Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Learn Build Service GitHub App

.openpublishing.redirection.azure-monitor.json

@@ -3863,12 +3863,12 @@
             "redirect_document_id": false
         },
         {
-            "source_path_from_root": "/articles/azure-monitor/platform/alerts-common-schema-definitions.md",
+            "source_path_from_root": "/articles/azure-monitor/platform/alerts-common-schema.md",
             "redirect_url": "/azure/azure-monitor/alerts/alerts-common-schema",
             "redirect_document_id": false
         },
         {
-            "source_path_from_root": "/articles/azure-monitor/platform/alerts-common-schema.md",
+            "source_path_from_root": "/articles/azure-monitor/platform/alerts-common-schema-definitions.md",
             "redirect_url": "/azure/azure-monitor/alerts/alerts-common-schema",
             "redirect_document_id": false
         },
@@ -3877,6 +3877,11 @@
             "redirect_url": "/azure/azure-monitor/alerts/alerts-common-schema",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/alerts/alerts-common-schema-test-action-definitions.md",
+            "redirect_url": "/azure/azure-monitor/alerts/alerts-payload-samples",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/platform/alerts-common-schema-integrations.md",
             "redirect_url": "/azure/azure-monitor/alerts/alerts-common-schema-integrations",

articles/active-directory-b2c/idp-pass-through-user-flow.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 03/10/2022
+ms.date: 03/16/2023
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -150,6 +150,77 @@ When testing your applications in Azure AD B2C, it can be useful to have the Azu
 
     ![Decoded token in jwt.ms with idp_access_token block highlighted](./media/idp-pass-through-user-flow/identity-provider-pass-through-token-custom.png)
 
+## Pass the IDP refresh token (optional)
+
+The access token the identity provider returns is valid for a short period of time. Some identity providers also issue a refresh token along with the access token. Your client application can then exchange the identity provider's refresh token for a new access token when needed. 
+
+Azure AD B2C custom policy supports passing the refresh token of OAuth 2.0 identity providers, which includes [Facebook](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#facebook-with-access-token), [Google](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#facebook-with-access-token) and [GitHub](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#github-with-access-token).
+
+To pass the identity provider's refresh token, follow these steps:
+
+1. Open your *TrustframeworkExtensions.xml* file and add the following **ClaimType** element with an identifier of `identityProviderRefreshToken` to the **ClaimsSchema** element.
+    
+    ```xml
+    <ClaimType Id="identityProviderRefreshToken">
+        <DisplayName>Identity provider refresh token</DisplayName>
+        <DataType>string</DataType>
+    </ClaimType>
+    ```
+    
+1. Add the **OutputClaim** element to the **TechnicalProfile** element for each OAuth 2.0 identity provider that you would like the refresh token for. The following example shows the element added to the Facebook technical profile:
+    
+    ```xml
+    <ClaimsProvider>
+      <DisplayName>Facebook</DisplayName>
+      <TechnicalProfiles>
+        <TechnicalProfile Id="Facebook-OAUTH">
+          <OutputClaims>
+            <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="{oauth2:refresh_token}" />
+          </OutputClaims>
+          ...
+        </TechnicalProfile>
+      </TechnicalProfiles>
+    </ClaimsProvider>
+    ```
+
+1. Some identity providers require you to include metadata or scopes to the identity provider's technical profile.
+
+    - For Google identity provider, add two claim types `access_type` and `prompt`. Then add the following input claims to the identity provider's technical profile:
+
+        ```xml
+        <InputClaims>
+            <InputClaim ClaimTypeReferenceId="access_type" PartnerClaimType="access_type" DefaultValue="offline" AlwaysUseDefaultValue="true" />
+    
+            <!-- The refresh_token is return only on the first authorization for a given user. Subsequent authorization request doesn't return the refresh_token.
+                To fix this issue we add the prompt=consent query string parameter to the authorization request-->
+            <InputClaim ClaimTypeReferenceId="prompt" PartnerClaimType="prompt" DefaultValue="consent" AlwaysUseDefaultValue="true" />
+        </InputClaims>
+        ```
+    
+    - Other identity providers may have different methods to issue a refresh token. Follow the identity provider's audience and add the necessary elements to your identity provider's technical profile. 
+
+1. Save the changes you made in your *TrustframeworkExtensions.xml* file.
+1. Open your relying party policy file, such as *SignUpOrSignIn.xml*, and add the **OutputClaim** element to the **TechnicalProfile**:
+
+    ```xml
+    <RelyingParty>
+      <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
+      <TechnicalProfile Id="PolicyProfile">
+        <OutputClaims>
+          <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="idp_refresh_token"/>
+        </OutputClaims>
+        ...
+      </TechnicalProfile>
+    </RelyingParty>
+    ```
+
+1. Save the changes you made in your policy's relying party policy file.
+1. Upload the *TrustframeworkExtensions.xml* file, and then the relying party policy file.
+1. [Test your policy](#test-your-policy)
+ 
+
+ 
+
 ::: zone-end
 
 ## Next steps

articles/active-directory-b2c/relyingparty.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 11/17/2022
+ms.date: 03/13/2023
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -78,6 +78,8 @@ The optional **RelyingParty** element contains the following elements:
 | UserJourneyBehaviors | 0:1 | The scope of the user journey behaviors. |
 | TechnicalProfile | 1:1 | A technical profile that's supported by the RP application. The technical profile provides a contract for the RP application to contact Azure AD B2C. |
 
+You need to create the **RelyingParty** child elements in the order presented in the preceding table.
+
 ## Endpoints
 
 The **Endpoints** element contains the following element:

articles/active-directory/app-proxy/application-proxy-configure-complex-application.md

@@ -69,13 +69,13 @@ To publish complex distributed app through Application Proxy with application se
 
 3. On the Manage and configure application segments page, select "+ Add app segment"
 
-    :::image type="content" source="./media/application-proxy-configure-complex-application/add-application-segment-1.png" alt-text="Screenshot pf Manage and configure application segment blade.":::
+    :::image type="content" source="./media/application-proxy-configure-complex-application/add-application-segment-1.png" alt-text="Screenshot of Manage and configure application segment blade.":::
 
 4. In the Internal Url field, enter the internal URL for your app.
 
 5. In the External Url field, drop down the list and select the custom domain you want to use.
 
-6. Add CORS Rules (optional).  For more information see [Configuring CORS Rule](https://learn.microsoft.com/graph/api/resources/corsconfiguration_v2?view=graph-rest-beta)
+6. Add CORS Rules (optional).  For more information see [Configuring CORS Rule](/graph/api/resources/corsconfiguration_v2?view=graph-rest-beta).
 
 7. Select Create.
 

articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-access-keys.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: ciem
 ms.workload: identity
 ms.topic: how-to
-ms.date: 02/23/2022
+ms.date: 03/01/2023
 ms.author: jfields
 ---
 
@@ -23,6 +23,9 @@ The **Analytics** dashboard in Permissions Management provides details about ide
 - **Access Keys**: Tracks the permission usage of access keys for a given user.
 - **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions.
 
+> [!NOTE] 
+> Currently, Microsoft Azure and Google Cloud Platform (GCP) do not provide significant information about access keys to return access keys data. Access Keys analytics are currently only available for Amazon Web Services (AWS) accounts. 
+
 This article describes how to view usage analytics about access keys.
 
 ## Create a query to view access keys
@@ -33,8 +36,8 @@ When you select **Access keys**, the **Analytics** dashboard provides a high-lev
 
     The following components make up the **Access Keys** dashboard:
 
-    - **Authorization System Type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
-    - **Authorization System**: Select from a **List** of accounts and **Folders***.
+    - **Authorization System Type**: Select **AWS**.
+    - **Authorization System**: Select from a **List** of accounts and **Folders**.
     - **Key Status**: Select **All**, **Active**, or **Inactive**.
     - **Key Activity State**: Select **All**, how long the access key has been used, or **Not Used**.
     - **Key Age**: Select **All** or how long ago the access key was created.
@@ -68,23 +71,23 @@ Filters can be applied in one, two, or all three categories depending on the typ
 
 ### Apply filters by authorization system type
 
-1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System Type** dropdown, select **AWS**.
 1. Select **Apply** to run your query and display the information you selected.
 
     Select **Reset Filter** to discard your changes.
 
 
 ### Apply filters by authorization system
 
-1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System Type** dropdown, select **AWS**.
 1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**.
 1. Select **Apply** to run your query and display the information you selected.
 
     Select **Reset Filter** to discard your changes.
 
 ### Apply filters by key status
 
-1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System Type** dropdown, select **AWS**.
 1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
 1. From the **Key Status** dropdown, select the type of key: **All**, **Active**, or **Inactive**.
 1. Select **Apply** to run your query and display the information you selected.
@@ -93,7 +96,7 @@ Filters can be applied in one, two, or all three categories depending on the typ
 
 ### Apply filters by key activity status
 
-1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System Type** dropdown, select **AWS**.
 1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
 1. From the **Key Activity State** dropdown, select **All**, the duration for how long the access key has been used, or **Not Used**.
 
@@ -103,7 +106,7 @@ Filters can be applied in one, two, or all three categories depending on the typ
 
 ### Apply filters by key age
 
-1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System Type** dropdown, select **AWS**.
 1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
 1. From the **Key Age** dropdown, select  **All** or how long ago the access key was created.
 
@@ -113,7 +116,7 @@ Filters can be applied in one, two, or all three categories depending on the typ
 
 ### Apply filters by task type
 
-1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System Type** dropdown, select **AWS**.
 1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
 1. From the **Task Type** dropdown, select  **All** tasks, **High Risk Tasks** or, for a list of tasks where users have deleted data, select **Delete tasks**.
 1. Select **Apply** to run your query and display the information you selected.

articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md

@@ -93,7 +93,6 @@ The following key applications are affected by the Office 365 cloud app:
 - Microsoft Flow
 - Microsoft Office 365 Portal
 - Microsoft Office client application
-- Microsoft Stream 
 - Microsoft To-Do WebApp
 - Microsoft Whiteboard Services
 - Office Delve

articles/active-directory/fundamentals/auth-ssh.md

@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 ---
 # SSH authentication with Azure Active Directory  
 
-Secure Shell (SSH) is a network protocol that provides encryption for operating network services securely over an unsecured network. It's commonly used in Unix-based systems such as Linux. SSH replaces the Telnet protocol, which doesn't provide encryption in an unsecured network. 
+Secure Shell (SSH) is a network protocol that provides encryption for operating network services securely over an unsecured network. It's commonly used in systems like Unix and Linux. SSH replaces the Telnet protocol, which doesn't provide encryption in an unsecured network. 
 
 Azure Active Directory (Azure AD) provides a virtual machine (VM) extension for Linux-based systems that run on Azure. It also provides a client extension that integrates with the [Azure CLI](/cli/azure/) and the OpenSSH client.
 

articles/active-directory/identity-protection/concept-workload-identity-risk.md

@@ -57,8 +57,8 @@ We detect risk on workload identities across sign-in behavior and offline indica
 | Suspicious Sign-ins | Offline | This risk detection indicates sign-in properties or patterns that are unusual for this service principal. <br><br> The detection learns the baselines sign-in behavior for workload identities in your tenant in between 2 and 60 days, and fires if one or more of the following unfamiliar properties appear during a later sign-in: IP address / ASN, target resource, user agent, hosting/non-hosting IP change, IP country, credential type. <br><br> Because of the programmatic nature of workload identity sign-ins, we provide a timestamp for the suspicious activity instead of flagging a specific sign-in event. <br><br>  Sign-ins that are initiated after an authorized configuration change may trigger this detection. |
 | Admin confirmed account compromised | Offline | This detection indicates an admin has selected 'Confirm compromised' in the Risky Workload Identities UI or using riskyServicePrincipals API. To see which admin has confirmed this account compromised, check the account’s risk history (via UI or API). |
 | Leaked Credentials | Offline | This risk detection indicates that the account's valid credentials have been leaked. This leak can occur when someone checks in the credentials in public code artifact on GitHub, or when the credentials are leaked through a data breach. <br><br> When the Microsoft leaked credentials service acquires credentials from GitHub, the dark web, paste sites, or other sources, they're checked against current valid credentials in Azure AD to find valid matches. |
-| Malicious application | Offline | This detection indicates that Microsoft has disabled an application for violating our terms of service. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application.| 
-| Suspicious application | Offline | This detection indicates that Microsoft has identified an application that may be violating our terms of service, but hasn't disabled it. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application.| 
+| Malicious application | Offline | This detection indicates that Microsoft has disabled an application for violating our terms of service. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application. Note: These applications will show `DisabledDueToViolationOfServicesAgreement` on the `disabledByMicrosoftStatus` property on the related [application](/graph/api/resources/application) and [service principal](/graph/api/resources/serviceprincipal) resource types in Microsoft Graph. To prevent them from being instantiated in your organization again in the future, you cannot delete these objects. |
+| Suspicious application | Offline | This detection indicates that Microsoft has identified an application that may be violating our terms of service, but hasn't disabled it. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application.|
 | Anomalous service principal activity | Offline | This risk detection baselines normal administrative service principal behavior in Azure AD, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrative service principal making the change or the object that was changed. |
 
 ## Identify risky workload identities
@@ -123,3 +123,4 @@ The [Azure AD Toolkit](https://github.com/microsoft/AzureADToolkit) is a PowerSh
 - [Azure AD sign-in logs](../reports-monitoring/concept-sign-ins.md)
 - [Simulate risk detections](howto-identity-protection-simulate-risk.md)
 
+

articles/active-directory/saas-apps/servicenow-provisioning-tutorial.md

@@ -2,15 +2,15 @@
 title: Configure ServiceNow for automatic user provisioning with Azure Active Directory
 description: Learn how to automatically provision and deprovision user accounts from Azure AD to ServiceNow.
 services: active-directory
-author: jeevansd
+author: twimmers
 manager: CelesteDG
 ms.reviewer: celested
 ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: how-to
 ms.date: 3/10/2023
-ms.author: jeedes
+ms.author: thwimmer
 ---
 
 # Configure ServiceNow for automatic user provisioning
@@ -86,6 +86,12 @@ To configure automatic user provisioning for ServiceNow in Azure AD:
 
 1. In the **Admin Credentials** section, enter your ServiceNow tenant URL, Client ID, Client Secret and Authorization Endpoint. Select **Test Connection** to ensure that Azure AD can connect to ServiceNow. [This ServiceNow documentation](https://docs.servicenow.com/bundle/utah-platform-security/page/administer/security/task/t_CreateEndpointforExternalClients.html) outlines how to generate these values.
 
+- Tenant URL: https://**InsertInstanceName**.service-now.com/api/now/scim
+- Authorization Endpoint: https://**InsertInstanceName**.service-now.com/oauth_auth.do?response_type=code&client_id=**InsertClientID**&state=1&scope=useraccount&redirect_uri=https%3A%2F%2Fportal.azure.com%2FTokenAuthorize
+- Token Endoint: https://**InsertInstanceName**.service-now.com/api/now/scim
+
+![Screenshot that shows the Service Provisioning page, where you can enter admin credentials.](./media/servicenow-provisioning-tutorial/servicenow-provisioning.png)
+
 1. In the **Notification Email** box, enter the email address of a person or group that should receive the provisioning error notifications. Then select the **Send an email notification when a failure occurs** check box.
 
 1. Select **Save**.
@@ -198,7 +204,7 @@ POST https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronizat
 11. Restore any previous changes you made to the application (Authentication details, Scoping filters, Custom attribute mappings) and re-enable provisioning. 
 
 > [!NOTE] 
-> Failure to restore the previous settings may results in attributes (name.formatted for example) updating in Workplace unexpectedly. Be sure to check the configuration before enabling  provisioning 
+> Failure to restore the previous settings may results in attributes (name.formatted for example) updating in ServiceNow unexpectedly. Be sure to check the configuration before enabling  provisioning 
 
 ## Additional resources