Merge branch 'master' into editpass4

Author: Farah Alyasari

.openpublishing.redirection.json

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 09/10/2018
+ms.date: 02/13/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -258,6 +258,7 @@ The following technical profile deletes a social user account using **alternativ
 | UserMessageIfClaimsPrincipalAlreadyExists | No | If an error is to be raised (see RaiseErrorIfClaimsPrincipalAlreadyExists attribute description), specify the message to show to the user if user object already exists. The value can be [localized](localization.md).|
 | ApplicationObjectId | No | The application object identifier for extension attributes. Value: ObjectId of an application. For more information, see [Use custom attributes in a custom profile edit policy](custom-policy-custom-attributes.md). |
 | ClientId | No | The client identifier for accessing the tenant as a third party. For more information, see [Use custom attributes in a custom profile edit policy](custom-policy-custom-attributes.md) |
+| IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. |
 
 
 

articles/active-directory-b2c/active-directory-technical-profile.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 01/25/2019
+ms.date: 02/13/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -100,7 +100,29 @@ Any parameter name included as part of an OIDC or OAuth2 request can be mapped t
 | ----- | ----------------------- | --------|
 | {oauth2:access_token} | The access token. | N/A |
 
-## How to use claim resolvers
+## Using claim resolvers 
+
+You can use claims resolvers with following elements: 
+
+| Item | Element | Settings |
+| ----- | ----------------------- | --------|
+|Application Insights technical profile |`InputClaim` | |
+|[Azure Active Directory](active-directory-technical-profile.md) technical profile| `InputClaim`, `OutputClaim`| 1, 2|
+|[OAuth2](oauth2-technical-profile.md) technical profile| `InputClaim`, `OutputClaim`| 1, 2|
+|[OpenID Connect](openid-connect-technical-profile.md) technical profile| `InputClaim`, `OutputClaim`| 1, 2|
+|[Claims transformation](claims-transformation-technical-profile.md) technical profile| `InputClaim`, `OutputClaim`| 1, 2|
+|[RESTful provider](restful-technical-profile.md) technical profile| `InputClaim`| 1, 2|
+|[SAML2](saml-technical-profile.md)  technical profile| `OutputClaim`| 1, 2|
+|[Self-Asserted](self-asserted-technical-profile.md) technical profile| `InputClaim`, `OutputClaim`| 1, 2|
+|[ContentDefinition](contentdefinitions.md)| `LoadUri`| |
+|[ContentDefinitionParameters](relyingparty.md#contentdefinitionparameters)| `Parameter` | |
+|[RelyingParty](relyingparty.md#technicalprofile) technical profile| `OutputClaim`| 2 |
+
+Settings: 
+1. The `IncludeClaimResolvingInClaimsHandling` metadata must set to `true`
+1. The input or output claims attribute `AlwaysUseDefaultValue` must set to `true`
+
+## Claim resolvers samples
 
 ### RESTful technical profile
 
@@ -116,12 +138,13 @@ The following example shows a RESTful technical profile:
     <Item Key="ServiceUrl">https://your-app.azurewebsites.net/api/identity</Item>
     <Item Key="AuthenticationType">None</Item>
     <Item Key="SendClaimsIn">Body</Item>
+    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
   </Metadata>
   <InputClaims>
-    <InputClaim ClaimTypeReferenceId="userLanguage" DefaultValue="{Culture:LCID}" />
-    <InputClaim ClaimTypeReferenceId="policyName" DefaultValue="{Policy:PolicyId}" />
-    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="{OIDC:scope}" />
-    <InputClaim ClaimTypeReferenceId="clientId" DefaultValue="{OIDC:ClientId}" />
+    <InputClaim ClaimTypeReferenceId="userLanguage" DefaultValue="{Culture:LCID}" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="policyName" DefaultValue="{Policy:PolicyId}" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="{OIDC:scope}" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="clientId" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
   </InputClaims>
   <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
 </TechnicalProfile>
@@ -153,6 +176,17 @@ As a result Azure AD B2C sends the above parameters to the HTML content page:
 /selfAsserted.aspx?campaignId=hawaii&language=en-US&app=0239a9cc-309c-4d41-87f1-31288feb2e82
 ```
 
+### Content definition
+
+In a [ContentDefinition](contentdefinitions.md) `LoadUri`, you can send claim resolvers to pull content from different places, based on the parameters used. 
+
+```XML
+<ContentDefinition Id="api.signuporsignin">
+  <LoadUri>https://contoso.blob.core.windows.net/{Culture:LanguageName}/myHTML/unified.html</LoadUri>
+  ...
+</ContentDefinition>
+```
+
 ### Application Insights technical profile
 
 With Azure Application Insights and claim resolvers you can gain insights on user behavior. In the Application Insights technical profile, you send input claims that are persisted to Azure Application Insights. For more information, see [Track user behavior in Azure AD B2C journeys by using Application Insights](analytics-with-application-insights.md). The following example sends the policy ID, correlation ID, language, and the client ID to Azure Application Insights.
@@ -170,3 +204,28 @@ With Azure Application Insights and claim resolvers you can gain insights on use
   </InputClaims>
 </TechnicalProfile>
 ```
+
+### Relying party policy
+
+In a [Relying party](relyingparty.md) policy technical profile, you may want to send the tenant ID, or correlation ID to the relying party application. 
+
+```XML
+<RelyingParty>
+    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
+    <TechnicalProfile Id="PolicyProfile">
+      <DisplayName>PolicyProfile</DisplayName>
+      <Protocol Name="OpenIdConnect" />
+      <OutputClaims>
+        <OutputClaim ClaimTypeReferenceId="displayName" />
+        <OutputClaim ClaimTypeReferenceId="givenName" />
+        <OutputClaim ClaimTypeReferenceId="surname" />
+        <OutputClaim ClaimTypeReferenceId="email" />
+        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
+        <OutputClaim ClaimTypeReferenceId="identityProvider" />
+        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
+        <OutputClaim ClaimTypeReferenceId="correlationId" AlwaysUseDefaultValue="true" DefaultValue="{Context:CorrelationId}" />
+      </OutputClaims>
+      <SubjectNamingInfo ClaimType="sub" />
+    </TechnicalProfile>
+  </RelyingParty>
+```

articles/active-directory-b2c/claim-resolver-overview.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 09/10/2018
+ms.date: 02/13/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -96,6 +96,12 @@ The claims transformation technical profile enables you to execute a claims tran
 </UserJourney>
 ```
 
+## Metadata
+
+| Attribute | Required | Description |
+| --------- | -------- | ----------- |
+| IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. |
+
 ## Use a validation technical profile
 
 A claims transformation technical profile can be used to validate information. In the following example, the [self asserted technical profile](self-asserted-technical-profile.md) named **LocalAccountSignUpWithLogonEmail** asks the user to enter the email twice, then calls the [validation technical profile](validation-technical-profile.md) named **Validate-Email** to validate the emails. The **Validate-Email** technical profile calls the claims transformation **AssertEmailAreEqual** to compare the two claims **email** and **emailRepeat**, and throw an exception if they are not equal according to the specified comparison.

articles/active-directory-b2c/claims-transformation-technical-profile.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/02/2020
+ms.date: 02/12/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -47,7 +47,7 @@ The **ClaimType** element contains the following elements:
 | Element | Occurrences | Description |
 | ------- | ----------- | ----------- |
 | DisplayName | 1:1 | The title that's displayed to users on various screens. The value can be [localized](localization.md). |
-| DataType | 1:1 | The type of the claim. The data types of boolean, date, dateTime, int, long, string, stringCollection can be used. Primitive data type represents the equivalent of C# variable data type. stringCollection represents a collection of strings. For more information see [C# Types and variables](https://docs.microsoft.com/dotnet/csharp/tour-of-csharp/types-and-variables). Date follows ISO 8601 convention. |
+| DataType | 1:1 | The type of the claim. The data types of boolean, date, dateTime, int, long, string, stringCollection and phoneNumber can be used. Primitive data type represents the equivalent of C# variable data type. stringCollection represents a collection of strings. For more information see [C# Types and variables](https://docs.microsoft.com/dotnet/csharp/tour-of-csharp/types-and-variables). Date follows ISO 8601 convention. |
 | DefaultPartnerClaimTypes | 0:1 | The partner default claim types to use for a specified protocol. The value can be overwritten in the **PartnerClaimType** specified in the **InputClaim** or **OutputClaim** elements. Use this element to specify the default name for a protocol.  |
 | Mask | 0:1 | An optional string of masking characters that can be applied when displaying the claim. For example, the phone number 324-232-4343 can be masked as XXX-XXX-4343. |
 | UserHelpText | 0:1 | A description of the claim type that can be helpful for users to understand its purpose. The value can be [localized](localization.md). |

articles/active-directory-b2c/claimsschema.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 02/10/2020
+ms.date: 02/11/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -80,11 +80,11 @@ The **DataUri** element is used to specify the page identifier. Azure AD B2C use
 | `globalexception` | Displays an error page when an exception or an error is encountered. |
 | `providerselection` |	Lists the identity providers that users can choose from during sign-in. |
 | `unifiedssp` | Displays a form for signing in with a local account that's based on an email address or a user name. This value also provides the “keep me sign-in functionality” and “Forgot your password?” link. |
-| `unifiedssp` | Displays a form for signing in with a local account that's based on an email address or a user name. |
+| `unifiedssd` | Displays a form for signing in with a local account that's based on an email address or a user name. |
 | `multifactor` | Verifies phone numbers by using text or voice during sign-up or sign-in. |
 | `selfasserted` | Displays a form that enables users to create or update their profile. |
 
-## Select a page layout
+### Select a page layout
 
 You can enable [JavaScript client-side code](javascript-samples.md) by inserting `contract` between `elements` and the page type. For example, `urn:com:microsoft:aad:b2c:elements:contract:page-name:version`.
 
@@ -122,6 +122,29 @@ The format of the value must contain the word `contract`: _urn:com:microsoft:aad
 | `urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0` | `urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:1.2.0` |
 | `urn:com:microsoft:aad:b2c:elements:unifiedssp:1.1.0` | `urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:1.2.0` |
 
+
+### Metadata
+
+A **Metadata** element contains the following elements:
+
+| Element | Occurrences | Description |
+| ------- | ----------- | ----------- |
+| Item | 0:n | The metadata that relates to the content definition. |
+
+The **Item** element of the **Metadata** element contains the following attributes:
+
+| Attribute | Required | Description |
+| --------- | -------- | ----------- |
+| Key | Yes | The metadata key.  |
+
+#### Metadata keys
+
+Content definition supports following metadata items: 
+
+| Key | Required | Description |
+| --------- | -------- | ----------- |
+| DisplayName | No | A string that contains the name of the content definition. |
+
 ### LocalizedResourcesReferences
 
 The **LocalizedResourcesReferences** element contains the following elements:
@@ -130,7 +153,7 @@ The **LocalizedResourcesReferences** element contains the following elements:
 | ------- | ----------- | ----------- |
 | LocalizedResourcesReference | 1:n | A list of localized resource references for the content definition. |
 
-The **LocalizedResourcesReferences** element contains the following attributes:
+The **LocalizedResourcesReference** element contains the following attributes:
 
 | Attribute | Required | Description |
 | --------- | -------- | ----------- |

articles/active-directory-b2c/contentdefinitions.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 03/18/2019
+ms.date: 02/12/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -68,7 +68,7 @@ Custom policy/Identity Experience Framework capabilities are under constant and
 | Relying Party OAUTH1 |  |  |  | Not supported. |
 | Relying Party OAUTH2 |  |  | X |  |
 | Relying Party OIDC |  |  | X |  |
-| Relying Party SAML | X |  |  |  |
+| Relying Party SAML |  |X  |  |  |
 | Relying Party WSFED | X |  |  |  |
 | REST API with basic and certificate auth |  |  | X | For example, Azure Logic Apps. |
 
@@ -81,7 +81,7 @@ Custom policy/Identity Experience Framework capabilities are under constant and
 | Azure Email subsystem for email verification |  |  | X |  |
 | Multi-language support|  |  | X |  |
 | Predicate Validations |  |  | X | For example, password complexity. |
-| Using third party email service providers | X |  |  |  |
+| Using third party email service providers |  |X  |  |  |
 
 ### Content Definition
 

articles/active-directory-b2c/custom-policy-developer-notes.md

@@ -22,7 +22,7 @@ You might need to migrate an existing user store to a B2C tenant. You may want t
 For B2C tenants, there are two primary modes of communicating with the Graph API:
 
 * For **interactive**, run-once tasks, you should act as an administrator account in the B2C tenant when you perform the tasks. This mode requires an administrator to sign in with credentials before that admin can perform any calls to the Graph API.
-* For **automated**, continuous tasks, you should use some type of service account that you provide with the necessary privileges to perform management tasks. In Azure AD, you can do this by registering an application and authenticating to Azure AD. This is done by using an *Application ID* that uses the [OAuth 2.0 client credentials grant](../active-directory/develop/service-to-service.md). In this case, the application acts as itself, not as a user, to call the Graph API.
+* For **automated**, continuous tasks, you should use some type of service account that you provide with the necessary privileges to perform management tasks. In Azure AD, you can do this by registering an application and authenticating to Azure AD. This is done by using an *Application ID* that uses the [OAuth 2.0 client credentials grant](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). In this case, the application acts as itself, not as a user, to call the Graph API.
 
 In this article, you learn how to perform the automated use case. You'll build a .NET 4.5 `B2CGraphClient` that performs user create, read, update, and delete (CRUD) operations. The client will have a Windows command-line interface (CLI) that allows you to invoke various methods. However, the code is written to behave in a non-interactive, automated fashion.
 
@@ -69,7 +69,7 @@ Your Azure AD B2C application now has the additional permissions required to del
 
 ## Get the sample code
 
-The code sample is a .NET console application that uses the [Active Directory Authentication Library (ADAL)](../active-directory/develop/active-directory-authentication-libraries.md) to interact with Azure AD Graph API. Its code demonstrates how to call the API to programmatically manage users in an Azure AD B2C tenant.
+The code sample is a .NET console application that uses the [Active Directory Authentication Library (ADAL)](../active-directory/azuread-dev/active-directory-authentication-libraries.md) to interact with Azure AD Graph API. Its code demonstrates how to call the API to programmatically manage users in an Azure AD B2C tenant.
 
 You can [download the sample archive](https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet/archive/master.zip) (\*.zip) or clone the GitHub repository:
 

articles/active-directory-b2c/manage-user-accounts-graph-api.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 09/10/2018
+ms.date: 02/13/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -92,6 +92,7 @@ The technical profile also returns claims that aren't returned by the identity p
 | ResponseErrorCodeParamName | No | The name of the parameter that contains the error message returned over HTTP 200 (Ok). |
 | ExtraParamsInAccessTokenEndpointResponse | No | Contains the extra parameters that can be returned in the response from **AccessTokenEndpoint** by some identity providers. For example, the response from **AccessTokenEndpoint** contains an extra parameter such as `openid`, which is a mandatory parameter besides the access_token in a **ClaimsEndpoint** request query string. Multiple parameter names should be escaped and separated by the comma ',' delimiter. |
 | ExtraParamsInClaimsEndpointRequest | No | Contains the extra parameters that can be returned in the **ClaimsEndpoint** request by some identity providers. Multiple parameter names should be escaped and separated by the comma ',' delimiter. |
+| IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. |
 
 ## Cryptographic keys
 

articles/active-directory-b2c/oauth2-technical-profile.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 09/24/2019
+ms.date: 02/13/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -84,6 +84,7 @@ The technical profile also returns claims that aren't returned by the identity p
 | UsePolicyInRedirectUri | No | Indicates whether to use a policy when constructing the redirect URI. When you configure your application in the identity provider, you need to specify the redirect URI. The redirect URI points to Azure AD B2C, `https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/oauth2/authresp`.  If you specify `false`, you need to add a redirect URI for each policy you use. For example: `https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/{policy-name}/oauth2/authresp`. |
 | MarkAsFailureOnStatusCode5xx | No | Indicates whether a request to an external service should be marked as a failure if the Http status code is in the 5xx range. The default is `false`. |
 | DiscoverMetadataByTokenIssuer | No | Indicates whether the OIDC metadata should be discovered by using the issuer in the JWT token. |
+| IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. |
 
 ## Cryptographic keys