Merge branch 'master' into mau-2

Author: Justinha

.whatsnew/.external-identities.json

@@ -7,7 +7,7 @@
         "relativeLinkPrefix": "/azure/active-directory/external-identities"
     },
     "inclusionCriteria": {
-        "excludePullRequestTitles": true,
+        "omitPullRequestTitles" : true,
         "minAdditionsToFile" : 10,
         "maxFilesChanged": 50,
         "labels": [
@@ -17,7 +17,7 @@
     },
     "areas": [
         {
-            "name": ".",
+            "names": [ "."],
             "heading": "Azure Active Directory external identities"
         }
     ]

articles/active-directory-b2c/localization-string-ids.md

@@ -520,7 +520,7 @@ The following are the IDs for a [one-time password technical profile](one-time-p
   <LocalizedStrings>
     <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfSessionDoesNotExist">You have exceeded the maximum time allowed.</LocalizedString>
     <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfMaxRetryAttempted">You have exceeded the number of retries allowed.</LocalizedString>
-    <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfMaxNumberOfCodeGenerated">You have exceeded the number of retries allowed.</LocalizedString>
+    <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfMaxNumberOfCodeGenerated">You have exceeded the number of code generation attempts allowed.</LocalizedString>
     <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidCode">You have entered the wrong code.</LocalizedString>
     <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfVerificationFailedRetryAllowed">That code is incorrect. Please try again.</LocalizedString>
    <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfSessionConflict">Cannot verify the code, please try again later.</LocalizedString>

articles/active-directory/authentication/concept-authentication-passwordless.md

@@ -105,26 +105,6 @@ The following process is used when a user signs in with a FIDO2 security key:
 8. Azure AD verifies the signed nonce using the FIDO2 public key.
 9. Azure AD returns PRT to enable access to on-premises resources.
 
-While there are many keys that are FIDO2 certified by the FIDO Alliance, Microsoft requires some optional extensions of the FIDO2 Client-to-Authenticator Protocol (CTAP) specification to be implemented by the vendor to ensure maximum security and the best experience.
-
-A security key MUST implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible. Authenticator vendor must implement both FIDO_2_0 and FIDO_2_1 version of the spec. For more information, see the [Client to Authenticator Protocol](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html).
-
-| # | Feature / Extension trust | Why is this feature or extension required? |
-| --- | --- | --- |
-| 1 | Resident/Discoverable key | This feature enables the security key to be portable, where your credential is stored on the security key and is discoverable which makes usernameless flows possible. |
-| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have a user interface.<br>Both [PIN protocol 1](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#pinProto1) and [PIN protocol 2](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#pinProto2) MUST be implemented. |
-| 3 | hmac-secret | This extension ensures you can sign in to your device when it's off-line or in airplane mode. |
-| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account and Azure Active Directory. |
-| 5 | Credential Management    | This feature allows users to manage their credentials on security keys on platforms and applies to security keys that do not have this capability built-in.<br>Authenticator MUST implement [authenticatorCredentialManagement](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorCredentialManagement) and [credentialMgmtPreview](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#prototypeAuthenticatorCredentialManagement) commands for this feature.  |
-| 6 | Bio Enrollment           | This feature allows users to enroll their biometrics on their authenticators and applies to security keys that do not have this capability built in.<br> Authenticator MUST implement [authenicatorBioEnrollment](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorBioEnrollment) and [userVerificationMgmtPreview](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#prototypeAuthenticatorBioEnrollment) commands for this feature. |
-| 7 | pinUvAuthToken           | This feature allows platform to have auth tokens using PIN or BIO match which helps in better user experience when multiple credentials are present on the authenticator.  |
-| 8 | forcePinChange           | This feature allows enterprises to ask users to change their PIN in remote deployments.  |
-| 9 | setMinPINLength          | This feature allows enterprises to have custom minimum PIN length for their users. Authenticator MUST implement minPinLength extension and have maxRPIDsForSetMinPINLength of value at least 1.  |
-| 10 | alwaysUV                | This feature allows enterprises or users to always require user verification to use this security key. Authenticator MUST implement toggleAlwaysUv subcommand. It is up to vendor to decide the default value of alwaysUV. At this point due to nature of various RPs adoption and OS versions, recommended value for biometric based authenticators is true and non-biometric based authenticators is false.  |
-| 11 | credBlob                | This extension allows websites to store small information in the security key. maxCredBlobLength MUST be atleast 32 bytes.  |
-| 12 | largeBlob               | This extension allows websites to store larger information like certificates in the security key. maxSerializedLargeBlobArray MUST be atleast 1024 bytes.  |
-
-
 ### FIDO2 security key providers
 
 The following providers offer FIDO2 security keys of different form factors that are known to be compatible with the passwordless experience. We encourage you to evaluate the security properties of these keys by contacting the vendor as well as FIDO Alliance.

articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md

@@ -99,13 +99,13 @@ Run the following steps in each domain and forest in your organization that cont
 1. Open a PowerShell prompt using the Run as administrator option.
 1. Run the following PowerShell commands to create a new Azure AD Kerberos Server object both in your on-premises Active Directory domain and in your Azure Active Directory tenant.
 
-> [!NOTE]
-> Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
+   > [!NOTE]
+   > Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
 
-```powershell
-# Specify the on-premises Active Directory domain. A new Azure AD
-# Kerberos Server object will be created in this Active Directory domain.
-$domain = "contoso.corp.com"
+   ```powershell
+   # Specify the on-premises Active Directory domain. A new Azure AD
+   # Kerberos Server object will be created in this Active Directory domain.
+   $domain = "contoso.corp.com"
 
    # Enter an Azure Active Directory global administrator username and password.
    $cloudCred = Get-Credential
@@ -137,13 +137,13 @@ $domain = "contoso.corp.com"
 
    > [!NOTE]
    > If your organization protects password-based sign-in and enforces modern authentication methods such as multifactor authentication, FIDO2, or smart card technology, you must use the `-UserPrincipalName` parameter with the User Principal Name (UPN) of a global administrator.
-   >    - Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
-   >    - Replace `[email protected]` in the following example with the UPN of a global administrator.
+   > - Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
+   > - Replace `[email protected]` in the following example with the UPN of a global administrator.
 
-```powershell
-# Specify the on-premises Active Directory domain. A new Azure AD
-# Kerberos Server object will be created in this Active Directory domain.
-$domain = "contoso.corp.com"
+   ```powershell
+   # Specify the on-premises Active Directory domain. A new Azure AD
+   # Kerberos Server object will be created in this Active Directory domain.
+   $domain = "contoso.corp.com"
 
    # Enter a UPN of an Azure Active Directory global administrator
    $userPrincipalName = "[email protected]"

articles/active-directory/develop/TOC.yml

@@ -738,9 +738,9 @@
   items:
   - name: Videos
     href: identity-videos.md
-  - name: Microsoft identity platform developer blog
-    href: https://developer.microsoft.com/identity/blogs/
-  - name: Azure AD blog
+  - name: Microsoft identity platform - Microsoft 365 Developer Blog
+    href: https://devblogs.microsoft.com/microsoft365dev/category/microsoft-identity-platform/
+  - name: Azure Active Directory Identity Blog
     href: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity
   - name: Azure roadmap
     href: https://azure.microsoft.com/roadmap/?category=security-identity

articles/active-directory/develop/apple-sso-plugin.md

@@ -13,7 +13,7 @@ ms.workload: identity
 ms.date: 08/10/2021
 ms.author: brandwe
 ms.reviewer: brandwe
-ms.custom: aaddev, has-adal-ref
+ms.custom: aaddev
 ---
 
 # Microsoft Enterprise SSO plug-in for Apple devices (preview)
@@ -218,7 +218,7 @@ Use the bundle IDs to configure SSO for the apps.
 
 #### Allow users to sign in from unknown applications and the Safari browser
 
-By default, the Microsoft Enterprise SSO plug-in provides SSO for authorized apps only when a user has signed in from an app that uses a Microsoft identity platform library like MSAL or Azure Active Directory Authentication Library (ADAL). The Microsoft Enterprise SSO plug-in can also acquire a shared credential when it's called by another app that uses a Microsoft identity platform library during a new token acquisition.
+By default, the Microsoft Enterprise SSO plug-in provides SSO for authorized apps only when a user has signed in from an app that uses a Microsoft identity platform library like MSAL. The Microsoft Enterprise SSO plug-in can also acquire a shared credential when it's called by another app that uses a Microsoft identity platform library during a new token acquisition.
 
 When you enable the `browser_sso_interaction_enabled` flag, apps that don't use a Microsoft identity platform library can do the initial bootstrapping and get a shared credential. The Safari browser can also do the initial bootstrapping and get a shared credential. 
 

articles/active-directory/develop/msal-compare-msal-js-and-adal-js.md

@@ -3,15 +3,15 @@ title: "Migrate your JavaScript application from ADAL.js to MSAL.js | Azure"
 titleSuffix: Microsoft identity platform
 description: How to update your existing JavaScript application to use the Microsoft Authentication Library (MSAL) for authentication and authorization instead of the Active Directory Authentication Library (ADAL).
 services: active-directory
-author: KarenH444
+author: mmacy
 manager: CelesteDG
 
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
 ms.workload: identity
 ms.date: 07/06/2021
-ms.author: karenhoran
+ms.author: marsma
 ms.custom: has-adal-ref
 #Customer intent: As an application developer, I want to learn how to change the code in my JavaScript application from using ADAL.js as its authentication library to MSAL.js.
 ---
@@ -321,7 +321,7 @@ The snippets below demonstrates the minimal code required for a single-page appl
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
 
-  <script 
+  <script
     type="text/javascript"
     src="https://secure.aadcdn.microsoftonline-p.com/lib/1.0.18/js/adal.min.js">
   </script>
@@ -374,8 +374,8 @@ The snippets below demonstrates the minimal code required for a single-page appl
 
     tokenButton.addEventListener('click', () => {
         authContext.acquireTokenPopup(
-            "https://graph.microsoft.com", 
-            null, null, 
+            "https://graph.microsoft.com",
+            null, null,
             function (error, token) {
                 console.log(error, token);
             }
@@ -398,8 +398,8 @@ The snippets below demonstrates the minimal code required for a single-page appl
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
 
-  <script 
-    type="text/javascript" 
+  <script
+    type="text/javascript"
     src="https://alcdn.msauth.net/browser/2.14.2/js/msal-browser.min.js">
   </script>
 </head>

articles/active-directory/develop/msal-node-migration.md

@@ -3,15 +3,15 @@ title: "Migrate your Node.js application from ADAL to MSAL | Azure"
 titleSuffix: Microsoft identity platform
 description: How to update your existing Node.js application to use the Microsoft Authentication Library (MSAL) for authentication and authorization instead of the Active Directory Authentication Library (ADAL).
 services: active-directory
-author: KarenH444
+author: mmacy
 manager: CelesteDG
 
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
 ms.workload: identity
 ms.date: 04/26/2021
-ms.author: karenhoran
+ms.author: marsma
 ms.custom: has-adal-ref
 #Customer intent: As an application developer, I want to learn how to change the code in my Node.js application from using ADAL as its authentication library to MSAL.
 ---
@@ -123,7 +123,7 @@ const msalConfig = {
         clientId: "YOUR_CLIENT_ID",
         authority: "https://login.microsoftonline.com/YOUR_TENANT_ID",
         clientSecret: "YOUR_CLIENT_SECRET",
-        knownAuthorities: [], 
+        knownAuthorities: [],
     },
     cache: {
         // your implementation of caching
@@ -309,13 +309,13 @@ const msal = require('@azure/msal-node');
 
 const msalConfig = {
     auth: {
-        // authentication related parameters 
+        // authentication related parameters
     },
     cache: {
         cachePlugin // your implementation of cache plugin
     },
     system: {
-        // logging related options 
+        // logging related options
     }
 }
 
@@ -435,9 +435,9 @@ adal.Logging.setLoggingOptions({
 });
 
 // Auth code request URL template
-var templateAuthzUrl = 'https://login.microsoftonline.com/' 
-    + tenant + '/oauth2/authorize?response_type=code&client_id=' 
-    + clientId + '&redirect_uri=' + redirectUri 
+var templateAuthzUrl = 'https://login.microsoftonline.com/'
+    + tenant + '/oauth2/authorize?response_type=code&client_id='
+    + clientId + '&redirect_uri=' + redirectUri
     + '&state=<state>&resource=' + resource;
 
 // Initialize express
@@ -453,7 +453,7 @@ app.get('/auth', function(req, res) {
         app.locals.state = buf.toString('base64')
             .replace(/\//g, '_')
             .replace(/\+/g, '-');
-        
+
         // Construct auth code request URL
         var authorizationUrl = templateAuthzUrl
             .replace('<state>', app.locals.state);
@@ -469,24 +469,24 @@ app.get('/redirect', function(req, res) {
     }
 
     // Initialize an AuthenticationContext object
-    var authenticationContext = 
+    var authenticationContext =
         new adal.AuthenticationContext(authorityUrl);
-    
+
     // Exchange auth code for tokens
     authenticationContext.acquireTokenWithAuthorizationCode(
-        req.query.code, 
-        redirectUri, 
-        resource, 
-        clientId, 
+        req.query.code,
+        redirectUri,
+        resource,
+        clientId,
         clientSecret,
         function(err, response) {
             res.send(response);
         }
     );
 });
 
-app.listen(3000, function() { 
-    console.log(`listening on port 3000!`); 
+app.listen(3000, function() {
+    console.log(`listening on port 3000!`);
 });
 ```
 
@@ -525,7 +525,7 @@ const cca = new msal.ConfidentialClientApplication(config);
 const app = express();
 
 app.get('/auth', (req, res) => {
-    
+
     // Construct a request object for auth code
     const authCodeUrlParameters = {
         scopes: ["user.read"],
@@ -540,7 +540,7 @@ app.get('/auth', (req, res) => {
 });
 
 app.get('/redirect', (req, res) => {
-    
+
     // Use the auth code in redirect request to construct
     // a token request object
     const tokenRequest = {
@@ -556,7 +556,7 @@ app.get('/redirect', (req, res) => {
         }).catch((error) => res.status(500).send(error));
 });
 
-app.listen(3000, () => 
+app.listen(3000, () =>
     console.log(`listening on port 3000!`));
 ```
 

articles/active-directory/develop/quickstart-v2-nodejs-console.md

@@ -3,14 +3,14 @@ title: "Quickstart: Call Microsoft Graph from a Node.js console app | Azure"
 titleSuffix: Microsoft identity platform
 description: In this quickstart, you download and run a code sample that shows how a Node.js console application can get an access token and call an API protected by a Microsoft identity platform endpoint, using the app's own identity
 services: active-directory
-author: KarenH444
+author: mmacy
 manager: CelesteDG
 
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: quickstart
 ms.date: 02/17/2021
-ms.author: karenhoran
+ms.author: marsma
 #Customer intent: As an application developer, I want to learn how my Node.js app can get an access token and call an API that is protected by a Microsoft identity platform endpoint using client credentials flow.
 ---
 

articles/active-directory/develop/quickstart-v2-nodejs-desktop.md

@@ -3,14 +3,14 @@ title: "Quickstart: Call Microsoft Graph from a Node.js desktop app | Azure"
 titleSuffix: Microsoft identity platform
 description: In this quickstart, you learn how a Node.js Electron desktop application can sign-in users and get an access token to call an API protected by a Microsoft identity platform endpoint
 services: active-directory
-author: KarenH444
+author: mmacy
 manager: CelesteDG
 
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: quickstart
 ms.date: 02/17/2021
-ms.author: karenhoran
+ms.author: marsma
 #Customer intent: As an application developer, I want to learn how my Node.js Electron desktop application can get an access token and call an API that's protected by a Microsoft identity platform endpoint.
 ---