Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into issues

Author: markingmyname

.openpublishing.redirection.active-directory.json

@@ -10953,7 +10953,7 @@
     },
     {
       "source_path_from_root": "/articles/active-directory/fundamentals/keep-me-signed-in.md",
-      "redirect_url": "/azure/active-directory/fundamentals/customize-branding",
+      "redirect_url": "/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal",
       "redirect_document_id": false
     },
     {

articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md

@@ -68,7 +68,7 @@ When a user selects **Yes** on the *Stay signed in?* option during sign-in, a pe
 
 If you have an Azure AD Premium 1 license, we recommend using Conditional Access policy for *Persistent browser session*. This policy overwrites the *Stay signed in?* setting and provides an improved user experience. If you don't have an Azure AD Premium 1 license, we recommend enabling the stay signed in setting for your users.
 
-For more information on configuring the option to let users remain signed-in, see [Customize your Azure AD sign-in page](../fundamentals/customize-branding.md#learn-about-the-stay-signed-in-prompt).
+For more information on configuring the option to let users remain signed-in, see [Customize your Azure AD sign-in page](../fundamentals/active-directory-users-profile-azure-portal.md#learn-about-the-stay-signed-in-prompt).
 
 ### Remember Multi-Factor Authentication  
 

articles/active-directory/conditional-access/workload-identity.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 03/25/2022
+ms.date: 11/21/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -56,7 +56,7 @@ Create a location based Conditional Access policy that applies to service princi
 
 ### Create a risk-based Conditional Access policy
 
-Create a location based Conditional Access policy that applies to service principals.
+Create a risk-based Conditional Access policy that applies to service principals.
 
 :::image type="content" source="media/workload-identity/conditional-access-workload-identity-risk-policy.png" alt-text="Creating a Conditional Access policy with a workload identity and risk as a condition." lightbox="media/workload-identity/conditional-access-workload-identity-risk-policy.png":::
 

articles/active-directory/develop/msal-migration.md

@@ -29,6 +29,16 @@ If any of your applications use the Azure Active Directory Authentication Librar
 
 ## Why switch to MSAL?
 
+To understand 'Why MSAL?', it's important to first understand the differences between Microsoft identity platform (v2.0) and Azure Active Directory (v1.0) endpoints. The v1.0 endpoint is used by Azure AD Authentication Library (ADAL) while the v2.0 endpoint is used by Microsoft Authentication Library (MSAL). If you've developed apps against the v1.0 endpoint in the past, you're likely using ADAL. Since the v2.0 endpoint has changed significantly enough, the new library (MSAL) was built for the new endpoint entirely. 
+
+The following diagram shows the v2.0 vs v1.0 endpoint experience at a high level, including the app registration experience, SDKs, endpoints, and supported identities.
+
+![Diagram that shows the v1.0 versus the v2.0 architecture.](../azuread-dev/media/about-microsoft-identity-platform/about-microsoft-identity-platform.svg)
+
+MSAL leverages all the [benefits of Microsoft identity platform (v2.0) endpoint](../azuread-dev/azure-ad-endpoint-comparison.md).
+
+MSAL is designed to enable a secure solution without developers having to worry about the implementation details. it simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. We recommend you use MSAL to [increase the resilience of authentication and authorization in client applications that you develop](../fundamentals/resilience-client-app.md?tabs=csharp#use-the-microsoft-authentication-library-msal).
+
 MSAL provides multiple benefits over ADAL, including the following features: 
 
 |Features|MSAL|ADAL|
@@ -46,6 +56,13 @@ MSAL provides multiple benefits over ADAL, including the following features:
 | Proactive token renewal |![Proactive token renewal - MSAL provides the feature][y]|![Proactive token renewal - ADAL doesn't provide the feature][n]|
 | Throttling |![Throttling - MSAL provides the feature][y]|![Throttling - ADAL doesn't provide the feature][n]|
 
+## Additional Capabilities of MSAL over ADAL
+- Auth broker support – Device-based Conditional Access policy
+- Proof of possession tokens
+- Azure AD certificate-based authentication (CBA) on mobile
+- System browsers on mobile devices
+- Where ADAL had only authentication context class, MSAL exposes the notion of a collection of client apps (public client and confidential client).
+
 ## AD FS support in MSAL.NET
 
 You can use MSAL.NET, MSAL Java, and MSAL Python to get tokens from Active Directory Federation Services (AD FS) 2019 or later. Earlier versions of AD FS, including AD FS 2016, are unsupported by MSAL.
@@ -61,6 +78,15 @@ After identifying your apps that use ADAL, migrate them to MSAL depending on you
 
 [!INCLUDE [application type](includes/adal-msal-migration.md)]
 
+MSAL Supports a wide range of application types and scenarios. Please refer to [Microsoft Authentication Library support for several application types](reference-v2-libraries.md#single-page-application-spa).
+
+ADAL to MSAL Migration Guide for different platforms are available in the following link.
+- [Migrate to MSAL iOS and MacOS](migrate-objc-adal-msal.md)
+- [Migrate to MSAL Java](migrate-adal-msal-java.md)
+- [Migrate to MSAL .Net](msal-net-migration.md)
+- [Migrate to MSAL Node](msal-node-migration.md)
+- [Migrate to MSAL Python](migrate-python-adal-msal.md)   
+
 ## Migration help
 
 If you have questions about migrating your app from ADAL to MSAL, here are some options:
@@ -82,4 +108,4 @@ For more information about MSAL, including usage information and which libraries
  ![X indicating no.][n] | ![Green check mark.][y] | ![Green check mark.][y] | -- |
 -->
 [y]: media/common/yes.png
-[n]: media/common/no.png
+[n]: media/common/no.png

articles/active-directory/develop/tutorial-v2-javascript-spa.md

@@ -165,7 +165,7 @@ sampleApp/
 In the next steps, you'll create a new folder for the JavaScript SPA and set up the user interface (UI).
 
 > [!TIP]
-> When you set up an Azure Active Directory (Azure AD) account, you create a tenant. This is a digital representation of your organization. It's primarily associated with a domain, like Microsoft.com. If you want to learn how applications can work with multiple tenants, refer to the [application model](/articles/active-directory/develop/application-model.md).
+> When you set up an Azure Active Directory (Azure AD) account, you create a tenant. This is a digital representation of your organization. It's primarily associated with a domain, like Microsoft.com. If you want to learn how applications can work with multiple tenants, refer to the [application model](/azure/active-directory/develop/application-model).
 
 ## Create the SPA UI
 

articles/active-directory/develop/tutorial-v2-shared-device-mode.md

@@ -155,7 +155,7 @@ private void loadAccount()
       }
     }
     @Override
-    public void on AccountChanged(@Nullable IAccount priorAccount, @Nullable Iaccount currentAccount)
+    public void onAccountChanged(@Nullable IAccount priorAccount, @Nullable Iaccount currentAccount)
     {
       if (currentAccount == null)
       {

articles/active-directory/fundamentals/active-directory-users-profile-azure-portal.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: how-to
-ms.date: 10/17/2022
+ms.date: 11/21/2022
 ms.author: sarahlipsey
 ms.reviewer: jeffsta
 ms.collection: M365-identity-device-management
@@ -60,7 +60,7 @@ There are six categories of profile details you may be able to edit.
 
 - **Settings:** Decide whether the user can sign in to the Azure Active Directory tenant. You can also specify the user's global location.
 
-- **On-premises:** Accounts synced from Windows Server Active Directory include additional values not applicable to Azure AD accounts.
+- **On-premises:** Accounts synced from Windows Server Active Directory include other values not applicable to Azure AD accounts.
 
     >[!Note]
     >You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you'll see the changes.
@@ -78,6 +78,47 @@ In the **User settings** area of Azure AD, you can adjust several settings that
 
 Go to **Azure AD** > **User settings**.
 
+### Learn about the 'Stay signed in?' prompt
+
+The **Stay signed in?** prompt appears after a user successfully signs in. This process is known as **Keep me signed in** (KMSI). If a user answers **Yes** to this prompt, the KMSI service gives them a persistent [refresh token](../develop/developer-glossary.md#refresh-token). For federated tenants, the prompt will show after the user successfully authenticates with the federated identity service.
+
+The following diagram shows the user sign-in flow for a managed tenant and federated tenant using the KMSI in prompt. This flow contains smart logic so that the **Stay signed in?** option won't be displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device.
+
+KMSI is only available on the default custom branding. It can't be added to language-specific branding. Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the **Show option to remain signed in** option, your users may see other unexpected prompts during the sign-in process.
+
+![Diagram showing the user sign-in flow for a managed vs. federated tenant](media/customize-branding/kmsi-workflow.png)
+
+Configuring the 'keep me signed in' (KMSI) option requires one of the following licenses:
+
+- Azure AD Premium 1
+- Azure AD Premium 2
+- Office 365 (for Office apps)
+- Microsoft 365
+
+#### Troubleshoot 'Stay signed in?' issues
+
+If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Azure AD **Sign-ins** page. The prompt the user sees is called an "interrupt."
+
+![Sample 'Stay signed in?' prompt](media/customize-branding/kmsi-stay-signed-in-prompt.png)
+
+Details about the sign-in error are found in the **Sign-in logs** in Azure AD. Select the impacted user from the list and locate the details below in the **Basic info** section.
+
+* **Sign in error code**: 50140
+* **Failure reason**: This error occurred due to "Keep me signed in" interrupt when the user was signing in.
+
+You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the advanced branding settings. This setting disables the KMSI prompt for all users in your Azure AD directory.
+
+You also can use the [persistent browser session controls in Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users (such as the global administrators) without affecting sign-in behavior for everyone else in the directory.
+
+To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios:
+
+* User is signed in via seamless SSO and integrated Windows authentication (IWA)
+* User is signed in via Active Directory Federation Services and IWA
+* User is a guest in the tenant
+* User's risk score is high
+* Sign-in occurs during user or admin consent flow
+* Persistent browser session control is configured in a conditional access policy
+
 ## Next steps
 - [Add or delete users](add-users-azure-active-directory.md)
 

articles/active-directory/fundamentals/customize-branding.md

@@ -2,32 +2,35 @@
 title: Add branding to your organization's sign-in page - Azure AD
 description: Instructions about how to add your organization's branding to the Azure Active Directory sign-in page.
 services: active-directory
-author: barclayn
+author: shlipsey3
 manager: amycolannino
 
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: how-to
-ms.date: 08/26/2022
-ms.author: barclayn
+ms.date: 11/21/2022
+ms.author: sarahlipsey
 ms.reviewer: kexia
 ms.custom: "it-pro, seodec18, fasttrack-edit"
 ms.collection: M365-identity-device-management
 ---
 
 # Configure your company branding
 
-Create a consistent experience when users sign into your organization's web-based apps that use Azure Active Directory (Azure AD) as your identity provider, such as Microsoft 365. The sign-in process can include your company logo and customized experiences based on browser language.
+When users authenticate into your corporate intranet or web-based applications, Azure Active Directory (Azure AD) provides the identity and access management (IAM) service. You can add company branding that applies to all these sign-in experiences to create a consistent experience for your users.
+
+This article covers how to customize the company branding for sign-in experiences for your users. 
+
+An updated experience for adding company branding is available as an Azure AD preview feature. To opt in and explore the new experience, go to **Azure AD** > **Preview features** and enable the **Enhanced Company Branding** feature. Check out the updated documentation on [how to customize branding](how-to-customize-branding.md).
 
 ## License requirements
 
-Adding custom branding and configuring the 'keep me signed in' (KMSI) option requires one of the following licenses:
+Adding custom branding requires one of the following licenses:
 
 - Azure AD Premium 1
 - Azure AD Premium 2
 - Office 365 (for Office apps)
-- Microsoft 365 (KMSI only)
 
 Azure AD Premium editions are available for customers in China using the worldwide instance of Azure AD. Azure AD Premium editions aren't currently supported in the Azure service operated by 21Vianet in China. For more information about licensing and editions, see [Sign up for Azure AD Premium](active-directory-get-started-premium.md).
 
@@ -91,7 +94,7 @@ Custom branding appears after users sign in. Users that start the sign-in proces
     >[!IMPORTANT]
     > Transparent logos are supported with the square logo image. The color palette used in the transparent logo could conflict with backgrounds (such as, white, light grey, dark grey, and black backgrounds) used within Microsoft 365 apps and services that consume the square logo image. Solid color backgrounds may need to be used to ensure the square image logo is rendered correctly in all situations.
         
-    - **Show option to remain signed in** You can choose to let your users remain signed in to Azure AD until explicitly signing out. If you uncheck this option, users must sign in each time the browser is closed and reopened. This feature is covered in detail in the [Learn about the 'Stay signed in?' prompt](#learn-about-the-stay-signed-in-prompt) section of this article.
+    - **Show option to remain signed in** You can choose to let your users remain signed in to Azure AD until explicitly signing out. If you uncheck this option, users must sign in each time the browser is closed and reopened. For more information, see the [Add or update a user's profile](active-directory-users-profile-azure-portal.md#learn-about-the-stay-signed-in-prompt) article.
 
 3. After you've finished adding your branding, select **Save** in the upper-left corner of the configuration panel.
 
@@ -116,7 +119,7 @@ We recommend adding **Sign-in page text** in the selected language.
 
 If custom branding has been added to your tenant, you can edit the details already provided. Refer to the details and descriptions of each setting in the [Add custom branding](#customize-the-default-sign-in-experience) section of this article.
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) using a Global administrator account for the directory.
+1. Sign in to the [Azure portal](https://portal.azure.com/) using a Global Administrator account for the directory.
 
 1. Go to **Azure Active Directory** > **Company branding**.
 
@@ -128,42 +131,6 @@ If custom branding has been added to your tenant, you can edit the details alrea
 
    It can take up to an hour for any changes you made to the sign-in page branding to appear.
 
-## Learn about the 'Stay signed in?' prompt
-
-The **Stay signed in?** prompt appears after a user successfully signs in. This process is known as **Keep me signed in** (KMSI). If a user answers **Yes** to this prompt, the KMSI service gives them a persistent [refresh token](../develop/developer-glossary.md#refresh-token). For federated tenants, the prompt will show after the user successfully authenticates with the federated identity service.
-
-The following diagram shows the user sign-in flow for a managed tenant and federated tenant using the KMSI in prompt. This flow contains smart logic so that the **Stay signed in?** option won't be displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device.
-
-KMSI is only available on the default custom branding. It can't be added to language-specific branding. Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the **Show option to remain signed in** option, your users may see other unexpected prompts during the sign-in process.
-
-![Diagram showing the user sign-in flow for a managed vs. federated tenant](media/customize-branding/kmsi-workflow.png)
-
-See the [License requirements](#license-requirements) section for using the KMSI service.
-
-### Troubleshoot 'Stay signed in?' issues
-
-If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Azure AD **Sign-ins** page. The prompt the user sees is called an "interrupt."
-
-![Sample 'Stay signed in?' prompt](media/customize-branding/kmsi-stay-signed-in-prompt.png)
-
-Details about the sign-in error are found in the **Sign-in logs** in Azure AD. Select the impacted user from the list and locate the details below in the **Basic info** section.
-
-* **Sign in error code**: 50140
-* **Failure reason**: This error occurred due to "Keep me signed in" interrupt when the user was signing in.
-
-You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the advanced branding settings. This setting disables the KMSI prompt for all users in your Azure AD directory.
-
-You also can use the [persistent browser session controls in Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users (such as the global administrators) without affecting sign-in behavior for everyone else in the directory.
-
-To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios:
-
-* User is signed in via seamless SSO and integrated Windows authentication (IWA)
-* User is signed in via Active Directory Federation Services and IWA
-* User is a guest in the tenant
-* User's risk score is high
-* Sign-in occurs during user or admin consent flow
-* Persistent browser session control is configured in a conditional access policy
-
 ## Next steps
 
 - [Add your organization's privacy info on Azure AD](./active-directory-properties-area.md)