Merge pull request #219930 from petrsvihlik/patch-7

BCS2022 · web-flow · commit 323dff81f5fc · 2022-12-02T07:26:35.000-08:00
Clarify where to get the correct OID from
diff --git a/articles/communication-services/concepts/credentials-best-practices.md b/articles/communication-services/concepts/credentials-best-practices.md
@@ -28,7 +28,7 @@ Depending on your scenario, you may want to adjust the lifespan of tokens issued
 - Use a [callback function](#callback-function) for agents using the application for longer periods of time.
 
 ### Set a custom token expiration time
-When requesting a new token, we recommend using short lifetime tokens for one-off Chat messages or time-limited Calling sessions and longer lifetime tokens for agents using the application for longer periods of time. The default token expiration time is 24 hours but you can customize it by providing a value between an hour and 24 hours to the optional parameter as follow:
+When requesting a new token, we recommend using short lifetime tokens for one-off Chat messages or time-limited Calling sessions and longer lifetime tokens for agents using the application for longer periods of time. The default token expiration time is 24 hours but you can customize it by providing a value between an hour and 24 hours to the optional parameter as follows:
 
 ```javascript
 const tokenOptions = { tokenExpiresInMinutes: 60 };
@@ -101,7 +101,7 @@ Let's assume we have a Node.js application built on Express with the `/getTokenF
 ```javascript
 app.post('/getTokenForTeamsUser', async (req, res) => {
     const identityClient = new CommunicationIdentityClient("<COMMUNICATION_SERVICES_CONNECTION_STRING>");
-    let communicationIdentityToken = await identityClient.getTokenForTeamsUser(req.body.teamsToken);
+    let communicationIdentityToken = await identityClient.getTokenForTeamsUser(req.body.teamsToken, '<AAD_CLIENT_ID>', '<TEAMS_USER_OBJECT_ID>');
     res.json({ communicationIdentityToken: communicationIdentityToken.token });
 });
 ```
diff --git a/articles/communication-services/concepts/interop/custom-teams-endpoint-authentication-overview.md b/articles/communication-services/concepts/interop/custom-teams-endpoint-authentication-overview.md
@@ -65,7 +65,7 @@ Before we begin:
 - Alice or her Azure AD administrator needs to give Contoso's Azure Active Directory application consent before the first attempt to sign in. Learn more about [consent](../../../active-directory/develop/consent-framework.md).
 
 Steps:
-1. Authenticate Alice using the Fabrikam application: Alice is authenticated through Fabrikam's application. A standard OAuth flow with Microsoft Authentication Library (MSAL) is used. If authentication is successful, the client application, the Contoso app in this case, receives an Azure AD access token with a value of 'A1' and an Object ID of an Azure AD user with a value of 'A2'. Token details are outlined below. Authentication from the developer perspective is explored in this [quickstart](../../quickstarts/manage-teams-identity.md). 
+1. Authenticate Alice using the Fabrikam application: Alice is authenticated through Fabrikam's application. A standard OAuth flow with Microsoft Authentication Library (MSAL) is used. Make sure you configure MSAL with a correct [authority](../../../active-directory/develop/msal-client-application-configuration.md#authority). If authentication is successful, the client application, the Contoso app in this case, receives an Azure AD access token with a value of 'A1' and an Object ID of an Azure AD user with a value of 'A2'. Token details are outlined below. Authentication from the developer perspective is explored in this [quickstart](../../quickstarts/manage-teams-identity.md). 
 1. Get an access token for Alice: The Contoso application by using a custom authentication artifact with value 'B' performs authorization logic to decide whether Alice has permission to exchange the Azure AD access token for an Azure Communication Services access token. After successful authorization, the Contoso application performs control plane logic, using artifacts 'A1', 'A2', and 'A3'. This generates Azure Communication Services access token 'D' for Alice within the Contoso application. This access token can be used for data plane actions in Azure Communication Services, like Calling. The 'A2' and 'A3' artifacts are expected to be passed along with the artifact 'A1' for validation that the Azure AD Token was issued to the expected user and application and will prevent attackers from using the Azure AD access tokens issued to other applications or other users. For more information on how to get 'A' artifacts, see [Receive the Azure AD user token and object ID via the MSAL library](../../quickstarts/manage-teams-identity.md?pivots=programming-language-csharp#step-1-receive-the-azure-ad-user-token-and-object-id-via-the-msal-library) and [Getting Application ID](../troubleshooting-info.md#getting-application-id).
 1. Call Bob: Alice makes a call to Teams user Bob, with Fabrikam's application. The call takes place via the Calling SDK with an Azure Communication Services access token. Learn more about developing custom, Teams apps [in this quickstart](../../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md).
 
@@ -79,6 +79,7 @@ Artifacts:
 - Artifact A2
   - Type: Object ID of an Azure AD user
   - Source: Fabrikam's Azure AD tenant
+  - Authority: `https://login.microsoftonline.com/<tenant>/` or `https://login.microsoftonline.com/organizations/` (based on your [scenario](../../../active-directory/develop/msal-client-application-configuration.md#authority))
 - Artifact A3
   - Type: Azure AD application ID
   - Source: Contoso application registration's Azure AD tenant
@@ -103,4 +104,4 @@ The following sample apps may be interesting to you:
 
 - To see how the Azure Communication Services access tokens for Teams users are acquired in a single-page application, check out a [SPA sample app](https://github.com/Azure-Samples/communication-services-javascript-quickstarts/tree/main/manage-teams-identity-spa).
 
-- To learn more about a server implementation of an authentication service for Azure Communication Services check out the [Authentication service hero sample](../../samples/trusted-auth-sample.md).
+- To learn more about a server implementation of an authentication service for Azure Communication Services check out the [Authentication service hero sample](../../samples/trusted-auth-sample.md).
diff --git a/articles/communication-services/quickstarts/eligible-teams-licenses.md b/articles/communication-services/quickstarts/eligible-teams-licenses.md
@@ -14,7 +14,7 @@ ms.custom: kr2b-contr-experiment
 
 # Teams License requirements to use Azure Communication Services support for Teams users
 
-To use Azure Communication Services support for Teams users, you need an Azure Active Directory instance with users that have a valid Teams license. Furthermore, license must be assigned to the administrators or relevant users. This article describes the service plans requirements to use Azure Communication Services support for Teams users.
+To use Azure Communication Services support for Teams users, you need an Azure Active Directory instance with users that have a valid Teams license. Furthermore, license must be assigned to the administrators or relevant users. Also, note that [MSA accounts (personal Microsoft accounts)](../../active-directory/external-identities/microsoft-account.md) are not supported. This article describes the service plans requirements to use Azure Communication Services support for Teams users.
 
 ## Eligible products and service plans
 
diff --git a/articles/communication-services/quickstarts/includes/manage-teams-identity-java.md b/articles/communication-services/quickstarts/includes/manage-teams-identity-java.md
@@ -89,7 +89,7 @@ public class App
 
 ### Step 1: Receive the Azure Active Directory user token and object ID via the MSAL library
 
-The first step in the token exchange flow is getting a token for your Teams user by using [Microsoft.Identity.Client](../../../active-directory/develop/reference-v2-libraries.md).
+The first step in the token exchange flow is getting a token for your Teams user by using [Microsoft.Identity.Client](../../../active-directory/develop/reference-v2-libraries.md). It's essential to configure the MSAL client with the correct authority, based on the `tenantId` variable, to be able to retrieve the Object ID (`oid`) claim corresponding with a user in Fabrikam's tenant and initialize the `userObjectId` variable.
 
 ```java
 // You need to provide your Azure AD client ID and tenant ID
diff --git a/articles/communication-services/quickstarts/includes/manage-teams-identity-js.md b/articles/communication-services/quickstarts/includes/manage-teams-identity-js.md
@@ -80,7 +80,7 @@ From the project directory:
 
 ### Step 1: Receive the Azure AD user token and object ID via the MSAL library
 
-The first step in the token exchange flow is getting a token for your Teams user by using [Microsoft.Identity.Client](../../../active-directory/develop/reference-v2-libraries.md).
+The first step in the token exchange flow is getting a token for your Teams user by using [Microsoft.Identity.Client](../../../active-directory/develop/reference-v2-libraries.md). The code below retrieves Azure AD client ID and tenant ID from environment variables named `AAD_CLIENT_ID` and `AAD_TENANT_ID`. It's essential to configure the MSAL client with the correct authority, based on the `AAD_TENANT_ID` environment variable, to be able to retrieve the Object ID (`oid`) claim corresponding with a user in Fabrikam's tenant and initialize the `userObjectId` variable.
 
 ```javascript
 // Create configuration object that will be passed to MSAL instance on creation.
diff --git a/articles/communication-services/quickstarts/includes/manage-teams-identity-net.md b/articles/communication-services/quickstarts/includes/manage-teams-identity-net.md
@@ -79,7 +79,7 @@ namespace CommunicationAccessTokensQuickstart
 
 ### Step 1: Receive the Azure AD user token and object ID via the MSAL library
 
-The first step in the token exchange flow is getting a token for your Teams user by using [Microsoft.Identity.Client](../../../active-directory/develop/reference-v2-libraries.md). The code below retrieves Azure AD client ID and tenant ID from environment variables named `AAD_CLIENT_ID` and `AAD_TENANT_ID`.
+The first step in the token exchange flow is getting a token for your Teams user by using [Microsoft.Identity.Client](../../../active-directory/develop/reference-v2-libraries.md). The code below retrieves Azure AD client ID and tenant ID from environment variables named `AAD_CLIENT_ID` and `AAD_TENANT_ID`. It's essential to configure the MSAL client with the correct authority, based on the `AAD_TENANT_ID` environment variable, to be able to retrieve the Object ID (`oid`) claim corresponding with a user in Fabrikam's tenant and initialize the `userObjectId` variable.
 
 ```csharp
 // This code demonstrates how to fetch an AAD client ID and tenant ID 
diff --git a/articles/communication-services/quickstarts/includes/manage-teams-identity-python.md b/articles/communication-services/quickstarts/includes/manage-teams-identity-python.md
@@ -55,7 +55,7 @@ pip install msal
 
 ### Step 1: Receive the Azure AD user token and object ID via the MSAL library
 
-The first step in the token exchange flow is getting a token for your Teams user by using [Microsoft.Identity.Client](../../../active-directory/develop/reference-v2-libraries.md). In Azure portal, configure the Redirect URI of your "Mobile and Desktop application" as `http://localhost`.
+The first step in the token exchange flow is getting a token for your Teams user by using [Microsoft.Identity.Client](../../../active-directory/develop/reference-v2-libraries.md). In Azure portal, configure the Redirect URI of your "Mobile and Desktop application" as `http://localhost`. The code below retrieves Azure AD client ID and tenant ID from environment variables named `AAD_CLIENT_ID` and `AAD_TENANT_ID`. It's essential to configure the MSAL client with the correct authority, based on the `AAD_TENANT_ID` environment variable, to be able to retrieve the Object ID (`oid`) claim corresponding with a user in Fabrikam's tenant and initialize the `user_object_id` variable.
 
 ```python
 # This code demonstrates how to fetch your Azure AD client ID and tenant ID
diff --git a/articles/communication-services/quickstarts/manage-teams-identity.md b/articles/communication-services/quickstarts/manage-teams-identity.md
@@ -181,11 +181,12 @@ In this quickstart, you learned how to:
 
 
 > [!div class="nextstepaction"]
+> [Build trusted authentication service for Teams users](../samples/trusted-auth-sample.md)
 > [Make a call as a Teams users to a Teams user](../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md)
-> [Check use cases for communication as a Teams user](../concepts/interop/custom-teams-endpoint-use-cases.md)
 
 Learn about the following concepts:
 
+- [Use cases for communication as a Teams user](../concepts/interop/custom-teams-endpoint-use-cases.md)
 - [Azure Communication Services support Teams identities](../concepts/teams-endpoint.md)
 - [Teams interoperability](../concepts/teams-interop.md)
 - [Single-tenant and multi-tenant authentication for Teams users](../concepts/interop/custom-teams-endpoint-authentication-overview.md)
