Merge branch 'main' into release-preview-mswb

Author: v-alje

articles/active-directory/develop/howto-add-app-roles-in-apps.md

@@ -63,6 +63,17 @@ To create an app role by using the Azure portal's user interface:
 
 When the app role is set to enabled, any users, applications or groups who are assigned has it included in their tokens. These can be access tokens when your app is the API being called by an app or ID tokens when your app is signing in a user. If set to disabled, it becomes inactive and no longer assignable. Any previous assignees will still have the app role included in their tokens, but it has no effect as it is no longer actively assignable. 
 
+## Assign application owner 
+
+If you have not already done so, you'll need to assign yourself as the application owner.
+
+1. In your app registration, under **Manage**, select **Owners**, and **Add owners**.
+1. In the new window, find and select the owner(s) that you want to assign to the application. Selected owners appear in the right panel. Once done, confirm with **Select**. The app owner(s) will now appear in the owner's list.
+
+>[!NOTE]
+>
+> Ensure that both the API application and the application you want to add permissions to both have an owner, otherwise the API will not be listed when requesting API permissions.
+
 ## Assign users and groups to roles
 
 Once you've added app roles in your application, you can assign users and groups to the roles. Assignment of users and groups to roles can be done through the portal's UI, or programmatically using [Microsoft Graph](/graph/api/user-post-approleassignments). When the users assigned to the various app roles sign in to the application, their tokens will have their assigned roles in the `roles` claim.

articles/active-directory/develop/includes/web-app-client-credentials.md

@@ -72,4 +72,8 @@ Instead of a client secret, you can provide a client certificate. The following
 }
 ```
 
-*Microsoft.Identity.Web* provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates) on GitHub.
+> [!WARNING]
+>
+> If you forget to change the `Scopes` to an array, when you try to use the `IDownstreamApi` the scopes will appear null, and `IDownstreamApi` will attempt an anonymous (unauthenticated) call to the downstream API, which will result in a `401/unauthenticated`.
+
+*Microsoft.Identity.Web* provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates) on GitHub.

articles/active-directory/develop/quickstart-configure-app-expose-web-apis.md

@@ -17,7 +17,7 @@ ms.reviewer: aragra, lenalepa, sureshja
 
 # Quickstart: Configure an application to expose a web API
 
-In this quickstart, you'll register a web API with the Microsoft identity platform and expose it to client apps by adding a scope. By registering your web API and exposing it through scopes, you can provide permissions-based access to its resources to authorized users and client apps that access your API.
+In this quickstart, you'll register a web API with the Microsoft identity platform and expose it to client apps by adding a scope. By registering your web API and exposing it through scopes, assigning an owner and app role, you can provide permissions-based access to its resources to authorized users and client apps that access your API.
 
 ## Prerequisites
 
@@ -34,7 +34,30 @@ Perform the steps in the **Register an application** section of [Quickstart: Reg
 
 Skip the **Redirect URI (optional)** section. You don't need to configure a redirect URI for a web API since no user is logged in interactively.
 
-With the web API registered, you can add scopes to the API's code so it can provide granular permission to consumers.
+## Assign application owner 
+
+1. In your app registration, under **Manage**, select **Owners**, and **Add owners**.
+1. In the new window, find and select the owner(s) that you want to assign to the application. Selected owners appear in the right panel. Once done, confirm with **Select**. The app owner(s) will now appear in the owner's list.
+
+>[!NOTE]
+>
+> Ensure that both the API application and the application you want to add permissions to both have an owner, otherwise the API will not be listed when requesting API permissions.
+
+## Assign app role
+
+1. In your app registration, under **Manage**, select **App roles**, and **Create app role**.
+1. Next, specify the app role's attributes in the **Create app role** pane. For this walk-through, you can use the example values or specify your own. 
+
+   | Field | Description | Example |
+   |-------|-------------|---------|
+   | **Display name** | The name of your app role | *Employee Records* |
+   | **Allowed member types** | Specifies whether the app role can be assigned to users/groups and/or applications | *Applications* |
+   | **Value** | The value displayed in the "roles" claim of a token | `Employee.Records` |
+   | **Description** | A more detailed description of the app role | *Applications have access to employee records* |
+
+1. Select the checkbox to enable the app role.
+
+With the web API registered, assigned an app role and owner, you can add scopes to the API's code so it can provide granular permission to consumers.
 
 ## Add a scope
 
@@ -44,9 +67,9 @@ The code in a client application requests permission to perform operations defin
 
 First, follow these steps to create an example scope named `Employees.Read.All`:
 
-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/quickstart-configure-app-expose-web-apis/portal-01-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant containing your client app's registration.
-1. Select **Azure Active Directory** > **App registrations**, and then select your API's app registration.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 
+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/quickstart-configure-app-access-web-apis/portal-01-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant containing your client app's registration.
+1. Browse to **Identity** > **Applications** > **App registrations**, and then select your API's app registration.
 1. Select **Expose an API**
 1. Select **Add** next to **Application ID URI** if you haven't yet configured one.
 
@@ -56,7 +79,6 @@ First, follow these steps to create an example scope named `Employees.Read.All`:
     :::image type="content" source="media/quickstart-configure-app-expose-web-apis/portal-02-expose-api.png" alt-text="An app registration's Expose an API pane in the Azure portal":::
 
 
-
 1. Next, specify the scope's attributes in the **Add a scope** pane. For this walk-through, you can use the example values or specify your own.
 
     | Field | Description | Example |

articles/active-directory/develop/reference-claims-mapping-policy-type.md

@@ -257,13 +257,10 @@ Restricted Claim type (URI):
 - `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`
 - `http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`
 - `http://schemas.microsoft.com/ws/2008/06/identity/claims/ispersistent`
-- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid`
-- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
 - `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`
 - `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`
 - `http://schemas.microsoft.com/ws/2008/06/identity/claims/samlissuername`
 - `http://schemas.microsoft.com/ws/2008/06/identity/claims/wids`
-- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`
 - `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdeviceclaim`
 - `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdevicegroup`
 - `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsfqbnversion`
@@ -272,14 +269,9 @@ Restricted Claim type (URI):
 - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication`
 - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecision`
 - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid`
-- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
-- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
-- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`
 - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier`
-- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid`
 - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn`
 - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`
-- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname`
 - `http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor`
 
 

articles/active-directory/develop/saml-claims-customization.md

@@ -210,10 +210,14 @@ When the following conditions occur after **Add** or **Run test** is selected, a
 
 ## Add the UPN claim to SAML tokens
 
-The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md), so you can't add it in the **Attributes & Claims** section. As a workaround, you can add it as an [optional claim](./optional-claims.md) through **App registrations** in the Azure portal.  
+The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md#saml-restricted-claim-set). If you have custom signing key configured, you can add it in the **Attributes & Claims** section.  
 
+In case there is no custom signing key configured, please refer to [SAML Restricted claim set](reference-claims-mapping-policy-type.md#saml-restricted-claim-set). You can add it as an [optional claim](./optional-claims.md) through **App registrations** in the Azure portal.
+ 
 Open the application in **App registrations**, select **Token configuration**, and then select **Add optional claim**. Select the **SAML** token type, choose **upn** from the list, and then click **Add** to add the claim to the token.
 
+Customization done in the **Attributes & Claims** section can overwrite the optional claims in the **App Registration**.
+
 ## Emit claims based on conditions
 
 You can specify the source of a claim based on user type and the group to which the user belongs.

articles/active-directory/develop/whats-new-docs.md

@@ -5,7 +5,7 @@ services: active-directory
 author: henrymbuguakiarie
 manager: CelesteDG
 
-ms.date: 08/01/2023
+ms.date: 09/04/2023
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
@@ -18,6 +18,16 @@ ms.custom: has-adal-ref
 
 Welcome to what's new in the Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
 
+## August 2023
+
+### Updated articles
+
+- [Call an ASP.NET Core web API with cURL](howto-call-a-web-api-with-curl.md) - Updated sign-in steps for admin center
+- [Troubleshoot publisher verification](troubleshoot-publisher-verification.md) - Removed references to aad.portal.azure.com and terminology updates for partner program updates
+- [Configure a custom claim provider token issuance event (preview)](custom-extension-get-started.md) - Updated MS Graph sections - custom claim provider token issuance event tutorial and custom authentication extensions references
+- [Customize claims issued in the JSON web token (JWT) for enterprise applications](jwt-claims-customization.md) - Updated sign-in steps for admin center
+- [Access tokens in the Microsoft identity platform](access-tokens.md) - Updated details about issuer validation
+
 ## July 2023
 
 ### New articles
@@ -51,33 +61,3 @@ Welcome to what's new in the Microsoft identity platform documentation. This art
 - [Tokens and claims overview](security-tokens.md) - Editorial review of security tokens
 - [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md) - Editorial review
 - [What's new for authentication?](reference-breaking-changes.md) - Identity breaking change: omission of unverified emails by default
-
-## May 2023
-
-### New articles
-
-- [Access token claims reference](access-token-claims-reference.md)
-- [Directory extension attributes in claims](schema-extensions.md)
-- [Provide optional claims to your app](optional-claims.md)
-
-### Updated articles
-
-- [Application and service principal objects in Azure Active Directory](app-objects-and-service-principals.md)
-- [What's new for authentication?](reference-breaking-changes.md)
-- [A web app that calls web APIs: Acquire a token for the app](scenario-web-app-call-api-acquire-token.md)
-- [A web app that calls web APIs: Code configuration](scenario-web-app-call-api-app-configuration.md)
-- [A web app that calls web APIs: Call a web API](scenario-web-app-call-api-call-api.md)
-- [A web API that calls web APIs: Acquire a token for the app](scenario-web-api-call-api-acquire-token.md)
-- [A web API that calls web APIs: Code configuration](scenario-web-api-call-api-app-configuration.md)
-- [A web API that calls web APIs: Call an API](scenario-web-api-call-api-call-api.md)
-- [Confidential client assertions](msal-net-client-assertions.md)
-- [Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview)](jwt-claims-customization.md)
-- [Customize claims issued in the SAML token for enterprise applications](saml-claims-customization.md)
-- [Desktop app that calls web APIs: Acquire a token by using WAM](scenario-desktop-acquire-token-wam.md)
-- [Desktop app that calls web APIs: Acquire a token interactively](scenario-desktop-acquire-token-interactive.md)
-- [Handle errors and exceptions in MSAL for Python](msal-error-handling-python.md)
-- [Protected web API: Code configuration](scenario-protected-web-api-app-configuration.md)
-- [Shared device mode for iOS devices](msal-ios-shared-devices.md)
-- [Tutorial: Sign in users and call the Microsoft Graph API from an Android application](tutorial-v2-android.md)
-- [Tutorial: Sign in users and call the Microsoft Graph API from an Angular single-page application (SPA) using auth code flow](tutorial-v2-angular-auth-code.md)
-- [Web app that signs in users: Code configuration](scenario-web-app-sign-user-app-configuration.md)