Merge pull request #189683 from MicrosoftDocs/main

2/24 PM Publish

Author: huypub

articles/active-directory-b2c/azure-monitor.md

@@ -11,7 +11,7 @@ ms.workload: identity
 ms.topic: how-to
 ms.author: kengaderdus
 ms.subservice: B2C
-ms.date: 02/09/2022
+ms.date: 02/23/2022
 ---
 
 # Monitor Azure AD B2C with Azure Monitor
@@ -147,7 +147,9 @@ After you've deployed the template and waited a few minutes for the resource pro
 1. Sign in to the [Azure portal](https://portal.azure.com) with your **Azure AD B2C** administrative account. This account must be a member of the security group you specified in the [Delegate resource management](#3-delegate-resource-management) step.
 1. Select the **Directories + subscriptions** icon in the portal toolbar.
 1. On the **Portal settings | Directories + subscriptions** page, in the **Directory name** list,  find your Azure AD directory that contains the Azure subscription and the _azure-ad-b2c-monitor_ resource group you created, and then select **Switch**.
-1. Verify that you've selected the correct directory and subscription.
+1. Verify that you've selected the correct directory and your Azure subscription is listed and selected in the **Default subscription filter**.
+
+   ![Screenshot of the default subscription filter](./media/azure-monitor/default-subscription-filter.png)
 
 ## 5. Configure diagnostic settings
 
@@ -178,6 +180,10 @@ To configure monitoring settings for Azure AD B2C activity logs:
 1. Check the box for each destination to send the logs. Select **Configure** to specify their settings **as described in the following table**.
 1. Select **Send to Log Analytics**, and then select the **Name of workspace** you created earlier (`AzureAdB2C`).
 1. Select **AuditLogs** and **SignInLogs**.
+
+   > [!NOTE]
+   > Only the **AuditLogs** and **SignInLogs** diagnostic settings are currently supported for Azure AD B2C tenants.
+
 1. Select **Save**.
 
 > [!NOTE]

articles/active-directory-b2c/media/azure-monitor/default-subscription-filter.png

@@ -28,7 +28,7 @@ CloudKnox is a cloud infrastructure entitlement management (CIEM) solution that
 
 ## What are the prerequisites to use CloudKnox?
 
-CloudKnox supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers are required to have an Azure Active Directory (Azure AD) account to use CloudKnox, however, an Azure subscription or Azure AD P1 or P2 license aren't required to use CloudKnox for AWS or GCP.
+CloudKnox supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers are required to have an Azure Active Directory (Azure AD) account to use CloudKnox.
 
 ## Can a customer use CloudKnox if they have other identities with access to their IaaS platform that aren’t yet in Azure AD (for example, if part of their business has Okta or AWS Identity & Access Management (IAM))?
 

articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-faqs.md

@@ -34,7 +34,7 @@ To compute the assertion, you can use one of the many JWT libraries in the langu
 | --- | --- |
 | `alg` | Should be **RS256** |
 | `typ` | Should be **JWT** |
-| `x5t` | The X.509 certificate hash's (also known as the cert's SHA-1 *thumbprint*) Hex representation encoded as a Base64url string value. For example, given an X.509 certificate hash of `84E05C1D98BCE3A5421D225B140B36E86A3D5534` (Hex), the `x5t` claim would be `hOBcHZi846VCHSJbFAs26Go9VTQ=` (Base64url). |
+| `x5t` | Base64url-encoded SHA-1 thumbprint of the X.509 certificate thumbprint. For example, given an X.509 certificate hash of `84E05C1D98BCE3A5421D225B140B36E86A3D5534` (Hex), the `x5t` claim would be `hOBcHZi846VCHSJbFAs26Go9VTQ=` (Base64url). |
 
 ### Claims (payload)
 

articles/active-directory/develop/active-directory-certificate-credentials.md

@@ -132,6 +132,9 @@ To complete the scenario in this tutorial, you need:
 
     ![Screenshot showing the More information required message](media/tutorial-mfa/mfa-required.png)
 
+    > [!NOTE]
+    > You also can configure [cross-tenant access settings](cross-tenant-access-overview.md) to trust the MFA from the Azure AD home tenant. This allows external Azure AD users to use the MFA registered in their own tenant rather than register in the resource tenant.
+
 1. Sign out.
 
 ## Clean up resources

articles/active-directory/external-identities/b2b-tutorial-require-mfa.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 10/01/2021
+ms.date: 02/24/2022
 
 ms.author: mimart
 author: msmimart
@@ -140,47 +140,49 @@ Follow [Google’s guidance](https://developers.googleblog.com/2016/08/modernizi
 
 First, create a new project in the Google Developers Console to obtain a client ID and a client secret that you can later add to Azure Active Directory (Azure AD). 
 1. Go to the Google APIs at https://console.developers.google.com, and sign in with your Google account. We recommend that you use a shared team Google account.
-2. Accept the terms of service if you're prompted to do so.
-3. Create a new project: In the upper-left corner of the page, select the project list, and then on the **Select a project** page, select **New Project**.
-4. On the **New Project** page, give the project a name (for example, **Azure AD B2B**), and then select **Create**: 
+
+1. Accept the terms of service if you're prompted to do so.
+
+1. Create a new project: At the top of the page, select the project menu to open the **Select a project** page. Choose  **New Project**.
+
+1. On the **New Project** page, give the project a name (for example, `MyB2BApp`), and then select **Create**:
 
    ![Screenshot that shows a New Project page.](media/google-federation/google-new-project.png)
 
-4. On the **APIs & Services** page, select **View** under your new project.
+1. Open the new project by selecting the link in the **Notifications** message box or by using the project menu at the top of the page.
 
-5. Select **Go to APIs overview** on the APIs card. Select **OAuth consent screen**.
+1. In the left menu, select **APIs & Services**, and then select **OAuth consent screen**.
 
-6. Select **External**, and then select **Create**. 
+1. Under **User Type**, select **External**, and then select **Create**.
 
-7. On the **OAuth consent screen**, enter an **Application name**:
+1. On the **OAuth consent screen**, under **App information**, enter an **App name**.
 
-   ![Screenshot that shows the Google OAuth consent screen.](media/google-federation/google-oauth-consent-screen.png)
+1. Under **User support email**, select an email address.
 
-8. Scroll to the **Authorized domains** section and enter **microsoftonline.com**:
+1. Under **Authorized domains**, select **Add domain**, and then add the `microsoftonline.com` domain.
 
-   ![Screenshot that shows the Authorized domains section.](media/google-federation/google-oauth-authorized-domains.PNG)
+1. Under **Developer contact information**, enter an email address.
 
-9. Select **Save**.
+1. Select **Save and continue**.
 
-10. Select **Credentials**. On the **Create credentials** menu, select **OAuth client ID**:
+1. In the left menu, select **Credentials**.
 
-    ![Screenshot that shows the Google APIs Create credentials menu.](media/google-federation/google-api-credentials.png)
+1. Select **Create credentials**, and then select **OAuth client ID**.
+
+1. In the Application type menu, select **Web application**. Give the application a suitable name, like `Azure AD B2B`. Under **Authorized redirect URIs**, add the following URIs:
 
-11. Under **Application type**, select **Web application**. Give the application a suitable name, like **Azure AD B2B**. Under **Authorized redirect URIs**, enter the following URIs:
     - `https://login.microsoftonline.com`
     - `https://login.microsoftonline.com/te/<tenant ID>/oauth2/authresp` <br>(where `<tenant ID>` is your tenant ID)
     - `https://login.microsoftonline.com/te/<tenant name>.onmicrosoft.com/oauth2/authresp` <br>(where `<tenant name>` is your tenant name)
 
     > [!NOTE]
     > To find your tenant ID, go to the [Azure portal](https://portal.azure.com). Under **Azure Active Directory**, select **Properties** and copy the **Tenant ID**.
 
-    ![Screenshot that shows the Authorized redirect URIs section.](media/google-federation/google-create-oauth-client-id.png)
-
-12. Select **Create**. Copy the client ID and client secret. You'll use them when you add the identity provider in the Azure portal.
+1. Select **Create**. Copy your client ID and client secret. You'll use them when you add the identity provider in the Azure portal.
 
     ![Screenshot that shows the OAuth client ID and client secret.](media/google-federation/google-auth-client-id-secret.png)
 
-13. You can leave your project at a publishing status of **Testing** and add test users to the OAuth consent screen. Or you can select the **Publish app** button on the OAuth consent screen to make the app available to any user with a Google Account.
+1. You can leave your project at a publishing status of **Testing** and add test users to the OAuth consent screen. Or you can select the **Publish app** button on the OAuth consent screen to make the app available to any user with a Google Account.
 
 ## Step 2: Configure Google federation in Azure AD 
 
@@ -190,7 +192,7 @@ You'll now set the Google client ID and client secret. You can use the Azure por
 1. Go to the [Azure portal](https://portal.azure.com). On the left pane, select **Azure Active Directory**. 
 2. Select **External Identities**.
 3. Select **All identity providers**, and then select the **Google** button.
-4. Enter the client ID and client secret you obtained earlier. Select **Save**: 
+4. Enter the client ID and client secret you obtained earlier. Select **Save**:
 
    ![Screenshot that shows the Add Google identity provider page.](media/google-federation/google-identity-provider.png)