MicrosoftDocs
diff --git a/‎.acrolinx-config.edn
Lines changed: 1 addition & 1 deletion b/‎.acrolinx-config.edn
Lines changed: 1 addition & 1 deletion
diff --git a/‎.openpublishing.publish.config.json
Lines changed: 8 additions & 1 deletion b/‎.openpublishing.publish.config.json
Lines changed: 8 additions & 1 deletion
diff --git a/‎.openpublishing.redirection.json
Lines changed: 8030 additions & 2829 deletions b/‎.openpublishing.redirection.json
Lines changed: 8030 additions & 2829 deletions
diff --git a/‎CODEOWNERS
Lines changed: 6 additions & 5 deletions b/‎CODEOWNERS
Lines changed: 6 additions & 5 deletions
diff --git a/‎articles/active-directory-b2c/TOC.md
Lines changed: 17 additions & 4 deletions b/‎articles/active-directory-b2c/TOC.md
Lines changed: 17 additions & 4 deletions
diff --git a/‎articles/active-directory-b2c/active-directory-b2c-access-tokens.md
Lines changed: 52 additions & 24 deletions b/‎articles/active-directory-b2c/active-directory-b2c-access-tokens.md
Lines changed: 52 additions & 24 deletions
@@ -5,7 +5,7 @@
    "
 ## Acrolinx Scorecards
 
-**Starting Wednesday, 7/26, a minimum Acrolinx score of 80 will be required for merging PRs that require human review.** 
+**A minimum Acrolinx score of 80 is required.** 
  
  Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:
 
 
@@ -6,7 +6,9 @@
 	"enable_pull_request_aggregation": true,	
 	"branch_target_mapping": {
 		"live": ["Publish", "PDF"],
-		"master": ["Publish", "PDF"]
+		"master": ["Publish", "PDF"],
+		"release-event-grid": ["Publish", "PDF"],
+		"hd-insight-pdf": ["Publish", "PDF"]
 		},
 	"docsets_to_publish": [{
 		"docset_name": "azure-documents",
@@ -110,6 +112,11 @@
         "path_to_root": "samples-mediaservices-encoderstandard",
         "url": "https://github.com/Azure-Samples/media-services-dotnet-on-demand-encoding-with-media-encoder-standard",
         "branch":"master"
+    },
+    {
+        "path_to_root": "samples-durable-functions",
+        "url": "https://github.com/Azure/azure-functions-durable-extension",
+        "branch":"netcore20"
     }
 	]
 }
@@ -1,7 +1,8 @@
 # Testing the new code owners feature in GitHub. Please contact Tyson if you have questions.
 
-contributor-guide/*           [email protected]
-articles/storage/*            [email protected]
-articles/virtual-machines/*   [email protected] [email protected]
-articles/virtual-machines/linux/*   [email protected] [email protected]
-articles/virtual-machines/windows/*   [email protected] [email protected]
+articles/storage/  @tamram @robinsh
+articles/virtual-machines/  @iainfoulds @cynthn
+articles/virtual-machines/linux/  @iainfoulds @cynthn
+articles/virtual-machines/windows/  @iainfoulds @cynthn
+articles/application-insights/  @SergeyKanzhelev
+articles/cosmos-db/ @mimig1
@@ -46,6 +46,7 @@
 ## [Configure tokens](active-directory-b2c-token-session-sso.md)
 ## [Enable MFA](active-directory-b2c-reference-mfa.md)
 ## [Use custom attributes](active-directory-b2c-reference-custom-attr.md)
+## [Customize password](active-directory-b2c-reference-password-complexity.md)
 ## [Customizing the UI](active-directory-b2c-reference-ui-customization.md)
 ### [Helper tool for customization](active-directory-b2c-reference-ui-customization-helper-tool.md)
 ## [Language customization](active-directory-b2c-reference-language-customization.md)
@@ -56,24 +57,34 @@
 ## [Custom policies](active-directory-b2c-overview-custom.md)
 ## Guides
 ### [Get started](active-directory-b2c-get-started-custom.md)
-### Configure OIDC providers
+### Configure OIDC/OAUTH2 providers
 #### [Azure AD](active-directory-b2c-setup-aad-custom.md)
+#### [Microsoft Account](active-directory-b2c-custom-setup-msa-idp.md)
+#### [Google+](active-directory-b2c-custom-setup-goog-idp.md)
 ### Configure SAML providers
+#### [ADFS](active-directory-b2c-custom-setup-adfs2016-idp.md)
 #### [Salesforce](active-directory-b2c-setup-sf-app-custom.md)
 ### Integrate RESTful APIs
 #### [Validate user input](active-directory-b2c-rest-api-validation-custom.md)
 #### [Obtain additional claims](active-directory-b2c-rest-api-step-custom.md)
-### Customize login
+### User flows
 #### [Configure user input](active-directory-b2c-configure-signup-self-asserted-custom.md)
 #### [Custom attributes](active-directory-b2c-create-custom-attributes-profile-edit-custom.md)
 #### [Customize UI](active-directory-b2c-ui-customization-custom.md)
 #### [Customize tokens](active-directory-b2c-reference-manage-sso-and-token-configuration.md)
+#### [Password complexity](active-directory-b2c-reference-password-complexity-custom.md)
+
+#### [Password change](active-directory-b2c-reference-password-change-custom.md)
+
+#### [Enable keep me signed in](active-directory-b2c-reference-kmsi-custom.md)
+
 ### Troubleshooting
 #### [Collect logs using Application Insights](active-directory-b2c-troubleshoot-custom.md)
 ## Reference
 ### [Release notes](active-directory-b2c-developer-notes-custom.md)
-
+### [Trust Framework definition](active-directory-b2c-reference-trustframeworks-defined-ief-custom.md) 
 # Reference
+## [Code samples](https://azure.microsoft.com/en-us/resources/samples/?service=active-directory-b2c)
 ## Glossary
 ### [Types of applications](active-directory-b2c-apps.md)
 ### [Authentication protocols](active-directory-b2c-reference-protocols.md)
@@ -82,16 +93,18 @@
 ## [Enable billing](active-directory-b2c-how-to-enable-billing.md)
 ## [Threat management](active-directory-b2c-reference-threat-management.md)
 ## [Issues when creating a directory](active-directory-b2c-support-create-directory.md)
+## [Extensions app](active-directory-b2c-reference-extensions-app.md)
 
 # Related
 ## [Azure Active Directory](../active-directory/active-directory-whatis.md)
 ## [Multi-factor authentication](../multi-factor-authentication/multi-factor-authentication.md)
 
 # Resources
 ## [Azure AD B2C feedback forum](https://feedback.azure.com/forums/169401-azure-active-directory/category/160596-b2c)
-## [Azure Roadmap](https://azure.microsoft.com/roadmap/)
+## [Azure Roadmap](https://azure.microsoft.com/roadmap/?category=security-identity)
 ## [Frequently asked questions](active-directory-b2c-faqs.md)
 ## [Pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/)
+## [Pricing calculator](https://azure.microsoft.com/pricing/calculator/)
 ## [Service updates](https://azure.microsoft.com/updates/?product=active-directory-b2c)
 ## [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-ad-b2c)
 ## [Support](active-directory-b2c-support.md)
 
@@ -1,5 +1,5 @@
 ---
-title: 'Azure Active Directory B2C: Requesting access tokens | Microsoft Docs'
+title: 'Requesting access tokens - Azure AD B2C | Microsoft Docs'
 description: This article will show you how to setup a client application and acquire an access token.
 services: active-directory-b2c
 documentationcenter: android
@@ -13,34 +13,57 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 03/16/2017
+ms.date: 08/09/2017
 ms.author: parakhj
 
 ---
-# Azure AD B2C: Requesting Access Tokens
+# Azure AD B2C: Requesting access tokens
 
-An access token (denoted as **access\_token**) is a form of security token that a client can use to access resources that are secured by an [authorization server](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-reference-protocols#the-basics), such as a web API. Access tokens are represented as [JWTs](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-reference-tokens#types-of-tokens) and contain information about the intended resource server and the granted permissions to the server. When calling the resource server, the access token must be present in the HTTP request.
+An access token (denoted as **access\_token** in the responses from Azure AD B2C) is a form of security token that a client can use to access resources that are secured by an [authorization server](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-reference-protocols#the-basics), such as a web API. Access tokens are represented as [JWTs](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-reference-tokens#types-of-tokens) and contain information about the intended resource server and the granted permissions to the server. When calling the resource server, the access token must be present in the HTTP request.
 
-This article discusses how to configure a client application and have it make a request to acquire an **access\_token** from the `authorize` and `token` endpoints.
+This article discusses how to configure a client application and web API in order to obtain an **access\_token**.
 
 > [!NOTE]
 > **Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.**
 >
-> Many architectures include a Web API that needs to call another downstream Web API, both secured by Azure AD B2C. This scenario is common in native clients that have a Web API back end, which in turn calls a Microsoft online service such as the Azure AD Graph API.
+> Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in native clients that have a web API back end, which in turn calls a Microsoft online service such as the Azure AD Graph API.
 >
-> This chained Web API scenario can be supported by using the OAuth 2.0 Jwt Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in the Azure AD B2C.
+> This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C.
 
-## Prerequisite
+## Register a web API and publish permissions
 
-Before requesting an access token, you first need to register a web API and publish permissions that can be granted to the client application. Get started by following the steps under the [Register a web API](active-directory-b2c-app-registration.md#register-a-web-api) section.
+Before requesting an access token, you first need to register a web API and publish permissions (scopes) that can be granted to the client application.
 
-## Granting permissions to a web API
+### Register a web API
 
-In order for a client application to get specific permissions to an API, the client application needs to be granted those permissions via the Azure portal. To grant permissions to a client application:
+1. On the Azure AD B2C features menu on the Azure portal, click **Applications**.
+1. Click **+Add** at the top of the menu.
+1. Enter a **Name** for the application that will describe your application to consumers. For example, you could enter "Contoso API".
+1. Toggle the **Include web app / web API** switch to **Yes**.
+1. Enter an arbitrary value for the **Reply URLs**. For example, enter `https://localhost:44316/`. The value does not matter since an API should not be receiving the token directly from Azure AD B2C.
+1. Enter an **App ID URI**. This is the identifier used for your web API. For example, enter 'notes' in the box. The **App ID URI** would then be `https://{tenantName}.onmicrosoft.com/notes`.
+1. Click **Create** to register your application.
+1. Click the application that you just created and copy down the globally unique **Application Client ID** that you'll use later in your code.
 
-1. Navigate to the **Applications** menu in the B2C features blade.
-1. Register a client application ([web app](active-directory-b2c-app-registration.md#register-a-web-application) or [native client](active-directory-b2c-app-registration.md#register-a-mobilenative-application)) if you don’t have one already.
-1. On your application's Settings blade, select **Api access**.
+### Publishing permissions
+
+Scopes, which are analogous to permissions, are necessary when your app is calling an API. Some examples of scopes are "read" or "write". Suppose you want your web or native app to "read" from an API. Your app would call Azure AD B2C and request an access token that gives access to the scope "read". In order for Azure AD B2C to emit such an access token, the app needs to be granted permission to "read" from the specific API. To do this, your API first needs to publish the "read" scope.
+
+1. Within the Azure AD B2C **Applications** menu, open the web API application ("Contoso API").
+1. Click on **Published scopes**. This is where you define the permissions (scopes) that can be granted to other applications.
+1. Add **Scope Values** as necessary (for example, "read"). By default, the "user_impersonation" scope will be defined. You can ignore this if you wish. Enter a description of the scope in the **Scope Name** column.
+1. Click **Save**.
+
+> [!IMPORTANT]
+> The **Scope Name** is the description of the **Scope Value**. When using the scope, make sure to use the **Scope Value**.
+
+## Grant a native or web app permissions to a web API
+
+Once an API is configured to publish scopes, the client application needs to be granted those scopes via the Azure portal.
+
+1. Navigate to the **Applications** menu in the Azure AD B2C features menu.
+1. Register a client application ([web app](active-directory-b2c-app-registration.md#register-a-web-app) or [native client](active-directory-b2c-app-registration.md#register-a-mobile-or-native-app)) if you don’t have one already. If you are following this guide as your starting point, you'll need to register a client application.
+1. Click on **API access**.
 1. Click on **Add**.
 1. Select your web API and the scopes (permissions) you would like to grant.
 1. Click **OK**.
@@ -50,13 +73,13 @@ In order for a client application to get specific permissions to an API, the cli
 
 ## Requesting a token
 
-To get an access token for a resource application, the client application needs to specify the permissions wanted in the **scope** parameter of the request. For example, to acquire the “read” permission for the resource application that has the App ID URI of `https://contoso.onmicrosoft.com/notes`, the scope would be `https://contoso.onmicrosoft.com/notes/read`. Below is an example of an authorization code request to the `authorize` endpoint.
+When requesting an access token, the client application needs to specify the desired permissions in the **scope** parameter of the request. For example, to specify the **Scope Value** “read” for the API that has the **App ID URI** of `https://contoso.onmicrosoft.com/notes`, the scope would be `https://contoso.onmicrosoft.com/notes/read`. Below is an example of an authorization code request to the `/authorize` endpoint.
 
 > [!NOTE]
-> At this point, custom domains are not supported along with access tokens. You must use your yourtenantId.onmicrosoft.com domain in the request URL.
+> Currently, custom domains are not supported along with access tokens. You must use your tenantName.onmicrosoft.com domain in the request URL.
 
 ```
-https://login.microsoftonline.com/<yourTenantId>.onmicrosoft.com/oauth2/v2.0/authorize?p=<yourPolicyId>&client_id=<appID_of_your_client_application>&nonce=anyRandomValue&redirect_uri=<redirect_uri_of_your_client_application>&scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fnotes%2Fread&response_type=code 
+https://login.microsoftonline.com/<tenantName>.onmicrosoft.com/oauth2/v2.0/authorize?p=<yourPolicyId>&client_id=<appID_of_your_client_application>&nonce=anyRandomValue&redirect_uri=<redirect_uri_of_your_client_application>&scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fnotes%2Fread&response_type=code 
 ```
 
 To acquire multiple permissions in the same request, you can add multiple entries in the single **scope** parameter, separated by spaces. For example:
@@ -73,7 +96,7 @@ URL encoded:
 scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fnotes%2Fread%20openid%20offline_access
 ```
 
-You may request more scopes/permissions for a resource than what is granted for your client application. When this is the case, the call will succeed if at least one permission is granted. The resulting **access\_token** will have its “scp” claim populated with only the permissions that were successfully granted.
+You may request more scopes (permissions) for a resource than what is granted for your client application. When this is the case, the call will succeed if at least one permission is granted. The resulting **access\_token** will have its “scp” claim populated with only the permissions that were successfully granted.
 
 > [!NOTE] 
 > We do not support requesting permissions against two different web resources in the same request. This kind of request will fail.
@@ -83,20 +106,25 @@ You may request more scopes/permissions for a resource than what is granted for
 The OpenID Connect standard specifies several special “scope” values. The following special scopes represent the permission to “access the user’s profile”:
 
 * **openid**: This requests an ID token
-* **offline\_access**: This requests a refresh token (using Auth Code flows).
+* **offline\_access**: This requests a refresh token (using [Auth Code flows](active-directory-b2c-reference-oauth-code.md)).
 
-If the “response\_type” parameter in a `authorize` request includes “token”, the “scope” parameter must include at least one resource permission (other than “openid” and “offline\_access”) that will be granted. Otherwise, the `authorize` request will terminate with a failure.
+If the `response_type` parameter in a `/authorize` request includes `token`, the `scope` parameter must include at least one resource scope (other than `openid` and `offline_access`) that will be granted. Otherwise, the `/authorize` request will terminate with a failure.
 
 ## The returned token
 
-In a successfully minted **access\_token** (from either the `authorize` or `token` endpoint), the following claims will be present:
+In a successfully minted **access\_token** (from either the `/authorize` or `/token` endpoint), the following claims will be present:
 
 | Name | Claim | Description |
 | --- | --- | --- |
-|Audience |`aud` |The \*application ID\* of the single resource that the token grants access to. |
+|Audience |`aud` |The **application ID** of the single resource that the token grants access to. |
 |Scope |`scp` |The permissions granted to the resource. Multiple granted permissions will be separated by space. |
-|Authorized Party |`azp` |The \*application ID\* of the client application that initiated the request. |
+|Authorized Party |`azp` |The **application ID** of the client application that initiated the request. |
 
 When your API receives the **access\_token**, it must [validate the token](active-directory-b2c-reference-tokens.md) to prove that the token is authentic and has the correct claims.
 
-We are always open to feedback and suggestions! If you have any difficulties with this topic, or have recommendations for improving this content, we would appreciate your feedback at the bottom of the page. For feature requests, add them to [UserVoice](https://feedback.azure.com/forums/169401-azure-active-directory/category/160596-b2c).
+We are always open to feedback and suggestions! If you have any difficulties with this topic, please post on Stack Overflow using the tag ['azure-ad-b2c'](https://stackoverflow.com/questions/tagged/azure-ad-b2c). For feature requests, add them to [UserVoice](https://feedback.azure.com/forums/169401-azure-active-directory/category/160596-b2c).
+
+## Next steps
+
+* Build a web API using [.NET Core](https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapi)
+* Build a web API using [Node.JS](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi)
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`"`
`6`	`6`	`## Acrolinx Scorecards`
`7`	`7`
`8`		`-Starting Wednesday, 7/26, a minimum Acrolinx score of 80 will be required for merging PRs that require human review.`
	`8`	`+A minimum Acrolinx score of 80 is required.`
`9`	`9`
`10`	`10`	`Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:`
`11`	`11`