Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into mrb_04_04_2023_embeddings_updates

Author: mrbullwinkle

.openpublishing.publish.config.json

@@ -884,6 +884,12 @@
       "branch": "main",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "ms-identity-python-webapp-tutorial",
+      "url": "https://github.com/Azure-Samples/ms-identity-python-webapp",
+      "branch": "0.5.0",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "ms-identity-node",
       "url": "https://github.com/Azure-Samples/ms-identity-node",

.openpublishing.redirection.active-directory.json

@@ -6,8 +6,8 @@
       "redirect_document_id": false
     },
     {
-      "source_path_from_root": "/articles/active-directory/develop/configure-token-lifetimes.md",
-      "redirect_url": "/azure/active-directory/develop/active-directory-saml-claims-customization",
+      "source_path_from_root": "/articles/active-directory/develop/registration-config-change-token-lifetime-how-to.md",
+      "redirect_url": "/azure/active-directory/develop/configure-token-lifetimes",
       "redirect_document_id": false
     },
     {

articles/active-directory-b2c/customize-ui-with-html.md

@@ -33,7 +33,7 @@ Azure AD B2C runs code in your customer's browser by using [Cross-Origin Resourc
 
 ### Custom HTML page content
 
-Create an HTML page with your own branding to serve your custom page content. This page can be a static `*.html` page, or a dynamic page like .NET, Node.js, or PHP.
+Create an HTML page with your own branding to serve your custom page content. This page can be a static `*.html` page, or a dynamic page like .NET, Node.js, or PHP,however, Azure B2C does not support any view engines. Any server-side rendering of the dynamic page must be performed by a dedicated web application.
 
 Your custom page content can contain any HTML elements, including CSS and JavaScript, but can't include insecure elements like iframes. The only required element is a div element with `id` set to `api`, such as this one `<div id="api"></div>` within your HTML page.
 

articles/active-directory/conditional-access/media/workload-identity/conditional-access-workload-identity-risk-policy.png

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: workload-identities
 ms.topic: how-to
-ms.date: 01/05/2023
+ms.date: 04/04/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -29,7 +29,7 @@ These differences make workload identities harder to manage and put them at high
 
 > [!IMPORTANT]
 > Workload Identities Premium licenses are required to create or modify Conditional Access policies scoped to service principals. 
-> In directories without appropriate licenses, existing Conditional Access policies for workload identities will continue to function, but can't be modified. For more information see [Microsoft Entra Workload Identities](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz).  
+> In directories without appropriate licenses, existing Conditional Access policies for workload identities will continue to function, but can't be modified. For more information, see [Microsoft Entra Workload Identities](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz).  
 
 > [!NOTE]
 > Policy can be applied to single tenant service principals that have been registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. Managed identities are not covered by policy. 
@@ -49,7 +49,7 @@ Create a location based Conditional Access policy that applies to service princi
 1. Under **Assignments**, select **Users or workload identities**.
    1. Under **What does this policy apply to?**, select **Workload identities**.
    1. Under **Include**, choose **Select service principals**, and select the appropriate service principals from the list.
-1. Under **Cloud apps or actions**, select **All cloud apps**. The policy will apply only when a service principal requests a token.
+1. Under **Cloud apps or actions**, select **All cloud apps**. The policy applies only when a service principal requests a token.
 1. Under **Conditions** > **Locations**, include **Any location** and exclude **Selected locations** where you want to allow access.
 1. Under **Grant**, **Block access** is the only available option. Access is blocked when a token request is made from outside the allowed range.
 1. Your policy can be saved in **Report-only** mode, allowing administrators to estimate the effects, or policy is enforced by turning policy **On**.
@@ -68,7 +68,7 @@ Create a risk-based Conditional Access policy that applies to service principals
 1. Under **Assignments**, select **Users or workload identities**.
    1. Under **What does this policy apply to?**, select **Workload identities**.
    1. Under **Include**, choose **Select service principals**, and select the appropriate service principals from the list.
-1. Under **Cloud apps or actions**, select **All cloud apps**. The policy will apply only when a service principal requests a token.
+1. Under **Cloud apps or actions**, select **All cloud apps**. The policy applies only when a service principal requests a token.
 1. Under **Conditions** > **Service principal risk**
    1. Set the **Configure** toggle to **Yes**.
    1. Select the levels of risk where you want this policy to trigger.

articles/active-directory/conditional-access/workload-identity.md

@@ -140,7 +140,7 @@
             - name: Customize SAML claims
               href: active-directory-saml-claims-customization.md
             - name: Set an access token lifetime policy
-              href: registration-config-change-token-lifetime-how-to.md
+              href: configure-token-lifetimes.md
             - name: Directory extension attributes
               href: active-directory-schema-extensions.md
             - name: SAML app multi-instancing

articles/active-directory/develop/TOC.yml

@@ -9,10 +9,10 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 03/07/2023
+ms.date: 04/04/2023
 ms.author: ryanwi
 ms.custom: aaddev, identityplatformtop40, contperf-fy21q1
-ms.reviewer: ludwignick, sreyanthmora, marsma
+ms.reviewer: ludwignick, sreyanthmora
 ---
 # Configurable token lifetimes in the Microsoft identity platform (preview)
 
@@ -74,7 +74,7 @@ A token lifetime policy is a type of policy object that contains token lifetime
 
 Reducing the Access Token Lifetime property mitigates the risk of an access token or ID token being used by a malicious actor for an extended period of time. (These tokens cannot be revoked.) The trade-off is that performance is adversely affected, because the tokens have to be replaced more often.
 
-For an example, see [Create a policy for web sign-in](registration-config-change-token-lifetime-how-to.md).
+For an example, see [Create a policy for web sign-in](configure-token-lifetimes.md).
 
 Access, ID, and SAML2 token configuration are affected by the following properties and their respectively set values:
 

articles/active-directory/develop/active-directory-configurable-token-lifetimes.md

@@ -0,0 +1,79 @@
+---
+title: Set lifetimes for tokens
+description: Learn how to set lifetimes for access tokens issued by Microsoft identity platform. 
+services: active-directory
+author: rwike77
+manager: CelesteDG
+
+ms.service: active-directory
+ms.subservice: develop
+ms.workload: identity
+ms.topic: how-to
+ms.date: 04/04/2023
+ms.author: ryanwi
+ms.custom: identityplatformtop40, contperf-fy21q2, engagement-fy23
+ms.reviewer: ludwignick
+---
+# Configure token lifetime policies (preview)
+
+In the following steps, you'll implement a common policy scenario that imposes new rules for token lifetime. It's possible to specify the lifetime of an access, SAML, or ID token issued by the Microsoft identity platform. This can be set for all apps in your organization or for a specific service principal. They can also be set for multi-organizations (multi-tenant application). 
+
+For more information, see [configurable token lifetimes](active-directory-configurable-token-lifetimes.md).
+
+## Get started
+
+To get started, download the latest [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation).
+
+## Create a policy for web sign-in
+
+In the following steps, you'll create a policy that requires users to authenticate less frequently in your web app. This policy sets the lifetime of the access/ID tokens for your web app.
+
+```powershell
+Connect-MgGraph -Scopes  "Policy.ReadWrite.ApplicationConfiguration"
+
+# Create a token lifetime policy
+$params = @{
+	Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"4:00:00"}}') 
+    DisplayName = "WebPolicyScenario"
+	IsOrganizationDefault = $false
+}
+$tokenLifetimePolicyId=(New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id
+
+# Display the policy
+Get-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId
+
+# Assign the token lifetime policy to an app
+$params = @{
+	"@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenLifetimePolicyId"
+}
+
+$applicationObjectId="11111111-1111-1111-1111-111111111111"
+
+New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -BodyParameter $params
+
+# List the token lifetime policy on the app
+Get-MgApplicationTokenLifetimePolicy -ApplicationId $applicationObjectId
+
+# Remove the policy from the app
+Remove-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -TokenLifetimePolicyId $tokenLifetimePolicyId
+
+# Delete the policy
+Remove-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId
+```
+
+## View existing policies in a tenant
+
+To see all policies that have been created in your organization, run the [Get-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/get-mgpolicytokenlifetimepolicy) cmdlet.  Any results with defined property values that differ from the defaults listed above are in scope of the retirement.
+
+```powershell
+Get-MgPolicyTokenLifetimePolicy
+```
+
+To see which apps are linked to a specific policy that you identified, run [List appliesTo](/graph/api/tokenlifetimepolicy-list-appliesto) with any of your policy IDs. 
+
+```powershell
+GET https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/4d2f137b-e8a9-46da-a5c3-cc85b2b840a4/appliesTo
+```
+
+## Next steps
+Learn about [authentication session management capabilities](../conditional-access/howto-conditional-access-session-lifetime.md) in Azure AD Conditional Access.

articles/active-directory/develop/configure-token-lifetimes.md

@@ -182,26 +182,34 @@ public ModelAndView getUserFromGraph(HttpServletRequest httpRequest, HttpServlet
 
 # [Python](#tab/python)
 
-In the Python sample, the code that calls Microsoft Graph is in [app.py#L53-L62](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/48637475ed7d7733795ebeac55c5d58663714c60/app.py#L53-L62).
-
-The code attempts to get a token from the token cache. Then, after setting the authorization header, it calls the web API. If it can't get a token, it signs the user in again.
-
-```python
-@app.route("/graphcall")
-def graphcall():
-    token = _get_token_from_cache(app_config.SCOPE)
-    if not token:
-        return redirect(url_for("login"))
-    graph_data = requests.get(  # Use token to call downstream service.
-        app_config.ENDPOINT,
-        headers={'Authorization': 'Bearer ' + token['access_token']},
-        ).json()
-    return render_template('display.html', result=graph_data)
-```
+In the Python sample, the code that calls the API is in [app.py#L60-71](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/0.5.0/app.py#L60-71).
+
+The code attempts to get a token from the token cache. If it can't get a token, it redirects the user to the sign-in route. Otherwise, it can proceed to call the API.
+
+:::code language="python" source="~/ms-identity-python-webapp-tutorial/app.py" range="60-71":::
 
 ---
 
 ## Next steps
 
+# [ASP.NET Core](#tab/aspnetcore)
+
+Move on to the next article in this scenario,
+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=aspnetcore).
+
+# [ASP.NET](#tab/aspnet)
+
 Move on to the next article in this scenario,
-[Call a web API](scenario-web-app-call-api-call-api.md).
+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=aspnet).
+
+# [Java](#tab/java)
+
+Move on to the next article in this scenario,
+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=java).
+
+# [Python](#tab/python)
+
+Move on to the next article in this scenario,
+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=python).
+
+---