MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/whats-new-docs.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/whats-new-docs.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/authentication/concept-mfa-licensing.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/authentication/concept-mfa-licensing.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md
Lines changed: 30 additions & 32 deletions b/‎articles/active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md
Lines changed: 30 additions & 32 deletions
diff --git a/‎articles/active-directory/develop/media/howto-add-app-roles-in-azure-ad-apps/app-roles-overview-pane.png
-80.5 KB b/‎articles/active-directory/develop/media/howto-add-app-roles-in-azure-ad-apps/app-roles-overview-pane.png
-80.5 KB
diff --git a/‎articles/active-directory/devices/manage-stale-devices.md
Lines changed: 4 additions & 4 deletions b/‎articles/active-directory/devices/manage-stale-devices.md
Lines changed: 4 additions & 4 deletions
@@ -1,7 +1,7 @@
 ---
 title: "What's new in Azure Active Directory business-to-customer (B2C)"
 description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)."
-ms.date: 05/04/2021
+ms.date: 06/04/2021
 ms.service: active-directory
 ms.subservice: B2C
 ms.topic: reference
 
@@ -31,7 +31,7 @@ Azure AD Multi-Factor Authentication can be used, and licensed, in a few differe
 | Azure AD Premium P1 | You can use [Azure AD Conditional Access](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements. |
 | Azure AD Premium P2 | Provides the strongest security position and improved user experience. Adds [risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts. |
 | All Microsoft 365 plans | Azure AD Multi-Factor Authentication can be [enabled on a per-user basis](howto-mfa-userstates.md), or enabled or disabled for all users using [security defaults](../fundamentals/concept-fundamentals-security-defaults.md). Management of Azure AD Multi-Factor Authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see [secure Microsoft 365 resources with multi-factor authentication](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication). |
-| Azure AD free | You can use [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) to enable multi-factor authentication for all users. You don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the *Azure AD Global Administrator* role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication. |
+| Azure AD free | You can use [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) to enable multi-factor authentication for all users but you cannot enable Multi-Factor Authentication on per-user basis. You don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the *Azure AD Global Administrator* role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication. |
 
 ## Feature comparison of versions
 
 
@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: how-to
-ms.date: 11/13/2020
+ms.date: 05/06/2021
 ms.author: kkrishna
 ms.reviewer: marsma, kkrishna, jmprieur
 ms.custom: aaddev
@@ -33,36 +33,34 @@ You define app roles by using the [Azure portal](https://portal.azure.com). App
 
 There are two ways to declare app roles by using the Azure portal:
 
-* [App roles UI](#app-roles-ui--preview) | Preview
-* [App manifest editor](#app-manifest-editor)
+- [App roles UI](#app-roles-ui)
+- [App manifest editor](#app-manifest-editor)
 
-The number of roles you add counts toward application manifest limits enforced by Azure Active Directory. For information about these limits, see the  [Manifest limits](./reference-app-manifest.md#manifest-limits) section of [Azure Active Directory app manifest reference](reference-app-manifest.md).
+The number of roles you add counts toward application manifest limits enforced by Azure Active Directory. For information about these limits, see the [Manifest limits](./reference-app-manifest.md#manifest-limits) section of [Azure Active Directory app manifest reference](reference-app-manifest.md).
 
-### App roles UI | Preview
-
-> [!IMPORTANT]
-> The app roles portal UI feature [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]
+### App roles UI
 
 To create an app role by using the Azure portal's user interface:
 
 1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
 1. Select the **Directory + subscription** filter in top menu, and then choose the Azure Active Directory tenant that contains the app registration to which you want to add an app role.
 1. Search for and select **Azure Active Directory**.
 1. Under **Manage**, select **App registrations**, and then select the application you want to define app roles in.
-1. Select **App roles | Preview**, and then select **Create app role**.
+1. Select **App roles**, and then select **Create app role**.
 
    :::image type="content" source="media/howto-add-app-roles-in-azure-ad-apps/app-roles-overview-pane.png" alt-text="An app registration's app roles pane in the Azure portal":::
+
 1. In the **Create app role** pane, enter the settings for the role. The table following the image describes each setting and their parameters.
 
-    :::image type="content" source="media/howto-add-app-roles-in-azure-ad-apps/app-roles-create-context-pane.png" alt-text="An app registration's app roles create context pane in the Azure portal":::
+   :::image type="content" source="media/howto-add-app-roles-in-azure-ad-apps/app-roles-create-context-pane.png" alt-text="An app registration's app roles create context pane in the Azure portal":::
 
-    | Field | Description | Example |
-    |-------|-------------|---------|
-    | **Display name** | Display name for the app role that appears in the admin consent and app assignment experiences. This value may contain spaces. | `Survey Writer` |
-    | **Allowed member types** | Specifies whether this app role can be assigned to users, applications, or both.<br/><br/>When available to `applications`, app roles appear as application permissions in an app registration's **Manage** section > **API permissions > Add a permission > My APIs > Choose an API > Application permissions**. | `Users/Groups` |
-    | **Value** | Specifies the value of the roles claim that the application should expect in the token. The value should exactly match the string referenced in the application's code. The value cannot contain spaces. | `Survey.Create` |
-    | **Description** | A more detailed description of the app role displayed during admin app assignment and consent experiences. | `Writers can create surveys.` |
-    | **Do you want to enable this app role?** | Specifies whether the app role is enabled. To delete an app role, deselect this checkbox and apply the change before attempting the delete operation. | *Checked* |
+   | Field                                    | Description                                                                                                                                                                                                                                                                                                       | Example                       |
+   | ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- |
+   | **Display name**                         | Display name for the app role that appears in the admin consent and app assignment experiences. This value may contain spaces.                                                                                                                                                                                    | `Survey Writer`               |
+   | **Allowed member types**                 | Specifies whether this app role can be assigned to users, applications, or both.<br/><br/>When available to `applications`, app roles appear as application permissions in an app registration's **Manage** section > **API permissions > Add a permission > My APIs > Choose an API > Application permissions**. | `Users/Groups`                |
+   | **Value**                                | Specifies the value of the roles claim that the application should expect in the token. The value should exactly match the string referenced in the application's code. The value cannot contain spaces.                                                                                                          | `Survey.Create`               |
+   | **Description**                          | A more detailed description of the app role displayed during admin app assignment and consent experiences.                                                                                                                                                                                                        | `Writers can create surveys.` |
+   | **Do you want to enable this app role?** | Specifies whether the app role is enabled. To delete an app role, deselect this checkbox and apply the change before attempting the delete operation.                                                                                                                                                             | _Checked_                     |
 
 1. Select **Apply** to save your changes.
 
@@ -150,7 +148,7 @@ Confirm that the users and groups you added appear in the **Users and groups** l
 
 Once you've added app roles in your application, you can assign an app role to a client app by using the Azure portal or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments).
 
-When you assign app roles to an application, you create *application permissions*. Application permissions are typically used by daemon apps or back-end services that need to authenticate and make authorized API calls as themselves, without the interaction of a user.
+When you assign app roles to an application, you create _application permissions_. Application permissions are typically used by daemon apps or back-end services that need to authenticate and make authorized API calls as themselves, without the interaction of a user.
 
 To assign app roles to an application by using the Azure portal:
 
@@ -168,7 +166,7 @@ The newly added roles should appear in your app registration's **API permissions
 
 #### Grant admin consent
 
-Because these are *application permissions*, not delegated permissions, an admin must grant consent to use the app roles assigned to the application.
+Because these are _application permissions_, not delegated permissions, an admin must grant consent to use the app roles assigned to the application.
 
 1. In the app registration's **API permissions** pane, select **Grant admin consent for \<tenant name\>**.
 1. Select **Yes** when prompted to grant consent for the requested permissions.
@@ -185,11 +183,11 @@ To learn how to add authorization to your web API, see [Protected web API: Verif
 
 Though you can use app roles or groups for authorization, key differences between them can influence which you decide to use for your scenario.
 
-| App roles                                                                          | Groups                                                      |
-|------------------------------------------------------------------------------------|-------------------------------------------------------------|
+| App roles                                                                                                    | Groups                                                      |
+| ------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------- |
 | They are specific to an application and are defined in the app registration. They move with the application. | They are not specific to an app, but to an Azure AD tenant. |
-| App roles are removed when their app registration is removed.                      | Groups remain intact even if the app is removed.            |
-| Provided in the `roles` claim.                                                     | Provided in `groups` claim.                                 |
+| App roles are removed when their app registration is removed.                                                | Groups remain intact even if the app is removed.            |
+| Provided in the `roles` claim.                                                                               | Provided in `groups` claim.                                 |
 
 Developers can use app roles to control whether a user can sign in to an app or an app can obtain an access token for a web API. To extend this security control to groups, developers and admins can also assign security groups to app roles.
 
@@ -199,12 +197,12 @@ App roles are preferred by developers when they want to describe and control the
 
 Learn more about app roles with the following resources.
 
-* Code samples on GitHub
-  * [Add authorization using groups and group claims to an ASP.NET Core web app](https://aka.ms/groupssample)
-  * [Angular single-page application (SPA) calling a .NET Core web API and using app roles and security groups](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups/blob/master/README.md)
-* Reference documentation
-  * [Azure AD app manifest](./reference-app-manifest.md)
-  * [Azure AD access tokens](access-tokens.md)
-  * [Azure AD ID tokens](id-tokens.md)
-  * [Provide optional claims to your app](active-directory-optional-claims.md)
-* Video: [Implement authorization in your applications with Microsoft identity platform](https://www.youtube.com/watch?v=LRoc-na27l0) (1:01:15)
+- Code samples on GitHub
+  - [Add authorization using groups and group claims to an ASP.NET Core web app](https://aka.ms/groupssample)
+  - [Angular single-page application (SPA) calling a .NET Core web API and using app roles and security groups](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups/blob/master/README.md)
+- Reference documentation
+  - [Azure AD app manifest](./reference-app-manifest.md)
+  - [Azure AD access tokens](access-tokens.md)
+  - [Azure AD ID tokens](id-tokens.md)
+  - [Provide optional claims to your app](active-directory-optional-claims.md)
+- Video: [Implement authorization in your applications with Microsoft identity platform](https://www.youtube.com/watch?v=LRoc-na27l0) (1:01:15)
@@ -137,14 +137,14 @@ A typical routine consists of the following steps:
 To get all devices and store the returned data in a CSV file:
 
 ```PowerShell
-Get-AzureADDevice -All:$true | select-object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-summary.csv
+Get-AzureADDevice -All:$true | select-object -Property AccountEnabled, DeviceId, DeviceOSType, DeviceOSVersion, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-summary.csv -NoTypeInformation
 ```
 
-If you have a large number of devices in your directory, use the timestamp filter to narrow down the number of returned devices. To get all devices with a timestamp older than specific date and store the returned data in a CSV file: 
+If you have a large number of devices in your directory, use the timestamp filter to narrow down the number of returned devices. To get all devices that haven't logged on in 90 days and store the returned data in a CSV file: 
 
 ```PowerShell
-$dt = [datetime]’2017/01/01’
-Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $dt} | select-object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-olderthan-Jan-1-2017-summary.csv
+$dt = (Get-Date).AddDays(-90)
+Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $dt} | select-object -Property AccountEnabled, DeviceId, DeviceOSType, DeviceOSVersion, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-olderthan-90days-summary.csv -NoTypeInformation
 ```
 
 #### Set devices to disabled