Merge pull request #250819 from MicrosoftDocs/main

9/8/2023 PM Publish

Author: Taojunshen

articles/active-directory/authentication/concept-authentication-authenticator-app.md

@@ -26,7 +26,7 @@ To use the Authenticator app at a sign-in prompt rather than a username and pass
 
 > [!NOTE]
 > - Users don't have the option to register their mobile app when they enable SSPR. Instead, users can register their mobile app at [https://aka.ms/mfasetup](https://aka.ms/mfasetup) or as part of the combined security info registration at [https://aka.ms/setupsecurityinfo](https://aka.ms/setupsecurityinfo).
-> - The Authenticator app may not be supported on beta versions of iOS and Android.
+> - The Authenticator app may not be supported on beta versions of iOS and Android. In addition, starting October 20th, 2023 the authenticator app on Android will no longer support older verisons of the Android Company Portal. Android users with Company Portal versions below 2111 (5.0.5333.0) will not be able to re-register or register new instances of the authenticator app until they update their Company Portal application to a newer version.
 
 ## Passwordless sign-in
 

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -47,14 +47,14 @@ Now we'll walk through each step:
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-alt.png" alt-text="Screenshot of the Sign-in if FIDO2 is also enabled.":::
 
-1. Once the user selects certificate-based authentication, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](../../azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us).  
+1. Once the user selects certificate-based authentication, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) or [`https://t<tenant id>.certauth.login.microsoftonline.com`](`https://t<tenant id>.certauth.login.microsoftonline.com`) for Azure Global. For [Azure Government](../../azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us).  
 
    The endpoint performs TLS mutual authentication, and requests the client certificate as part of the TLS handshake. You'll see an entry for this request in the Sign-ins log.
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the Sign-ins log in Azure AD." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png":::
 
    >[!NOTE]
-   >The network administrator should allow access to the User sign-in page and certauth endpoint for the customer’s cloud environment. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.
+   >The network administrator should allow access to the User sign-in page and certauth endpoint *.certauth.login.microsoftonline.com for the customer’s cloud environment. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.
 
    Click the log entry to bring up **Activity Details** and click **Authentication Details**. You'll see an entry for the X.509 certificate.
 

articles/active-directory/develop/scenario-mobile-app-configuration.md

@@ -320,7 +320,7 @@ To register a scheme for your app:
 
    Here, `BundleId` uniquely identifies your device. For example, if `BundleId` is `yourcompany.xforms`, your URL scheme is `msauth.com.yourcompany.xforms`.
 
-    This URL scheme will become part of the redirect URI that uniquely identifies your app when it receives the broker's response. Make sure that the redirect URI in the format `msauth.(BundleId)://auth` is registered for your application in the [Azure portal](https://portal.azure.com).
+    This URL scheme will become part of the redirect URI that uniquely identifies your app when it receives the broker's response. Make sure that the redirect URI in the format `msauth.(BundleId)://auth` is registered for your application.
 
    ```xml
    <key>CFBundleURLTypes</key>

articles/active-directory/external-identities/redemption-experience.md

@@ -66,7 +66,7 @@ Sometimes the invited external guest user's email may conflict with an existing
 
 However, the following scenarios should continue to work:
 -	Redeeming an invitation through an invitation email redemption link using [SAML/WS-Fed IdP](./direct-federation.md), [Email One-Time Passcode](./one-time-passcode.md), and [Google Federation](./google-federation.md) accounts.
--	Signing back into an application after redemption process using [SAML/WS-Fed IdP](./direct-federation.md) and [Google Federation](./google-federation.md) accounts.
+-	Signing back into an application after redemption process using [SAML/WS-Fed IdP](./direct-federation.md), [Email One-Time Passcode](./one-time-passcode.md), and [Google Federation](./google-federation.md) accounts.
 
 To unblock users who can't redeem an invitation due to a conflicting [Contact object](/graph/api/resources/contact), follow these steps:
 1. Delete the conflicting Contact object.

articles/active-directory/fundamentals/how-to-customize-branding.md

@@ -1,6 +1,6 @@
 ---
 title: Add company branding to your organization's sign-in page
-description: Instructions about how to add your organization's branding to the sign-in experience.
+description: Instructions about how to add your organization's custom branding to the Azure AD sign-in experience.
 services: active-directory
 author: shlipsey3
 manager: amycolannino
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: how-to
-ms.date: 08/09/2023
+ms.date: 08/30/2023
 ms.author: sarahlipsey
 ms.reviewer: almars
 ---
@@ -23,8 +23,7 @@ The default sign-in experience is the global look and feel that applies across a
 > [!NOTE]
 > Instructions for how to manage the **'Stay signed in prompt?'** can be found in the **[Manage the 'Stay signed in?' prompt](how-to-manage-stay-signed-in-prompt.md)** article.
 
-
-## License requirements
+## Prerequisites
 
 Adding custom branding requires one of the following licenses:
 
@@ -48,18 +47,23 @@ The **Global Administrator** role is required to customize company branding.
 
 The branding elements are called out in the following example. Text descriptions are provided following the image.
 
-:::image type="content" source="media/how-to-customize-branding/company-branding-map.png" alt-text="Screenshot of the sign-in page, with each of the company branding elements highlighted." lightbox="media/how-to-customize-branding/company-branding-map-large.png":::
+:::image type="content" source="media/how-to-customize-branding/sign-in-page-map.png" alt-text="Screenshot of the sign-in page, with each of the company branding elements highlighted." lightbox="media/how-to-customize-branding/sign-in-page-map-expanded.png":::
 
 1. **Favicon**: Small icon that appears on the left side of the browser tab.
-1. **Header logo**: Space across the top of the web page, below the web browser navigation area.
+1. **Header**: Space across the top of the sign-in page, behind the header log.
+1. **Header logo**: Logo that appears in the upper-left corner of the sign-in page.
 1. **Background image**: The entire space behind the sign-in box.
 1. **Page background color**: The entire space behind the sign-in box.
-1. **Banner logo**: The logo that appears in the upper-left corner of the sign-in box.
+1. **Banner logo**: Logo that appears at the top of the sign-in box
+1. **Sign-in page title**: Larger text that appears below the banner logo.
+1. **Sign-in page description**: Text to describe the sign-in page.
 1. **Username hint and text**: The text that appears before a user enters their information.
-1. **Sign-in page text**: Text you can add below the username field.
 1. **Self-service password reset**: A link you can add below the sign-in page text for password resets.
+1. **Sign-in page text**: Text you can add below the username field.
+1. **Footer link: Privacy & Cookies**: Link you can add to the lower-right corner for privacy information.
+1. **Footer: Terms of Use**: Text in the lower-right corner of the page where you can add Terms of use information.
+1. **Footer**: Space across the bottom of the page for privacy and Terms of Use information.
 1. **Template**: The layout of the page and sign-in boxes.
-1. **Footer**: Text in the lower-right corner of the page where you can add Terms of use or privacy information.
 
 ### User experience
 
@@ -78,16 +82,19 @@ In the following examples, replace the contoso.com with your own tenant name, or
 - For my app portal `https://myapps.microsoft.com/?whr=contoso.com` 
 - Self-service password reset `https://passwordreset.microsoftonline.com/?whr=contoso.com`
 
-> [!NOTE]
-> To manage the settings of the 'Stay signed in?' prompt, go to **Azure AD** > **Users** > **User settings**.
+For B2B collaboration end-users who perform cross-tenant sign-ins, their home tenant branding appears, even if there isn't custom branding specified.
+
+In the following example, the company branding for Woodgrove Groceries appears on the left. The example on the right displays the default branding for the user's home tenant.
+
+![Comparison of the branded sign-in experience and the default sign-in experience](media/how-to-customize-branding/b2b-comparison.png)
 
 ## How to navigate the company branding process
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account for the directory.
+1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator for the directory.
 
-2. Go to **Azure Active Directory** > **Company branding** > **Customize**.
+2. Browse to **Azure Active Directory** > **Company branding** > **Customize**.
     - If you currently have a customized sign-in experience, the **Edit** button is available.
 
     ![Custom branding landing page with 'Company branding' highlighted in the side menu and 'Configure' button highlighted in the center of the page](media/how-to-customize-branding/customize-branding-getting-started.png)
@@ -156,13 +163,10 @@ If you haven't enabled the footer, go to the **Layout** section and select **Sho
 
     To begin a new paragraph, use the enter key twice. You can also change text formatting to include bold, italics, an underline, or clickable link. Use the following syntax to add formatting to text: 
 
-    > Hyperlink: `[text](link)` 
-        
-    > Bold: `**text**` or `__text__` 
-          
-    > Italics: `*text*` or `_text_` 
-          
-    > Underline: `++text++` 
+    - Hyperlink: `[text](link)` 
+    - Bold: `**text**` or `__text__`
+    - Italics: `*text*` or `_text_`
+    - Underline: `++text++` 
 
     > [!IMPORTANT]
     > Hyperlinks that are added to the sign-in page text render as text in native environments, such as desktop and mobile applications.