Merge pull request #99392 from MicrosoftDocs/master

12/18 PM Publish

Author: huypub

articles/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.md

@@ -26,9 +26,6 @@ For B2C tenants, there are two primary modes of communicating with the Graph API
 
 In this article, you learn how to perform the automated use case. You'll build a .NET 4.5 `B2CGraphClient` that performs user create, read, update, and delete (CRUD) operations. The client will have a Windows command-line interface (CLI) that allows you to invoke various methods. However, the code is written to behave in a non-interactive, automated fashion.
 
->[!IMPORTANT]
-> You **must** use the [Azure AD Graph API](../active-directory/develop/active-directory-graph-api-quickstart.md) to manage users in an Azure AD B2C directory. The Azure AD Graph API is different from the Microsoft Graph API. Learn more in this MSDN blog post: [Microsoft Graph or Azure AD Graph](https://blogs.msdn.microsoft.com/aadgraphteam/2016/07/08/microsoft-graph-or-azure-ad-graph/).
-
 ## Prerequisites
 
 Before you can create applications or users, you need an Azure AD B2C tenant. If you don't already have one, [Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md).

articles/active-directory-b2c/manage-user-access.md

@@ -172,3 +172,4 @@ The following is an example of a Version based terms of use consent in a claim:
 ## Next steps
 
 - To learn how to delete and export user data, see [Manage user data](manage-user-data.md).
+- For an example custom policy that implements a terms of use prompt, see [A B2C IEF Custom Policy - Sign Up and Sign In with 'Terms of Use' prompt](https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-sign-up-versioned-tou).

articles/active-directory/b2b/b2b-fundamentals.md

@@ -0,0 +1,38 @@
+---
+title: Azure Active Directory B2B best practices and recommendations
+description: Learn best practices and recommendations for business-to-business (B2B) guest user access in Azure Active Directory.
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: B2B
+ms.topic: conceptual
+ms.date: 12/18/2019
+
+ms.author: mimart
+author: msmimart
+manager: celestedg
+ms.reviewer: elisol
+ms.custom: "it-pro"
+ms.collection: M365-identity-device-management
+---
+
+# Azure Active Directory B2B best practices
+This article contains recommendations and best practices for business-to-business (B2B) collaboration in Azure Active Directory (Azure AD).
+
+## B2B recommendations
+| Recommendation | Comments |
+| --- | --- |
+| For an optimal sign-in experience, federate with identity providers | Whenever possible, federate directly with identity providers to allow invited users to sign in to your shared apps and resources without having to create Microsoft Accounts (MSAs) or Azure AD accounts. You can use the [Google federation feature](google-federation.md) to allow B2B guest users to sign in with their Google accounts. Or, you can use the [Direct federation (preview) feature](direct-federation.md) to set up direct federation with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. |
+| Use the Email one-time passcode (preview) feature for B2B guests who can’t authenticate by other means | The [Email one-time passcode (preview)](one-time-passcode.md) feature authenticates B2B guest users when they can't be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation. When the guest user redeems an invitation or accesses a shared resource, they can request a temporary code, which is sent to their email address. Then they enter this code to continue signing in. |
+| Add company branding to your sign-in page | You can customize your sign-in page so it's more intuitive for your B2B guest users. See how to [add company branding to sign in and Access Panel pages](../fundamentals/customize-branding.md). |
+| Add your privacy statement to the B2B guest user redemption experience | You can add the URL of your organization's privacy statement to the first time invitation redemption process so that an invited user must consent to your privacy terms to continue. See [How-to: Add your organization's privacy info in Azure Active Directory](https://aka.ms/adprivacystatement). |
+| Use the bulk invite (preview) feature to invite multiple B2B guest users at the same time | Invite multiple guest users to your organization at the same time by using the bulk invite preview feature in the Azure portal. This feature lets you upload a CSV file to create B2B guest users and send invitations in bulk. See [Tutorial for bulk inviting B2B users](tutorial-bulk-invite.md). |
+| Enforce Conditional Access policies for Multi-Factor Authentication (MFA) | We recommend enforcing MFA policies on the apps you want to share with partner B2B users. This way, MFA will be consistently enforced on the apps in your tenant regardless of whether the partner organization is using MFA. See [Conditional Access for B2B collaboration users](conditional-access.md). |
+| If you’re enforcing device-based Conditional Access policies, use exclusion lists to allow access to B2B users | If device-based Conditional Access policies are enabled in your organization, B2B guest user devices will be blocked because they’re not managed by your organization. You can create exclusion lists containing specific partner users to exclude them from the device-based Conditional Access policy. See [Conditional Access for B2B collaboration users](conditional-access.md). |
+| Use a tenant-specific URL when providing direct links to your B2B guest users | As an alternative to the invitation email, you can give a guest a direct link to your app or portal. This direct link must be tenant-specific, meaning it must include a tenant ID or verified domain so the guest can be authenticated in your tenant, where the shared app is located. See [Redemption experience for the guest user](redemption-experience.md). |
+| When developing an app, use UserType to determine guest user experience  | If you're developing an application and you want to provide different experiences for tenant users and guest users, use the UserType property. The UserType claim isn't currently included in the token. Applications should use the Graph API to query the directory for the user to get their UserType. |
+| Change the UserType property *only* if the user’s relationship to the organization changes | Although it’s possible to use PowerShell to convert the UserType property for a user from Member to Guest (and vice-versa), you should change this property only if the relationship of the user to your organization changes. See [Properties of a B2B guest user](user-properties.md).|
+
+## Next steps
+
+[Manage B2B sharing](delegate-invitations.md)

articles/active-directory/b2b/toc.yml

@@ -28,6 +28,8 @@
   - name: Concepts
     expanded: false
     items:
+    - name: B2B best practices
+      href: b2b-fundamentals.md
     - name: B2B licensing
       href: licensing-guidance.md
     - name: B2B and Office 365 external sharing

articles/active-directory/develop/active-directory-authentication-protocols.md

@@ -1,6 +1,6 @@
 ---
-title: Azure Active Directory authentication protocols | Microsoft Docs
-description: An overview of the authentication protocols supported by Azure Active Directory (AD)
+title: Microsoft identity platform authentication protocols | Microsoft Docs
+description: An overview of the authentication protocols supported by Microsoft identity platform
 author: rwike77
 services: active-directory
 manager: CelesteDG
@@ -10,29 +10,28 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 04/27/2017
+ms.date: 12/18/2019
 ms.author: ryanwi
 ms.custom: aaddev
 ms.reviewer: hirsin
 ms.collection: M365-identity-device-management
 ---
 
-# Azure Active Directory authentication protocols
+# Microsoft identity platform authentication protocols
 
-Azure Active Directory (Azure AD) supports several of the most widely used authentication and authorization protocols. The topics in this section describe the supported protocols and their implementation in Azure AD. The topics included a review of supported claim types, an introduction to the use of federation metadata, detailed OAuth 2.0. and SAML 2.0 protocol reference documentation, and a troubleshooting section.
+Microsoft identity platform supports several of the most widely used authentication and authorization protocols. The topics in this section describe the supported protocols and their implementation in Microsoft identity platform. The topics included a review of supported claim types, an introduction to the use of federation metadata, detailed OAuth 2.0. and SAML 2.0 protocol reference documentation, and a troubleshooting section.
 
 ## Authentication protocols articles and reference
 
-* [Important Information About Signing Key Rollover in Azure AD](active-directory-signing-key-rollover.md) – Learn about Azure AD’s signing key rollover cadence, changes you can make to update the key automatically, and discussion for how to update the most common application scenarios.
-* [Supported Token and Claim Types](v1-id-and-access-tokens.md) - Learn about the claims in the tokens that Azure AD issues.
-* [Federation Metadata](azure-ad-federation-metadata.md) - Learn how to find and interpret the metadata documents that Azure AD generates.
-* [OAuth 2.0 in Azure AD](v1-protocols-oauth-code.md) - Learn about the implementation of OAuth 2.0 in Azure AD.
-* [OpenID Connect 1.0](v1-protocols-openid-connect-code.md) - Learn how to use OAuth 2.0, an authorization protocol, for authentication.
-* [Service to Service Calls with Client Credentials](v1-oauth2-client-creds-grant-flow.md) - Learn how to use OAuth 2.0 client credentials grant flow for service to service calls.
-* [Service to Service Calls with On-Behalf-Of Flow](v1-oauth2-on-behalf-of-flow.md) - Learn how to use OAuth 2.0 On-Behalf-Of flow for service to service calls.
-* [SAML Protocol Reference](active-directory-saml-protocol-reference.md) - Learn about the Single Sign-On and Single Sign-out SAML profiles of Azure AD.
+* [Important Information About Signing Key Rollover in Microsoft identity platform](active-directory-signing-key-rollover.md) – Learn about Microsoft identity platform’s signing key rollover cadence, changes you can make to update the key automatically, and discussion for how to update the most common application scenarios.
+* [Supported Token and Claim Types](id-tokens.md) - Learn about the claims in the tokens that Microsoft identity platform issues.
+* [OAuth 2.0 in Microsoft identity platform](v2-oauth2-auth-code-flow.md) - Learn about the implementation of OAuth 2.0 in Microsoft identity platform.
+* [OpenID Connect 1.0](v2-protocols-oidc.md) - Learn how to use OAuth 2.0, an authorization protocol, for authentication.
+* [Service to Service Calls with Client Credentials](v2-oauth2-client-creds-grant-flow.md) - Learn how to use OAuth 2.0 client credentials grant flow for service to service calls.
+* [Service to Service Calls with On-Behalf-Of Flow](v2-oauth2-on-behalf-of-flow.md) - Learn how to use OAuth 2.0 On-Behalf-Of flow for service to service calls.
+* [SAML Protocol Reference](active-directory-saml-protocol-reference.md) - Learn about the Single Sign-On and Single Sign-out SAML profiles of Microsoft identity platform.
 
 ## See also
 
-* [Azure Active Directory Developer's Guide](v1-overview.md)
-* [Active Directory Code Samples](sample-v1-code.md)
+* [Microsoft identity platform overview](v2-overview.md)
+* [Active Directory Code Samples](sample-v2-code.md)

articles/active-directory/develop/active-directory-certificate-credentials.md

@@ -1,7 +1,7 @@
 ---
-title: Azure AD certificate credentials
+title: Microsoft identity platform certificate credentials
 titleSuffix: Microsoft identity platform
-description: This article discusses the registration and use of certificate credentials for application authentication
+description: This article discusses the registration and use of certificate credentials for application authentication.
 services: active-directory
 author: rwike77
 manager: CelesteDG
@@ -11,21 +11,21 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 05/21/2019
+ms.date: 12/18/2019
 ms.author: ryanwi
 ms.reviewer: nacanuma, jmprieur
 ms.custom: aaddev
 ms.collection: M365-identity-device-management
 ---
 
-# Azure AD application authentication certificate credentials
+# Microsoft identity platform application authentication certificate credentials
 
-Azure Active Directory (Azure AD) allows an application to use its own credentials for authentication, for example, in the OAuth 2.0 Client Credentials Grant flow ([v1.0](v1-oauth2-client-creds-grant-flow.md), [v2.0](v2-oauth2-client-creds-grant-flow.md)) and the On-Behalf-Of flow ([v1.0](v1-oauth2-on-behalf-of-flow.md), [v2.0](v2-oauth2-on-behalf-of-flow.md)).
+Microsoft identity platform allows an application to use its own credentials for authentication, for example, in the [OAuth 2.0 Client Credentials Grant flowv2.0](v2-oauth2-client-creds-grant-flow.md) and the [On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md)).
 
 One form of credential that an application can use for authentication is a JSON Web Token(JWT) assertion signed with a certificate that the application owns.
 
 ## Assertion format
-
+Microsoft identity platform
 To compute the assertion, you can use one of the many [JSON Web Token](https://jwt.ms/) libraries in the language of your choice. The information carried by the token are as follows:
 
 ### Header
@@ -85,9 +85,9 @@ The following string is an example of encoded assertion. If you look carefully,
 Gh95kHCOEGq5E_ArMBbDXhwKR577scxYaoJ1P{a lot of characters here}KKJDEg"
 ```
 
-## Register your certificate with Azure AD
+## Register your certificate with Microsoft identity platform
 
-You can associate the certificate credential with the client application in Azure AD through the Azure portal using any of the following methods:
+You can associate the certificate credential with the client application in Microsoft identity platform through the Azure portal using any of the following methods:
 
 ### Uploading the certificate file
 
@@ -121,7 +121,7 @@ In the Azure app registration for the client application:
        }
    ]
    ```
-3. Save the edits to the application manifest and then upload the manifest to Azure AD. 
+3. Save the edits to the application manifest and then upload the manifest to Microsoft identity platform. 
 
    The `keyCredentials` property is multi-valued, so you may upload multiple certificates for richer key management.
 
@@ -130,4 +130,4 @@ In the Azure app registration for the client application:
 > [!NOTE]
 > You must calculate the X5T header by using the certificate's hash and  converting it to a base64 string. In C# it would look something similar to that of : `System.Convert.ToBase64String(cert.GetCertHash());`
 
-The code sample on [Authenticating to Azure AD in daemon apps with certificates](https://github.com/Azure-Samples/active-directory-dotnet-daemon-certificate-credential) shows how an application uses its own credentials for authentication. It also shows how you can [create a self-signed certificate](https://github.com/Azure-Samples/active-directory-dotnet-daemon-certificate-credential#create-a-self-signed-certificate) using the `New-SelfSignedCertificate` Powershell command. You can also take advantage and use the [app creation scripts](https://github.com/Azure-Samples/active-directory-dotnet-daemon-certificate-credential/blob/master/AppCreationScripts/AppCreationScripts.md) to create the certificates, compute the thumbprint, and so on.
+The code sample on [Authenticating to Microsoft identity platform in daemon apps with certificates](https://github.com/Azure-Samples/active-directory-dotnet-daemon-certificate-credential) shows how an application uses its own credentials for authentication. It also shows how you can [create a self-signed certificate](https://github.com/Azure-Samples/active-directory-dotnet-daemon-certificate-credential#create-a-self-signed-certificate) using the `New-SelfSignedCertificate` Powershell command. You can also take advantage and use the [app creation scripts](https://github.com/Azure-Samples/active-directory-dotnet-daemon-certificate-credential/blob/master/AppCreationScripts/AppCreationScripts.md) to create the certificates, compute the thumbprint, and so on.

articles/active-directory/develop/authentication-scenarios.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 10/15/2019
+ms.date: 12/18/2019
 ms.author: ryanwi
 ms.reviewer: jmprieur, saeeda, sureshja, hirsin
 ms.custom: aaddev, identityplatformtop40, scenarios:getting-started
@@ -162,6 +162,7 @@ By default, MSAL uses the system browser except for .NET Framework desktop appli
 
 ## Next steps
 
-See the [Microsoft identity platform developer glossary](developer-glossary.md) to get familiar with common terms.
-See [Authentication flows and app scenarios](authentication-flows-app-scenarios.md) to learn more about other scenarios for authenticating users supported by the Microsoft identity platform.
-See [MSAL libraries](msal-overview.md) to learn about the Microsoft libraries that help you develop applications that work with Microsoft Accounts, Azure AD accounts, and Azure AD B2C users all in a single, streamlined programming model.
+- See the [Microsoft identity platform developer glossary](developer-glossary.md) to get familiar with common terms.
+- See [Authentication flows and app scenarios](authentication-flows-app-scenarios.md) to learn more about other scenarios for authenticating users supported by the Microsoft identity platform.
+- See [MSAL libraries](msal-overview.md) to learn about the Microsoft libraries that help you develop applications that work with Microsoft Accounts, Azure AD accounts, and Azure AD B2C users all in a single, streamlined programming model.
+- See [Integrate App Service with Microsfot identity platform](/azure/app-service/configure-authentication-provider-aad) to learn how to configure authentication for your App Service app.

articles/active-directory/develop/quickstart-v2-dotnet-native-aspnet.md

@@ -1,6 +1,6 @@
 ---
-title: Call Azure AD protected ASP.NET Web API - Microsoft identity platform
-description: In this quickstart, learn how to call an ASP.NET web API protected by Azure Active Directory from a Windows Desktop (WPF) application. The WPF client authenticates a user, requests an access token, and calls the web API.
+title: Call a ASP.NET Web API protected by Microsoft identity platform
+description: In this quickstart, learn how to call an ASP.NET web API protected by Microsoft identity platform from a Windows Desktop (WPF) application. The WPF client authenticates a user, requests an access token, and calls the web API.
 services: active-directory
 author: jmprieur
 manager: CelesteDG
@@ -16,9 +16,9 @@ ms.custom: aaddev, identityplatformtop40, scenarios:getting-started, languages:A
 ms.collection: M365-identity-device-management
 ---
 
-# Quickstart: Call an ASP.NET Web API protected by Azure AD
+# Quickstart: Call an ASP.NET Web API protected by Microsoft identity platform
 
-In this quickstart, you expose a Web API and protect it so that only authenticated user can access it. This sample shows how to expose a ASP.NET Web API so it can accept tokens issued by personal accounts (including outlook.com, live.com, and others) as well as work and school accounts from any company or organization that has integrated with Azure Active Directory.
+In this quickstart, you expose a Web API and protect it so that only authenticated user can access it. This sample shows how to expose a ASP.NET Web API so it can accept tokens issued by personal accounts (including outlook.com, live.com, and others) as well as work and school accounts from any company or organization that has integrated with Microsoft identity platform.
 
 The sample also includes a Windows Desktop application (WPF) client that demonstrates how you can request an access token to access a Web API.