Merge pull request #229745 from MicrosoftDocs/main

3/07 AM Publish

Author: huypub

articles/active-directory-domain-services/concepts-custom-attributes.md

@@ -2,15 +2,15 @@
 title: Create and manage custom attributes for Azure AD Domain Services | Microsoft Docs
 description: Learn how to create and manage custom attributes in an Azure AD DS managed domain.
 services: active-directory-ds
-author: justinha
+author: AlexCesarini
 manager: amycolannino
 
 ms.assetid: 1a14637e-b3d0-4fd9-ba7a-576b8df62ff2
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: how-to
-ms.date: 03/06/2023
+ms.date: 03/07/2023
 ms.author: justinha
 
 ---
@@ -44,7 +44,7 @@ After you create a managed domain, click **Custom Attributes (Preview)** under *
 
 ## Enable predefined attribute synchronization 
 
-Click **OnPremisesExtensionAttributes** to synchronize the attributes extensionAttribute1-15, also known as [Exchange custom attributes](/graph/api/resources/onpremisesextensionattributes?view=graph-rest-1.0).
+Click **OnPremisesExtensionAttributes** to synchronize the attributes extensionAttribute1-15, also known as [Exchange custom attributes](/graph/api/resources/onpremisesextensionattributes).
 
 ## Synchronize Azure AD directory extension attributes 
 

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 02/28/2023
+ms.date: 03/07/2023
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -195,7 +195,7 @@ Use the general guidelines when implementing a SCIM endpoint to ensure compatibi
 * Don't require a case-sensitive match on structural elements in SCIM, in particular **PATCH** `op` operation values, as defined in [section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). Azure AD emits the values of `op` as **Add**, **Replace**, and **Remove**.
 * Microsoft Azure AD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the **Test Connection** flow in the [Azure portal](https://portal.azure.com). 
 * Support HTTPS on your SCIM endpoint.
-* Custom complex and multivalued attributes are supported but Azure AD doesn't have many complex data structures to pull data from in these cases. Simple paired name/value type complex attributes can be mapped to easily, but flowing data to complex attributes with three or more subattributes aren't well supported at this time.
+* Custom complex and multivalued attributes are supported but Azure AD doesn't have many complex data structures to pull data from in these cases. Name/value attributes can be mapped to easily, but flowing data to complex attributes with three or more sub-attributes isn't supported.
 * The "type" subattribute values of multivalued complex attributes must be unique. For example, there can't be two different email addresses with the "work" subtype.
 * The header for all the responses should be of content-Type: application/scim+json 
 
@@ -914,7 +914,7 @@ TLS 1.2 Cipher Suites minimum bar:
 
 ### IP Ranges
 
-The Azure AD provisioning service currently operates under the IP Ranges for AzureActiveDirectory as listed [here](https://www.microsoft.com/download/details.aspx?id=56519&WT.mc_id=rss_alldownloads_all). You can add the IP ranges listed under the AzureActiveDirectory tag to allow traffic from the Azure AD provisioning service into your application. You'll need to review the IP range list carefully for computed addresses. An address such as '40.126.25.32' could be represented in the IP range list as  '40.126.0.0/18'. You can also programmatically retrieve the IP range list using the following [API](/rest/api/virtualnetwork/servicetags/list).
+The Azure AD provisioning service currently operates under the IP Ranges for AzureActiveDirectory as listed [here](https://www.microsoft.com/download/details.aspx?id=56519&WT.mc_id=rss_alldownloads_all). You can add the IP ranges listed under the AzureActiveDirectory tag to allow traffic from the Azure AD provisioning service into your application. You need to review the IP range list carefully for computed addresses. An address such as '40.126.25.32' could be represented in the IP range list as  '40.126.0.0/18'. You can also programmatically retrieve the IP range list using the following [API](/rest/api/virtualnetwork/servicetags/list).
 
 Azure AD also supports an agent based solution to provide connectivity to applications in private networks (on-premises, hosted in Azure, hosted in AWS, etc.). Customers can deploy a lightweight agent, which provides connectivity to Azure AD without opening any inbound ports, on a server in their private network. Learn more [here](./on-premises-scim-provisioning.md).
 

articles/active-directory/develop/msal-b2c-overview.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 06/05/2020
+ms.date: 03/07/2023
 ms.author: henrymbugua
 ms.reviewer: nacanuma, negoe
 ms.custom: aaddev devx-track-js
@@ -20,7 +20,7 @@ ms.custom: aaddev devx-track-js
 
 The [Microsoft Authentication Library for JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js) enables JavaScript developers to authenticate users with social and local identities using [Azure Active Directory B2C](../../active-directory-b2c/overview.md) (Azure AD B2C).
 
-By using Azure AD B2C as an identity management service, you can customize and control how your customers sign up, sign in, and manage their profiles when they use your applications. 
+By using Azure AD B2C as an identity management service, you can customize and control how your customers sign up, sign in, and manage their profiles when they use your applications.
 
 Azure AD B2C also enables you to brand and customize the UI that your application displays during the authentication process.
 
@@ -40,4 +40,4 @@ For more information, see: [Working with Azure AD B2C](https://github.com/AzureA
 Follow the tutorial on how to:
 
 - [Sign in users with Azure AD B2C in a single-page application](../../active-directory-b2c/configure-authentication-sample-spa-app.md)
-- [Call an Azure AD B2C protected web API](../../active-directory-b2c/enable-authentication-web-api.md)
+- [Call an Azure AD B2C protected web API](../../active-directory-b2c/enable-authentication-web-api.md)

articles/active-directory/develop/tutorial-v2-windows-uwp.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 12/13/2019
+ms.date: 03/03/2023
 ms.author: henrymbugua
 ms.reviewer: jmprieur
 ms.custom: "devx-track-csharp, aaddev, identityplatformtop40"
@@ -108,6 +108,7 @@ This section shows how to use the Microsoft Authentication Library to get a toke
     ```csharp
     using Microsoft.Identity.Client;
     using Microsoft.Graph;
+    using Microsoft.Graph.Models;
     using System.Diagnostics;
     using System.Threading.Tasks;
     using System.Net.Http.Headers;
@@ -152,7 +153,7 @@ This section shows how to use the Microsoft Authentication Library to get a toke
                 GraphServiceClient graphClient = await SignInAndInitializeGraphServiceClient(scopes);
 
                 // Call the /me endpoint of Graph
-                User graphUser = await graphClient.Me.Request().GetAsync();
+                User graphUser = await graphClient.Me.GetAsync();
 
                 // Go back to the UI thread to make changes to the UI
                 await Dispatcher.RunAsync(Windows.UI.Core.CoreDispatcherPriority.Normal, () =>
@@ -236,6 +237,42 @@ Eventually, the `AcquireTokenSilent` method fails. Reasons for failure include a
 
 ### Instantiate the Microsoft Graph Service Client by obtaining the token from the SignInUserAndGetTokenUsingMSAL method
 
+In the project, create a new file named *TokenProvider.cs*: right-click on the project, select **Add** > **New Item** > **Blank Page**.
+
+Add to the newly created file the following code:
+
+```csharp
+using Microsoft.Kiota.Abstractions.Authentication;
+using System;
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace UWP_app_MSGraph {
+    public class TokenProvider : IAccessTokenProvider {
+        private Func<string[], Task<string>> getTokenDelegate;
+        private string[] scopes;
+
+        public TokenProvider(Func<string[], Task<string>> getTokenDelegate, string[] scopes) {
+            this.getTokenDelegate = getTokenDelegate;
+            this.scopes = scopes;
+        }
+
+        public Task<string> GetAuthorizationTokenAsync(Uri uri, Dictionary<string, object> additionalAuthenticationContext = default,
+            CancellationToken cancellationToken = default) {
+            return getTokenDelegate(scopes);
+        }
+
+        public AllowedHostsValidator AllowedHostsValidator { get; }
+    }
+}
+```
+
+> [!TIP]
+> After pasting the code, make sure that the namespace in the *TokenProvider.cs* file matches the namespace of your project. This will allow you to more easily reference the `TokenProvider` class in your project.
+
+The `TokenProvider` class defines a custom access token provider that executes the specified delegate method to get and return an access token.
+
 Add the following new method to *MainPage.xaml.cs*:
 
 ```csharp
@@ -245,16 +282,22 @@ Add the following new method to *MainPage.xaml.cs*:
      /// <returns>GraphServiceClient</returns>
      private async static Task<GraphServiceClient> SignInAndInitializeGraphServiceClient(string[] scopes)
      {
-         GraphServiceClient graphClient = new GraphServiceClient(MSGraphURL,
-             new DelegateAuthenticationProvider(async (requestMessage) =>
-             {
-                 requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", await SignInUserAndGetTokenUsingMSAL(scopes));
-             }));
+         var tokenProvider = new TokenProvider(SignInUserAndGetTokenUsingMSAL, scopes);
+         var authProvider = new BaseBearerTokenAuthenticationProvider(tokenProvider);
+         var graphClient = new GraphServiceClient(authProvider, MSGraphURL);
 
          return await Task.FromResult(graphClient);
      }
 ```
 
+In this method, you're using the custom access token provider `TokenProvider` to connect the `SignInUserAndGetTokenUsingMSAL` method to the Microsoft Graph .NET SDK and create an authenticated client.
+
+To use the `BaseBearerTokenAuthenticationProvider`, in the *MainPage.xaml.cs* file, add the following reference:
+
+```cs
+using Microsoft.Kiota.Abstractions.Authentication;
+```
+
 #### More information on making a REST call against a protected API
 
 In this sample application, the `GetGraphServiceClient` method instantiates `GraphServiceClient` by using an access token. Then, `GraphServiceClient` is used to get the user's profile information from the **me** endpoint.

articles/active-directory/reports-monitoring/howto-use-recommendations.md

@@ -0,0 +1,139 @@
+---
+title: How to use Azure Active Directory recommendations | Microsoft Docs
+description: Learn how to use Azure Active Directory recommendations.
+services: active-directory
+author: shlipsey3
+manager: amycolannino
+ms.service: active-directory
+ms.topic: how-to
+ms.workload: identity
+ms.subservice: report-monitor
+ms.date: 03/06/2023
+ms.author: sarahlipsey
+ms.reviewer: hafowler
+---
+
+# How to: Use Azure AD recommendations
+
+The Azure Active Directory (Azure AD) recommendations feature provides you with personalized insights with actionable guidance to:
+
+- Help you identify opportunities to implement best practices for Azure AD-related features.
+- Improve the state of your Azure AD tenant.
+- Optimize the configurations for your scenarios.
+
+This article covers how to work with Azure AD recommendations. Each Azure AD recommendation contains similar details such as a description, the value of addressing the recommendation, and the steps to address the recommendation. Microsoft Graph API guidance is also provided in this article.
+
+## Role requirements
+
+There are different role requirements for viewing or updating a recommendation. Use the least-privileged role for the type of access needed.
+
+| Azure AD role | Access type |
+|---- |---- |
+| Reports Reader | Read-only | 
+| Security Reader | Read-only |
+| Global Reader | Read-only |
+| Cloud apps Administrator | Update and read |
+| Apps Administrator | Update and read |
+| Security Operator | Update and read |
+| Security Administrator | Update and read |
+
+Some recommendations may require a P2 or other license. For more information, see [Recommendation availability and license requirements](overview-recommendations.md#recommendation-availability-and-license-requirements).
+
+## How to read a recommendation
+
+To view the details of a recommendation:
+
+1. Sign in to Azure using the appropriate least-privilege role.
+1. Go to **Azure AD** > **Recommendations** and select a recommendation from the list.
+
+    ![Screenshot of the list of recommendations.](./media/howto-use-recommendations/recommendations-list.png)
+
+Each recommendation provides the same set of details that explain what the recommendation is, why it's important, and how to fix it.
+
+![Screenshot of a recommendation's status, priority, and impacted resource type.](./media/howto-use-recommendations/recommendation-status-risk.png)
+
+- The **Status** of a recommendation can be updated manually or automatically by the system. If all resources are addressed according to the action plan, the status automatically changes to *Completed* the next time the recommendations service runs. The recommendation service runs every 24-48 hours, depending on the recommendation. 
+
+- The **Priority** of a recommendation could be low, medium, or high. These values are determined by several factors, such as security implications, health concerns, or potential breaking changes.
+
+    - **High**: Must do. Not acting will result in severe security implications or potential downtime.
+    - **Medium**: Should do. No severe risk if action isn't taken.
+    - **Low**: Might do. No security risks or health concerns if action isn't taken.
+
+- The **Impacted resource type** for a recommendation could be applications, users, or your full tenant. This detail gives you an idea of what type of resources you need to address. If the impacted resource is at the tenant level, you may need to make a global change. 
+
+![Screenshot of the recommendation status description, description, and value.](media/howto-use-recommendations/status-description-value.png)
+
+- The **Status description** tells you the date the recommendation status changed and if it was changed by the system or a user.
+
+- The recommendation's **Value** is an explanation of why completing the recommendation will benefit you, and the value of the associated feature. 
+
+- The **Action plan** provides step-by-step instructions to implement a recommendation. The Action plan may include links to relevant documentation or direct you to other pages in the Azure AD portal.
+
+- The **Impacted resources** table contains a list of resources identified by the recommendation. The resource's name, ID, date it was first detected, and status are provided. The resource could be an application or resource service principal, for example. 
+
+## How to update a recommendation
+
+To update the status of a recommendation or a related resource, sign in to Azure using a least-privileged role for updating a recommendation.
+
+1. Go to **Azure AD** > **Recommendations**.
+
+1. Select a recommendation from the list to view the details, status, and action plan.
+
+1. Follow the **Action plan**.
+
+1. If applicable, *right-click on the status* of a resource in a recommendation, select **Mark as**, then select a status.
+
+    - The status for the resource appears as regular text, but you can right-click on the status to open the menu.
+    - You can set each resource to a different status as needed.
+    
+    ![Screenshot of the status options for a resource.](./media/howto-use-recommendations/resource-mark-as-option.png)
+
+1. The recommendation service automatically marks the recommendation as complete, but if you need to manually change the status of a recommendation, select **Mark as** from the top of the page and select a status.
+
+    ![Screenshot of the Mark as options, to highlight the difference from the resource menu.](./media/howto-use-recommendations/recommendation-mark-as-options.png)
+
+    - Mark a recommendation as **Dismissed** if you think the recommendation is irrelevant or the data is wrong.
+        - Azure AD asks for a reason why you dismissed the recommendation so we can improve the service.
+    - Mark a recommendation as **Postponed** if you want to address the recommendation at a later time.
+        - The recommendation becomes **Active** when the selected date occurs.
+    - You can reactivate a completed or postponed recommendation to keep it top of mind and reassess the resources.
+    - Recommendations change to **Completed** if all impacted resources have been addressed.
+       - If the service identifies an active resource for a completed recommendation the next time the service runs, the recommendation will automatically change back to **Active**.
+       - Completing a recommendation is the only action collected in the audit log. To view these logs, go to **Azure AD** > **Audit logs** and filter the service to "Azure AD recommendations."
+
+Continue to monitor the recommendations in your tenant for changes.
+
+### How to use Microsoft Graph with Azure Active Directory recommendations
+
+Azure Active Directory recommendations can be viewed and managed using Microsoft Graph on the `/beta` endpoint. You can view recommendations along with their impacted resources, postpone a recommendation for later, and more. 
+
+To get started, follow these instructions to work with recommendations using Microsoft Graph in Graph Explorer. The example uses the "Migrate apps from Active Directory Federated Services (ADFS) to Azure AD" recommendation.
+
+1. Sign in to [Graph Explorer](https://aka.ms/ge).
+1. Select **GET** as the HTTP method from the dropdown.
+1. Set the API version to **beta**.
+1. Add the following query to retrieve recommendations, then select the **Run query** button.
+
+    ```http
+    GET https://graph.microsoft.com/beta/directory/recommendations
+    ```
+
+1. To view the details of a specific `recommendationType`, use the following API. This example retrieves the detail of the "Migrate apps from AD FS to Azure AD" recommendation.
+
+    ```http
+    GET https://graph.microsoft.com/beta/directory/recommendations?$filter=recommendationType eq 'adfsAppsMigration'
+    ```
+
+1. To view the impacted resources for a specific recommendation, expand the `impactedResources` relationship.
+
+    ```http
+    GET https://graph.microsoft.com/beta/directory/recommendations?$filter=recommendationType eq 'adfsAppsMigration'&$expand=impactedResources
+    ```
+
+For more information, see the [Microsoft Graph documentation for recommendations](/graph/api/resources/recommendations-api-overview).
+
+## Next steps
+
+- [Review the Azure AD recommendations overview](overview-recommendations.md)
+- [Learn about Service Health notifications](overview-service-health-notifications.md)