Merge pull request #263408 from MicrosoftDocs/main

1/17/2024 AM Publish

Author: Taojunshen

articles/active-directory-b2c/claim-resolver-overview.md

@@ -9,12 +9,12 @@ manager: CelesteDG
 ms.service: active-directory
 
 ms.topic: reference
-ms.date: 01/11/2024
+ms.date: 01/17/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 
 
-#Customer intent: As a developer using Azure Active Directory B2C custom policies, I want to understand how to use claim resolvers in my technical profiles, so that I can provide context information about authorization requests and populate claims with dynamic values.
+#Customer intent: As a developer using Azure AD B2C custom policies, I want to understand how to use claim resolvers in my technical profiles, so that I can provide context information about authorization requests and populate claims with dynamic values.
 
 ---
 
@@ -122,6 +122,17 @@ Any parameter name included as part of an OIDC or OAuth2 request can be mapped t
 | {OAUTH-KV:loyalty_number} | A query string parameter. | 1234 |
 | {OAUTH-KV:any custom query string} | A query string parameter. | N/A |
 
+## SAML key-value parameters
+
+In a SAML authentication request, any parameter name that's included in the request, but isn’t specific to the protocol (such as SAMLRequest) can be mapped to a claim in the user journey. For example, the request may include a custom parameter such as `username`. This applies to both SP-Initiated and IDP-Initiated SAML requests.
+
+| Claim | Description | Example |
+| ----- | ----------------------- | --------|
+| {SAML-KV:username} | A query string or POST body parameter. | [email protected] |
+| {SAML-KV:loyalty_number} |  A query string or POST body parameter. | 1234 |
+| {SAML-KV:any custom query string} |  A query string or POST body parameter. | N/A |
+
+
 ## SAML
 
 The following table lists the claim resolvers  with information about the SAML authorization request:

articles/active-directory-b2c/configure-authentication-sample-python-web-app.md

@@ -86,24 +86,21 @@ Extract the sample file to a folder where the total length of the path is 260 or
 
 In the project's root directory, follow these steps:
 
-1. Rename the *app_config.py* file to *app_config.py.OLD*.
-1. Rename the *app_config_b2c.py* file to *app_config.py*. This file contains information about your Azure AD B2C identity provider. 
-
-1. Create an `.env` file in the root folder of the project using `.env.sample.b2c` as a guide.
+1. Create an `.env` file in the root folder of the project using `.env.sample` as a guide.
 
     ```shell
     FLASK_DEBUG=True
-    TENANT_NAME=<tenant name>
+    B2C_TENANT_NAME=<tenant name>
     CLIENT_ID=<client id>
     CLIENT_SECRET=<client secret>
-    SIGNUPSIGNIN_USER_FLOW=B2C_1_profile_editing
-    EDITPROFILE_USER_FLOW=B2C_1_reset_password
-    RESETPASSWORD_USER_FLOW=B2C_1_signupsignin1
+    SIGNUPSIGNIN_USER_FLOW=B2C_1_signupsignin1
+    EDITPROFILE_USER_FLOW=B2C_1_profile_editing
+    RESETPASSWORD_USER_FLOW=B2C_1_reset_password
     ```
 
     |Key  |Value  |
     |---------|---------|
-    |`TENANT_NAME`| The first part of your Azure AD B2C [tenant name](tenant-management-read-tenant-name.md#get-your-tenant-name) (for example, `contoso`). |
+    |`B2C_TENANT_NAME`| The first part of your Azure AD B2C [tenant name](tenant-management-read-tenant-name.md#get-your-tenant-name) (for example, `contoso`). |
     |`CLIENT_ID`| The web API application ID from [step 2.1](#step-21-register-the-app).|
     |`CLIENT_SECRET`| The client secret value you created in [step 2.2](#step-22-create-a-web-app-client-secret). |
     |`*_USER_FLOW`|The user flows you created in [step 1](#step-1-configure-your-user-flow).|

articles/active-directory-b2c/custom-policy-developer-notes.md

@@ -177,7 +177,7 @@ The following table summarizes the Security Assertion Markup Language (SAML) app
 | ------- | :--: | ----- |
 | Azure portal | GA |   |
 | [Application Insights user journey logs](troubleshoot-with-application-insights.md) | Preview | Used for troubleshooting during development.  |
-| [Application Insights event logs](analytics-with-application-insights.md) | Preview | Used to monitor user flows in production. |
+| [Application Insights event logs](analytics-with-application-insights.md) | Preview | Used to monitor user flows and custom policies in production. |
 
 ## Other features 
 

articles/active-directory-b2c/openid-connect.md

@@ -94,7 +94,7 @@ Error responses can also be sent to the `redirect_uri` parameter so that the app
 ```http
 GET https://jwt.ms/#
 error=access_denied
-&error_description=the+user+canceled+the+authentication
+&error_description=AADB2C90091%3a+The+user+has+cancelled+entering+self-asserted+information.%0d%0aCorrelation+ID%3a+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%0d%0aTimestamp%3a+xxxx-xx-xx+xx%3a23%3a27Z%0d%0a
 &state=arbitrary_data_you_can_receive_in_the_response
 ```
 
@@ -202,8 +202,8 @@ Error responses look like:
 
 ```json
 {
-    "error": "access_denied",
-    "error_description": "The user revoked access to the app."
+    "error": "invalid_grant",
+    "error_description": "AADB2C90080: The provided grant has expired. Please re-authenticate and try again. Current time: xxxxxxxxxx, Grant issued time: xxxxxxxxxx, Grant expiration time: xxxxxxxxxx\r\nCorrelation ID: xxxxxxxx-xxxx-xxxX-xxxx-xxxxxxxxxxxx\r\nTimestamp: xxxx-xx-16 xx:10:52Z\r\n"
 }
 ```
 
@@ -279,8 +279,8 @@ Error responses look like:
 
 ```json
 {
-    "error": "access_denied",
-    "error_description": "The user revoked access to the app.",
+    "error": "invalid_grant",
+    "error_description": "AADB2C90129: The provided grant has been revoked. Please reauthenticate and try again.\r\nCorrelation ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nTimestamp: xxxx-xx-xx xx:xx:xxZ\r\n",
 }
 ```
 
@@ -318,4 +318,4 @@ To set the required ID Token in logout requests, see [Configure session behavior
 
 ## Next steps
 
-- Learn more about [Azure AD B2C session](session-behavior.md).
+- Learn more about [Azure AD B2C session](session-behavior.md).

articles/active-directory-b2c/restful-technical-profile.md

@@ -276,13 +276,13 @@ The following example shows a C# class that returns an error message:
 ```csharp
 public class ResponseContent
 {
-  public string version { get; set; }
-  public int status { get; set; }
-  public string code { get; set; }
-  public string userMessage { get; set; }
-  public string developerMessage { get; set; }
-  public string requestId { get; set; }
-  public string moreInfo { get; set; }
+  public string Version { get; set; }
+  public int Status { get; set; }
+  public string Code { get; set; }
+  public string UserMessage { get; set; }
+  public string DeveloperMessage { get; set; }
+  public string RequestId { get; set; }
+  public string MoreInfo { get; set; }
 }
 ```
 

articles/active-directory-b2c/userinfo-endpoint.md

@@ -9,6 +9,7 @@ ms.service: active-directory
 
 ms.topic: reference
 ms.date: 01/11/2024
+
 ms.author: kengaderdus
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type

articles/active-directory-b2c/userjourneys.md

@@ -8,13 +8,12 @@ manager: CelesteDG
 ms.service: active-directory
 
 ms.topic: reference
-ms.date: 01/11/2024
+ms.date: 01/17/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 
 
-#Customer intent: As a developer integrating Azure AD B2C into an application, I want to understand how user journeys, authorization technical profiles, orchestration steps, preconditions, claims provider selection, claims exchanges, and journey lists work, so that I can configure the policy file correctly and ensure a successful user flow.
-
+#Customer intent: As a developer integrating Azure AD B2C into an application, I want to understand how custom policy user journeys work so that I can design the steps that a users goes through for the relying party application to obtain the desired claims for a user.  
 ---
 
 # UserJourneys
@@ -92,7 +91,7 @@ A user journey is represented as an orchestration sequence that must be followed
 
 Orchestration steps can be conditionally executed based on preconditions defined in the orchestration step element. For example, you can check to perform an orchestration step only if a specific claim exists, or if a claim is equal or not to the specified value.
 
-To specify the ordered list of orchestration steps, an **OrchestrationSteps** element is added as part of the policy. This element is required.
+To specify the ordered list of orchestration steps, an **OrchestrationSteps** element is added as part of the policy. This element is required. 
 
 ```xml
 <UserJourney Id="SignUpOrSignIn">
@@ -111,7 +110,7 @@ The **OrchestrationStep** element contains the following attributes:
 
 | Attribute | Required | Description |
 | --------- | -------- | ----------- |
-| `Order` | Yes | The order of the orchestration steps. |
+| `Order` | Yes | The order of the orchestration steps. The value of the `Order` attribute starts at `1` through `N`. So, if you've 10 steps and you delete the second step, you need to renumber the steps three to 10 to become two to nine. |
 | `Type` | Yes | The type of the orchestration step. Possible values: <ul><li>**ClaimsProviderSelection** - Indicates that the orchestration step presents various claims providers to the user to select one.</li><li>**CombinedSignInAndSignUp** - Indicates that the orchestration step presents a combined social provider sign-in and local account sign-up page.</li><li>**ClaimsExchange** - Indicates that the orchestration step exchanges claims with a claims provider.</li><li>**GetClaims** - Specifies that the orchestration step should process claim data sent to Azure AD B2C from the relying party via its `InputClaims` configuration.</li><li>**InvokeSubJourney** - Indicates that the orchestration step exchanges claims with a [sub journey](subjourneys.md).</li><li>**SendClaims** - Indicates that the orchestration step sends the claims to the relying party with a token issued by a claims issuer.</li></ul> |
 | ContentDefinitionReferenceId | No | The identifier of the [content definition](contentdefinitions.md) associated with this orchestration step. Usually the content definition reference identifier is defined in the self-asserted technical profile. But, there are some cases when Azure AD B2C needs to display something without a technical profile. There are two examples - if the type of the orchestration step is one of following: `ClaimsProviderSelection` or  `CombinedSignInAndSignUp`, Azure AD B2C needs to display the identity provider selection without having a technical profile. |
 | CpimIssuerTechnicalProfileReferenceId | No | The type of the orchestration step is `SendClaims`. This property defines the technical profile identifier of the claims provider that issues the token for the relying party.  If absent, no relying party token is created. |

articles/ai-services/speech-service/regions.md

@@ -6,7 +6,7 @@ author: eric-urban
 manager: nitinme
 ms.service: azure-ai-speech
 ms.topic: conceptual
-ms.date: 10/27/2023
+ms.date: 1/17/2024
 ms.author: eur
 ms.custom: references_regions
 ---
@@ -50,6 +50,7 @@ The following regions are supported for Speech service features such as speech t
 | Europe | UK South | `uksouth` <sup>1,2,3,4,7</sup>|
 | Middle East | UAE North | `uaenorth` <sup>6</sup>|
 | South America | Brazil South | `brazilsouth` <sup>6</sup>|
+| Qatar | Qatar Central | `qatarcentral`<sup>8</sup> |
 | US | Central US | `centralus` |
 | US | East US | `eastus` <sup>1,2,3,4,5,7,9</sup>|
 | US | East US 2 | `eastus2` <sup>1,2,4,5</sup>|

articles/aks/workload-identity-deploy-cluster.md

@@ -66,16 +66,16 @@ az aks update -g "${RESOURCE_GROUP}" -n myAKSCluster --enable-oidc-issuer --enab
 To get the OIDC Issuer URL and save it to an environmental variable, run the following command. Replace the default value for the arguments `-n`, which is the name of the cluster:
 
 ```bash
-export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" -otsv)"
+export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" -o tsv)"
 ```
 
 The variable should contain the Issuer URL similar to the following example:
 
 ```output
-https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/00000000-0000-0000-0000-000000000000/
+https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111/
 ```
 
-By default, the Issuer is set to use the base URL `https://{region}.oic.prod-aks.azure.com/{uuid}`, where the value for `{region}` matches the location the AKS cluster is deployed in. The value `{uuid}` represents the OIDC key.
+By default, the Issuer is set to use the base URL `https://{region}.oic.prod-aks.azure.com/{tenant_id}/{uuid}`, where the value for `{region}` matches the location the AKS cluster is deployed in. The value `{uuid}` represents the OIDC key.
 
 ## Create a managed identity
 
@@ -88,7 +88,7 @@ az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${R
 Next, let's create a variable for the managed identity ID.
 
 ```bash
-export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"
+export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -o tsv)"
 ```
 
 ## Create Kubernetes service account
@@ -116,7 +116,7 @@ EOF
 The following output resembles successful creation of the identity:
 
 ```output
-Serviceaccount/workload-identity-sa created
+serviceaccount/workload-identity-sa created
 ```
 
 ## Establish federated identity credential
@@ -139,33 +139,21 @@ cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: Pod
 metadata:
-  name: quick-start
+  name: your-pod
   namespace: "${SERVICE_ACCOUNT_NAMESPACE}"
   labels:
     azure.workload.identity/use: "true"
 spec:
   serviceAccountName: "${SERVICE_ACCOUNT_NAME}"
+  containers:
+    - image: <your image>
+      name: <containerName>
 EOF
 ```
 
 > [!IMPORTANT]
 > Ensure your application pods using workload identity have added the following label `azure.workload.identity/use: "true"` to your pod spec, otherwise the pods fail after their restarted.
 
-```bash
-kubectl apply -f <your application>
-```
-
-To check whether all properties are injected properly by the webhook, use the [kubectl describe][kubectl-describe] command:
-
-```bash
-kubectl describe pod containerName
-```
-
-To verify that pod is able to get a token and access the resource, use the kubectl logs command:
-
-```bash
-kubectl logs containerName
-```
 
 ## Optional - Grant permissions to access Azure Key Vault
 
@@ -181,20 +169,82 @@ You can retrieve this information using the Azure CLI command: [az keyvault list
 1. Set an access policy for the managed identity to access secrets in your Key Vault by running the following commands:
 
     ```azurecli-interactive
-    export RESOURCE_GROUP="myResourceGroup"
-    export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
+    export KEYVAULT_RESOURCE_GROUP="myResourceGroup"
     export KEYVAULT_NAME="myKeyVault"
-    export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"
+    export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -o tsv)"
 
     az keyvault set-policy --name "${KEYVAULT_NAME}" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"
     ```
 
+2. Create a secret in Key Vault:
+
+    ```azurecli-interactive
+    export KEYVAULT_SECRET_NAME="my-secret"
+
+    az keyvault secret set --vault-name "${KEYVAULT_NAME}" \
+       --name "${KEYVAULT_SECRET_NAME}" \
+       --value "Hello\!"
+    ```
+
+3. Export Key Vault URL:
+    ```azurecli-interactive
+    export KEYVAULT_URL="$(az keyvault show -g ${KEYVAULT_RESOURCE_GROUP} -n ${KEYVAULT_NAME} --query properties.vaultUri -o tsv)"
+    ```
+
+4. Deploy a pod that references the service account and Key Vault URL above:
+
+    ```yml
+    cat <<EOF | kubectl apply -f -
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: quick-start
+      namespace: ${SERVICE_ACCOUNT_NAMESPACE}
+      labels:
+        azure.workload.identity/use: "true"
+    spec:
+      serviceAccountName: ${SERVICE_ACCOUNT_NAME}
+      containers:
+        - image: ghcr.io/azure/azure-workload-identity/msal-go
+          name: oidc
+          env:
+          - name: KEYVAULT_URL
+            value: ${KEYVAULT_URL}
+          - name: SECRET_NAME
+            value: ${KEYVAULT_SECRET_NAME}
+      nodeSelector:
+        kubernetes.io/os: linux
+    EOF
+    ```
+
+To check whether all properties are injected properly by the webhook, use the [kubectl describe][kubectl-describe] command:
+
+```bash
+kubectl describe pod quick-start | grep "SECRET_NAME:"
+```
+
+If successful, the output should be similar to the following:  
+```bash
+      SECRET_NAME:                 ${KEYVAULT_SECRET_NAME}
+```
+
+To verify that pod is able to get a token and access the resource, use the kubectl logs command:
+
+```bash
+kubectl logs quick-start
+```
+
+If successful, the output should be similar to the following:  
+```bash
+I0114 10:35:09.795900       1 main.go:63] "successfully got secret" secret="Hello\\!"
+```
+
 ## Disable workload identity
 
 To disable the Microsoft Entra Workload ID on the AKS cluster where it's been enabled and configured, you can run the following command:
 
 ```azurecli-interactive
-az aks update --resource-group myResourceGroup --name myAKSCluster --disable-workload-identity
+az aks update --resource-group "${RESOURCE_GROUP}" --name myAKSCluster --disable-workload-identity
 ```
 
 ## Next steps

articles/azure-monitor/app/convert-classic-resource.md

@@ -130,7 +130,7 @@ Use the following script to identify your Application Insights resources by inge
 #### Example
 
 ```azurecli
-Get-AzApplicationInsights -SubscriptionId '1234abcd-5678-efgh-9012-ijklmnopqrst' | Format-Table -Property Name, IngestionMode, Id, @{label='Type';expression={
+Get-AzApplicationInsights -SubscriptionId 'Your Subscription ID' | Format-Table -Property Name, IngestionMode, Id, @{label='Type';expression={
     if ([string]::IsNullOrEmpty($_.IngestionMode)) {
         'Unknown'
     } elseif ($_.IngestionMode -eq 'LogAnalytics') {