MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 3 additions & 8 deletions b/‎.openpublishing.redirection.json
Lines changed: 3 additions & 8 deletions
diff --git a/‎articles/active-directory-b2c/saml-service-provider.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/saml-service-provider.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory-b2c/tokens-overview.md
Lines changed: 3 additions & 0 deletions b/‎articles/active-directory-b2c/tokens-overview.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎articles/active-directory/app-provisioning/customize-application-attributes.md
Lines changed: 2 additions & 1 deletion b/‎articles/active-directory/app-provisioning/customize-application-attributes.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎articles/active-directory/conditional-access/block-legacy-authentication.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/conditional-access/block-legacy-authentication.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/develop/msal-net-token-cache-serialization.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/develop/msal-net-token-cache-serialization.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/fundamentals/security-operations-privileged-accounts.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/fundamentals/security-operations-privileged-accounts.md
Lines changed: 1 addition & 1 deletion
@@ -3450,22 +3450,17 @@
     },
     {
       "source_path_from_root": "/articles/app-service/app-service-app-service-environments-readme.md",
-      "redirect_url": "/azure/app-service/environment/intro",
+      "redirect_url": "/azure/app-service/environment/overview",
       "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/app-service/app-service-environment/intro.md",
-      "redirect_url": "/azure/app-service/environment/intro",
+      "redirect_url": "/azure/app-service/environment/overview",
       "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/app-service/app-service-environment/readme.md",
-      "redirect_url": "/azure/app-service/environment/intro",
-      "redirect_document_id": false
-    },
-    {
-      "source_path_from_root": "/articles/app-service/environment/index.md",
-      "redirect_url": "/azure/app-service/environment/intro",
+      "redirect_url": "/azure/app-service/environment/overview",
       "redirect_document_id": false
     },
     {
 
@@ -327,7 +327,7 @@ The following example shows the `entityID` value in the SAML metadata:
 The `identifierUris` property will accept URLs only on the domain `tenant-name.onmicrosoft.com`.
 
 ```json
-"identifierUris":"https://samltestapp2.azurewebsites.net",
+"identifierUris":"https://tenant-name.onmicrosoft.com",
 ```
 
 #### Share the application's metadata with Azure AD B2C
 
@@ -11,6 +11,7 @@ ms.topic: conceptual
 ms.date: 10/1/2021
 ms.author: kengaderdus
 ms.subservice: B2C
+ms.custom: b2c-support
 ---
 
 # Overview of tokens in Azure Active Directory B2C
@@ -134,6 +135,8 @@ https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_signupsignin1/v2.0/.w
 
 To determine which policy was used to sign a token (and where to go to request the metadata), you have two options. First, the policy name is included in the `tfp` (default) or `acr` claim (as configured) in the token. You can parse claims out of the body of the JWT by base-64 decoding the body and deserializing the JSON string that results. The `tfp` or `acr` claim is the name of the policy that was used to issue the token. The other option is to encode the policy in the value of the `state` parameter when you issue the request, and then decode it to determine which policy was used. Either method is valid.
 
+Azure AD B2C uses the RS256 algorithm, which is based on the [RFC 3447](https://www.rfc-editor.org/rfc/rfc3447#section-3.1) specification. The public key consists of two components: the RSA modulus (`n`) and the RSA public exponent (`e`). You can programmatically convert `n` and `e` values to a certificate format for token validation.
+
 A description of how to perform signature validation is outside the scope of this document. Many open-source libraries are available to help you validate a token.
 
 ### Validate claims
 
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 07/07/2021
+ms.date: 11/15/2021
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -253,6 +253,7 @@ The request format in the PATCH and POST differ. To ensure that POST and PATCH a
   - **Things to consider**
     - All roles will be provisioned as primary = false.
     - The POST contains the role type. The PATCH request does not contain type. We are working on sending the type in both POST and PATCH requests.
+    - AppRoleAssignmentsComplex is not compatible with setting scope to "Sync All users and groups." 
 
   - **Example output** 
 
 
@@ -127,9 +127,9 @@ Configuring a policy for **Other clients** blocks the entire organization from c
 
 You can select all available grant controls for the **Other clients** condition; however, the end-user experience is always the same - blocked access.
 
-### SharePoint Online and B2B guest users
+### SharePoint Online
 
-To block B2B user access via legacy authentication to SharePoint Online, organizations must disable legacy authentication on SharePoint using the `Set-SPOTenant` PowerShell command and setting the `-LegacyAuthProtocolsEnabled` parameter to `$false`. More information about setting this parameter can be found in the SharePoint PowerShell reference document regarding [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant)
+To block user access via legacy authentication to SharePoint Online, organizations must disable legacy authentication on SharePoint using the `Set-SPOTenant` PowerShell command and setting the `-LegacyAuthProtocolsEnabled` parameter to `$false`. More information about setting this parameter can be found in the SharePoint PowerShell reference document regarding [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant)
 
 ## Next steps
 
 
@@ -265,7 +265,7 @@ You can also specify options to limit the size of the in memory token cache:
       // Configure the memory cache options
       services.Configure<MemoryCacheOptions>(options =>
       {
-          options.SizeLimit = 5000000; // in bytes (5 Mb)
+          options.SizeLimit = 500 * 1024 * 1024; // in bytes (500 Mb)
       });
   }
   );
 
@@ -135,7 +135,7 @@ You can monitor privileged account sign-in events in the Azure AD Sign-in logs.
 | Privileged accounts that don't follow naming policy.| | Azure Subscription | [List Azure role assignments using the Azure portal - Azure RBAC](../../role-based-access-control/role-assignments-list-portal.md)| List role assignments for subscriptions and alert where sign in name doesn't match your organizations format. For example, ADM_ as a prefix. |
 | Interrupt |  High/Medium | Azure AD Sign-ins | Status = Interrupted<br>-and-<br>error code = 50074<br>-and-<br>Failure reason = Strong Auth required<br>Status = Interrupted<br>-and-<br>Error code = 500121<br>Failure Reason = Authentication failed during strong authentication request | This can be an indication an attacker has the password for the account but can't pass the MFA challenge. | 
 | Privileged accounts that don't follow naming policy.| High | Azure AD directory | [List Azure AD role assignments](../roles/view-assignments.md)| List roles assignments for Azure AD roles alert where UPN doesn't match your organizations format. For example, ADM_ as a prefix. |
-| Discover privileged accounts not registered for MFA. | High | Azure AD Graph API| Query for IsMFARegistered eq false for administrator accounts. [List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&preserve-view=true&tabs=http) | Audit and investigate to determine if intentional or an oversight. |
+| Discover privileged accounts not registered for MFA. | High | Microsoft Graph API| Query for IsMFARegistered eq false for administrator accounts. [List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&preserve-view=true&tabs=http) | Audit and investigate to determine if intentional or an oversight. |
 | Account lockout | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |
 | Account disabled/blocked for sign-ins | Low | Azure AD Sign-ins log | Status = Failure<br>-and-<br>Target = user UPN<br>-and-<br>error code = 50057 | This could indicate someone is trying to gain access to an account once they have left an organization. Although the account is blocked, it's still important to log and alert on this activity. |
 | MFA fraud alert/block | High | Azure AD Sign-ins log/Azure Log Anaylitics | Sign-ins>Authentication details Result details = MFA denied, Fraud Code Entered | Privileged user has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. |
Original file line number	Diff line number	Diff line change
`@@ -265,7 +265,7 @@ You can also specify options to limit the size of the in memory token cache:`
`265`	`265`	`// Configure the memory cache options`
`266`	`266`	`services.Configure<MemoryCacheOptions>(options =>`
`267`	`267`	`{`
`268`		`- options.SizeLimit = 5000000; // in bytes (5 Mb)`
	`268`	`+ options.SizeLimit = 500 * 1024 * 1024; // in bytes (500 Mb)`
`269`	`269`	`});`
`270`	`270`	`}`
`271`	`271`	`);`