Merge pull request #245148 from MicrosoftDocs/main

7/17/2023 AM Publish

Author: Taojunshen

articles/active-directory/develop/access-tokens.md

@@ -111,6 +111,7 @@ Azure AD makes available a tenant-independent version of the document for multi-
     ```
 
 1. Applications that use Azure AD's tenant ID (`tid`) claim as a trust boundary instead of the standard issuer claim should ensure that the tenant-id claim is a GUID and that the issuer and tenant ID match.
+
 Using tenant-independent metadata is more efficient for applications which accept tokens from many tenants.
 > [!NOTE]
 > With Azure AD tenant-independent metadata, claims should be interpreted within the tenant, just as under standard OpenID Connect, claims are interpreted within the issuer. That is, `{"sub":"ABC123","iss":"https://login.microsoftonline.com/{example-tenant-id}/v2.0","tid":"{example-tenant-id}"}` and `{"sub":"ABC123","iss":"https://login.microsoftonline.com/{another-tenand-id}/v2.0","tid":"{another-tenant-id}"}` describe different users, even though the `sub` is the same, because claims like `sub` are interpreted within the context of the issuer/tenant.

articles/active-directory/develop/includes/libraries/libraries-spa.md

@@ -10,7 +10,7 @@ ms.author: henrymbugua
 | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------- | :----------------------------------------------------------------------------------: | :---------------------------------------------------: | :-------------------------------------------------------------: | :----------------------------------------------------------: |
 | Angular              | [MSAL Angular v2](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular)<sup>2</sup>          | [msal-angular](https://www.npmjs.com/package/@azure/msal-angular)     |  [Tutorial](../../tutorial-v2-angular-auth-code.md)   | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] |                              GA                              |
 | Angular              | [MSAL Angular](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/msal-angular-v1/lib/msal-angular)<sup>3</sup> | [msal-angular](https://www.npmjs.com/package/@azure/msal-angular)     |                                          —                                           | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] |                              GA                              |
-| AngularJS            | [MSAL AngularJS](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/msal-angularjs)<sup>3</sup> | [msal-angularjs](https://www.npmjs.com/package/@azure/msal-angular) |                                          —                                           | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] |                        Public preview                        |
+| AngularJS            | [MSAL AngularJS](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular)<sup>3</sup> | [msal-angularjs](https://www.npmjs.com/package/@azure/msal-angular) |                                          —                                           | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] |                        Public preview                        |
 | JavaScript           | [MSAL.js v2](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser)<sup>2</sup>               | [msal-browser](https://www.npmjs.com/package/@azure/msal-browser)     | [Tutorial](../../tutorial-v2-javascript-auth-code.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] |                              GA                              |
 | JavaScript           | [MSAL.js 1.0](/javascript/api/overview/msal-overview)<sup>3</sup>                 | [msal-core](https://www.npmjs.com/package/@azure/msal-core)           |                                          —                                           | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] |                              GA                              |
 | React                | [MSAL React](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react)<sup>2</sup>                 | [msal-react](https://www.npmjs.com/package/@azure/msal-react)         |        [Tutorial](../../single-page-app-tutorial-01-register-app.md)         | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] |                              GA                              |

articles/active-directory/develop/scenario-web-api-call-api-call-api.md

@@ -68,7 +68,7 @@ In this scenario, you've added the **Microsoft.Identity.Web.GraphServiceClient**
 
 #### Option 2: Call a downstream web API with the helper class
 
-In this scenario, you've added `.AddDownstreamWebApi()` in *Startup.cs* as specified in [Code configuration](scenario-web-api-call-api-app-configuration.md#option-2-call-a-downstream-web-api-other-than-microsoft-graph), and you can directly inject an `IDownstreamWebApi` service in your controller or page constructor and use it in the actions:
+In this scenario, you've added `.AddDownstreamApi()` in *Startup.cs* as specified in [Code configuration](scenario-web-api-call-api-app-configuration.md#option-2-call-a-downstream-web-api-other-than-microsoft-graph), and you can directly inject an `IDownstreamWebApi` service in your controller or page constructor and use it in the actions:
 
 ```csharp
  [Authorize]

articles/active-directory/develop/scenario-web-app-sign-user-sign-in.md

@@ -353,7 +353,7 @@ In Java, sign-out is handled by calling the Microsoft identity platform `logout`
 
 # [Node.js](#tab/nodejs)
 
-When the user selects the **Sign out** button, the app triggers the `/signout` route, which destroys the session and redirects the browser to Microsoft identity platform sign-out endpoint.
+When the user selects the **Sign out** button, the app triggers the `/auth/signout` route, which destroys the session and redirects the browser to Microsoft identity platform sign-out endpoint.
 
 :::code language="js" source="~/ms-identity-node/App/auth/AuthProvider.js" range="157-175":::
 

articles/active-directory/enterprise-users/TOC.yml

@@ -142,7 +142,9 @@
     items:
     - name: Assign licenses to users    
       href: ../fundamentals/license-users-groups.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
-    - name: Assign licenses to a group    
+    - name: Use Admin center to assign licenses to groups
+      href: licensing-admin-center.md
+    - name: Assign licenses to a group
       href: licensing-groups-assign.md
     - name: Resolve group license problems   
       href: licensing-groups-resolve-problems.md

articles/active-directory/enterprise-users/licensing-admin-center.md

@@ -0,0 +1,71 @@
+---
+title: Assign licenses to a group using the Microsoft 365 admin center
+description: How to assign licenses to groups using the Microsoft 365 admin center
+services: active-directory
+keywords: Azure AD licensing
+documentationcenter: ''
+author: barclayn
+manager: amycolannino
+
+ms.service: active-directory
+ms.subservice: enterprise-users
+ms.topic: how-to
+ms.workload: identity
+ms.date: 07/17/2023
+ms.author: barclayn
+---
+
+# Assign licenses to users by group membership using the Microsoft 365 admin center
+
+This article shows you how to use the Microsoft 365 license center to assign licenses to a group.
+
+> [!NOTE]
+> Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator has to specify the Usage location property on the user.
+>
+> For group license assignment, any users without a usage location specified inherit the location of the directory. If you have users in multiple locations, we recommend that you always set usage location as part of your user creation flow in Azure AD. For example, configure Azure AD Connect configuration to set usage location. This recommendation makes sure the result of license assignment is always correct and users do not receive services in locations that are not allowed.
+
+## Assign a license
+
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/) with a license administrator account. To manage licenses, the account must be a License Administrator, User Administrator, or Global Administrator.
+   
+      ![Screenshot of the Microsoft admin Center landing page](./media/licensing-admin-center/admin-center.png)
+
+1. Browse to **Billing** > **Licenses** to open a page where you can see all licenses available in your organization.
+
+      ![screenshot of portal section allowing user to select products to assign licenses](./media/licensing-admin-center/choose-licenses.png)
+
+1. Under **Licenses**, select the license that you would like to assign. 
+1. In the License details section, choose **Groups** at the top of the page.
+1. Choose **+ Assign licenses**
+1. From the **+ Assign licenses** page search for the group that you would like to use for license assignment.
+
+   ![Screenshot of portal allowing users to choose the group to use for license assignment](./media/licensing-admin-center/assign-license-group.png)
+  
+   >[!NOTE]
+   >When assigning licenses to a group with service plans that have dependencies on other service plans, they must both be assigned together in the same group, otherwise the service plan with the dependency will be disabled.
+  
+1. To complete the assignment, on the **Assign license** page, click **Assign** at the bottom of the page.
+
+   ![Screenshot of the portal section that allows you to choose assign after selecting the group](./media/licensing-admin-center/choose-assign.png)
+
+When assign licenses to a group, Azure AD processes all existing members of that group. This process might take some time depending on the size of the group.
+
+   ![Screenshot of message telling the administrator that they have assigned a license to a group](./media/licensing-admin-center/licenses-assignment-message.png)
+
+## Verify that the initial assignment has finished
+
+1. From the Admin Center, go to **Billing** > **Licenses**. Select the license that you assigned.
+
+1. On the **License details** page, you can view the status of the license assignment operation. For example, in the image show below, you can see that **Contoso marketing** shows a status of **All licenses assigned** while **Contoso human resources** shows a status of **In progress**.
+
+   ![Screenshot showing you the license assignment progress](./media/licensing-admin-center/progress.png)
+
+   [Read this section](licensing-group-advanced.md#use-audit-logs-to-monitor-group-based-licensing-activity) to learn more about how audit logs can be used to analyze changes made by group-based licensing.
+
+
+## Next steps
+
+To learn more about the feature set for license assignment using groups, see the following articles:
+
+- [What is group-based licensing in Azure Active Directory?](../fundamentals/active-directory-licensing-whatis-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context)
+- [Identifying and resolving license problems for a group in Azure Active Directory](licensing-groups-resolve-problems.md)