Merge pull request #239464 from MicrosoftDocs/main

5/26 PM Publish

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -1,5 +1,15 @@
 {
   "redirections": [
+    {
+      "source_path_from_root": "/articles/active-directory/develop/active-directory-schema-extensions.md",
+      "redirect_url": "/azure/active-directory/develop/schema-extensions",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/active-directory-optional-claims.md",
+      "redirect_url": "/azure/active-directory/develop/optional-claims",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/develop/active-directory-jwt-claims-customization.md",
       "redirect_url": "/azure/active-directory/develop/jwt-claims-customization",

articles/active-directory/app-provisioning/on-premises-custom-connector.md

@@ -25,11 +25,18 @@ Azure AD supports preintegrated connectors for applications that support the fol
 > - [REST](on-premises-ldap-connector-configure.md)
 > - [SOAP](on-premises-ldap-connector-configure.md)
 
-For connectivity to applications that don't support the aforementioned protocols and standards, customers and [partners](https://social.technet.microsoft.com/wiki/contents/articles/1589.fim-2010-mim-2016-management-agents-from-partners.aspx) have built custom [ECMA 2.0](https://learn.microsoft.com/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)) connectors for Microsoft Identity Manager (MIM) 2016. You can now use those ECMA 2.0 connectors with the lightweight Azure AD provisioning agent, without needing MIM sync deployed.  
+For connectivity to applications that don't support the aforementioned protocols and standards, customers and [partners](https://social.technet.microsoft.com/wiki/contents/articles/1589.fim-2010-mim-2016-management-agents-from-partners.aspx) have built custom [ECMA 2.0](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)) connectors for Microsoft Identity Manager (MIM) 2016. You can now use those ECMA 2.0 connectors with the lightweight Azure AD provisioning agent, without needing MIM sync deployed.  \
+
+
+
+## Exporting and importing a MIM connector
+If you've got a customer connector in MIM, you can export it by following the instructions [here](on-premises-migrate-microsoft-identity-manager.md#export-a-connector-configuration-from-mim-sync).  You need to save the XML file, the DLL, and related software for your connector.
+
+To import your connector, you can use the instructions [here](on-premises-migrate-microsoft-identity-manager.md#import-a-connector-configuration).  You will need to copy the DLL for your connector, and any of its prerequisite DLLs, to that same ECMA subdirectory of the Service directory.  After the xml has been imported, continue through the wizard and ensure that all the required fields are populated.
 
 ## Limitations 
 
-Custom connectors built for MIM rely on the [ECMA framework](https://learn.microsoft.com/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)). The following table includes capabilities of the ECMA framework that are either partially supported or not supported by the Azure AD provisioning agent. For a list of known limitations for the Azure AD provisioning service and on-premises application provisioning, see [here](https://learn.microsoft.com/azure/active-directory/app-provisioning/known-issues?pivots=app-provisioning#on-premises-application-provisioning).  
+Custom connectors built for MIM rely on the [ECMA framework](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)). The following table includes capabilities of the ECMA framework that are either partially supported or not supported by the Azure AD provisioning agent. For a list of known limitations for the Azure AD provisioning service and on-premises application provisioning, see [here](known-issues.md#on-premises-application-provisioning).  
 
 
 | **Capability / feature**   | **Support**   | **Comments**   | 

articles/active-directory/develop/TOC.yml

@@ -84,7 +84,7 @@
           href: custom-extension-overview.md
         - name: Custom claims provider
           href: custom-claims-provider-overview.md
-    - name: Security best practices
+    - name: Security
       displayName: least privilege, secure app configuration, conditional access
       items:
         - name: Application security
@@ -93,8 +93,22 @@
           href: secure-least-privileged-access.md
         - name: Secure access control using groups
           href: secure-group-access-control.md
-        - name: Validate claims
-          href: claims-validation.md
+        - name: Tokens and claims
+          items:
+            - name: Tokens and claims overview
+              href: security-tokens.md
+            - name: Access tokens
+              href: access-tokens.md
+            - name: Directory extension attributes
+              href: schema-extensions.md
+            - name: ID tokens
+              href: id-tokens.md
+            - name: Refresh tokens
+              href: refresh-tokens.md
+            - name: Token lifetime
+              href: configurable-token-lifetimes.md
+            - name: Validate claims
+              href: claims-validation.md
         - name: Zero Trust
           href: zero-trust-for-developers.md
     - name: Identity platform best practices
@@ -439,7 +453,7 @@
         - name: Customize tokens and claims
           items:
             - name: Configure optional claims
-              href: active-directory-optional-claims.md
+              href: optional-claims.md
             - name: Configure role claim
               href: active-directory-enterprise-app-role-management.md
             - name: Customize JWT claims
@@ -448,8 +462,7 @@
               href: saml-claims-customization.md
             - name: Set an access token lifetime policy
               href: configure-token-lifetimes.md
-            - name: Directory extension attributes
-              href: active-directory-schema-extensions.md
+            
             - name: SAML app multi-instancing
               displayName: Configure SAML app multi-instancing for an application
               href: reference-app-multi-instancing.md
@@ -799,17 +812,6 @@
                   href: v2-oauth-ropc.md
                 - name: OpenID Connect
                   href: v2-protocols-oidc.md
-            - name: Security tokens
-              displayName: bearer, ID token, access token
-              items:
-                - name: Access tokens
-                  href: access-tokens.md
-                - name: ID tokens
-                  href: id-tokens.md
-                - name: Refresh tokens
-                  href: refresh-tokens.md
-                - name: Token lifetime
-                  href: configurable-token-lifetimes.md
             - name: OAuth 2.0 application types
               displayName: App types, OAuth
               href: v2-app-types.md

articles/active-directory/develop/access-tokens.md

@@ -11,7 +11,7 @@ ms.workload: identity
 ms.topic: conceptual
 ms.date: 03/29/2023
 ms.author: davidmu
-ms.custom: aaddev, identityplatformtop40, fasttrack-edit, curation-claims
+ms.custom: aaddev, curation-claims
 ---
 
 # Microsoft identity platform access tokens
@@ -114,6 +114,7 @@ The Microsoft identity platform uses some claims to help secure tokens for reuse
 | `uti` | String | Token identifier claim, equivalent to `jti` in the JWT specification. Unique, per-token identifier that is case-sensitive. | |
 | `rh` | Opaque String | An internal claim used by Azure to revalidate tokens. Resources shouldn't use this claim. | |
 | `ver` | String, either `1.0` or `2.0` | Indicates the version of the access token. | |
+| `xms_cc` | JSON array of strings | Indicates whether the client application that acquired the token is capable of handling claims challenges. This claim is commonly used in Conditional Access and Continuous Access Evaluation scenarios. The resource server that the token is issued for controls the presence of the claim in it. For example, a service application. For more information, see [Claims challenges, claims requests and client capabilities](claims-challenge.md?tabs=dotnet). Resource servers should check this claim in access tokens received from client applications. If this claim is present, resource servers can respond back with a claims challenge. The claims challenge requests more claims in a new access token to authorize access to a protected resource. |
 
 #### Groups overage claim