Merge pull request #288310 from kengaderdus/remediate-add-ropc-policy

prmerger-automator[bot] · web-flow · commit 477a222486cd · 2024-10-14T12:51:19.000Z
[SFI Remediate] ROPC flow
diff --git a/articles/active-directory-b2c/secure-rest-api.md b/articles/active-directory-b2c/secure-rest-api.md
@@ -6,7 +6,7 @@ author: kengaderdus
 manager: CelesteDG
 ms.service: azure-active-directory
 ms.topic: how-to
-ms.date: 01/11/2024
+ms.date: 10/14/2024
 ms.author: kengaderdus
 ms.subservice: b2c
 zone_pivot_groups: b2c-policy-type
@@ -276,7 +276,10 @@ A claim provides temporary storage of data during an Azure AD B2C policy executi
 
 ### Acquiring an access token 
 
-You can obtain an access token in one of several ways, for the [from a federated identity provider](idp-pass-through-user-flow.md), by calling a REST API that returns an access token, by using an [ROPC flow](../active-directory/develop/v2-oauth-ropc.md), or by using the [client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). The client credentials flow is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.
+You can obtain an access token in one of several ways, for the [from a federated identity provider](idp-pass-through-user-flow.md), by calling a REST API that returns an access token, by using an [ROPC flow](/entra/identity-platform/v2-oauth-ropc), or by using the [client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). The client credentials flow is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.
+
+> [!WARNING]
+> Microsoft recommends you do *not* use the ROPC flow. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable.
 
 <a name='acquiring-an-azure-ad-access-token-'></a>
 
@@ -577,12 +580,12 @@ The following XML snippet is an example of a RESTful technical profile configure
 ```
 ::: zone-end
 
-## Next steps
+## Related content
 
 ::: zone pivot="b2c-user-flow"
 - Get started with our [samples](api-connector-samples.md#api-connector-rest-api-samples).
 ::: zone-end
 
 ::: zone pivot="b2c-custom-policy"
 - Learn more about the [Restful technical profile](restful-technical-profile.md) element in the custom policy reference.
-::: zone-end
+::: zone-end
