Merge pull request #229701 from MicrosoftDocs/main

Publish to live, Tuesday 4 AM PST, 3/7

Author: ttorble

.openpublishing.publish.config.json

@@ -914,6 +914,12 @@
       "branch": "main",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "azure-ai-vision-sdk",
+      "url": "https://github.com/Azure-Samples/azure-ai-vision-sdk",
+      "branch": "main",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "azure-cache-redis-samples",
       "url": "https://github.com/Azure-Samples/azure-cache-redis-samples",

articles/active-directory-b2c/azure-sentinel.md

@@ -75,7 +75,7 @@ To create the web app registration, use the following steps:
 1. Under **Name**, enter a name for the application (for example, *webapp1*).
 1. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**. 
 1. Under **Redirect URI**, select **Web** and then, in the URL box, enter `https://localhost:44316/signin-oidc`.
-1. Under **Implicit grant and hybrid flows**, select the **ID tokens (used for implicit and hybrid flows)** checkbox.
+1. Under  **Authentication**, go to **Implicit grant and hybrid flows**, select the **ID tokens (used for implicit and hybrid flows)** checkbox.
 1. Under **Permissions**, select the **Grant admin consent to openid and offline access permissions** checkbox.
 1. Select **Register**.
 1. Select **Overview**.

articles/active-directory-b2c/configure-authentication-sample-web-app.md

@@ -1,155 +1,134 @@
 ---
-title: Tutorial for configuring Keyless with Azure Active Directory B2C
+title: Tutorial to configure Keyless with Azure Active Directory B2C
 titleSuffix: Azure AD B2C
-description: Tutorial for configuring Keyless with Azure Active Directory B2C for passwordless authentication 
+description: Tutorial to configure Sift Keyless with Azure Active Directory B2C for passwordless authentication 
 services: active-directory-b2c
 author: gargi-sinha
-manager: CelesteDG
+manager: martinco
 ms.reviewer: kengaderdus
-
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/20/2021
+ms.date: 03/06/2023
 ms.author: gasinh
 ms.subservice: B2C
 ---
 
 # Tutorial: Configure Keyless with Azure Active Directory B2C
 
-In this sample tutorial, we provide guidance on how to configure Azure Active Directory (AD) B2C with [Keyless](https://keyless.io/). With Azure AD B2C as an Identity provider, you can integrate Keyless with any of your customer applications to provide true passwordless authentication to your users.
-
-Keyless's solution **Keyless Zero-Knowledge Biometric (ZKB™)** provides passwordless multifactor authentication that eliminates fraud, phishing, and credential reuse – all while enhancing customer experience and protecting their privacy.
+Learn to configure Azure Active Directory B2C (Azure AD B2C) with the Sift Keyless passwordless solution. With Azure AD B2C as an identity provider (IdP), integrate Keyless with customer applications to provide passwordless authentication. The Keyless Zero-Knowledge Biometric (ZKB) is passwordless multi-factor authentication that helps eliminate fraud, phishing, and credential reuse, while enhancing the customer experience and protecting privacy.
 
-## Pre-requisites
+Go to keyless.io to learn about: 
 
-To get started, you'll need:
+* [Sift Keyless](https://keyless.io/)
+* [How Keyless uses zero-knowledge proofs to protect your biometric data](https://keyless.io/blog/post/how-keyless-uses-zero-knowledge-proofs-to-protect-your-biometric-data)
 
-- An Azure subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+## Prerequisites
 
-- An [Azure AD B2C tenant](./tutorial-create-tenant.md). Tenant must be linked to your Azure subscription.
-
-- A Keyless cloud tenant, get a free [trial account](https://keyless.io/go).
+To get started, you'll need:
 
-- The Keyless Authenticator app installed on your user’s device.
+* An Azure subscription 
+  * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
+* An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to the Azure subscription
+* A Keyless cloud tenant
+  * Go to keyless.io to [Request a demo](https://keyless.io/go)
+* The Keyless Authenticator app installed on a user device
 
 ## Scenario description
 
 The Keyless integration includes the following components:
 
-- Azure AD B2C – The authorization server, responsible for verifying the user’s credentials, also known as the identity provider.
+* **Azure AD B2C** – authorization server that verifies user credentials. Also known as the IdP.
+* **Web and mobile applications** – mobile or web applications to protect with Keyless and Azure AD B2C
+* **The Keyless Authenticator mobile app** – Sift mobile app for authentication to the Azure AD B2C enabled applications
 
-- Web and mobile applications – Your mobile or web applications that you choose to protect with Keyless and Azure AD B2C.
+The following architecture diagram illustrates an implementation.
 
-- The Keyless mobile app – The Keyless mobile app will be used for authentication to the Azure AD B2C enabled applications.
+   ![Image shows Keyless architecture diagram](./media/partner-keyless/keyless-architecture-diagram.png)
 
-The following architecture diagram shows the implementation.
+1. User arrives at a sign-in page. User selects sign-in/sign-up and enters the username.
+2. The application sends user attributes to Azure AD B2C for identity verification.
+3. Azure AD B2C sends user attributes to Keyless for authentication.
+4. Keyless sends a push notification to the users' registered mobile device for authentication, a facial biometric scan.
+5. The user responds to the push notification and is granted or denied access.
 
-![Image shows Keyless architecture diagram](./media/partner-keyless/keyless-architecture-diagram.png)
+## Add an IdP, configure the IdP, and create a user flow policy
 
-|Step | Description |
-|:-----| :-----------|
-| 1. | User arrives at a login page. Users select sign-in/sign-up and enters the username
-| 2. | The application sends the user attributes to Azure AD B2C for identity verification.
-| 3. | Azure AD B2C collects the user attributes and sends the attributes to Keyless to authenticate the user through the Keyless mobile app.
-| 4. | Keyless sends a push notification to the registered user's mobile device for a privacy-preserving authentication in the form of a facial biometric scan.
-| 5. | After the user responds to the push notification, the user is either granted or denied access to the customer application based on the verification results.
-
-## Integrate with Azure AD B2C
+Use the following sections to add an IdP, configure the IdP, and create a user flow policy.
 
 ### Add a new Identity provider
 
-To add a new Identity provider, follow these steps:
-
-1. Sign in to the **[Azure portal](https://portal.azure.com/#home)** as the global administrator of your Azure AD B2C tenant.
-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
-1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
-1. Navigate to **Dashboard** > **Azure Active Directory B2C** >  **Identity providers**
-1. Select **Identity providers**.
-1. Select **Add**.
-
-### Configure an Identity provider
-
-To configure an identity provider, follow these steps:
-
-1. Select **Identity provider type** > **OpenID Connect (Preview)**
-1. Fill out the form to set up the Identity provider:
-
-   |Property | Value |
-   |:-----| :-----------|
-   | Name   | Keyless |
-   | Metadata URL | Insert the URI of the hosted Keyless Authentication app, followed by the specific path such as 'https://keyless.auth/.well-known/openid-configuration' |
-   | Client Secret | The secret associated with the Keyless Authentication instance - not same as the one configured before. Insert a complex string of your choice. This secret will be used later in the Keyless Container configuration.|
-   | Client ID | The ID of the client. This ID will be used later in the Keyless Container configuration.|
-   | Scope | openid |
-   | Response type | id_token |
-   | Response mode | form_post|
-
-1. Select **OK**.
-
-1. Select **Map this identity provider’s claims**.
-
-1. Fill out the form to map the Identity provider:
-
-   |Property | Value |
-   |:-----| :-----------|
-   | UserID    | From subscription |
-   | Display name | From subscription |
-   | Response mode | From subscription |
-
-1. Select **Save** to complete the setup for your new Open ID Connect (OIDC) Identity provider.
+To add a new Identity provider:
+
+1. Sign in to the [Azure portal](https://portal.azure.com/#home) as Global Administrator of the Azure AD B2C tenant. 
+2. Select **Directories + subscriptions**.
+3. On the **Portal settings, Directories + subscriptions** page, in the **Directory name** list, find your Azure AD B2C directory.
+4. Select **Switch**.
+5. In the top-left corner of the Azure portal, select **All services**.
+6. Search for and select **Azure AD B2C**.
+7. Navigate to **Dashboard** > **Azure Active Directory B2C** > **Identity providers**.
+8. Select **Identity providers**.
+9. Select **Add**.
+
+### Configure an identity provider
+
+To configure an IdP:
+
+1. Select **Identity provider type** > **OpenID Connect (Preview)**.
+2. For **Name**, select **Keyless**.
+3. For **Metadata URL**, insert the hosted Keyless Authentication app URI, followed by the path, such as `https://keyless.auth/.well-known/openid-configuration`.
+4. For **Client Secret**, select the secret associated with the Keyless Authentication instance. The secret is used later in Keyless Container configuration.
+5. For **Client ID**, select the client ID. The Client ID is used later in Keyless Container configuration.
+6. For **Scope**, select **openid**.
+7. For **Response type**, select **id_token**.
+8. For **Response mode**, select **form_post**.
+9. Select **OK**.
+10. Select **Map this identity provider’s claims**.
+11. For **UserID**, select **From subscription**.
+12. For **Display name**, select **From subscription**.
+13. For **Response mode**, select **From subscription**.
+14. Select **Save**.
 
 ### Create a user flow policy
 
-You should now see Keyless as a new OIDC Identity provider listed within your B2C identity providers.
-
-1. In your Azure AD B2C tenant, under **Policies**, select **User flows**.
-
-2. Select **New** user flow.
-
-3. Select **Sign up and sign in**, select a **version**, and then select **Create**.
-
-4. Enter a **Name** for your policy.
-
-5. In the Identity providers section, select your newly created Keyless Identity Provider.
-
-6. Set up the parameters of your User flow. Insert a name and select the Identity provider you’ve created. You can also add email address. In this case, Azure won’t redirect the login procedure directly to Keyless instead it will show a screen where the user can choose the option they would like to use.
-
-7. Leave the **Multi-factor Authentication** field as is.
-
-8. Select **Enforce conditional access policies**
-
-9. Under **User attributes and token claims**, select **Email Address** in the Collect attribute option. You can add all the attributes that Azure Active Directory can collect about the user alongside the claims that Azure AD B2C can return to the client application.
-
-10. Select **Create**.
-
-11. After a successful creation, select your new **User flow**.
-
-12. On the left panel, select **Application Claims**. Under options, tick the **email** checkbox and select **Save**.
+Keyless appears as a new OpenID Connect (OIDC) IdP with B2C identity providers.
+
+1. Open the Azure AD B2C tenant.
+2. Under **Policies**, select **User flows**.
+3. Select **New** user flow.
+4. Select **Sign up and sign in**.
+5. Select a **version**.
+6. Select **Create**.
+7. Enter a **Name** for your policy.
+8. In the Identity providers section, select the created Keyless Identity Provider.
+9. Enter a name.
+10. Select the IdP you created.
+11. Add an email address. Azure won’t redirect the sign-in to Keyless; a screen appears with a user option.
+12. Leave the **Multi-factor Authentication** field.
+13. Select **Enforce conditional access policies**.
+14. Under **User attributes and token claims**, in the **Collect attribute** option, select **Email Address**. 
+15. Add user attributes Azure AD collects with claims Azure AD B2C returns to the client application.
+16. Select **Create**.
+17. Select the new **User flow**.
+18. On the left panel, select **Application Claims**. 
+19. Under options, select the **email** checkbox.
+20. Select **Save**.
 
 ## Test the user flow
 
-1. Open the Azure AD B2C tenant and under Policies select Identity Experience Framework.
-
-2. Select your previously created SignUpSignIn.
-
-3. Select Run user flow and select the settings:
-
-   a. Application: select the registered app (sample is JWT)
-
-   b. Reply URL: select the redirect URL
+1. Open the Azure AD B2C tenant.
+2. Under **Policies** select **Identity Experience Framework**.
+3. Select the created SignUpSignIn.
+4. Select **Run user flow**.
+5. For **Application**, select the registered app (the example is JWT).
+6. For **Reply URL**, select the redirect URL.
+7. Select **Run user flow**.
+8. Complete the sign-up flow and create an account.
+9. After the user attribute is created, Keyless is called during the flow. 
 
-   c. Select Run user flow.
-
-4. Go through sign-up flow and create an account
-
-5. Keyless will be called during the flow, after user attribute is created. If the flow is incomplete, check that user isn't saved in the directory.
+If the flow is incomplete, confirm user is or isn't saved in the directory.
 
 ## Next steps
 
-For additional information, review the following articles:
-
-- [Custom policies in Azure AD B2C](./custom-policy-overview.md)
-
-- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+* [Azure AD B2C custom policy overview](./custom-policy-overview.md)
+* [Tutorial: Create user flows and custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)

articles/active-directory-b2c/partner-keyless.md

@@ -57,6 +57,8 @@
       href: synchronization.md
     - name: How password hash synchronization works
       href: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md?context=/azure/active-directory-domain-services/context/azure-ad-ds-context
+    - name: Custom attributes
+      href: concepts-custom-attributes.md
     - name: Virtual network considerations
       href: network-considerations.md
     - name: Classic deployment migration benefits

articles/active-directory-domain-services/TOC.yml

@@ -0,0 +1,75 @@
+---
+title: Create and manage custom attributes for Azure AD Domain Services | Microsoft Docs
+description: Learn how to create and manage custom attributes in an Azure AD DS managed domain.
+services: active-directory-ds
+author: justinha
+manager: amycolannino
+
+ms.assetid: 1a14637e-b3d0-4fd9-ba7a-576b8df62ff2
+ms.service: active-directory
+ms.subservice: domain-services
+ms.workload: identity
+ms.topic: how-to
+ms.date: 03/06/2023
+ms.author: justinha
+
+---
+# Custom attributes for Azure Active Directory Domain Services
+
+For various reasons, companies often can’t modify code for legacy apps. For example, apps may use a custom attribute, such as a custom employee ID, and rely on that attribute for LDAP operations. 
+
+Azure AD supports adding custom data to resources using [extensions](/graph/extensibility-overview). Azure Active Directory Domain Services (Azure AD DS) can synchronize the following types of extensions from Azure AD, so you can also use apps that depend on custom attributes with Azure AD DS:  
+
+- [onPremisesExtensionAttributes](/graph/extensibility-overview?tabs=http#extension-attributes) are a set of 15 attributes that can store extended user string attributes. 
+- [Directory extensions](/graph/extensibility-overview?tabs=http#directory-azure-ad-extensions) allow the schema extension of specific directory objects, such as users and groups, with strongly typed attributes through registration with an application in the tenant. 
+
+Both types of extensions can be configured By using Azure AD Connect for users who are managed on-premises, or MSGraph APIs for cloud-only users. 
+
+>[!Note] 
+>The following types of extensions aren't supported for synchronization:  
+>- Custom Security Attributes in Azure AD (Preview)
+>- MSGraph Schema Extensions
+>- MSGraph Open Extensions
+
+
+## Requirements 
+
+The minimum SKU supported for custom attributes is the Enterprise SKU. If you use Standard, you need to [upgrade](change-sku.md) the managed domain to Enterprise or Premium. For more information, see [Azure Active Directory Domain Pricing](https://azure.microsoft.com/pricing/details/active-directory-ds/). 
+
+## How Custom Attributes work 
+
+After you create a managed domain, click **Custom Attributes (Preview)** under **Settings** to enable attribute synchronization. Click **Save** to confirm the change. 
+
+:::image type="content" border="true" source="./media/concepts-custom-attributes/enable.png" alt-text="Screenshot of how to enable custom attributes.":::
+
+## Enable predefined attribute synchronization 
+
+Click **OnPremisesExtensionAttributes** to synchronize the attributes extensionAttribute1-15, also known as [Exchange custom attributes](/graph/api/resources/onpremisesextensionattributes?view=graph-rest-1.0).
+
+## Synchronize Azure AD directory extension attributes 
+
+These are the extended user or group attributes defined in your Azure AD tenant. 
+
+Select **+ Add** to choose which custom attributes to synchronize. The list shows the available extension properties in your tenant. You can filter the list by using the search bar. 
+
+:::image type="content" border="true" source="./media/concepts-custom-attributes/add.png" alt-text="Screenshot of how to add directory extension attributes.":::
+
+
+If you don't see the directory extension you are looking for, enter the extension’s associated application appId and click **Search** to load only that application’s defined extension properties. This search helps when multiple applications define many extensions in your tenant.  
+
+>[!NOTE]
+>If you would like to see directory extensions synchronized by Azure AD Connect, click **Enterprise App** and look for the Application ID of the **Tenant Schema Extension App**. For more information, see [Azure AD Connect sync: Directory extensions](../active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard).  
+
+Click **Select**, and then **Save** to confirm the change. 
+
+:::image type="content" border="true" source="./media/concepts-custom-attributes/select.png" alt-text="Screenshot of how to save directory extension attributes.":::
+
+Azure AD DS back fills all synchronized users and groups with the onboarded custom attribute values. The custom attribute values gradually populate for objects that contain the directory extension in Azure AD. During the backfill synchronization process, incremental changes in Azure AD are paused, and the sync time depends on the size of the tenant. 
+
+To check the backfilling status, click **Azure AD DS Health** and verify the **Synchronization with Azure AD** monitor has an updated timestamp within an hour since onboarding. Once updated, the backfill is complete. 
+
+## Next steps 
+
+To configure onPremisesExtensionAttributes or directory extensions for cloud-only users in Azure AD, see [Custom data options in Microsoft Graph](/graph/extensibility-overview?tabs=http#custom-data-options-in-microsoft-graph). 
+
+To sync onPremisesExtensionAttributes or directory extensions from on-premises to Azure AD, [configure Azure AD Connect](../active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md).