Merge pull request #181638 from MicrosoftDocs/master

Merge master to live, 4 AM

Author: v-ccolin

articles/active-directory-b2c/partner-f5.md

@@ -428,4 +428,4 @@ Your application’s logs would then help understand if it received those attrib
 
   5. Finally, select the yellow **Apply Access Policy** option in the top left-hand corner, located next to the F5 logo. Apply those settings and select **Apply** again to refresh the access profile list.
 
-See F5’s guidance for more [OAuth client and resource server troubleshooting tips](https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-access-policy-manager-oauth-configuration-14-1-0/apm-oauth-client-and-resource-server.html#GUID-774384BC-CF63-469D-A589-1595D0DDFBA2)
+See F5’s guidance for more [OAuth client and resource server troubleshooting tips](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/37.html#GUID-774384BC-CF63-469D-A589-1595D0DDFBA2)

articles/active-directory-b2c/whats-new-docs.md

@@ -15,6 +15,15 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md).
 
+## November 2021
+
+### Updated articles
+
+- [Define an OAuth2 technical profile in an Azure Active Directory B2C custom policy](oauth2-technical-profile.md)
+- [Error codes: Azure Active Directory B2C](error-codes.md)
+- [Configure authentication options in an Android app by using Azure AD B2C](enable-authentication-android-app-options.md)
+- [Set up a force password reset flow in Azure Active Directory B2C](force-password-reset.md)
+
 
 ## October 2021
 

articles/active-directory/develop/msal-net-token-cache-serialization.md

@@ -0,0 +1,42 @@
+---
+title: Frequently asked questions about the admin consent workflow
+titleSuffix: Azure AD
+description: Find answers to frequently asked questions (FAQs) about the admin consent workflow.
+services: active-directory
+author: eringreenlee
+manager: CelesteDG
+ms.service: active-directory
+ms.subservice: app-mgmt
+ms.workload: identity
+ms.topic: how-to
+ms.date: 11/17/2021
+ms.author: ergreenl
+ms.reviewer: ergreenl
+ms.collection: M365-identity-device-management
+
+---
+# Azure Active Directory admin consent workflow frequently asked questions
+
+## I enabled a workflow, but when testing the functionality, why can’t I see the new “Approval required” prompt that allows me to request access?
+
+After enabling the feature, it may take up to 60 minutes for users to see the update, though it's usually available to all users within a few minutes.
+
+## As a reviewer, why can’t I see all pending requests?
+
+Reviewers can only see admin requests that are created after they're designated as a reviewer. If you've recently been added as a reviewer, you won't see requests that were created before your assignment.
+
+## As a reviewer, why do I see multiple requests for the same application?
+  
+If an application is configured to use static and dynamic consent to request access to their user’s data, you'll see two admin consent requests. One request represents the static permissions, and the other represents the dynamic permissions.
+
+## As a requestor, can I check the status of my request?
+
+No, requestors are only able to receive updates using email notifications.
+
+## As a reviewer, is it possible to approve the application, but not for everyone?
+
+If you're concerned about granting admin consent and allowing all users in the tenant to use the application, you should deny the request. You can then manually grant admin consent by restricting access to the application. Configure the application to require user assignment, and assign users or groups to the application to restrict access. For more information, see [Methods for assigning users and groups](./assign-user-or-group-access-portal.md).
+
+## I have an application that requires user assignment. A user that I assigned to an application is being asked to request admin consent instead of being able to consent themselves. Why is that?
+
+When access to an application is restricted using the "user assignment required" setting, an administrator needs to consent to all the permissions requested by the application.

articles/active-directory/manage-apps/admin-consent-workflow-faq.md

@@ -3,107 +3,69 @@ title: Configure the admin consent workflow
 titleSuffix: Azure AD
 description: Learn how to configure a way for end users to request access to applications that require admin consent. 
 services: active-directory
-author: davidmu1
+author: eringreenlee
 manager: CelesteDG
 ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/06/2021
-ms.author: davidmu
+ms.date: 11/17/2021
+ms.author: ergreenl
 ms.reviewer: ergreenl
 ms.collection: M365-identity-device-management
+#customer intent: As an admin, I want to configure the admin consent workflow.
 ---
 
 # Configure the admin consent workflow
 
-This article describes how to enable the admin consent workflow feature, which gives end users a way to request access to applications that require admin consent.
+In this article, you'll learn how to configure the admin consent workflow to enable users to request access to applications that require admin consent. You enable the ability to make requests by using an admin consent workflow. For more information on consenting to applications, see [Azure Active Directory consent framework](../develop/consent-framework.md).
 
-Without an admin consent workflow, a user in a tenant where user consent is disabled will be blocked when they try to access any app that requires permissions to access organizational data. The user sees a generic error message that says they're unauthorized to access the app and they should ask their admin for help. But often, the user doesn't know who to contact, so they either give up or create a new local account in the application. Even when an admin is notified, there isn't always a streamlined process to help the admin grant access and notify their users.
 The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.
 
 To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator. The reviewer must already have one of these admin roles assigned; simply designating them as a reviewer doesn't elevate their privileges.
 
-## Enable the admin consent workflow
+## Prerequisites
 
-To enable the admin consent workflow and choose reviewers:
+To configure the admin consent workflow, you need:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator.
-2. Click **All services** at the top of the left-hand navigation menu. The **Azure Active Directory Extension** opens.
-3. In the filter search box, type "**Azure Active Directory**" and select **the Azure Active Directory** item.
-4. From the navigation menu, click **Enterprise applications**.
-5. Under **Manage**, select **User settings**.
-6. Under **Admin consent requests**, set **Users can request admin consent to apps they are unable to consent to** to **Yes**.
+- An Azure account. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
 
-   ![Configure admin consent workflow settings](media/configure-admin-consent-workflow/admin-consent-requests-settings.png)
+## Enable the admin consent workflow
 
-7. Configure the following settings:
+To enable the admin consent workflow and choose reviewers:
 
-   * **Select users to review admin consent requests**. Select reviewers for this workflow from a set of users that have the global administrator, cloud application administrator, and application administrator roles. **Note that you must designate at least one reviewer before the workflow can be turned on.**
-   * **Selected users will receive email notifications for requests**. Enable or disable email notifications to the reviewers when a request is made.  
-   * **Selected users will receive request expiration reminders**. Enable or disable reminder email notifications to the reviewers when a request is about to expire.  
-   * **Consent request expires after (days)**. Specify how long requests stay valid.
+1. Sign in to the [Azure portal](https://portal.azure.com)  with one of the roles listed in the prerequisites.
+1. Search for and select **Azure Active Directory**.
+1. Select **Enterprise applications**.
+1. Under **Manage**, select **User settings**.
+Under **Admin consent requests**,  select **Yes** for **Users can request admin consent to apps they are unable to consent to** .
+   :::image type="content" source="media/configure-admin-consent-workflow/admin-consent-requests-settings.png" alt-text="Configure admin consent workflow settings":::
+1. Configure the following settings:
 
-8. Select **Save**. It can take up to an hour for the feature to become enabled.
+   - **Select users to review admin consent requests** - Select reviewers for this workflow from a set of users that have the global administrator, cloud application administrator, or application administrator roles. You can also add groups and roles that can configure an admin consent workflow. You must designate at least one reviewer before the workflow can be enabled.
+   - **Selected users will receive email notifications for requests** - Enable or disable email notifications to the reviewers when a request is made.  
+   - **Selected users will receive request expiration reminders** - Enable or disable reminder email notifications to the reviewers when a request is about to expire.  
+   - **Consent request expires after (days)** - Specify how long requests stay valid.
+1. Select **Save**. It can take up to an hour for the feature to become enabled.
 
 > [!NOTE]
 > You can add or remove reviewers for this workflow by modifying the **Select admin consent requests reviewers** list. Note that a current limitation of this feature is that reviewers can retain the ability to review requests that were made while they were designated as a reviewer.
 
-## How users request admin consent
-
-After the admin consent workflow is enabled, users can request admin approval for an application they're unauthorized to consent to. The following steps describe user's experience when requesting approval.
-
-1. The user attempts to sign in to the application.
-
-2. The **Approval required** message appears. The user types a justification for needing access to the app, and then selects **Request approval**.
-
-   ![Screenshot shows an Approval required dialog box where you can Request approval.](media/configure-admin-consent-workflow/end-user-justification.png)
-
-3. A **Request sent** message confirms that the request was submitted to the admin. If the user sends several requests, only the first request is submitted to the admin.
-
-   ![Screenshot shows the Request sent confirmation.](media/configure-admin-consent-workflow/end-user-sent-request.png)
-
-4. The user receives an email notification when their request is approved, denied, or blocked.
-
-## Review and take action on admin consent requests
-
-To review the admin consent requests and take action:
-
-1. Sign in to the [Azure portal](https://portal.azure.com) as one of the registered reviewers of the admin consent workflow.
-2. Select **All services** at the top of the left-hand navigation menu. The **Azure Active Directory Extension** opens.
-3. In the filter search box, type "**Azure Active Directory**" and select the **Azure Active Directory** item.
-4. From the navigation menu, click **Enterprise applications**.
-5. Under **Activity**, select **Admin consent requests**.
-
-   > [!NOTE]
-   > Reviewers will only see admin requests that were created after they were designated as a reviewer.
-
-6. Select the application that is being requested.
-7. Review details about the request:  
-
-   * To see who is requesting access and why, select the **Requested by** tab.
-   * To see what permissions are being requested by the application, select **Review permissions and consent**.
-
-8. Evaluate the request and take the appropriate action:
-
-   * **Approve the request**. To approve a request, grant admin consent to the application. Once a request is approved, all requestors are notified that they have been granted access. Approving a request allows all users in your tenant to access the application unless otherwise restricted with user assignment. 
-   * **Deny the request**. To deny a request, you must provide a justification that will be provided to all requestors. Once a request is denied, all requestors are notified that they have been denied access to the application. Denying a request won't prevent users from requesting admin consent to the app again in the future.  
-   * **Block the request**. To block a request, you must provide a justification that will be provided to all requestors. Once a request is blocked, all requestors are notified they've been denied access to the application. Blocking a request creates a service principal object for the application in your tenant in a disabled state. Users won't be able to request admin consent to the application in the future.
-
 ## Email notifications
 
 If configured, all reviewers will receive email notifications when:
 
-* A new request has been created
-* A request has expired
-* A request is nearing the expiration date  
+- A new request has been created
+- A request has expired
+- A request is nearing the expiration date  
 
 Requestors will receive email notifications when:
 
-* They submit a new request for access
-* Their request has expired
-* Their request has been denied or blocked
-* Their request has been approved
+- They submit a new request for access
+- Their request has expired
+- Their request has been denied or blocked
+- Their request has been approved
 
 ## Audit logs
 
@@ -118,40 +80,6 @@ The table below outlines the scenarios and audit values available for the admin
 |Reviewers approving an admin consent request       |Access Reviews           |UserManagement           |Approve all requests in business flow          |App context            |Currently you cannot find the user context or the app ID that was granted admin consent.           |
 |Reviewers denying an admin consent request       |Access Reviews           |UserManagement           |Approve all requests in business flow          |App context            | Currently you cannot find the user context of the actor that denied an admin consent request          |
 
-## FAQ
-
-**I turned on this workflow, but when testing out the functionality, why can’t I see the new “Approval required” prompt allowing me to request access?**
-
-After turning on the feature, it may take up to 60 minutes for end users to see the update, though it's usually available to all users within a few minutes.
-
-**As a reviewer, why can’t I see all pending requests?**
-
-Reviewers can only see admin requests that were created after they were designated as a reviewer. So if you were recently added as a reviewer, you won't see any requests that were created before your assignment.
-
-**As a reviewer, why do I see multiple requests for the same application?**
-  
-If an application developer has configured their app to use static and dynamic consent to request access to their end user’s data, you'll see two admin consent requests. One request represents the static permissions, and the other represents the dynamic permissions.
-
-**As a requestor, can I check the status of my request?**  
-
-No, for now requestors are only able to get updates via email notifications.
-
-**As a reviewer, is it possible to approve the application, but not for everyone?**
-
-If you're concerned about granting admin consent and allowing all users in the tenant to use the application, we recommend that you deny the request. Then manually grant admin consent by restricting access to the application by requiring user assignment, and assigning users or groups to the application. For more information, see [Methods for assigning users and groups](./assign-user-or-group-access-portal.md).
-
-**I have an app that requires user assignment. A user that I assigned to an application is being asked to request admin consent instead of being able to consent themself. Why is that?**
-
-When access to an application is restricted via the "user assignment required", an Azure AD administrator needs to consent all the permissions requested by the application. 
-
 ## Next steps
 
-For more information on consenting to applications, see [Azure Active Directory consent framework](../develop/consent-framework.md).
-
-[Configure how end-users consent to applications](configure-user-consent.md)
-
 [Grant tenant-wide admin consent to an application](grant-admin-consent.md)
-
-[Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md)
-
-[Azure AD on Microsoft Q&A](/answers/topics/azure-active-directory.html)

articles/active-directory/manage-apps/configure-admin-consent-workflow.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 10/23/2021
 ms.author: davidmu
 ms.reviewer: phsignor