Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into eflow-diagnose-nw

Author: PatAltimore

.openpublishing.redirection.active-directory.json

@@ -55,6 +55,11 @@
       "redirect_url": "/azure/active-directory/authentication/how-to-mfa-registration-campaign",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/workload-identity-federation-create-trust-github.md",
+      "redirect_url":"/azure/active-directory/develop/workload-identity-federation-create-trust",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/develop/active-directory-v2-limitations.md",
       "redirect_url": "/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison",

articles/active-directory/authentication/howto-authentication-passwordless-security-key-windows.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 05/04/2022
+ms.date: 07/06/2022
 
 ms.author: justinha
 author: justinha
@@ -30,7 +30,7 @@ This document focuses on enabling FIDO2 security key based passwordless authenti
 | [Azure AD joined devices](../devices/concept-azure-ad-join.md) require Windows 10 version 1909 or higher | X |   |
 | [Hybrid Azure AD joined devices](../devices/concept-azure-ad-join-hybrid.md) require Windows 10 version 2004 or higher |   | X |
 | Fully patched Windows Server 2016/2019 Domain Controllers. |   | X |
-| [Azure AD Connect](../hybrid/how-to-connect-install-roadmap.md#install-azure-ad-connect) version 1.4.32.0 or later |   | X |
+| [Azure AD Hybrid Authentication Management module](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement/2.1.1.0) |   | X |
 | [Microsoft Endpoint Manager](/intune/fundamentals/what-is-intune) (Optional) | X | X |
 | Provisioning package (Optional) | X | X |
 | Group Policy (Optional) |   | X |

articles/active-directory/develop/TOC.yml

@@ -148,8 +148,6 @@
           href: workload-identity-federation.md
         - name: Trust an external identity provider (federation)
           href: workload-identity-federation-create-trust.md
-        - name: Configure an app to trust a GitHub repo
-          href: workload-identity-federation-create-trust-github.md
         - name: Access identity platform-protected resources from GCP
           href: workload-identity-federation-create-trust-gcp.md
         - name: Exchange AD FS SAML for Microsoft Graph access token

articles/active-directory/develop/includes/workload-identity-federation-apps-considerations.md

@@ -0,0 +1,42 @@
+---
+title: Workload identity federation for app considerations
+description: Important considerations and restrictions for creating a federated identity credential on an app. 
+services: active-directory
+author: rwike77
+manager: CelesteDG
+
+ms.service: active-directory
+ms.subservice: develop
+ms.workload: identity
+ms.topic: include
+ms.date: 07/29/2022
+ms.author: ryanwi
+ms.reviewer: shkhalid, udayh, vakarand
+ms.custom: aaddev
+---
+
+## Important considerations and restrictions
+
+Anyone with permissions to create an app registration and add a secret or certificate can add a federated identity credential.  If the **Users can register applications** switch in the [User Settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings) blade is set to **No**, however, you won't be able to create an app registration or configure the federated identity credential.  Find an admin to configure the federated identity credential on your behalf.  Anyone in the Application Administrator or Application Owner roles can do this.
+
+A maximum of 20 federated identity credentials can be added to an application.
+
+When you configure a federated identity credential, there are several important pieces of information to provide.
+
+*issuer* and *subject* are the key pieces of information needed to set up the trust relationship. The combination of `issuer` and `subject` must be unique on the app.  When the external software workload requests Microsoft identity platform to exchange the external token for an access token, the *issuer* and *subject* values of the federated identity credential are checked against the `issuer` and `subject` claims provided in the external token. If that validation check passes, Microsoft identity platform issues an access token to the external software workload.
+
+*issuer* is the URL of the external identity provider and must match the `issuer` claim of the external token being exchanged. Required. If the `issuer` claim has leading or trailing whitespace in the value, the token exchange is blocked. This field has a character limit of 600 characters.
+
+*subject* is the identifier of the external software workload and must match the `sub` (`subject`) claim of the external token being exchanged. *subject* has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. This field has a character limit of 600 characters.
+
+> [!IMPORTANT]
+> The *subject* setting values must exactly match the configuration on the GitHub workflow configuration.  Otherwise, Microsoft identity platform will look at the incoming external token and reject the exchange for an access token.  You won't get an error, the exchange fails without error.
+
+> [!IMPORTANT]
+> If you accidentally add the incorrect external workload information in the *subject* setting the federated identity credential is created successfully without error.  The error does not become apparent until the token exchange fails.
+
+*audiences* lists the audiences that can appear in the external token.  Required.  The recommended value is "api://AzureADTokenExchange". It says what Microsoft identity platform must accept in the `aud` claim in the incoming token.  This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you may need to create a new application registration in your IdP to serve as the audience of this token.  This field can only accept a single value and has a limit of 600 characters.
+
+*name* is the unique identifier for the federated identity credential. Required.  This field has a character limit of 120 characters and must be URL friendly. It is immutable once created. 
+
+*description* is the user-provided description of the federated identity credential.  Optional. The description is not validated or checked by Azure AD. This field has a limit of 600 characters.

articles/active-directory/develop/media/workload-identity-federation-create-trust-github/add-credential.png renamed to articles/active-directory/develop/media/workload-identity-federation-create-trust/add-credential.png

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
 ms.workload: identity
-ms.date: 01/06/2022
+ms.date: 07/18/2022
 ms.author: ryanwi
 ms.custom: aaddev
 ms.reviewer: udayh
@@ -59,9 +59,28 @@ The most important fields for creating the federated identity credential are:
 
 The following command configures a federated identity credential:
 
-```http
-az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/41be38fd-caac-4354-aa1e-1fdb20e43bfa/federatedIdentityCredentials' --body '{"name":"GcpFederation","issuer":"https://accounts.google.com","subject":"112633961854638529490","description":"Testing","audiences":["api://AzureADTokenExchange"]}'
+# [Azure CLI](#tab/azure-cli)
+
+```azurecli-interactive
+az ad app federated-credential create --id 41be38fd-caac-4354-aa1e-1fdb20e43bfa --parameters credential.json
+("credential.json" contains the following content)
+{
+    "name": "GcpFederation",
+    "issuer": "https://accounts.google.com",
+    "subject": "112633961854638529490",
+    "description": "Test GCP federation",
+    "audiences": [
+        "api://AzureADTokenExchange"
+    ]
+}
+```
+
+# [Azure PowerShell](#tab/azure-powershell)
+
+```azurepowershell-interactive
+New-AzADappfederatedidentitycredential -ApplicationObjectId $appObjectId -Audience api://AzureADTokenExchange -Issuer 'https://accounts.google.com' -name 'GcpFederation' -Subject '112633961854638529490'
 ```
+---
 
 For more information and examples, see [Create a federated identity credential](workload-identity-federation-create-trust.md).
 
@@ -96,7 +115,7 @@ async function getGoogleIDToken() {
 ```
 
 # [C#](#tab/csharp)
-Here’s an example in TypeScript of how to request an ID token from the Google metadata server:
+Here’s an example in C# of how to request an ID token from the Google metadata server:
 ```csharp
 private string getGoogleIdToken()
 {