Commit 255fdb4

Merge pull request #261254 from MicrosoftDocs/main
12/14/2023 AM Publish
2 parents f6018a3 + 2b5f841 commit 255fdb4

86 files changed

+860
-790
lines changed


articles/active-directory-b2c/add-ropc-policy.md

Lines changed: 11 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -9,11 +9,13 @@ manager: CelesteDG
99
ms.service: active-directory
1010

1111
ms.topic: how-to
12-
ms.date: 12/16/2022
12+
ms.date: 12/16/2023
1313
ms.custom:
1414
ms.author: kengaderdus
1515
ms.subservice: B2C
1616
zone_pivot_groups: b2c-policy-type
17+
18+
#Customer intent: As a developer integrating Azure AD B2C into my application, I want to set up the resource owner password credentials flow, so that my application can exchange valid credentials for tokens and authenticate users.
1719
---
1820

1921
# Set up a resource owner password credentials flow in Azure Active Directory B2C
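Review bot: `ms.date: 12/16/2023` on the `+` line is two days after this commit's 12/14/2023 publish and out of step with the `12/13/2023` used by the other files in this PR; it looks like the old `12/16/2022` value with only the year bumped. Suggest `ms.date: 12/13/2023`.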
@@ -38,9 +40,9 @@ The following flows aren't supported:
3840
- **Server-to-server**: The identity protection system needs a reliable IP address gathered from the caller (the native client) as part of the interaction. In a server-side API call, only the server’s IP address is used. If a dynamic threshold of failed authentications is exceeded, the identity protection system may identify a repeated IP address as an attacker.
3941
- **Confidential client flow**: The application client ID is validated, but the application secret isn't validated.
4042

41-
When using the ROPC flow, consider the following:
43+
When using the ROPC flow, consider the following limitations:
4244

43-
- ROPC doesn’t work when there's any interruption to the authentication flow that needs user interaction. For example, when a password has expired or needs to be changed, [multifactor authentication](multi-factor-authentication.md) is required, or when more information needs to be collected during sign-in (for example, user consent).
45+
- ROPC doesn’t work when there's any interruption to the authentication flow that needs user interaction. For example, when a password expires or needs to be changed, [multifactor authentication](multi-factor-authentication.md) is required, or when more information needs to be collected during sign-in (for example, user consent).
4446
- ROPC supports local accounts only. Users can’t sign in with [federated identity providers](add-identity-provider.md) like Microsoft, Google+, Twitter, AD-FS, or Facebook.
4547
- [Session Management](session-behavior.md), including [keep me signed-in (KMSI)](session-behavior.md#enable-keep-me-signed-in-kmsi), isn't applicable.
4648

@@ -68,13 +70,14 @@ When using the ROPC flow, consider the following:
6870

6971
::: zone pivot="b2c-custom-policy"
7072

71-
## Pre-requisite
72-
If you've not done so, learn about custom policy starter pack in [Get started with custom policies in Active Directory B2C](tutorial-create-user-flows.md).
73+
## Prerequisite
74+
If you've not done so, learn how to use the custom policy starter pack in [Get started with custom policies in Active Directory B2C](tutorial-create-user-flows.md).
7375

7476
## Create a resource owner policy
7577

7678
1. Open the *TrustFrameworkExtensions.xml* file.
77-
2. If it doesn't exist already, add a **ClaimsSchema** element and its child elements as the first element under the **BuildingBlocks** element:
79+
80+
1. Under the **BuildingBlocks** element, locate the **ClaimsSchema** element, then add the following claims types:
7881

7982
```xml
8083
<ClaimsSchema>
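Review bot: the rewritten step ("locate the **ClaimsSchema** element, then add the following claims types") drops the guard the old wording had for a starter pack that has no **ClaimsSchema** yet, while the XML that follows still opens with a full `<ClaimsSchema>` wrapper; a reader who already has the element and pastes the block verbatim ends up with two `ClaimsSchema` elements under **BuildingBlocks**. Either keep the "If it doesn't exist already" clause or state that only the child elements go inside the existing `<ClaimsSchema>`. Also, "claims types" should read "claim types".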
@@ -372,12 +375,8 @@ A successful response looks like the following example:
372375

373376
* **Symptom** - You run the ROPC flow, and get the following message: *AADB2C90057: The provided application isn't configured to allow the 'OAuth' Implicit flow*.
374377
* **Possible causes** - The implicit flow isn't allowed for your application.
375-
* **Resolution**: When creating your [app registration](#register-an-application) in Azure AD B2C, you need to manually edit the application manifest and set the value of the `oauth2AllowImplicitFlow` property to `true`. After you configure the `oauth2AllowImplicitFlow` property, it can take a few minutes (typically no more than five) for the change to take affect.
378+
* **Resolution**: When creating your [app registration](#register-an-application) in Azure AD B2C, you need to manually edit the application manifest and set the value of the `oauth2AllowImplicitFlow` property to `true`. After you configure the `oauth2AllowImplicitFlow` property, it can take a few minutes (typically no more than five) for the change to take effect.
376379

377380
## Use a native SDK or App-Auth
378381

379-
Azure AD B2C meets OAuth 2.0 standards for public client resource owner password credentials and should be compatible with most client SDKs. For the latest information, see [Native App SDK for OAuth 2.0 and OpenID Connect implementing modern best practices](https://appauth.io/).
380-
381-
## Next steps
382-
383-
Download working samples that have been configured for use with Azure AD B2C from GitHub, [for Android](https://aka.ms/aadb2cappauthropc) and [for iOS](https://aka.ms/aadb2ciosappauthropc).
382+
Azure AD B2C meets OAuth 2.0 standards for public client resource owner password credentials and should be compatible with most client SDKs. For the latest information, see [Native App SDK for OAuth 2.0 and OpenID Connect implementing modern best practices](https://appauth.io/).
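Review bot: besides the "take affect" to "take effect" fix, this hunk deletes the whole "## Next steps" section with the Android (aka.ms/aadb2cappauthropc) and iOS (aka.ms/aadb2ciosappauthropc) sample links, and nothing in the commit message says why. If the samples are retired, a one-line note or a replacement link would help; otherwise the section should stay, since it was the only pointer to working ROPC client code for the native SDK / App-Auth case discussed directly above it.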

articles/active-directory-b2c/api-connectors-overview.md

Lines changed: 7 additions & 5 deletions
@@ -5,13 +5,15 @@ description: Use Microsoft Entra API connectors to customize and extend your use
55
ms.service: active-directory
66
ms.subservice: B2C
77
ms.topic: how-to
8-
ms.date: 12/16/2022
8+
ms.date: 12/13/2023
99

1010
ms.author: kengaderdus
1111
author: kengaderdus
1212
manager: CelesteDG
1313
ms.custom: "it-pro"
1414
zone_pivot_groups: b2c-policy-type
15+
16+
#Customer intent: As a developer or IT administrator, I want to use API connectors to integrate your sign-up user flows with REST APIs.
1517
---
1618

1719
# Use API connectors to customize and extend sign-up user flows and custom policies with external identity data sources
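Review bot: the new `#Customer intent` line mixes persons: "I want to use API connectors to integrate your sign-up user flows" should read "my sign-up user flows", matching the pattern of the other intent lines added in this PR.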
@@ -27,7 +29,7 @@ As a developer or IT administrator, you can use API connectors to integrate your
2729
- **Validate user input data**. Validate against malformed or invalid user data. For example, you can validate user-provided data against existing data in an external data store or list of permitted values. If invalid, you can ask a user to provide valid data or block the user from continuing the sign-up flow.
2830
- **Verify user identity**. Use an identity verification service or external identity data sources to add an extra level of security to account creation decisions.
2931
- **Integrate with a custom approval workflow**. Connect to a custom approval system for managing and limiting account creation.
30-
- **Augment tokens with attributes from external sources**. Enrich tokens with attributes about the user from sources that are external to Azure AD B2C such as cloud systems, custom user stores, custom permission systems, legacy identity services, and more.
32+
- **Augment tokens with attributes from external sources**. Enrich tokens with user attributes from sources that are external to Azure AD B2C such as cloud systems, custom user stores, custom permission systems, legacy identity services, and more.
3133
- **Overwrite user attributes**. Reformat or assign a value to an attribute collected from the user. For example, if a user enters the first name in all lowercase or all uppercase letters, you can format the name with only the first letter capitalized.
3234
- **Run custom business logic**. You can trigger downstream events in your cloud systems to send push notifications, update corporate databases, manage permissions, audit databases, and perform other custom actions.
3335

@@ -45,7 +47,7 @@ There are three places in a user flow where you can enable an API connector:
4547

4648
An API connector at this step in the sign-up process is invoked immediately after the user authenticates with an identity provider (like Google, Facebook, and Microsoft Entra ID). This step precedes the ***attribute collection page***, which is the form presented to the user to collect user attributes. This step isn't invoked if a user is registering with a local account. The following are examples of API connector scenarios you might enable at this step:
4749

48-
- Use the email or federated identity that the user provided to look up claims in an existing system. Return these claims from the existing system, pre-fill the attribute collection page, and make them available to return in the token.
50+
- Use the email or federated identity that the user provided to look up claims in an existing system. Return these claims from the existing system, prefill the attribute collection page, and make them available to return in the token.
4951
- Implement an allow or blocklist based on social identity.
5052

5153
### Before creating the user
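Review bot: minor, on the unchanged line "Implement an allow or blocklist based on social identity": "allowlist or blocklist" reads cleaner and names both lists consistently; since the neighbouring bullet is already being touched in this hunk, it is a cheap fix to fold in.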
@@ -243,7 +245,7 @@ If you reference a REST API technical profile directly from a user journey, the
243245

244246
Your REST API can be developed on any platform and written in any programing language, as long as it's secure and can send and receive claims in JSON format.
245247

246-
The request to your REST API service comes from Azure AD B2C servers. The REST API service must be published to a publicly accessible HTTPS endpoint. The REST API calls will arrive from an Azure data center IP address.
248+
The request to your REST API service comes from Azure AD B2C servers. The REST API service must be published to a publicly accessible HTTPS endpoint. The REST API call arrives from an Azure data center IP address.
247249

248250
You can use serverless cloud functions, like [HTTP triggers in Azure Functions](../azure-functions/functions-bindings-http-webhook-trigger.md) for ease of development.
249251

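Review bot: the wording change on the `+` line ("The REST API call arrives from an Azure data center IP address") is fine, but paired with the requirement that the endpoint be publicly reachable over HTTPS it can be read as an invitation to rely on source-IP filtering alone; a short pointer here to the "Secure your REST API services" article (secure-rest-api.md, already linked later in this file) would put the authentication guidance next to the statement. Also, the unchanged context line above has "programing language" for "programming language".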
@@ -269,7 +271,7 @@ See the following articles for examples of using a RESTful technical profile:
269271
- [Walkthrough: Add an API connector to a sign-up user flow](add-api-connector.md)
270272
- [Walkthrough: Add REST API claims exchanges to custom policies in Azure Active Directory B2C](add-api-connector-token-enrichment.md)
271273
- [Secure your REST API services](secure-rest-api.md)
272-
- [Reference: RESTful technical profile](restful-technical-profile.md)
274+
- [Call a REST API by using Azure Active Directory B2C custom policy](custom-policies-series-call-rest-api.md)
273275

274276
::: zone-end
275277

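Review bot: the `-`/`+` pair swaps the "Reference: RESTful technical profile" link for the "Call a REST API ..." walkthrough instead of adding the new link alongside it. The walkthrough fits the "examples" framing of this list, but if restful-technical-profile.md is not linked from elsewhere in the article, readers lose their only path to the reference page; consider keeping both.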
articles/active-directory-b2c/configure-user-input.md

Lines changed: 13 additions & 10 deletions
@@ -9,17 +9,20 @@ manager: CelesteDG
99
ms.service: active-directory
1010

1111
ms.topic: how-to
12-
ms.date: 12/28/2022
12+
ms.date: 12/13/2023
1313
ms.custom:
1414
ms.author: godonnell
1515
ms.subservice: B2C
1616
zone_pivot_groups: b2c-policy-type
17+
18+
#Customer intent: As a developer or IT administrator, I want to add a new attribute to the sign-up journey, customize it's input type, and define whether it's mandatory or optional.
19+
1720
---
1821
# Add user attributes and customize user input in Azure Active Directory B2C
1922

2023
[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
2124

22-
In this article, you collect a new attribute during your sign-up journey in Azure Active Directory B2C (Azure AD B2C). You'll obtain the users' city, configure it as a drop-down, and define whether it's required to be provided.
25+
In this article, you collect a new attribute, such as city, during your sign-up journey in Azure Active Directory B2C (Azure AD B2C). You obtain the users' city, configure it as a drop-down, and define whether it's required to be provided.
2326

2427
> [!IMPORTANT]
2528
> This sample uses the built-in claim 'city'. Instead, you can choose one of the supported [Azure AD B2C built-in attributes](user-profile-attributes.md) or a custom attribute. To use a custom attribute, [enable custom attributes](user-flow-custom-attributes.md). To use a different built-in or custom attribute, replace 'city' with the attribute of your choice, for example the built-in attribute *jobTitle* or a custom attribute like *extension_loyaltyId*.
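Review bot: the `#Customer intent` line on the `+` side has "customize it's input type"; it should be "its". Unrelated to this hunk's date change, but it is new text, so fix it before merge.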
@@ -42,11 +45,11 @@ In this article, you collect a new attribute during your sign-up journey in Azur
4245

4346
## Provide optional claims to your app
4447

45-
The application claims are values that are returned to the application. Update your user flow to contain the desired claims.
48+
The application claims are values that are returned to the application. Update your user flow to contain the desired claims:
4649

4750
1. Select your policy (for example, "B2C_1_SignupSignin") to open it.
4851
1. Select **Application claims**.
49-
1. Select attributes that you want send back to your application (for example, "City")..
52+
1. Select attributes that you want send back to your application (for example, "City").
5053
1. Select **Save**.
5154

5255
## Configure user attributes input type
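Review bot: the `+` line "Select attributes that you want send back to your application" removes the doubled period but keeps the missing "to": it should read "that you want to send back". The same wording is on the `-` line, so this is pre-existing, but the line is being touched anyway.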
@@ -72,10 +75,10 @@ To provide a set list of values for the city attribute:
7275
1. Select your policy (for example, "B2C_1_SignupSignin") to open it.
7376
1. On the **Languages** page for the user flow, select the language that you want to customize.
7477
1. Under **Page-level resources files**, select **Local account sign up page**.
75-
1. Select **Download defaults** (or **Download overrides** if you have previously edited this language).
78+
1. Select **Download defaults** (or **Download overrides** if you previously edited this language).
7679
1. Create a `LocalizedCollections` attribute.
7780

78-
The `LocalizedCollections` is an array of `Name` and `Value` pairs. The order for the items will be the order they are displayed.
81+
The `LocalizedCollections` is an array of `Name` and `Value` pairs. The order for the items is the order they are displayed.
7982

8083
* `ElementId` is the user attribute that this `LocalizedCollections` attribute is a response to.
8184
* `Name` is the value that's shown to the user.
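Review bot: the `+` line still reads "The `LocalizedCollections` is an array"; dropping the leading "The" (or writing "The `LocalizedCollections` attribute is an array") matches the list items that follow, which use `LocalizedCollections` as a bare identifier.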
@@ -123,15 +126,15 @@ The `LocalizedCollections` is an array of `Name` and `Value` pairs. The order fo
123126
1. Select your policy (for example, "B2C_1_SignupSignin") to open it.
124127
1. To test your policy, select **Run user flow**.
125128
1. For **Application**, select the web application named *testapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
126-
1. Click **Run user flow**
129+
1. Select **Run user flow**
127130

128131
::: zone-end
129132

130133
::: zone pivot="b2c-custom-policy"
131134

132135
## Overview
133136

134-
You can gather initial data from your users by using the sign-up or sign-in user journey. Additional claims can be gathered later by using a profile edit user journey. Anytime Azure AD B2C gathers information directly from the user interactively, it uses the [self-asserted technical profile](self-asserted-technical-profile.md). In this sample, you:
137+
You can gather initial data from your users by using the sign-up or sign-in user journey. You can gather more claims later by using a profile edit user journey. Anytime Azure AD B2C gathers information directly from the user interactively, it uses the [self-asserted technical profile](self-asserted-technical-profile.md). In this sample, you:
135138

136139
1. Define a "city" claim.
137140
1. Ask the user for their city.
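Review bot: "1. Select **Run user flow**" on the `+` line is missing its trailing period, unlike the three steps above it; the "Click" to "Select" change is the right style fix, just finish the sentence.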
@@ -336,7 +339,7 @@ To return the city claim back to the relying party application, add an output cl
336339
1. Select your relying party policy, for example `B2C_1A_signup_signin`.
337340
1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
338341
1. Select the **Run now** button.
339-
1. From the sign-up or sign-in page, select **Sign up now** to sign up. Finish entering the user information including the city name, and then click **Create**. You should see the contents of the token that was returned.
342+
1. From the sign-up or sign-in page, select **Sign up now** to sign up. Finish entering the user information including the city name, and then select **Create**. You should see the contents of the token that was returned.
340343

341344
::: zone-end
342345

@@ -442,4 +445,4 @@ After you add the localization element, [edit the content definition with the lo
442445
- [Customize the user interface with HTML templates in Azure Active Directory B2C](customize-ui-with-html.md).
443446
- [Enable JavaScript](javascript-and-page-layout.md).
444447

445-
::: zone-end
448+
::: zone-end

articles/active-directory-b2c/custom-policies-series-collect-user-input.md

Lines changed: 3 additions & 3 deletions
@@ -10,7 +10,7 @@ ms.service: active-directory
1010

1111
ms.topic: how-to
1212
ms.custom: b2c-docs-improvements
13-
ms.date: 11/06/2023
13+
ms.date: 12/13/2023
1414
ms.author: kengaderdus
1515
ms.reviewer: yoelh
1616
ms.subservice: B2C
@@ -467,12 +467,12 @@ After you complete [step 6](#step-6---update-relying-party), the `ContosoCustomP
467467
```
468468
If you haven't already done so, replace `yourtenant` with the subdomain part of your tenant name, such as `contoso`. Learn how to [Get your tenant name](tenant-management-read-tenant-name.md#get-your-tenant-name).
469469

470-
## Step 3 - Upload custom policy file
470+
## Step 7 - Upload custom policy file
471471

472472
Follow the steps in [Upload custom policy file](custom-policies-series-hello-world.md#step-3---upload-custom-policy-file). If you're uploading a file with same name as the one already in the portal, make sure you select **Overwrite the custom policy if it already exists**.
473473

474474

475-
## Step 4 - Test the custom policy
475+
## Step 8 - Test the custom policy
476476

477477
1. Under **Custom policies**, select **B2C_1A_CONTOSOCUSTOMPOLICY**.
478478
1. For **Select application** on the overview page of the custom policy, select the web application such as *webapp1* that you previously registered. Make sure that the **Select reply URL** value is set to`https://jwt.ms`.
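Review bot: the Step 3 to Step 7 and Step 4 to Step 8 renumbering is consistent with the "After you complete [step 6]" context at the top of the hunk. While here: the unchanged line "If you're uploading a file with same name" is missing "the" ("with the same name"), and "set to`https://jwt.ms`" on the last context line is missing the space before the backtick.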

articles/active-directory-b2c/customize-ui.md

Lines changed: 8 additions & 6 deletions
@@ -9,11 +9,13 @@ manager: CelesteDG
99
ms.service: active-directory
1010

1111
ms.topic: how-to
12-
ms.date: 12/16/2022
12+
ms.date: 12/13/2023
1313
ms.custom: "b2c-support"
1414
ms.author: kengaderdus
1515
ms.subservice: B2C
1616
zone_pivot_groups: b2c-policy-type
17+
18+
#Customer intent: As a developer, I want to customize the user interface of my application, so that I can provide a seamless and branded user experience for sign-up, sign-in, profile editing, and password resetting.
1719
---
1820

1921
# Customize the user interface in Azure Active Directory B2C
@@ -38,27 +40,27 @@ Azure AD B2C provide several built-in templates you can choose from to give your
3840
3941
### Ocean Blue
4042

41-
Example of the Ocean Blue template rendered on sign up and sign in page:
43+
Example of the Ocean Blue template rendered on sign-up and sign-in page:
4244

4345
![Ocean Blue template screenshot](media/customize-ui/template-ocean-blue.png)
4446

4547
### Slate Gray
4648

47-
Example of the Slate Gray template rendered on sign up sign in page:
49+
Example of the Slate Gray template rendered on sign-up sign-in page:
4850

4951
![Slate Gray template screenshot](media/customize-ui/template-slate-gray.png)
5052

5153
### Classic
5254

53-
Example of the Classic template rendered on sign up sign in page:
55+
Example of the Classic template rendered on sign-up sign-in page:
5456

5557
![Classic template screenshot](media/customize-ui/template-classic.png)
5658

5759
### Company branding
5860

5961
You can customize your Azure AD B2C pages with a banner logo, background image, and background color by using Microsoft Entra ID [Company branding](../active-directory/fundamentals/how-to-customize-branding.md). The company branding includes signing up, signing in, profile editing, and password resetting.
6062

61-
The following example shows a *Sign up and sign in* page with a custom logo, background image, using Ocean Blue template:
63+
The following example shows a *Sign-up and sign-in* page with a custom logo, background image, using Ocean Blue template:
6264

6365
![Branded sign-up/sign-in page served by Azure AD B2C](media/customize-ui/template-ocean-blue-branded.png)
6466

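Review bot: the hyphenation fix is applied unevenly: the Ocean Blue line reads "sign-up and sign-in page", but the Slate Gray and Classic `+` lines read "sign-up sign-in page", still missing "and". The last `+` line, "a custom logo, background image, using Ocean Blue template", would read better as "a custom logo and background image, using the Ocean Blue template". And the hunk header's context, "Azure AD B2C provide several built-in templates", needs "provides".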
@@ -296,4 +298,4 @@ To rearrange the input fields on the sign-up page for local accounts form, follo
296298

297299
## Next steps
298300

299-
Find more information about how you can customize the user interface of your applications in [Customize the user interface of your application in Azure Active Directory B2C](customize-ui-with-html.md).
301+
Find more information about how you can customize the user interface of your applications in [Customize the user interface of your application in Azure Active Directory B2C](customize-ui-with-html.md).
