Commit 20a05d6

Merge branch 'master' of https://github.com/microsoftdocs/azure-docs-pr into resiliancy
2 parents a965ab7 + 4755663 commit 20a05d6

298 files changed

+3632
-1289
lines changed

.github/workflows/stale.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,8 @@ jobs:
1919
close-pr-label: auto-close
2020
exempt-pr-labels: keep-open
2121
operations-per-run: 1200
22-
ascending: false
22+
ascending: true
23+
start-date: '2021-04-12'
2324
stale-pr-message: >
2425
This pull request has been inactive for at least 14 days.
2526
If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation) for instructions.
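
Review bot: `ascending: true` together with the new `start-date: '2021-04-12'` changes which pull requests the job reaches within `operations-per-run: 1200`, and neither line says why. Add a YAML comment giving the reason for the ascending order and for this particular date, since a hard-coded cutoff carries no hint of when it should be revisited or removed.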

.openpublishing.publish.config.json

Lines changed: 2 additions & 1 deletion
@@ -845,6 +845,7 @@
845845
"articles/purview/.openpublishing.redirection.purview.json",
846846
"articles/service-bus-messaging/.openpublishing.redirection.service-bus-messaging.json",
847847
"articles/stream-analytics/.openpublishing.redirection.stream-analytics.json",
848-
"articles/virtual-machines/.openpublishing.redirection.virtual-machines.json"
848+
"articles/virtual-machines/.openpublishing.redirection.virtual-machines.json",
849+
"articles/mysql/.openpublishing.redirection.mysql.json"
849850
]
850851
}
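
Review bot: the new `articles/mysql/.openpublishing.redirection.mysql.json` entry is appended after the `articles/virtual-machines/...` entry, which breaks the alphabetical order the visible entries follow (purview, service-bus-messaging, stream-analytics, virtual-machines). Insert it in sorted position instead; that also avoids rewriting the virtual-machines line only to add a trailing comma.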

articles/active-directory-b2c/configure-tokens.md

Lines changed: 6 additions & 1 deletion
@@ -8,7 +8,7 @@ manager: celestedg
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 09/15/2021
11+
ms.date: 10/08/2021
1212
ms.custom: project-no-code
1313
ms.author: mimart
1414
ms.subservice: B2C
@@ -58,6 +58,11 @@ To configure your user flow token lifetime:
5858
1. Under **Token lifetime**, adjust the properties to fit the needs of your application.
5959
1. Click **Save**.
6060

61+
62+
63+
:::image type="content" source="./media/configure-tokens/configure-tokens.png" alt-text="configure user flows tokens in Azure portal.":::
64+
65+
6166
::: zone-end
6267

6368
::: zone pivot="b2c-custom-policy"
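
Review bot: the alt text on the added image, "configure user flows tokens in Azure portal.", is a lower-case fragment that does not describe what the screenshot shows. Write it as a full sentence that names what is visible, for example the **Token lifetime** properties of the user flow. The hunk also adds two empty lines before the image and two after it (new lines 61-62 and 64-65); one on each side is enough.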

articles/active-directory-b2c/implicit-flow-single-page-application.md

Lines changed: 1 addition & 1 deletion
@@ -218,7 +218,7 @@ error=user_authentication_required
218218
If you receive this error in the iframe request, the user must interactively sign in again to retrieve a new token.
219219

220220
## Refresh tokens
221-
ID tokens and access tokens both expire after a short period of time. Your app must be prepared to refresh these tokens periodically. To refresh either type of token, perform the same hidden iframe request we used in an earlier example, by using the `prompt=none` parameter to control Azure AD steps. To receive a new `id_token` value, be sure to use `response_type=id_token` and `scope=openid`, and a `nonce` parameter.
221+
ID tokens and access tokens both expire after a short period of time. Your app must be prepared to refresh these tokens periodically. Implicit flows do not allow you to obtain a refresh token due to security reasons. To refresh either type of token, use the implicit flow in a hidden HTML iframe element. In the authorization request include the `prompt=none` parameter. To receive a new id_token value, be sure to use `response_type=id_token` and `scope=openid`, and a `nonce` parameter.
222222

223223
## Send a sign-out request
224224
When you want to sign the user out of the app, redirect the user to Azure AD to sign out. If you don't redirect the user, they might be able to reauthenticate to your app without entering their credentials again because they have a valid single sign-on session with Azure AD.
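
Review bot: in the rewritten "Refresh tokens" paragraph, `id_token` lost its code formatting ("To receive a new id_token value") while `response_type=id_token` in the same sentence keeps it; restore the backticks. "due to security reasons" is vague for a statement readers will rely on: say what the reason is or drop the clause ("for security reasons" is also the usual phrasing). The old wording pointed to "the same hidden iframe request we used in an earlier example"; the new text drops that pointer, so consider linking to that section so readers can still find the request format.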

articles/active-directory-b2c/microsoft-graph-operations.md

Lines changed: 2 additions & 1 deletion
@@ -9,7 +9,7 @@ manager: celestedg
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 06/22/2021
12+
ms.date: 10/08/2021
1313
ms.custom: project-no-code
1414
ms.author: mimart
1515
ms.subservice: B2C
@@ -134,6 +134,7 @@ The top-level resource for policy keys in the Microsoft Graph API is the [Truste
134134
## Application extension properties
135135

136136
- [List extension properties](/graph/api/application-list-extensionproperty)
137+
- [Delete extension property](/graph/api/application-delete-extensionproperty)
137138

138139
Azure AD B2C provides a directory that can hold 100 custom attributes per user. For user flows, these extension properties are [managed by using the Azure portal](user-flow-custom-attributes.md). For custom policies, Azure AD B2C creates the property for you, the first time the policy writes a value to the extension property.
139140
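
Review bot: the new "Delete extension property" link is listed with no caution, while the "Remove extension attribute" section added to user-flow-custom-attributes.md in this same commit says to set the value to null on every account before removing the attribute. Add a sentence or a cross-link under this list so a reader who lands here directly sees that prerequisite before calling the delete API.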

articles/active-directory-b2c/user-flow-custom-attributes.md

Lines changed: 36 additions & 6 deletions
@@ -8,7 +8,7 @@ manager: celestedg
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 09/20/2021
11+
ms.date: 10/08/2021
1212
ms.custom: project-no-code
1313
ms.author: mimart
1414
ms.subservice: B2C
@@ -44,7 +44,7 @@ Azure AD B2C allows you to extend the set of attributes stored on each user acco
4444
1. Provide a **Name** for the custom attribute (for example, "ShoeSize")
4545
1. Choose a **Data Type**. Only **String**, **Boolean**, and **Int** are available.
4646
1. Optionally, enter a **Description** for informational purposes.
47-
1. Click **Create**.
47+
1. Select **Create**.
4848

4949
The custom attribute is now available in the list of **User attributes** and for use in your user flows. A custom attribute is only created the first time it is used in any user flow, and not when you add it to the list of **User attributes**.
5050

@@ -54,9 +54,9 @@ The custom attribute is now available in the list of **User attributes** and for
5454

5555
1. In your Azure AD B2C tenant, select **User flows**.
5656
1. Select your policy (for example, "B2C_1_SignupSignin") to open it.
57-
1. Select **User attributes** and then select the custom attribute (for example, "ShoeSize"). Click **Save**.
57+
1. Select **User attributes** and then select the custom attribute (for example, "ShoeSize"). Select **Save**.
5858
1. Select **Application claims** and then select the custom attribute.
59-
1. Click **Save**.
59+
1. Select **Save**.
6060

6161
Once you've created a new user using a user flow, which uses the newly created custom attribute, the object can be queried in [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). Alternatively you can use the [Run user flow](./tutorial-create-user-flows.md) feature on the user flow to verify the customer experience. You should now see **ShoeSize** in the list of attributes collected during the sign-up journey, and see it in the token sent back to your application.
6262

@@ -68,7 +68,7 @@ Extension attributes can only be registered on an application object, even thoug
6868

6969
::: zone pivot="b2c-user-flow"
7070

71-
To get the application ID:
71+
### Get extensions app's application ID
7272

7373
1. Sign in to the [Azure portal](https://portal.azure.com).
7474
1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
@@ -82,7 +82,7 @@ To get the application ID:
8282

8383
::: zone pivot="b2c-custom-policy"
8484

85-
Get the application properties:
85+
### Get extensions app's application properties
8686

8787
1. Sign in to the [Azure portal](https://portal.azure.com).
8888
1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
@@ -185,6 +185,36 @@ Microsoft Graph API supports creating and updating a user with extension attribu
185185
"extension_831374b3bd5041bfaa54263ec9e050fc_loyaltyId": "212342"
186186
```
187187

188+
## Remove extension attribute
189+
190+
Unlike built-in attributes, extension/custom attributes can be removed. The extension attributes' values can also be removed.
191+
192+
> [!Important]
193+
> Before you remove the extension/custom attribute, for each account in the directory, set the extension attribute value to null. In this way you explicitly remove the extension attributes’s values. Then continue to remove the extension attribute itself. Extension/custom attribute is queryable using MS Graph API.
194+
195+
::: zone pivot="b2c-user-flow"
196+
197+
Use the following steps to remove extension/custom attribute from a user flow:
198+
199+
1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.
200+
2. Make sure you're using the directory that contains your Azure AD B2C tenant:
201+
1. Select the **Directories + subscriptions** icon in the portal toolbar.
202+
1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the Directory name list, and then select **Switch**
203+
1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
204+
1. Select **User attributes**, and then select the attribute you want to delete.
205+
1. Select **Delete**
206+
207+
::: zone-end
208+
209+
::: zone pivot="b2c-custom-policy"
210+
211+
To remove a custom attribute, use [MS Graph API](microsoft-graph-operations.md), and use the [Delete](/graph/api/application-delete-extensionproperty) command.
212+
213+
::: zone-end
214+
215+
216+
217+
188218
## Next steps
189219

190220
Follow the guidance for how to [add claims and customize user input using custom policies](configure-user-input.md). This sample uses a built-in claim 'city'. To use a custom attribute, replace 'city' with your own custom attributes.
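
Review bot: the `[!Important]` callout in the new "Remove extension attribute" section tells readers to set the value to null for each account first, but neither pivot shows how to do that, and its last sentence ("Extension/custom attribute is queryable using MS Graph API.") does not say what to query or why. Link to the Microsoft Graph create/update section earlier in this article, or spell the step out. Step 1 asks for the global administrator; if a less privileged role can delete a user attribute, name that role instead. Smaller fixes in the same hunk: "attributes’s values" should be "attribute's values", the steps ending in **Switch** and **Delete** have no closing period, the list mixes `1.` and `2.` numbering, and four empty lines (new lines 214-217) are added before "## Next steps".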

articles/active-directory/app-proxy/application-proxy-faq.yml

Lines changed: 14 additions & 2 deletions
@@ -55,7 +55,7 @@ sections:
5555
5656
To manually upgrade a connector:
5757
58-
- Download the latest version of the connector. (You will find it under Application Proxy on the Azure Portal. You can also find the link at [Azure AD Application Proxy: Version release history](./application-proxy-release-version-history.md).
58+
- Download the latest version of the connector. (You will find it under Application Proxy on the Azure portal. You can also find the link at [Azure AD Application Proxy: Version release history](./application-proxy-release-version-history.md).
5959
- The installer restarts the Azure AD Application Proxy Connector services. In some cases, a reboot of the server might be required if the installer cannot replace all files. Therefore we recommend closing all applications (i.e. Event Viewer) before you start the upgrade.
6060
- Run the installer. The upgrade process is quick and does not require providing any credentials and the connector will not be re-registered.
6161
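
Review bot: the edited bullet still has an unclosed parenthesis: "(You will find it under Application Proxy on the Azure portal." opens a parenthesis that is never closed, even after the link sentence. Since the line is already being touched for the "Azure portal" casing, close it or remove the opening parenthesis. In the next bullet, "(i.e. Event Viewer)" is given as an example, so "for example" fits better than "i.e.".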
@@ -158,7 +158,19 @@ sections:
158158
How do I change the landing page my application loads?
159159
answer: |
160160
From the Application Registrations page, you can change the homepage URL to the desired external URL of the landing page. The specified page will load when the application is launched from My Apps or the Office 365 Portal. For configuration steps, see [Set a custom home page for published apps by using Azure AD Application Proxy](application-proxy-configure-custom-home-page.md)
161-
161+
162+
- question: |
163+
Why do I get redirected to a truncated URL when I try to access my published application whenever the URL contains a "#" (hashtag) character?
164+
answer: |
165+
If Azure AD pre-authentication is configured, and the application URL contains a “#” character when you try to access the application for the first time, you get redirected to Azure AD (login.microsoftonline.com) for the authentication. Once you complete the authentication you get redirected to the URL part prior to the ”#” character and everything that comes after the “#“ seems to be ignored/ removed. For example if the URL is `https://www.contoso.com/#/home/index.html`, once the Azure AD authentication is done the user will be redirected to `https://www.contoso.com/`.
166+
This behavior is by design due to how the “#” character is handled by the browser.
167+
168+
Possible solutions/ alternatives:
169+
170+
- Setup a redirection from `https://www.contoso.com` to `https://contoso.com/#/home/index.html`. The user must first access `https://www.contoso.com`.
171+
- The URL used for the first access attempt must include the “#” character in encoded form (%23). The published server might not accept this.
172+
- Configure passthrough pre-authentication type (not recommended).
173+
162174
- question: |
163175
Can only IIS-based applications be published? What about web applications running on non-Windows web servers? Does the connector have to be installed on a server with IIS installed?
164176
answer: |
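
Review bot: the first suggested workaround redirects `https://www.contoso.com` to `https://contoso.com/#/home/index.html`, which drops the `www.` host used in the example URL a few lines above (`https://www.contoso.com/#/home/index.html`); use the same host in both places. The quotation marks around # are inconsistent (“#”, ”#” and “#“ all appear); use code formatting or straight quotes throughout. "This behavior is by design due to how the “#” character is handled by the browser" would be clearer if it said that the browser does not send the part of the URL after # (the fragment) to the server, so it cannot be preserved across the redirect to Azure AD. "Setup a redirection" should be "Set up a redirection", and "(not recommended)" on the passthrough option should say why: it turns off Azure AD pre-authentication for the application.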

articles/active-directory/develop/active-directory-saml-claims-customization.md

Lines changed: 2 additions & 1 deletion
@@ -53,8 +53,9 @@ From the **Choose name identifier format** dropdown, you can select one of the f
5353
|---------------|-------------|
5454
| **Default** | Microsoft identity platform will use the default source format. |
5555
| **Persistent** | Microsoft identity platform will use Persistent as the NameID format. |
56-
| **EmailAddress** | Microsoft identity platform will use EmailAddress as the NameID format. |
56+
| **Email address** | Microsoft identity platform will use EmailAddress as the NameID format. |
5757
| **Unspecified** | Microsoft identity platform will use Unspecified as the NameID format. |
58+
|**Windows domain qualified name**| Microsoft identity platform will use the WindowsDomainQualifiedName format.|
5859

5960
Transient NameID is also supported, but is not available in the dropdown and cannot be configured on Azure's side. To learn more about the NameIDPolicy attribute, see [Single Sign-On SAML protocol](single-sign-on-saml-protocol.md).
6061
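
Review bot: the new **Windows domain qualified name** row is written without spaces around the pipes and words its description differently ("will use the WindowsDomainQualifiedName format") from the other rows ("will use ... as the NameID format"); match the existing rows. The renamed **Email address** label now differs from the `EmailAddress` value in its own description. That is fine if the label mirrors the dropdown text, but then put the format names in code formatting so the label and the NameID value are clearly distinct.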

articles/active-directory/governance/entitlement-management-access-package-assignments.md

Lines changed: 31 additions & 2 deletions
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
1212
ms.devlang: na
1313
ms.topic: how-to
1414
ms.subservice: compliance
15-
ms.date: 04/12/2021
15+
ms.date: 10/05/2021
1616
ms.author: ajburnle
1717
ms.reviewer:
1818
ms.collection: M365-identity-device-management
@@ -70,7 +70,7 @@ $assignments = Get-MgEntitlementManagementAccessPackageAssignment -AccessPackage
7070
$assignments | ft Id,AssignmentState,TargetId,{$_.Target.DisplayName}
7171
```
7272

73-
## Directly assign a user
73+
## Directly assign a user
7474

7575
In some cases, you might want to directly assign specific users to an access package so that users don't have to go through the process of requesting the access package. To directly assign users, the access package must have a policy that allows administrator direct assignments.
7676

@@ -110,6 +110,35 @@ In some cases, you might want to directly assign specific users to an access pac
110110
> [!NOTE]
111111
> When assigning users to an access package, administrators will need to verify that the users are eligible for that access package based on the existing policy requirements. Otherwise, the users won't successfully be assigned to the access package. If the access package contains a policy that requires user requests to be approved, users can't be directly assigned to the package without necessary approval(s) from the designated approver(s).
112112
113+
## Directly assign any user (Preview)
114+
Azure AD Entitlement Management also allows you to directly assign external users to an access package to make collaborating with partners easier. To do this, the access package must have a policy that allows users not yet in your directory to request access.
115+
116+
**Prerequisite role:** Global administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager
117+
118+
1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.
119+
120+
1. In the left menu, click **Access packages** and then open the access package in which you want to add a user.
121+
122+
1. In the left menu, click **Assignments**.
123+
124+
1. Select **New assignment** to open **Add user to access package**.
125+
126+
1. In the **Select policy** list, select a policy that allows that is set to **For users not in your directory**
127+
128+
1. Select **Any user**. You’ll be able to specify which users you want to assign to this access package.
129+
![Assignments - Add any user to access package](./media/entitlement-management-access-package-assignments/assignments-add-any-user.png)
130+
131+
1. Enter the user’s **Name** (optional) and the user’s **Email address** (required).
132+
133+
> [!NOTE]
134+
> - The user you want to add must be within the scope of the policy. For example, if your policy is set to **Specific connected organizations**, the user’s email address must be from the domain(s) of the selected organization(s). If the user you are trying to add has an email address of jen@*foo.com* but the selected organization’s domain is *bar.com*, you won't be able to add that user to the access package.
135+
> - Similarly, if you set your policy to include **All configured connected organizations**, the user’s email address must be from one of your configured connected organizations. Otherwise, the user won't be added to the access package.
136+
> - If you wish to add any user to the access package, you'll need to ensure that you select **All users (All connected organizations + any external user)** when configuring your policy.
137+
138+
1. Set the date and time you want the selected users' assignment to start and end. If an end date is not provided, the policy's lifecycle settings will be used.
139+
1. Click **Add** to directly assign the selected users to the access package.
140+
1. After a few moments, click **Refresh** to see the users in the Assignments list.
141+
113142
## Directly assigning users programmatically
114143
### Assign a user to an access package with Microsoft Graph
115144
You can also directly assign a user to an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application with that application permission, can call the API to [create an accessPackageAssignmentRequest](/graph/api/accesspackageassignmentrequest-post?view=graph-rest-beta&preserve-view=true). In this request, the value of the `requestType` property should be `AdminAdd`, and the `accessPackageAssignment` property is a structure that contains the `targetId` of the user being assigned.
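
Review bot: step 5 of the new "Directly assign any user (Preview)" procedure is garbled: "select a policy that allows that is set to **For users not in your directory**" has a leftover "that allows" and no closing period. The `[!NOTE]` between the email step and the date step should be indented under its list item so the numbering does not restart. The steps use "click" (**Access packages**, **Assignments**, **Add**, **Refresh**) while this same commit changes "Click" to "Select" in user-flow-custom-attributes.md; pick one. The existing note just above this section says users can't be directly assigned without approval when the policy requires it; state whether that also holds for external users added through **Any user**, since this path adds people who are not yet in the directory.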
