Merge pull request #213322 from MicrosoftDocs/main

Publish to live, Sunday 4 AM PST, 10/2

Author: ttorble

articles/active-directory/develop/app-resilience-continuous-access-evaluation.md

@@ -104,11 +104,20 @@ You can test your application by signing in a user to the application then using
 When these conditions are met, the app can extract the claims challenge from the API response header as follows: 
 
 ```javascript
-const authenticateHeader = response.headers.get('www-authenticate');
-const claimsChallenge = parseChallenges(authenticateHeader).claims;
-
-// ...
+try {
+  const response = await fetch(apiEndpoint, options);
+
+  if (response.status === 401 && response.headers.get('www-authenticate')) {
+    const authenticateHeader = response.headers.get('www-authenticate');
+    const claimsChallenge = parseChallenges(authenticateHeader).claims;
+    
+    // use the claims challenge to acquire a new access token...
+  }
+} catch(error) {
+  // ...
+}
 
+// helper function to parse the www-authenticate header
 function parseChallenges(header) {
     const schemeSeparator = header.indexOf(' ');
     const challenges = header.substring(schemeSeparator + 1).split(',');
@@ -126,24 +135,20 @@ function parseChallenges(header) {
 Your app would then use the claims challenge to acquire a new access token for the resource.
 
 ```javascript
+const tokenRequest = {
+    claims: window.atob(claimsChallenge), // decode the base64 string
+    scopes: ['User.Read']
+    account: msalInstance.getActiveAccount();
+};
+
 let tokenResponse;
 
 try {
-    tokenResponse = await msalInstance.acquireTokenSilent({
-        claims: window.atob(claimsChallenge), // decode the base64 string
-        scopes: scopes,  // e.g ['User.Read', 'Contacts.Read']
-        account: account, // current active account
-    });
-
+    tokenResponse = await msalInstance.acquireTokenSilent(tokenRequest);
 } catch (error) {
      if (error instanceof InteractionRequiredAuthError) {
-        tokenResponse = await msalInstance.acquireTokenPopup({
-            claims: window.atob(claimsChallenge), // decode the base64 string
-            scopes: scopes, // e.g ['User.Read', 'Contacts.Read']
-            account: account, // current active account
-        });
+        tokenResponse = await msalInstance.acquireTokenPopup(tokenRequest);
     }
-
 }
 ```
 
@@ -154,8 +159,7 @@ const msalConfig = {
     auth: {
         clientId: 'Enter_the_Application_Id_Here', 
         clientCapabilities: ["CP1"]
-        // the remaining settings
-        // ... 
+        // remaining settings...
     }
 }
 

articles/active-directory/develop/claims-challenge.md

@@ -103,7 +103,7 @@ _clientApp = PublicClientApplicationBuilder.Create(App.ClientId)
  .WithDefaultRedirectUri()
  .WithAuthority(authority)
  .WithClientCapabilities(new [] {"cp1"})
- .Build();*
+ .Build();
 ```
 
 Those using Microsoft.Identity.Web can add the following code to the configuration file:
@@ -112,22 +112,21 @@ Those using Microsoft.Identity.Web can add the following code to the configurati
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    // the remaining settings
-    // ... 
-    "ClientCapabilities": [ "cp1" ]
+    "ClientId": 'Enter_the_Application_Id_Here' 
+    "ClientCapabilities": [ "cp1" ],
+    // remaining settings...
 },
 ```
 #### [JavaScript](#tab/JavaScript)
 
-Those using MSAL.js can add `clientCapabilities` property to the configuration object.
+Those using MSAL.js or MSAL Node can add `clientCapabilities` property to the configuration object. Note: this option is available to both public and confidential cient applications.
 
 ```javascript
 const msalConfig = {
     auth: {
         clientId: 'Enter_the_Application_Id_Here', 
         clientCapabilities: ["CP1"]
-        // the remaining settings
-        // ... 
+        // remaining settings...
     }
 }
 
@@ -222,14 +221,15 @@ else
 
 ### [JavaScript](#tab/JavaScript)
 
+The following snippet illustrates a custom Express.js middleware:
+
 ```javascript
 const checkIsClientCapableOfClaimsChallenge = (req, res, next) => {
     // req.authInfo contains the decoded access token payload
     if (req.authInfo['xms_cc'] && req.authInfo['xms_cc'].includes('CP1')) {
           // Return formatted claims challenge as this client understands this
-          
     } else {
-            return res.status(403).json({ error: 'Client is not capable' });
+          return res.status(403).json({ error: 'Client is not capable' });
     }
 }
 

articles/active-directory/develop/mark-app-as-publisher-verified.md

@@ -31,7 +31,6 @@ If you are already enrolled in the Microsoft Partner Network (MPN) and have met
 
 For more details on specific benefits, requirements, and frequently asked questions see the [overview](publisher-verification-overview.md).
 
-
 ## Mark your app as publisher verified
 Make sure you have met the [pre-requisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified.  
 

articles/active-directory/enterprise-users/directory-delete-howto.md

@@ -30,7 +30,8 @@ You can't delete a organization in Azure AD until it passes several checks. Thes
 * There can be no multifactor authentication providers linked to the organization.
 * There can be no subscriptions for any Microsoft Online Services such as Microsoft Azure, Microsoft 365, or Azure AD Premium associated with the organization. For example, if a default Azure AD tenant was created for you in Azure, you can't delete this organization if your Azure subscription still relies on it for authentication. You also can't delete a tenant if another user has associated an Azure subscription with it.
 
-[!NOTE] Microsoft is aware that customers with certain tenant configurations may be unable to successfully delete their Azure AD organization. We are working to address this problem. In the meantime, if needed, you can contact Microsoft support for details about the issue.
+> [!NOTE]
+> Microsoft is aware that customers with certain tenant configurations may be unable to successfully delete their Azure AD organization. We are working to address this problem. In the meantime, if needed, you can contact Microsoft support for details about the issue.
 
 ## Delete the organization
 

articles/active-directory/enterprise-users/licensing-ps-examples.md

@@ -1,6 +1,6 @@
 ---
 
-title: PowerShell and Graph examples for group licensing - Azure AD | Microsoft Docs
+title: PowerShell and Microsoft Graph examples for group licensing - Azure AD | Microsoft Docs
 description: PowerShell + Graph examples and scenarios for Azure Active Directory group-based licensing
 services: active-directory
 keywords: Azure AD licensing
@@ -17,7 +17,7 @@ ms.reviewer: sumitp
 ms.collection: M365-identity-device-management
 ---
 
-# PowerShell and Graph examples for group-based licensing in Azure AD
+# PowerShell and Microsoft Graph examples for group-based licensing in Azure AD
 
 Full functionality for group-based licensing in Azure Active Directory (Azure AD), part of Microsoft Entra, is available through the [Azure portal](https://portal.azure.com), and currently there are some useful tasks that can be performed using the existing [MSOnline PowerShell
 cmdlets](/powershell/module/msonline) and Microsoft Graph. This document provides examples of what is possible.

articles/active-directory/fundamentals/users-default-permissions.md

@@ -56,7 +56,7 @@ You can restrict default permissions for member users in the following ways:
 | **Allow users to connect work or school account with LinkedIn** | Setting this option to **No** prevents users from connecting their work or school account with their LinkedIn account. For more information, see [LinkedIn account connections data sharing and consent](../enterprise-users/linkedin-user-consent.md). |
 | **Create security groups** | Setting this option to **No** prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). |
 | **Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). |
-| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It does not restrict access to Azure AD data using PowerShell or other clients such as Visual Studio. <br>It does not restrict access as long as a user is assigned a custom role (or any role). <br>It does not restrict access to Entra Portal. </p><p></p><p>**When should I use this switch?** <br>Use this to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Do not use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management. |
+| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It does not restrict access to Azure AD data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It does not restrict access as long as a user is assigned a custom role (or any role). <br>It does not restrict access to Entra Portal. </p><p></p><p>**When should I use this switch?** <br>Use this to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Do not use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management. |
 | **Read other users** | This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag does not prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`. |
 
 > [!NOTE]

articles/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md

@@ -275,7 +275,7 @@ This PowerShell script will tighten permissions for the AD Connector Account pro
 - Disable inheritance on the specified object 
 - Remove all ACEs on the specific object, except ACEs specific to SELF as we want to keep the default permissions intact when it comes to SELF. 
 
-  The -ADConnectorAccountDN parameter is the AD account whose permissions need to be tightened. This is typically the MSOL_nnnnnnnnnnnn domain account that is configured in the AD DS Connector (see Determine your AD DS Connector Account). The -Credential parameter is necessary to specify the Administrator account that has the necessary privileges to restrict Active Directory permissions on the target AD object. This is typically the Enterprise or Domain Administrator.  
+  The -ADConnectorAccountDN parameter is the AD account whose permissions need to be tightened. This is typically the MSOL_nnnnnnnnnnnn domain account that is configured in the AD DS Connector (see Determine your AD DS Connector Account). The -Credential parameter is necessary to specify the Administrator account that has the necessary privileges to restrict Active Directory permissions on the target AD object (this account must be different from the ADConnectorAccountDN account). This is typically the Enterprise or Domain Administrator.  
 
 ``` powershell
 Set-ADSyncRestrictedPermissions [-ADConnectorAccountDN] <String> [-Credential] <PSCredential> [-DisableCredentialValidation] [-WhatIf] [-Confirm] [<CommonParameters>] 
@@ -285,7 +285,7 @@ For Example:
 
 ``` powershell
 $credential = Get-Credential 
-Set-ADSyncRestrictedPermissions -ADConnectorAccountDN'CN=ADConnectorAccount,CN=Users,DC=Contoso,DC=com' -Credential $credential  
+Set-ADSyncRestrictedPermissions -ADConnectorAccountDN 'CN=ADConnectorAccount,CN=Users,DC=Contoso,DC=com' -Credential $credential  
 ```
 
 This cmdlet will set the following permissions: 

articles/active-directory/hybrid/how-to-connect-install-existing-database.md

@@ -45,7 +45,7 @@ Important notes to take note of before you proceed:
 - The version of the Azure AD Connect used for installation must satisfy the following criteria:
 	- 1.1.613.0 or above, AND
 	- Same or higher than the version of the Azure AD Connect last used with the ADSync database. If the Azure AD Connect version used for installation is higher than the version last used with the ADSync database, then a full sync may be required.  Full sync is required if there are schema or sync rule changes between the two versions. 
-- The ADSync database used should contain a synchronization state that is relatively recent. The last synchronization activity with the existing ADSync database should be within the last three weeks.
+- The ADSync database used should contain a synchronization state that is relatively recent. The last synchronization activity with the existing ADSync database should be within the last three weeks, otherwise a full import from Azure AD will be required to update the directory watermark.
 - When installing Azure AD Connect using “use existing database” method, sign-in method configured on the previous Azure AD Connect server is not preserved. Further, you cannot configure sign-in method during installation. You can only configure sign-in method after installation is complete.
 - You cannot have multiple Azure AD Connect servers share the same ADSync database. The “use existing database” method allows you to reuse an existing ADSync database with a new Azure AD Connect server. It does not support sharing.
 

articles/active-directory/hybrid/how-to-connect-selective-password-hash-synchronization.md

@@ -52,13 +52,13 @@ This attribute can be set either:
 ### Disable the synchronization scheduler:
 
 Before you start either scenario, you must disable the synchronization scheduler while making changes to the sync rules.
- 1. Start Windows PowerShell enter.
+ 1. Start Windows PowerShell and enter.
 
-     `set-adsyncscheduler-synccycleenabled$false`
+     `Set-ADSyncScheduler -SyncCycleEnabled $false`
 
 2. Confirm the scheduler is disabled by running the following cmdlet:
 
-    `get-adsyncscheduler`
+    `Get-ADSyncScheduler`
 
 For more information on the scheduler see [Azure AD Connect sync scheduler](how-to-connect-sync-feature-scheduler.md).
 

articles/active-directory/hybrid/how-to-connect-sync-change-addsacct-pass.md

@@ -44,7 +44,7 @@ To update the Synchronization Service with the new password:
 
 7. Click **OK** to save the new password and close the pop-up dialog.
 
-8. Restart the Azure AD Connect Synchronization Service under Windows Service Control Manager. This is to ensure that any reference to the old password is removed from the memory cache.
+8. Restart the **Microsoft Azure AD Sync** service under Windows Service Control Manager. This is to ensure that any reference to the old password is removed from the memory cache.
 
 ## Next steps
 **Overview topics**