Syncing with main. Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into work-desktop-mar23

Author: Heidilohr

.openpublishing.redirection.defender-for-cloud.json

@@ -809,6 +809,11 @@
             "source_path_from_root": "/articles/defender-for-cloud/faq-azure-monitor-logs.yml",
             "redirect_url": "/azure/defender-for-cloud/faq-data-collection-agents",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/defender-for-storage-exclude.md",
+            "redirect_url": "/azure/defender-for-cloud/defender-for-storage-classic-enable#exclude-a-storage-account-from-a-protected-subscription-in-the-per-transaction-plan",
+            "redirect_document_id": true
         }
     ]
 }

.openpublishing.redirection.json

@@ -1,5 +1,15 @@
 {
     "redirections": [
+    {
+      "source_path": "articles/storage/queues/storage-ruby-how-to-use-queue-storage.md",
+      "redirect_url": "/previous-versions/azure/storage/queues/storage-ruby-how-to-use-queue-storage",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/storage/queues/storage-php-how-to-use-queues.md",
+      "redirect_url": "/previous-versions/azure/storage/queues/storage-php-how-to-use-queues",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/storage/tables/table-storage-design-encrypt-data.md",
       "redirect_url": "/previous-versions/azure/storage/tables/table-storage-design-encrypt-data",
@@ -22031,6 +22041,16 @@
             "redirect_url": "/azure/active-directory/develop/zero-trust-for-developers",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/web-app-quickstart-portal-node-js-passport.md",
+            "redirect_url": "/azure/active-directory/develop/web-app-quickstart?pivots=devlang-nodejs-msal",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/quickstart-v2-nodejs-webapp.md",
+            "redirect_url": "/azure/active-directory/develop/web-app-quickstart?pivots=devlang-nodejs-msal",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/networking/azure-orbital-overview.md",
             "redirect_url": "/azure/orbital/overview",

articles/active-directory/app-provisioning/how-provisioning-works.md

@@ -74,8 +74,12 @@ You can use scoping filters to define attribute-based rules that determine which
 
 ### B2B (guest) users
 
-It's possible to use the Azure AD user provisioning service to provision B2B (guest) users in Azure AD to SaaS applications. 
-However, for B2B users to sign in to the SaaS application using Azure AD, the SaaS application must have its SAML-based single sign-on capability configured in a specific way. For more information on how to configure SaaS applications to support sign-ins from B2B users, see [Configure SaaS apps for B2B collaboration](../external-identities/configure-saas-apps.md).
+It's possible to use the Azure AD user provisioning service to provision B2B (guest) users in Azure AD to SaaS applications. However, for B2B users to sign in to the SaaS application using Azure AD, you must manually configure the SaaS application to use Azure AD as a Security Assertion Markup Language (SAML) identity provider. 
+
+Follow these general guidelines when configuring SaaS apps for B2B (guest) users:  
+- For most of the apps, user setup needs to happen manually. Users must be created manually in the app as well.
+- For apps that support automatic setup, such as Dropbox, separate invitations are created from the apps. Users must be sure to accept each invitation.
+- In the user attributes, to mitigate any issues with mangled user profile disk (UPD) in guest users, always set the user identifier to **user.mail**.
 
 > [!NOTE]
 > The userPrincipalName for a B2B user represents the external user's email address alias@theirdomain as "alias_theirdomain#EXT#@yourdomain". When the userPrincipalName attribute is included in your attribute mappings as a source attribute, and a B2B user is being provisioned, the #EXT# and your domain is stripped from the userPrincipalName, so only their original alias@theirdomain is used for matching or provisioning. If you require the full user principal name including #EXT# and your domain to be present, replace userPrincipalName with originalUserPrincipalName as the source attribute. <br />

articles/active-directory/develop/active-directory-optional-claims.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: include
 ms.workload: identity
-ms.date: 01/10/2022
+ms.date: 03/28/2023
 ms.author: owenrichards
 ms.reviewer: jmprieur
 ms.custom: aaddev, identityplatformtop40, devx-track-python, "scenarios:getting-started", "languages:Python", mode-other
@@ -74,7 +74,7 @@ If you try to run the application at this point, you'll receive *HTTP 403 - Forb
 
 ##### Global tenant administrator
 
-If you are a global tenant administrator, go to **API Permissions** page in **App registrations** in the Azure portal and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory).
+If you're a global tenant administrator, go to **API Permissions** page in **App registrations** in the Azure portal and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory).
 
 
 ##### Standard user
@@ -87,8 +87,7 @@ https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_i
 
 Where:
  * `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant Id** or **Tenant name** (for example, contoso.microsoft.com)
- * `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered.
-
+ * `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered previously.
 
 
 #### Step 5: Run the application

articles/active-directory/develop/includes/console-app/quickstart-python.md

@@ -28,8 +28,6 @@ landingContent:
             url: web-app-quickstart.md?pivots=devlang-java
           - text: Node.js with MSAL
             url: web-app-quickstart.md?pivots=devlang-nodejs-msal
-          - text: Node.js with Passport
-            url: web-app-quickstart.md?pivots=devlang-nodejs-passport
           - text: Python
             url: web-app-quickstart.md?pivots=devlang-python
   - title: "Learn by building"

articles/active-directory/develop/index-web-app.yml

@@ -84,6 +84,9 @@ If you're following along with the web API scenario described in this set of art
 - **User consent description**: _Accesses the TodoListService web API as a user_
 - **State**: _Enabled_
 
+> [!TIP] 
+> For the **Application ID URI**, you have the option to set it to the physical authority of the API, for example `https://graph.microsoft.com`. This can be useful if the URL of the API that needs to be called is known.
+
 ### If your web API is called by a service or daemon app
 
 Expose _application permissions_ instead of delegated permissions if your API should be accessed by daemons, services, or other non-interactive (by a human) applications. Because daemon- and service-type applications run unattended and authenticate with their own identity, there is no user to "delegate" their permission.