust framework policy) and `ACR` (authentication context reference). `TFP` is the recommended value. Set **AuthenticationContextReferenceClaimPattern** with the value of `None`.
+
+    In the **ClaimsSchema** element, add this element:
+
+    ```XML
+    <ClaimType Id="trustFrameworkPolicy">
+      <DisplayName>Trust framework policy name</DisplayName>
+      <DataType>string</DataType>
+    </ClaimType>
+    ```
+
+    In your **OutputClaims** element, add this element:
+
+    ```XML
+    <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
+    ```
+
+    For ACR, remove the **AuthenticationContextReferenceClaimPattern** item.
+
+- **Subject (sub) claim** - This option defaults to ObjectID, if you would like to switch this setting to `Not Supported`, replace this line:
+
+    ```XML
+    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
+    ```
+
+    with this line:
+
+    ```XML
+    <OutputClaim ClaimTypeReferenceId="sub" />
+    ```
+
+## Next steps
+
+- Learn more about [Azure AD B2C session](session-overview.md).
+- Learn how to [configure session behavior in custom policies](session-behavior-custom-policy.md).
+- Reference: [JwtIssuer](jwt-issuer-technical-profile.md).

articles/active-directory-b2c/configure-tokens-custom-policy.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 04/16/2019
+ms.date: 05/07/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -21,7 +21,7 @@ In this article, you learn how to configure the [lifetime and compatibility of a
 
 [Create a user flow](tutorial-create-user-flows.md) to enable users to sign up and sign in to your application.
 
-## Configure token lifetime
+## Configure JWT token lifetime
 
 You can configure the token lifetime on any user flow.
 
@@ -37,7 +37,7 @@ You can configure the token lifetime on any user flow.
 
 8. Click **Save**.
 
-## Configure token compatibility
+## Configure JWT token compatibility
 
 1. Select **User flows (policies)**.
 2. Open the user flow that you previously created.

articles/active-directory-b2c/configure-tokens.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/20/2020
+ms.date: 05/18/2020
 ms.author: mimart
 ms.subservice: B2C
 ms.custom: fasttrack-edit
@@ -19,8 +19,6 @@ ms.custom: fasttrack-edit
 
 In this article, you learn how to configure Azure Active Directory B2C (Azure AD B2C) to act as a Security Assertion Markup Language (SAML) identity provider (IdP) to your applications.
 
-[!INCLUDE [active-directory-b2c-public-preview](../../includes/active-directory-b2c-public-preview.md)]
-
 ## Scenario overview
 
 Organizations that use Azure AD B2C as their customer identity and access management solution might require interaction with identity providers or applications that are configured to authenticate using the SAML protocol.
@@ -367,7 +365,6 @@ The following SAML relying party (RP) scenarios are supported via your own metad
 * Multiple logout URLs or POST binding for logout URL in application/service principal object.
 * Specify signing key to verify RP requests in application/service principal object.
 * Specify token encryption key in application/service principal object.
-* Identity provider-initiated logins are not currently supported in the preview release.
 
 ## Next steps