MicrosoftDocs
diff --git a/‎.openpublishing.redirection.defender-for-cloud.json
Lines changed: 390 additions & 40 deletions b/‎.openpublishing.redirection.defender-for-cloud.json
Lines changed: 390 additions & 40 deletions
diff --git a/‎.openpublishing.redirection.json
Lines changed: 30 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 30 additions & 0 deletions
diff --git a/‎articles/active-directory-b2c/TOC.yml
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/TOC.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory-b2c/billing.md
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory-b2c/billing.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory-b2c/enable-authentication-android-app-options.md
Lines changed: 20 additions & 1 deletion b/‎articles/active-directory-b2c/enable-authentication-android-app-options.md
Lines changed: 20 additions & 1 deletion
diff --git a/‎articles/active-directory-b2c/media/enable-authentication-android-app-options/system-web-browser-vs-embedded-view.png
133 KB b/‎articles/active-directory-b2c/media/enable-authentication-android-app-options/system-web-browser-vs-embedded-view.png
133 KB
diff --git a/‎articles/active-directory-b2c/secure-rest-api.md
Lines changed: 5 additions & 2 deletions b/‎articles/active-directory-b2c/secure-rest-api.md
Lines changed: 5 additions & 2 deletions
diff --git a/‎articles/active-directory-domain-services/tutorial-configure-ldaps.md
Lines changed: 16 additions & 16 deletions b/‎articles/active-directory-domain-services/tutorial-configure-ldaps.md
Lines changed: 16 additions & 16 deletions
diff --git a/‎articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md
Lines changed: 2 additions & 2 deletions
@@ -448,6 +448,21 @@
       "redirect_url": "/articles/frontdoor/front-door-geo-filtering",
       "redirect_document_id": false
     },
+    { 
+      "source_path_from_root": "/articles/frontdoor/standard-premium/edge-locations.md",
+      "redirect_url": "/azure/frontdoor/edge-locations-by-region",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/frontdoor/standard-premium/edge-locations-by-abbreviation.md",
+      "redirect_url": "/azure/frontdoor/edge-locations-by-abbreviation",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/frontdoor/edge-locations-abbreviation.md",
+      "redirect_url": "/azure/frontdoor/edge-locations-by-abbreviation",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/azure-sql/database/doc-changes-updates-release-notes.md",
       "redirect_url": "/azure/azure-sql/database/doc-changes-updates-release-notes-whats-new",
@@ -47435,6 +47450,21 @@
     "source_path_from_root": "/articles/applied-ai-services/form-recognizer/quickstarts/try-sdk-rest-api.md",
       "redirect_url": "/azure/applied-ai-services/form-recognizer/how-to-guides/try-sdk-rest-api",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/chaos-studio/chaos-studio-tutorial-agent-based.md",
+      "redirect_url": "/azure/chaos-studio/chaos-studio-tutorial-agent-based-portal",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/chaos-studio/chaos-studio-tutorial-service-direct.md",
+      "redirect_url": "/azure/chaos-studio/chaos-studio-tutorial-service-direct-portal",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/chaos-studio/chaos-studio-tutorial-aks.md",
+      "redirect_url": "/azure/chaos-studio/chaos-studio-tutorial-aks-portal",
+      "redirect_document_id": false
     }
   ]
 }
@@ -49,7 +49,7 @@
       href: ../active-directory/develop/authentication-vs-authorization.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json
     - name: Tokens
       href: ../active-directory/develop/security-tokens.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json
-    - name: Protocols
+    - name: Application authentication request
       href: ../active-directory/develop/v2-app-types.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json
     - name: Authentication library
       href: ../active-directory/develop/msal-overview.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json
 
@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.topic: reference
 ms.workload: identity
-ms.date: 09/15/2021
+ms.date: 11/11/2021
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: fasttrack-edit
@@ -48,7 +48,7 @@ MAU billing went into effect for Azure AD B2C tenants on **November 1, 2019**. A
 
 Your Azure AD B2C tenant must also be linked to the appropriate Azure pricing tier based on the features you want to use. Premium features require Azure AD B2C [Premium P1 or P2 pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/). You might need to upgrade your pricing tier as you use new features. For example, for risk-based Conditional Access policies, you’ll need to select the Azure AD B2C Premium P2 pricing tier for your tenant.
 > [!NOTE]
->  Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.
+>  Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features, but **this free tier doesn’t apply to subscriptions with free trial credits**. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.
 ## Link an Azure AD B2C tenant to a subscription
 
 Usage charges for Azure Active Directory B2C (Azure AD B2C) are billed to an Azure subscription. You need to explicitly link an Azure AD B2C tenant to an Azure subscription by creating an Azure AD B2C *resource* within the target Azure subscription. Several Azure AD B2C resources can be created in a single Azure subscription, along with other Azure resources like virtual machines, Storage accounts, and Logic Apps. You can see all of the resources within a subscription by going to the Azure Active Directory (Azure AD) tenant that the subscription is associated with.
@@ -68,7 +68,7 @@ A subscription linked to an Azure AD B2C tenant can be used for the billing of A
 1. Sign in to the [Azure portal](https://portal.azure.com).
 1. Make sure you're using the directory that has your Azure AD subscription, and not the directory containing your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**.
-1. Select **Create a resource**, enter `Active Directory B2C` in the **Search the Marketplace** field, and then select **Azure Active Directory B2C**.
+1. Select **Create a resource**, and then, in the **Search services and Marketplace** field, search for and select **Azure Active Directory B2C**.
 1. Select **Create**.
 1. Select **Link an existing Azure AD B2C Tenant to my Azure subscription**.
 1. Select an **Azure AD B2C Tenant** from the dropdown. Only tenants for which you're a global administrator and that are not already linked to a subscription are shown. The **Azure AD B2C Resource name** field is populated with the domain name of the Azure AD B2C tenant you select.
 
@@ -7,7 +7,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 07/05/2021
+ms.date: 11/11/2021
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -270,7 +270,26 @@ b2cApp.acquireToken(parameters);
 
 --- 
 
+## Embedded web view experience
 
+Web browsers are required for interactive authentication. By default, the MSAL library uses the system web view. During sign-in, the MSAL library pops up the Android system web view with the Azure AD B2C user interface.  
+
+For more information, see the [Enable cross-app SSO on Android using MSAL](../active-directory/develop/msal-android-single-sign-on.md#sso-through-system-browser) article.
+
+Depending on your requirements, you can use the embedded web view. There are visual and single sign-on behavior differences between the embedded web view and the system web view in MSAL.
+
+![Screenshot demonstrating the difference between the system web view experience and the embedded web view experience.](./media/enable-authentication-android-app-options/system-web-browser-vs-embedded-view.png)
+
+> [!IMPORTANT]
+> We recommend that you use the platform default, which is ordinarily the system browser. The system browser is better at remembering the users that have logged in before. Some identity providers, such as Google, don't support an embedded view experience.
+
+To change this behavior, open the *app/src/main/res/raw/auth_config_b2c.json* file. Then add the `authorization_user_agent` attribute with the `WEBVIEW` value. The following example demonstrates how to change the web view type to embedded view:
+
+```json
+{
+  "authorization_user_agent": "WEBVIEW" 
+}
+```
 
 ## Next steps
 
 
@@ -336,8 +336,8 @@ For the ServiceUrl, replace your-tenant-name with the name of your Azure AD tena
     <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_SecureRESTClientSecret" />
   </CryptographicKeys>
   <InputClaims>
-    <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />
-    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" />
+    <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" AlwaysUseDefaultValue="true" />
   </InputClaims>
   <OutputClaims>
     <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
@@ -346,6 +346,9 @@ For the ServiceUrl, replace your-tenant-name with the name of your Azure AD tena
 </TechnicalProfile>
 ```
 
+> [!NOTE]
+> If you use the `grant_type` or `scope` claims in other technical profiles, we recommend that they also specify `DefaultValue` and use `AlwaysUseDefaultValue="true"` to avoid potential conflicts in binding against the incorrect value.
+
 ### Change the REST technical profile to use bearer token authentication
 
 To support bearer token authentication in your custom policy, modify the REST API technical profile with the following:
 
@@ -37,13 +37,13 @@ If you don't have an Azure subscription, [create an account](https://azure.micro
 To complete this tutorial, you need the following resources and privileges:
 
 * An active Azure subscription.
-    * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+  * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 * An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
-    * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
+  * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
 * An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
-    * If needed, [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance].
+  * If needed, [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance].
 * The *LDP.exe* tool installed on your computer.
-    * If needed, [install the Remote Server Administration Tools (RSAT)][rsat] for *Active Directory Domain Services and LDAP*.
+  * If needed, [install the Remote Server Administration Tools (RSAT)][rsat] for *Active Directory Domain Services and LDAP*.
 
 ## Sign in to the Azure portal
 
@@ -54,17 +54,17 @@ In this tutorial, you configure secure LDAP for the managed domain using the Azu
 To use secure LDAP, a digital certificate is used to encrypt the communication. This digital certificate is applied to your managed domain, and lets tools like *LDP.exe* use secure encrypted communication when querying data. There are two ways to create a certificate for secure LDAP access to the managed domain:
 
 * A certificate from a public certificate authority (CA) or an enterprise CA.
-    * If your organization gets certificates from a public CA, get the secure LDAP certificate from that public CA. If you use an enterprise CA in your organization, get the secure LDAP certificate from the enterprise CA.
-    * A public CA only works when you use a custom DNS name with your managed domain. If the DNS domain name of your managed domain ends in *.onmicrosoft.com*, you can't create a digital certificate to secure the connection with this default domain. Microsoft owns the *.onmicrosoft.com* domain, so a public CA won't issue a certificate. In this scenario, create a self-signed certificate and use that to configure secure LDAP.
+  * If your organization gets certificates from a public CA, get the secure LDAP certificate from that public CA. If you use an enterprise CA in your organization, get the secure LDAP certificate from the enterprise CA.
+  * A public CA only works when you use a custom DNS name with your managed domain. If the DNS domain name of your managed domain ends in *.onmicrosoft.com*, you can't create a digital certificate to secure the connection with this default domain. Microsoft owns the *.onmicrosoft.com* domain, so a public CA won't issue a certificate. In this scenario, create a self-signed certificate and use that to configure secure LDAP.
 * A self-signed certificate that you create yourself.
-    * This approach is good for testing purposes, and is what this tutorial shows.
+  * This approach is good for testing purposes, and is what this tutorial shows.
 
 The certificate you request or create must meet the following requirements. Your managed domain encounters problems if you enable secure LDAP with an invalid certificate:
 
 * **Trusted issuer** - The certificate must be issued by an authority trusted by computers connecting to the managed domain using secure LDAP. This authority may be a public CA or an Enterprise CA trusted by these computers.
 * **Lifetime** - The certificate must be valid for at least the next 3-6 months. Secure LDAP access to your managed domain is disrupted when the certificate expires.
 * **Subject name** - The subject name on the certificate must be your managed domain. For example, if your domain is named *aaddscontoso.com*, the certificate's subject name must be **.aaddscontoso.com*.
-    * The DNS name or subject alternate name of the certificate must be a wildcard certificate to ensure the secure LDAP works properly with the Azure AD Domain Services. Domain Controllers use random names and can be removed or added to ensure the service remains available.
+  * The DNS name or subject alternate name of the certificate must be a wildcard certificate to ensure the secure LDAP works properly with the Azure AD Domain Services. Domain Controllers use random names and can be removed or added to ensure the service remains available.
 * **Key usage** - The certificate must be configured for *digital signatures* and *key encipherment*.
 * **Certificate purpose** - The certificate must be valid for TLS server authentication.
 
@@ -106,12 +106,12 @@ Thumbprint                                Subject
 To use secure LDAP, the network traffic is encrypted using public key infrastructure (PKI).
 
 * A **private** key is applied to the managed domain.
-    * This private key is used to *decrypt* the secure LDAP traffic. The private key should only be applied to the managed domain and not widely distributed to client computers.
-    * A certificate that includes the private key uses the *.PFX* file format.
-    * When exporting the certificate, you must specify the *TripleDES-SHA1* encryption algorithm. This is applicable to the .pfx file only and does not impact the algorithm used by the certificate itself. Note that the *TripleDES-SHA1* option is available only beginning with Windows Server 2016.
+  * This private key is used to *decrypt* the secure LDAP traffic. The private key should only be applied to the managed domain and not widely distributed to client computers.
+  * A certificate that includes the private key uses the *.PFX* file format.
+  * When exporting the certificate, you must specify the *TripleDES-SHA1* encryption algorithm. This is applicable to the .pfx file only and does not impact the algorithm used by the certificate itself. Note that the *TripleDES-SHA1* option is available only beginning with Windows Server 2016.
 * A **public** key is applied to the client computers.
-    * This public key is used to *encrypt* the secure LDAP traffic. The public key can be distributed to client computers.
-    * Certificates without the private key use the *.CER* file format.
+  * This public key is used to *encrypt* the secure LDAP traffic. The public key can be distributed to client computers.
+  * Certificates without the private key use the *.CER* file format.
 
 These two keys, the *private* and *public* keys, make sure that only the appropriate computers can successfully communicate with each other. If you use a public CA or enterprise CA, you are issued with a certificate that includes the private key and can be applied to a managed domain. The public key should already be known and trusted by client computers.
 
@@ -220,7 +220,7 @@ Some common reasons for failure are if the domain name is incorrect, the encrypt
 
 1. Create a replacement secure LDAP certificate by following the steps to [create a certificate for secure LDAP](#create-a-certificate-for-secure-ldap).
 1. To apply the replacement certificate to Azure AD DS, in the left menu for Azure AD DS in the Azure portal, select **Secure LDAP**, and then select **Change Certificate**.
-1. Distribute the certificate to any clients that connect by using secure LDAP. 
+1. Distribute the certificate to any clients that connect by using secure LDAP.
 
 ## Lock down secure LDAP access over the internet
 
@@ -302,14 +302,14 @@ If you added a DNS entry to the local hosts file of your computer to test connec
 
 ## Troubleshooting
 
-If you see an error stating that LDAP.exe cannot connect, try working through the different aspects of getting the connection: 
+If you see an error stating that LDAP.exe cannot connect, try working through the different aspects of getting the connection:
 
 1. Configuring the domain controller
 1. Configuring the client
 1. Networking
 1. Establishing the TLS session
 
-For the certificate subject name match, the DC will use the Azure ADDS domain name (not the Azure AD domain name) to search its certificate store for the certificate. Spelling mistakes, for example, prevent the DC from selecting the right certificate. 
+For the certificate subject name match, the DC will use the Azure AD DS domain name (not the Azure AD domain name) to search its certificate store for the certificate. Spelling mistakes, for example, prevent the DC from selecting the right certificate.
 
 The client attempts to establish the TLS connection using the name you provided. The traffic needs to get all the way through. The DC sends the public key of the server auth cert. The cert needs to have the right usage in the certificate, the name signed in the subject name must be compatible for the client to trust that the server is the DNS name which you’re connecting to (that is, a wildcard will work, with no spelling mistakes), and the client must trust the issuer. You can check for any problems in that chain in the System log in Event Viewer, and filter the events where source equals Schannel. Once those pieces are in place, they form a session key.  
 
 
@@ -7,7 +7,7 @@ manager: karenh444
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 06/01/2021
+ms.date: 11/11/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -22,7 +22,7 @@ ms.collection: M365-identity-device-management
 You can import into the Azure Active Directory (Azure AD) ECMA Connector Host a configuration for a specific connector from a Forefront Identity Manager Synchronization Service or Microsoft Identity Manager Synchronization Service (MIM Sync) installation. The MIM Sync installation is only used for configuration, not for the ongoing synchronization from Azure AD.
 
 >[!IMPORTANT]
->Currently, only the generic SQL connector is supported for use with the Azure AD ECMA Connector Host.
+>Currently, only the generic SQL and LDAP connectors are supported for use with the Azure AD ECMA Connector Host.
 
 ## Create and export a connector configuration in MIM Sync
 If you already have MIM Sync with your ECMA connector configured, skip to step 10.