Commit 5361d9f
Merge pull request #176163 from MicrosoftDocs/master
10/18 AM Publish
2 parents 147910f + 5552aab commit 5361d9f

45 files changed (+357 -160 lines changed)

articles/active-directory-b2c/identity-provider-facebook.md

Lines changed: 2 additions & 2 deletions
@@ -38,7 +38,7 @@ If you don't already have a Facebook account, sign up at [https://www.facebook.c
3838

3939
1. Sign in to [Facebook for developers](https://developers.facebook.com/apps) with your Facebook developer account credentials.
4040
1. Select **Create App**.
41-
1. For the **Select an app type**, select **Consumer**, then select **Continue**.
41+
1. For the **Select an app type**, select **Consumer**, then select **Next**.
4242
1. Enter an **App Display Name** and a valid **App Contact Email**.
4343
1. Select **Create App**. This step may require you to accept Facebook platform policies and complete an online security check.
4444
1. Select **Settings** > **Basic**.
@@ -51,7 +51,7 @@ If you don't already have a Facebook account, sign up at [https://www.facebook.c
5151
1. At the bottom of the page, select **Add Platform**, and then select **Website**.
5252
1. In **Site URL**, enter the address of your website, for example `https://contoso.com`.
5353
1. Select **Save Changes**.
54-
1. From the menu, select the **plus** sign next to **PRODUCTS**. Under the **Add Products to Your App**, select **Set up** under **Facebook Login**.
54+
1. From the menu, select the **plus** sign or **Add Product** link next to **PRODUCTS**. Under the **Add Products to Your App**, select **Set up** under **Facebook Login**.
5555
1. From the menu, select **Facebook Login**, select **Settings**.
5656
1. In **Valid OAuth redirect URIs**, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant, and `your-domain-name` with your custom domain.
5757
1. Select **Save Changes** at the bottom of the page.
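Review bot: the **Valid OAuth redirect URIs** step (line 56) reads as either/or, the `b2clogin.com` URI or the custom-domain URI, but Facebook matches redirect URIs against this list exactly, so a tenant that still serves sign-in on both hosts needs both entries; suggest "enter both if your tenant is reachable on both". It would also help to say in one sentence that **Site URL** (line 52, `https://contoso.com`) is the relying-party site while the redirect URI is the Azure AD B2C host, since the two fields look alike and readers tend to paste the app URL into both.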

articles/active-directory-b2c/tutorial-create-user-flows.md

Lines changed: 29 additions & 15 deletions
@@ -8,7 +8,7 @@ manager: CelesteDG
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: tutorial
11-
ms.date: 10/12/2021
11+
ms.date: 10/18/2021
1212
ms.author: kengaderdus
1313
ms.subservice: B2C
1414
zone_pivot_groups: b2c-policy-type
@@ -49,7 +49,7 @@ A user flow lets you determine how users interact with your application when the
4949

5050
- If you don't have one already, [create an Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.
5151
- [Register a web application](tutorial-register-applications.md), and [enable ID token implicit grant](tutorial-register-applications.md#enable-id-token-implicit-grant).
52-
- [Create a Facebook application](identity-provider-facebook.md#create-a-facebook-application). Skip the prerequisites and the rest of the steps in the [Set up sign-up and sign-in with a Facebook account](identity-provider-facebook.md) article. Although a Facebook application is not required for using custom policies, it's used in this walkthrough to demonstrate enabling social login in a custom policy.
52+
5353

5454
::: zone-end
5555

@@ -167,16 +167,6 @@ If you want to enable users to edit their profile in your application, you use a
167167
1. For **Key usage**, select **Encryption**.
168168
1. Select **Create**.
169169

170-
### Create the Facebook key
171-
172-
Add your Facebook application's [App Secret](identity-provider-facebook.md) as a policy key. You can use the App Secret of the application you created as part of this article's prerequisites.
173-
174-
1. Select **Policy Keys** and then select **Add**.
175-
1. For **Options**, choose `Manual`.
176-
1. For **Name**, enter `FacebookSecret`. The prefix `B2C_1A_` might be added automatically.
177-
1. In **Secret**, enter your Facebook application's *App Secret* from developers.facebook.com. This value is the secret, not the application ID.
178-
1. For **Key usage**, select **Signature**.
179-
1. Select **Create**.
180170

181171
## Register Identity Experience Framework applications
182172

@@ -222,8 +212,11 @@ Next, expose the API by adding a scope:
222212
Next, specify that the application should be treated as a public client:
223213

224214
1. In the left menu, under **Manage**, select **Authentication**.
225-
1. Under **Advanced settings**, in the **Allow public client flows** section, set **Enable the following mobile and desktop flows** to **Yes**. Ensure that **"allowPublicClient": true** is set in the application manifest.
215+
1. Under **Advanced settings**, in the **Allow public client flows** section, set **Enable the following mobile and desktop flows** to **Yes**.
226216
1. Select **Save**.
217+
1. Ensure that **"allowPublicClient": true** is set in the application manifest:
218+
1. In the left menu, under **Manage**, select **Manifest** to open application manifest.
219+
1. Find **allowPublicClient** key and ensure its value is set to **true**.
227220

228221
Now, grant permissions to the API scope you exposed earlier in the *IdentityExperienceFramework* registration:
229222

@@ -303,14 +296,35 @@ As you upload the files, Azure adds the prefix `B2C_1A_` to each.
303296
1. For **Select application** on the overview page of the custom policy, select the web application named *webapp1* that you previously registered.
304297
1. Make sure that the **Reply URL** is `https://jwt.ms`.
305298
1. Select **Run now**.
306-
1. Sign up using an email address.
299+
1. Sign up using an email address. Don't use **Facebook** option yet.
307300
1. Select **Run now** again.
308301
1. Sign in with the same account to confirm that you have the correct configuration.
309302

310303
## Add Facebook as an identity provider
311304

312-
As mentioned in [Prerequisites](#prerequisites), Facebook is *not* required for using custom policies, but is used here to demonstrate how you can enable federated social login in a custom policy.
305+
The **SocialAndLocalAccounts** starter pack includes Facebook social sign in. Facebook is *not* required for using custom policies, but we use it here to demonstrate how you can enable federated social login in a custom policy.
306+
307+
### Create Facebook application
308+
309+
Use the steps outlined in [Create a Facebook application](identity-provider-facebook.md#create-a-facebook-application) to obtain Facebook *App ID* and *App Secret*. Skip the prerequisites and the rest of the steps in the [Set up sign-up and sign-in with a Facebook account](identity-provider-facebook.md) article.
310+
311+
### Create the Facebook key
312+
313+
Add your Facebook application's [App Secret](identity-provider-facebook.md) as a policy key. You can use the App Secret of the application you created as part of this article's prerequisites.
314+
315+
1. Sign in to the [Azure portal](https://portal.azure.com).
316+
1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
317+
1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
318+
1. In the Azure portal, search for and select **Azure AD B2C**.
319+
1. On the overview page, under **Policies**, select **Identity Experience Framework**.
320+
1. Select **Policy Keys** and then select **Add**.
321+
1. For **Options**, choose `Manual`.
322+
1. For **Name**, enter `FacebookSecret`. The prefix `B2C_1A_` might be added automatically.
323+
1. In **Secret**, enter your Facebook application's *App Secret* from developers.facebook.com. This value is the secret, not the application ID.
324+
1. For **Key usage**, select **Signature**.
325+
1. Select **Create**.
313326

327+
### Update TrustFrameworkExtensions.xml in custom policy starter pack
314328
1. In the `SocialAndLocalAccounts/`**`TrustFrameworkExtensions.xml`** file, replace the value of `client_id` with the Facebook application ID:
315329

316330
```xml
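Review bot: line 313 still says "the application you created as part of this article's prerequisites", but this same commit removes the Facebook application from the prerequisites; the app is now created in the new "Create Facebook application" subsection directly above, so change this to "the application you created in the previous section". Minor: the heading at 307 should be "Create a Facebook application" and 299 should read "Don't use the **Facebook** option yet". The secret-handling step at 323 is good (it spells out that the value is the App Secret, not the App ID); consider adding that the secret is only ever referenced from the policy as the `B2C_1A_FacebookSecret` key and never pasted into `TrustFrameworkExtensions.xml`, since the very next step has the reader editing that file.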

articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md

Lines changed: 3 additions & 3 deletions
@@ -22,7 +22,7 @@ As the combined check for password policy and banned passwords gets rolled out t
2222

2323
## Azure AD password policies
2424

25-
A password policy is applied to all user and admin accounts that are created and managed directly in Azure AD. You can ban weak passwords and define parameters to [lock out an account](howto-password-smart-lockout.md) after repeated bad password attempts. Other password policy settings can't be modified.
25+
A password policy is applied to all user and admin accounts that are created and managed directly in Azure AD. You can [ban weak passwords](concept-password-ban-bad.md) and define parameters to [lock out an account](howto-password-smart-lockout.md) after repeated bad password attempts. Other password policy settings can't be modified.
2626

2727
The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.
2828

@@ -35,7 +35,7 @@ The following Azure AD password policy requirements apply for all passwords that
3535
| Password length |Passwords require<br>- A minimum of 8 characters<br>- A maximum of 256 characters</li> |
3636
| Password complexity |Passwords require three out of four of the following:<br>- Uppercase characters<br>- Lowercase characters<br>- Numbers <br>- Symbols<br> Note: Password complexity check is not required for Education tenants. |
3737
| Password not recently used | When a user changes or resets their password, the new password cannot be the same as the current or recently used passwords. |
38-
| Password is not banned by Azure AD Password Protection | The password can't be on the global list of banned passwords for Azure AD Password Protection, or on a customizable list of banned passwords specific to your organization. |
38+
| Password is not banned by [Azure AD Password Protection](concept-password-ban-bad.md) | The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization. |
3939

4040
## Password expiration policies
4141

@@ -57,4 +57,4 @@ The following expiration requirements apply to other providers that use Azure AD
5757
## Next steps
5858

5959
- [Password policies and account restrictions in Azure Active Directory](concept-sspr-policy.md)
60-
- [Eliminate bad passwords using Azure Active Directory Password Protection](concept-password-ban-bad.md)
60+
- [Eliminate bad passwords using Azure Active Directory Password Protection](concept-password-ban-bad.md)

articles/active-directory/conditional-access/concept-conditional-access-session.md

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: conceptual
9-
ms.date: 09/21/2021
9+
ms.date: 10/13/2021
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo

articles/active-directory/governance/entitlement-management-overview.md

Lines changed: 5 additions & 5 deletions
@@ -119,11 +119,11 @@ To better understand entitlement management and its documentation, you can refer
119119

120120
| Term | Description |
121121
| --- | --- |
122-
| access package | A bundle of resources that a team or project needs and is governed with policies. An access package is always contained in a catalog. You would create a new access package for a scenario in which users need to request access. |
123-
| access request | A request to access the resources in an access package. A request typically goes through an approval workflow. If approved, the requesting user receives an access package assignment. |
124-
| assignment | An assignment of an access package to a user ensures the user has all the resource roles of that access package. Access package assignments typically have a time limit before they expire. |
125-
| catalog | A container of related resources and access packages. Catalogs are used for delegation, so that non-administrators can create their own access packages. Catalog owners can add resources they own to a catalog. |
126-
| catalog creator | A collection of users who are authorized to create new catalogs. When a non-administrator user who is authorized to be a catalog creator creates a new catalog, they automatically become the owner of that catalog. |
122+
| access package | A bundle of resources that a team or project needs and is governed with policies. An access package is always contained in a catalog. You would create a new access package for a scenario in which users need to request access. |
123+
| access request | A request to access the resources in an access package. A request typically goes through an approval workflow. If approved, the requesting user receives an access package assignment. |
124+
| assignment | An assignment of an access package to a user ensures the user has all the resource roles of that access package. Access package assignments typically have a time limit before they expire. |
125+
| catalog | A container of related resources and access packages. Catalogs are used for delegation, so that non-administrators can create their own access packages. Catalog owners can add resources they own to a catalog. |
126+
| catalog creator | A collection of users who are authorized to create new catalogs. When a non-administrator user who is authorized to be a catalog creator creates a new catalog, they automatically become the owner of that catalog. |
127127
| connected organization | An external Azure AD directory or domain that you have a relationship with. The users from a connected organization can be specified in a policy as being allowed to request access. |
128128
| policy | A set of rules that defines the access lifecycle, such as how users get access, who can approve, and how long users have access through an assignment. A policy is linked to an access package. For example, an access package could have two policies - one for employees to request access and a second for external users to request access. |
129129
| resource | An asset, such as an Office group, a security group, an application, or a SharePoint Online site, with a role that a user can be granted permissions to. |

articles/active-directory/hybrid/how-to-connect-pta-current-limitations.md

Lines changed: 1 addition & 0 deletions
@@ -38,6 +38,7 @@ The following scenarios are _not_ supported:
3838
- Detection of users with [leaked credentials](../identity-protection/overview-identity-protection.md).
3939
- Azure AD Domain Services needs Password Hash Synchronization to be enabled on the tenant. Therefore tenants that use Pass-through Authentication _only_ don't work for scenarios that need Azure AD Domain Services.
4040
- Pass-through Authentication is not integrated with [Azure AD Connect Health](./whatis-azure-ad-connect.md).
41+
- Signing in to Azure AD joined (AADJ) devices with a temporary or expired password is not supported for Pass-through authentication users. The error "the sign-in method you're trying to use isn't allowed" will appear. These users must sign in to a browser to update their temporary password.
4142

4243
> [!IMPORTANT]
4344
> As a workaround for unsupported scenarios _only_ (except Azure AD Connect Health integration), enable Password Hash Synchronization on the [Optional features](how-to-connect-install-custom.md#optional-features) page in the Azure AD Connect wizard.
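Review bot: the new bullet at 41 sits directly above the IMPORTANT note that presents Password Hash Synchronization as the workaround for every unsupported scenario except Connect Health; say whether that applies here (whether enabling PHS lets a Pass-through Authentication user with a temporary password sign in to an Azure AD joined device), otherwise readers will assume it does. Wording: "sign in to a browser" should be "sign in through a browser", the error text should be quoted or formatted consistently with the other bullets, and "Pass-through authentication" should match the "Pass-through Authentication" capitalisation used in the bullet above it.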

articles/active-directory/manage-apps/f5-aad-integration.md

Lines changed: 3 additions & 1 deletion
@@ -143,6 +143,8 @@ The following tutorials provide detailed guidance on implementing some of the mo
143143

144144
- [Securing F5 BIG-IP SSL-VPN with Azure AD SHA](f5-aad-password-less-vpn.md)
145145

146+
- [Configure Azure AD B2C with F5 BIG-IP](https://docs.microsoft.com/azure/active-directory-b2c/partner-f5)
147+
146148
## Additional resources
147149

148150
- [The end of passwords, go passwordless](https://www.microsoft.com/security/business/identity/passwordless)
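Review bot: the new entry at 146 uses an absolute `https://docs.microsoft.com/...` link while the sibling entry at 144 uses a relative `.md` link; use a relative path to the B2C article so the link resolves in every docs environment and is validated by the build.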
@@ -167,4 +169,4 @@ Our recommendation is to start with an application that isn’t yet published vi
167169

168170
The below interactive guide walks through the high-level procedure for implementing SHA and seeing the end-user experience.
169171

170-
[![The image shows interactive guide cover](media/f5-aad-integration/interactive-guide.png)](https://aka.ms/Secure-Hybrid-Access-F5-Interactive-Guide)
172+
[![The image shows interactive guide cover](media/f5-aad-integration/interactive-guide.png)](https://aka.ms/Secure-Hybrid-Access-F5-Interactive-Guide)

articles/active-directory/manage-apps/toc.yml

Lines changed: 12 additions & 6 deletions
@@ -140,12 +140,18 @@
140140
items:
141141
- name: Secure hybrid access with Azure AD
142142
href: secure-hybrid-access.md
143-
- name: F5 and Azure AD integration
144-
href: f5-aad-integration.md
145-
- name: F5 BIG-IP VE deployment in Azure IaaS
146-
href: f5-bigip-deployment-guide.md
147-
- name: F5 Big-IP with Azure AD for passwordless VPN
148-
href: f5-aad-password-less-vpn.md
143+
- name: Datawiza
144+
href: datawiza-with-azure-ad.md
145+
- name: F5
146+
items:
147+
- name: F5 and Azure AD integration
148+
href: f5-aad-integration.md
149+
- name: F5 BIG-IP VE deployment in Azure IaaS
150+
href: f5-bigip-deployment-guide.md
151+
- name: F5 Big-IP with Azure AD for passwordless VPN
152+
href: f5-aad-password-less-vpn.md
153+
- name: Silverfort
154+
href: silverfort-azure-ad-integration.md
149155
- name: Single sign-on
150156
items:
151157
- name: Linked
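Review bot: while these entries are being regrouped, fix the casing at 151 ("F5 Big-IP") to match "F5 BIG-IP" at 149. The new "Datawiza" (143) and "Silverfort" (153) entries reference `datawiza-with-azure-ad.md` and `silverfort-azure-ad-integration.md`; confirm both files ship in this publish, since a TOC entry to a missing file fails the build.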
