Commit 3e745c5

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into agents-articles-batch-5
2 parents 318852c + 8dee5a0 commit 3e745c5

468 files changed

+5814
-11751
lines changed

.openpublishing.publish.config.json

Lines changed: 6 additions & 0 deletions
@@ -32,6 +32,12 @@
3232
"need_preview_pull_request": true,
3333
"contribution_branch_mappings": {},
3434
"dependent_repositories": [
35+
{
36+
"path_to_root": "azure-docs-snippets-pr",
37+
"url": "https://github.com/MicrosoftDocs/azure-docs-snippets-pr",
38+
"branch": "main",
39+
"branch_mapping": {}
40+
},
3541
{
3642
"path_to_root": "azure-dev-docs-pr",
3743
"url": "https://github.com/MicrosoftDocs/azure-dev-docs-pr",

.openpublishing.redirection.active-directory.json

Lines changed: 10 additions & 0 deletions
@@ -1,5 +1,15 @@
11
{
22
"redirections": [
3+
{
4+
"source_path_from_root": "/articles/active-directory/develop/active-directory-claims-mapping.md",
5+
"redirect_url": "/azure/active-directory/develop/active-directory-saml-claims-customization",
6+
"redirect_document_id": false
7+
},
8+
{
9+
"source_path_from_root": "/articles/active-directory/develop/configure-token-lifetimes.md",
10+
"redirect_url": "/azure/active-directory/develop/active-directory-saml-claims-customization",
11+
"redirect_document_id": false
12+
},
313
{
414
"source_path_from_root": "/articles/active-directory/authentication/how-to-mfa-microsoft-managed.md",
515
"redirect_url": "/azure/active-directory/authentication/concept-authentication-default-enablement",

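Review bot: The second added redirection (new lines 8-12) sends `configure-token-lifetimes.md` to `/azure/active-directory/develop/active-directory-saml-claims-customization`, the same target as the claims-mapping entry directly above it, so a reader following an old link for token lifetime guidance lands on a SAML claims page. Token lifetime is a security-relevant setting, so please confirm the target is intentional and not carried over from the preceding entry.
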
.openpublishing.redirection.json

Lines changed: 395 additions & 0 deletions
Large diffs are not rendered by default.

articles/active-directory-b2c/add-identity-provider.md

Lines changed: 5 additions & 5 deletions
@@ -2,11 +2,11 @@
22
title: Add an identity provider - Azure Active Directory B2C
33
description: Learn how to add an identity provider to your Active Directory B2C tenant.
44
services: active-directory-b2c
5-
author: kengaderdus
5+
author: garrodonnell
66
manager: CelesteDG
77

8-
ms.author: kengaderdus
9-
ms.date: 04/08/2022
8+
ms.author: godonnell
9+
ms.date: 01/19/2022
1010
ms.custom: mvc
1111
ms.topic: how-to
1212
ms.service: active-directory
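Review bot: The new `ms.date: 01/19/2022` (new line 9) is earlier than the `04/08/2022` it replaces, so the article's freshness date moves backwards. Other files in this commit carry dates as late as `12/29/2022`, which suggests the year is a typo; please confirm and correct it.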
@@ -19,9 +19,9 @@ You can configure Azure AD B2C to allow users to sign in to your application wit
1919

2020
With external identity provider federation, you can offer your consumers the ability to sign in with their existing social or enterprise accounts, without having to create a new account just for your application.
2121

22-
On the sign-up or sign-in page, Azure AD B2C presents a list of external identity providers the user can choose for sign-in. Once they select one of the external identity providers, they're taken (redirected) to the selected provider's website to complete the sign in process. After the user successfully signs in, they're returned to Azure AD B2C for authentication of the account in your application.
22+
On the sign-up or sign-in page, Azure AD B2C presents a list of external identity providers the user can choose for sign-in. Once they select one of the external identity providers, they're taken (redirected) to the selected provider's website to complete the sign-in process. After the user successfully signs in, they're returned to Azure AD B2C for authentication of the account in your application.
2323

24-
![Mobile sign-in example with a social account (Facebook)](media/add-identity-provider/external-idp.png)
24+
![Diagram showing mobile sign-in example with a social account (Facebook).](media/add-identity-provider/external-idp.png)
2525

2626
You can add identity providers that are supported by Azure Active Directory B2C (Azure AD B2C) to your [user flows](user-flow-overview.md) using the Azure portal. You can also add identity providers to your [custom policies](user-flow-overview.md).
2727

articles/active-directory-b2c/best-practices.md

Lines changed: 4 additions & 1 deletion
@@ -39,6 +39,8 @@ Define your application and service architecture, inventory current systems, and
3939
| Usability vs. security | Your solution must strike the right balance between application usability and your organization's acceptable level of risk. |
4040
| Move on-premises dependencies to the cloud | To help ensure a resilient solution, consider moving existing application dependencies to the cloud. |
4141
| Migrate existing apps to b2clogin.com | The deprecation of login.microsoftonline.com will go into effect for all Azure AD B2C tenants on 04 December 2020. [Learn more](b2clogin.md). |
42+
| Use Identity Protection and Conditional Access | Use these capabilities for significantly greater control over risky authentications and access policies. Azure AD B2C Premium P2 is required. [Learn more](conditional-access-identity-protection-overview.md). |
43+
|Tenant size | You need to plan with Azure AD B2C tenant size in mind. By default, Azure AD B2C tenant can accommodate 1.25 million objects (user accounts and applications). You can increase this limit to 5.25 million objects by adding a custom domain to your tenant, and verifying it. If you need a bigger tenant size, you need to contact [Support](find-help-open-support-ticket.md).|
4244
| Use Identity Protection and Conditional Access | Use these capabilities for greater control over risky authentications and access policies. Azure AD B2C Premium P2 is required. [Learn more](conditional-access-identity-protection-overview.md). |
4345

4446
## Implementation
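Review bot: The row added at new line 42, "Use Identity Protection and Conditional Access", duplicates the existing row kept at new line 44 (only "significantly greater" versus "greater" differs), so the table will show the same recommendation twice; keep one of them. The "Tenant size" row at new line 43 also opens with `|Tenant size`, without the space after the pipe that the other rows use, and "By default, Azure AD B2C tenant can accommodate" is missing an article ("an Azure AD B2C tenant").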
@@ -86,5 +88,6 @@ Stay up to date with the state of the service and find support options.
8688
| Best practice | Description |
8789
|--|--|
8890
| [Service updates](https://azure.microsoft.com/updates/?product=active-directory-b2c) | Stay up to date with Azure AD B2C product updates and announcements. |
89-
| [Microsoft Support](support-options.md) | File a support request for Azure AD B2C technical issues. Billing and subscription management support is provided at no cost. |
91+
| [Microsoft Support](find-help-open-support-ticket.md) | File a support request for Azure AD B2C technical issues. Billing and subscription management support is provided at no cost. |
9092
| [Azure status](https://azure.status.microsoft/status) | View the current health status of all Azure services. |
93+

articles/active-directory-b2c/custom-domain.md

Lines changed: 6 additions & 2 deletions
@@ -9,7 +9,7 @@ manager: CelesteDG
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 07/26/2022
12+
ms.date: 11/3/2022
1313
ms.author: kengaderdus
1414
ms.subservice: B2C
1515
ms.custom: "b2c-support"
@@ -20,7 +20,11 @@ zone_pivot_groups: b2c-policy-type
2020

2121
[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
2222

23-
This article describes how to enable custom domains in your redirect URLs for Azure Active Directory B2C (Azure AD B2C). Using a custom domain with your application provides a more seamless user experience. From the user's perspective, they remain in your domain during the sign in process rather than redirecting to the Azure AD B2C default domain *<tenant-name>.b2clogin.com*.
23+
This article describes how to enable custom domains in your redirect URLs for Azure Active Directory B2C (Azure AD B2C). By using a verified custom domain, you've benefits such as:
24+
25+
- It provides a more seamless user experience. From the user's perspective, they remain in your domain during the sign in process rather than redirecting to the Azure AD B2C default domain *<tenant-name>.b2clogin.com*.
26+
27+
- You increase the number of objects (user accounts and applications) you can create in your Azure AD B2C tenant from the default 1.25 million to 5.25 million.
2428

2529
![Screenshot demonstrates an Azure AD B2C custom domain user experience.](./media/custom-domain/custom-domain-user-experience.png)
2630

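Review bot: The lead-in at new line 23, "By using a verified custom domain, you've benefits such as:", is ungrammatical; something like "Using a verified custom domain has benefits such as:" reads correctly. The first bullet still says "sign in process", which this same commit changes to "sign-in process" in add-identity-provider.md, and the two bullets are not parallel ("It provides ..." versus "You increase ...").
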
articles/active-directory-b2c/faq.yml

Lines changed: 4 additions & 1 deletion
@@ -43,7 +43,10 @@ sections:
4343
In an Azure AD B2C tenant, most apps want the user to sign-in with any arbitrary email address (for example, [email protected], [email protected], [email protected], or [email protected]). This type of account is a local account. We also support arbitrary user names as local accounts (for example, joe, bob, sarah, or jim). You can choose one of these two local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, select **Identity providers**, select **Local account**, and then select **Username**.
4444
4545
User accounts for applications can be created through a sign-up user flow, sign-up or sign-in user flow, the Microsoft Graph API, or in the Azure portal.
46-
46+
- question: |
47+
How many users can an Azure AD B2C tenant accommodate?
48+
answer: |
49+
- By default, each tenant can accommodate a total of **1.25 million** objects (user accounts and applications), but you can increase this limit to **5.25 million** objects when you [add and verify a custom domain](custom-domain.md). If you want to increase this limit, please contact [Microsoft Support](find-help-open-support-ticket.md). However, if you created your tenant before **September 2022**, this limit doesn't affect you, and your tenant will retain the size allocated to it at creation, that's, **50 million** objects.
4750
- question: |
4851
Which social identity providers do you support now? Which ones do you plan to support in the future?
4952
answer: |
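Review bot: The answer at new line 49 is ambiguous about how to raise the limit: it says the limit can be increased to 5.25 million by verifying a custom domain, then says "If you want to increase this limit, please contact Microsoft Support" without saying which limit is meant. State that Support is the route beyond 5.25 million, as the best-practices.md row in this commit does. Also, "that's, **50 million** objects" should be "that is, ...", the leading `- ` turns a single paragraph into a one-item list, and the question asks about users while the limit counts user accounts and applications together.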

articles/active-directory-b2c/microsoft-graph-operations.md

Lines changed: 21 additions & 2 deletions
@@ -8,7 +8,7 @@ manager: CelesteDG
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 03/03/2022
11+
ms.date: 11/3/2022
1212
ms.custom: "project-no-code, ignite-fall-2021, b2c-support"
1313
ms.author: kengaderdus
1414
ms.subservice: B2C
@@ -26,7 +26,7 @@ Watch this video to learn about Azure AD B2C user migration using Microsoft Grap
2626
2727
## Prerequisites
2828

29-
To use MS Graph API, and interact with resources in your Azure AD B2C tenant, you need an application registration that grants the permissions to do so. Follow the steps in the [Manage Azure AD B2C with Microsoft Graph](microsoft-graph-get-started.md) article to create an application registration that your management application can use.
29+
- To use MS Graph API, and interact with resources in your Azure AD B2C tenant, you need an application registration that grants the permissions to do so. Follow the steps in the [Register a Microsoft Graph application](microsoft-graph-get-started.md) article to create an application registration that your management application can use.
3030

3131
## User management
3232
> [!NOTE]
@@ -162,6 +162,25 @@ For user flows, these extension properties are [managed by using the Azure porta
162162
> [!NOTE]
163163
> In Azure AD, directory extensions are managed through the [extensionProperty resource type](/graph/api/resources/extensionproperty) and its associated methods. However, because they are used in B2C through the `b2c-extensions-app` app which should not be updated, they are managed in Azure AD B2C using the [identityUserFlowAttribute resource type](/graph/api/resources/identityuserflowattribute) and its associated methods.
164164
165+
## Tenant usage
166+
167+
Use the [Get organization details](/graph/api/organization-get) API to get your directory size quota. You need to add the `$select` query parameter as shown in the following HTTP request:
168+
169+
```http
170+
GET https://graph.microsoft.com/v1.0/organization/organization-id?$select=directorySizeQuota
171+
```
172+
Replace `organization-id` with your organization or tenant ID.
173+
174+
The response to the above request looks similar to the following JSON snippet:
175+
176+
```json
177+
{
178+
"directorySizeQuota": {
179+
"used": 156,
180+
"total": 1250000
181+
}
182+
}
183+
```
165184
## Audit logs
166185

167186
- [List audit logs](/graph/api/directoryaudit-list)
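Review bot: The new "Tenant usage" section (new lines 165-183) does not say which Microsoft Graph permission the calling application needs for the `$select=directorySizeQuota` request; naming the least-privileged permission here keeps readers from over-granting the management application just to make the call succeed. The closing code fence at new line 183 is also followed directly by `## Audit logs` with no blank line between them, and the `organization-id` placeholder in the request line would be easier to spot if it were visually marked as a placeholder.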

articles/active-directory-b2c/service-limits.md

Lines changed: 3 additions & 1 deletion
@@ -8,7 +8,7 @@ manager: CelesteDG
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: reference
11-
ms.date: 12/01/2022
11+
ms.date: 12/29/2022
1212
ms.subservice: B2C
1313
zone_pivot_groups: b2c-policy-type
1414
---
@@ -164,6 +164,8 @@ The following table lists the administrative configuration limits in the Azure A
164164
|Number of sign-out URLs per application  |1 |
165165
|String Limit per Attribute |250 Chars |
166166
|Number of B2C tenants per subscription |20 |
167+
|Total number of objects (user accounts and applications) per tenant (default limit)|1.25 million |
168+
|Total number of objects (user accounts and applications) per tenant (using a verified custom domain)|5.25 million |
167169
|Levels of [inheritance](custom-policy-overview.md#inheritance-model) in custom policies |10 |
168170
|Number of policies per Azure AD B2C tenant (user flows + custom policies) |200 |
169171
|Maximum policy file size |1024 KB |
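Review bot: The two rows added at new lines 167-168 give 1.25 million and 5.25 million as the per-tenant object limits, but the faq.yml change in this commit says tenants created before September 2022 keep 50 million objects. Add that exception, or a pointer to it, so the reference table does not contradict the FAQ for older tenants.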

articles/active-directory-b2c/sign-in-options.md

Lines changed: 21 additions & 8 deletions
@@ -9,7 +9,7 @@ manager: CelesteDG
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: conceptual
12-
ms.date: 11/03/2022
12+
ms.date: 01/18/2022
1313
ms.author: godonnell
1414
ms.subservice: B2C
1515

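Review bot: `ms.date` at new line 12 goes from `11/03/2022` to `01/18/2022`, which is earlier than the value it replaces. This looks like a wrong year; please confirm the intended date.
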
@@ -28,7 +28,7 @@ Email sign-up is enabled by default in your local account identity provider sett
2828
- **Sign-up**: users are prompted for an email address, which is verified at sign-up (optional) and becomes their login ID. The user then enters any other information requested on the sign-up page, for example, display name, given name, and surname. Then they select **Continue** to create an account.
2929
- **Password reset**: Users enter and verify their email, after which the user can reset the password
3030

31-
![Email sign-up or sign-in experience](./media/sign-in-options/local-account-email-experience.png)
31+
![Series of screenshots showing email sign-up or sign-in experience.](./media/sign-in-options/local-account-email-experience.png)
3232

3333
Learn how to configure email sign-in in your local account identity provider.
3434
## Username sign-in
@@ -39,7 +39,7 @@ Your local account identity provider includes a Username option that lets users
3939
- **Sign-up**: Users will be prompted for a username, which will become their login ID. Users will also be prompted for an email address, which will be verified at sign-up. The email address will be used during a password reset flow. The user enters any other information requested on the sign-up page, for example, Display Name, Given Name, and Surname. The user then selects Continue to create the account.
4040
- **Password reset**: Users must enter their username and the associated email address. The email address must be verified, after which, the user can reset the password.
4141

42-
![Username sign-up or sign-in experience](./media/sign-in-options/local-account-username-experience.png)
42+
![Series of screenshots showing sign-up or sign-in experience.](./media/sign-in-options/local-account-username-experience.png)
4343

4444
## Phone sign-in
4545

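Review bot: The new alt text at new line 42, "Series of screenshots showing sign-up or sign-in experience.", drops the word "Username" that the old text had, so it no longer distinguishes this image from the email and phone ones for screen-reader users. Suggest "Series of screenshots showing username sign-up or sign-in experience."
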
@@ -53,7 +53,7 @@ Phone sign-in is a passwordless option in your local account identity provider s
5353
1. Next, the user is asked to provide a **recovery email**. The user enters their email address, and then selects *Send verification code*. A code is sent to the user's email inbox, which they can retrieve and enter in the Verification code box. Then the user selects Verify code.
5454
1. Once the code is verified, the user selects *Create* to create their account.
5555

56-
![Phone sign-up or sign-in experience](./media/sign-in-options/local-account-phone-experience.png)
56+
![Series of screenshots showing phone sign-up or sign-in experience.](./media/sign-in-options/local-account-phone-experience.png)
5757

5858
### Pricing for phone sign-in
5959

@@ -66,22 +66,35 @@ One-time passwords are sent to your users by using SMS text messages. Depending
6666

6767
When you enable phone sign-up and sign-in for your user flows, it's also a good idea to enable the recovery email feature. With this feature, a user can provide an email address that can be used to recover their account when they don't have their phone. This email address is used for account recovery only. It can't be used for signing in.
6868

69-
- When the recovery email prompt is **On**, a user signing up for the first time is prompted to verify a backup email. A user who hasn't provided a recovery email before is asked to verify a backup email during next sign in.
69+
- When the recovery email prompt is **On**, a user signing up for the first time is prompted to verify a backup email. A user who hasn't provided a recovery email before is asked to verify a backup email during next sign-in.
7070

7171
- When recovery email is **Off**, a user signing up or signing in isn't shown the recovery email prompt.
7272

7373
The following screenshots demonstrate the phone recovery flow:
7474

75-
![Phone recovery user flow](./media/sign-in-options/local-account-change-phone-flow.png)
75+
![Diagram showing phone recovery user flow.](./media/sign-in-options/local-account-change-phone-flow.png)
7676

7777

7878
## Phone or email sign-in
7979

8080
You can choose to combine the [phone sign-in](#phone-sign-in), and the [email sign-in](#email-sign-in) in your local account identity provider settings. In the sign-up or sign-in page, user can type a phone number, or email address. Based on the user input, Azure AD B2C takes the user to the corresponding flow.
8181

82-
![Phone or email sign-up or sign-in experience](./media/sign-in-options/local-account-phone-and-email-experience.png)
82+
![Series of screenshots showing phone or email sign-up or sign-in experience.](./media/sign-in-options/local-account-phone-and-email-experience.png)
83+
84+
85+
## Federated sign-in
86+
87+
You can configure Azure AD B2C to allow users to sign in to your application with credentials from external social or enterprise identity providers (IdPs). Azure AD B2C supports many [external identity providers](add-identity-provider.md) and any identity provider that supports OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols.
88+
89+
With external identity provider federation, you can offer your consumers the ability to sign in with their existing social or enterprise accounts, without having to create a new account just for your application.
90+
91+
On the sign-up or sign-in page, Azure AD B2C presents a list of external identity providers the user can choose for sign-in. Once they select one of the external identity providers, they're redirected to the selected provider's website to complete the sign-in process. After the user successfully signs in, they're returned to Azure AD B2C for authentication of the account in your application.
92+
93+
![Diagram showing mobile sign-in example with a social account (Facebook).](media/add-identity-provider/external-idp.png)
94+
95+
You can add identity providers that are supported by Azure Active Directory B2C (Azure AD B2C) to your [user flows](user-flow-overview.md) using the Azure portal. You can also add identity providers to your [custom policies](user-flow-overview.md).
8396

8497
## Next steps
8598

8699
- Find out more about the built-in policies provided by [User flows in Azure Active Directory B2C](user-flow-overview.md).
87-
- [Configure your local account identity provider](identity-provider-local.md).
100+
- [Configure your local account identity provider](identity-provider-local.md).
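Review bot: In the added "Federated sign-in" section, the last paragraph (new line 95) links both "user flows" and "custom policies" to `user-flow-overview.md`; the second link probably belongs to a custom policy article such as the `custom-policy-overview.md` referenced in service-limits.md. The section is also copied paragraph for paragraph from add-identity-provider.md, so the two will drift unless the text is shared through an include or reduced here to a short summary with a link. Separately, new line 75 changes the alt text to "Diagram showing phone recovery user flow." while the sentence above it still says "The following screenshots".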
