Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-aadroles-admin-units-scope-sharepoint-teams-update

Author: rolyon

.openpublishing.redirection.json

@@ -43933,6 +43933,11 @@
         "source_path_from_root": "/articles/governance/policy/how-to/guest-configuration-create-group-policy.md",
         "redirect_url": "/azure/governance/policy/how-to/guest-configuration-create",
         "redirect_document_id": false
+      },
+      {
+        "source_path_from_root": "/articles/virtual-desktop/compare-virtual-desktop-windows-365.md",
+        "redirect_url": "/azure/virtual-desktop/overview",
+        "redirect_document_id": false
       }
   ]
 }

articles/active-directory-b2c/claimsschema.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 02/16/2022
+ms.date: 03/06/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -127,7 +127,7 @@ The **Mask** element contains the following attributes:
 | `Type` | Yes | The type of the claim mask. Possible values: `Simple` or `Regex`. The `Simple` value indicates that a simple text mask is applied to the leading portion of a string claim. The `Regex` value indicates that a regular expression is applied to the string claim as whole.  If the `Regex` value is specified, an optional attribute must also be defined with the regular expression to use. |
 | `Regex` | No | If **`Type`** is set to `Regex`, specify the regular expression to use.
 
-The following example configures a **PhoneNumber** claim with the `Simple` mask:
+The following example configures a **PhoneNumber** claim with the `Simple` mask. For more samples, check out the [Claim simple mask live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims#simple-mask).
 
 ```xml
 <ClaimType Id="PhoneNumber">
@@ -142,7 +142,7 @@ The Identity Experience Framework renders the phone number while hiding the firs
 
 ![Phone number claim shown in browser with first six digits masked by Xs](./media/claimsschema/mask.png)
 
-The following example configures a **AlternateEmail** claim with the `Regex` mask:
+The following example configures a **AlternateEmail** claim with the `Regex` mask. For more samples, check out the [Regex mask live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims#regex-mask).
 
 ```xml
 <ClaimType Id="AlternateEmail">
@@ -157,7 +157,6 @@ The Identity Experience Framework renders only the first letter of the email add
 
 ![Email claim shown in browser with characters masked by asterisks](./media/claimsschema/mask-regex.png)
 
-
 ### Restriction
 
 The **Restriction** element may contain the following attribute:
@@ -185,7 +184,7 @@ The **Enumeration** element contains the following attributes:
 |Value | Yes | The claim value that is associated with selecting this option. |
 | SelectByDefault | No | Indicates whether or not this option should be selected by default in the UI. Possible values: True or False. |
 
-The following example configures a **city** dropdown list claim with a default value set to `New York`:
+The following example configures a **city** dropdown list claim with a default value set to `New York`. For more samples, check out the [Claim restriction enumeration live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims#restriction-enumeration).
 
 ```xml
 <ClaimType Id="city">
@@ -390,7 +389,6 @@ The **Readonly** user input type is used to provide a readonly field to display
 </ClaimType>
 ```
 
-
 #### Paragraph
 
 The **Paragraph** user input type is used to provide a field that shows text only in a paragraph tag.  For example, &lt;p&gt;text&lt;/p&gt;. A **Paragraph** user input type `OutputClaim` of self-asserted technical profile, must set the `Required` attribute `false` (default).
@@ -404,10 +402,5 @@ The **Paragraph** user input type is used to provide a field that shows text onl
   <AdminHelpText>A claim responsible for holding response messages to send to the relying party</AdminHelpText>
   <UserHelpText>A claim responsible for holding response messages to send to the relying party</UserHelpText>
   <UserInputType>Paragraph</UserInputType>
-  <Restriction>
-    <Enumeration Text="B2C_V1_90001" Value="You cannot sign in because you are a minor" />
-    <Enumeration Text="B2C_V1_90002" Value="This action can only be performed by gold members" />
-    <Enumeration Text="B2C_V1_90003" Value="You have not been enabled for this operation" />
-  </Restriction>
 </ClaimType>
 ```

articles/active-directory-b2c/configure-authentication-sample-web-app.md

@@ -113,7 +113,7 @@ Under the project root folder, open the *appsettings.json* file. This file conta
 |---------|---------|---------|
 |AzureAdB2C|Instance| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `https://contoso.b2clogin.com`).|
 |AzureAdB2C|Domain| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.onmicrosoft.com`).|
-|AzureAdB2C|ClientId| The web API application ID from [step 2](#step-2-register-a-web-application).|
+|AzureAdB2C|ClientId| The Web App Application (client) ID from [step 2](#step-2-register-a-web-application).|
 |AzureAdB2C|SignUpSignInPolicyId|The user flows or custom policy you created in [step 1](#step-1-configure-your-user-flow).|
 
 Your final configuration file should look like the following JSON:

articles/active-directory-b2c/localization.md

@@ -7,7 +7,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 01/21/2022
+ms.date: 03/06/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -110,24 +110,26 @@ The **Item** element contains the following attributes:
 | Value | Yes | The string claim value associated with selecting this option. |
 | SelectByDefault | No | Indicates whether or not this option should be selected by default in the UI. Possible values: True or False. |
 
-The following example shows the use of the **LocalizedCollections** element. It contains two **LocalizedCollection** elements, one for English and another one for Spanish. Both set the **Restriction** collection of the claim `Gender` with a list of items for English and Spanish.
+The following example shows the use of the **LocalizedCollections** element. It contains two **LocalizedCollection** elements, one for English and another one for Spanish. Both set the **Restriction** collection of the claim `Gender` with a list of items for English and Spanish. For more samples, check out the [Claim restriction enumeration live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims#restriction-enumeration).
 
 ```xml
 <LocalizedResources Id="api.selfasserted.en">
- <LocalizedCollections>
-   <LocalizedCollection ElementType="ClaimType" ElementId="Gender" TargetCollection="Restriction">
+  <LocalizedCollections>
+    <LocalizedCollection ElementType="ClaimType" ElementId="Gender" TargetCollection="Restriction">
       <Item Text="Female" Value="F" />
       <Item Text="Male" Value="M" />
     </LocalizedCollection>
-</LocalizedCollections>
+  </LocalizedCollections>
+</LocalizedResources>
 
 <LocalizedResources Id="api.selfasserted.es">
  <LocalizedCollections>
    <LocalizedCollection ElementType="ClaimType" ElementId="Gender" TargetCollection="Restriction">
       <Item Text="Femenino" Value="F" />
       <Item Text="Masculino" Value="M" />
     </LocalizedCollection>
-</LocalizedCollections>
+  </LocalizedCollections>
+</LocalizedResources>
 ```
 
 ### LocalizedStrings

articles/active-directory-b2c/protocols-overview.md

@@ -34,6 +34,8 @@ https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize
 https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/token
 ```
 
+If you're using a [custom domain](custom-domain.md), replace `{tenant}.b2clogin.com` with the custom domain, such as `contoso.com`, in the endpoints.  
+
 In nearly all OAuth and OpenID Connect flows, four parties are involved in the exchange:
 
 

articles/active-directory/conditional-access/media/workload-identity/conditional-access-workload-identity-risk-policy.png

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 02/23/2022
+ms.date: 03/04/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -56,49 +56,25 @@ Create a location based Conditional Access policy that applies to service princi
 
 ### Create a risk-based Conditional Access policy
 
-Use this sample JSON for a risk-based policy using the [Microsoft Graph beta endpoint](/graph/api/resources/conditionalaccesspolicy?view=graph-rest-1.0&preserve-view=true). 
+Create a location based Conditional Access policy that applies to service principals.
 
-> [!NOTE]
-> Report-only mode doesn't report account risk on a risky workload identity.
+:::image type="content" source="media/workload-identity/conditional-access-workload-identity-risk-policy.png" alt-text="Creating a Conditional Access policy with a workload identity and risk as a condition." lightbox="media/workload-identity/conditional-access-workload-identity-risk-policy.png":::
 
-```json
-{
-"displayName": "Name",
-"state": "enabled OR disabled",
-"conditions": {
-"applications": {
-"includeApplications": [
-"All"
-],
-"excludeApplications": [],
-"includeUserActions": [],
-"includeAuthenticationContextClassReferences": [],
-"applicationFilter": null
-},
-"userRiskLevels": [],
-"signInRiskLevels": [],
-"clientApplications": {
-"includeServicePrincipals": [
-"ServicePrincipalsInMyTenant"
-],
-"excludeServicePrincipals": []
-},
-"servicePrincipalRiskLevels": [
-"low",
-"medium",
-"high"
-]
-},
-"grantControls": {
-"operator": "and",
-"builtInControls": [
-"block"
-],
-"customAuthenticationFactors": [],
-"termsOfUse": []
-}
-}
-```
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users or workload identities**.
+   1. Under **What does this policy apply to?**, select **Workload identities (Preview)**.
+   1. Under **Include**, choose **Select service principals**, and select the appropriate service principals from the list.
+1. Under **Cloud apps or actions**, select **All cloud apps**. The policy will apply only when a service principal requests a token.
+1. Under **Conditions** > **Service principal risk (Preview)**
+   1. Set the **Configure** toggle to **Yes**.
+   1. Select the levels of risk where you want this policy to trigger.
+   1. Select **Done**.
+1. Under **Grant**, **Block access** is the only available option. Access is blocked when a token request is made from outside the allowed range.
+1. Your policy can be saved in **Report-only** mode, allowing administrators to estimate the effects, or policy is enforced by turning policy **On**.
+1. Select **Create** to complete your policy.
 
 ## Roll back
 

articles/active-directory/conditional-access/workload-identity.md

@@ -1,7 +1,7 @@
 ---
 title: "Quickstart: ASP.NET Core web app that signs in users and calls Microsoft Graph | Azure"
 titleSuffix: Microsoft identity platform
-description: In this quickstart, you learn how an app leverages Microsoft.Identity.Web to implement Microsoft sign-in in an ASP.NET Core web app using OpenID Connect and calls Microsoft Graph
+description: Learn how an ASP.NET Core web app leverages Microsoft.Identity.Web to implement Microsoft sign-in using OpenID Connect and call Microsoft Graph
 services: active-directory
 author: jmprieur
 manager: CelesteDG
@@ -22,7 +22,7 @@ See [How the sample works](#how-the-sample-works) for an illustration.
 
 ## Prerequisites
 
-* [Visual Studio 2019](https://visualstudio.microsoft.com/vs/) or [Visual Studio Code](https://code.visualstudio.com/)
+* [Visual Studio](https://visualstudio.microsoft.com/vs/) or [Visual Studio Code](https://code.visualstudio.com/)
 * [.NET Core SDK 3.1+](https://dotnet.microsoft.com/download)
 
 ## Register and download your quickstart application
@@ -46,7 +46,7 @@ See [How the sample works](#how-the-sample-works) for an illustration.
 
 #### Step 2: Download the ASP.NET Core project
 
-[Download the ASP.NET Core solution](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/archive/aspnetcore3-1.zip)
+[Download the ASP.NET Core solution](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/archive/aspnetcore3-1-callsgraph.zip)
 
 [!INCLUDE [active-directory-develop-path-length-tip](../../../../../includes/active-directory-develop-path-length-tip.md)]
 
@@ -84,6 +84,7 @@ After consenting to the requested permissions, the app displays that you've succ
 
 :::image type="content" source="../../media/quickstart-v2-aspnet-core-webapp-calls-graph/webapp-02-signed-in.png" alt-text="Web browser displaying the running web app and the user signed in":::
 
+
 ## More information
 
 This section gives an overview of the code required to sign in users and call the Microsoft Graph API on their behalf. This overview can be useful to understand how the code works, main arguments, and also if you want to add sign-in to an existing ASP.NET Core application and call Microsoft Graph. It uses [Microsoft.Identity.Web](../../microsoft-identity-web.md), which is a wrapper around [MSAL.NET](../../msal-overview.md).

articles/active-directory/develop/includes/web-app/quickstart-aspnet-core.md

@@ -110,7 +110,7 @@ MSAL.NET is able to respond with an HTTP message when a token is received or in
 ```csharp
 var options = new SystemWebViewOptions() 
 {
-    HtmlMessageError = "<p> An error occured: {0}. Details {1}</p>",
+    HtmlMessageError = "<p> An error occurred: {0}. Details {1}</p>",
     BrowserRedirectSuccess = new Uri("https://www.microsoft.com");
 }
 

articles/active-directory/develop/msal-net-web-browsers.md

@@ -10,7 +10,7 @@ ms.subservice: develop
 ms.custom: aaddev
 ms.workload: identity
 ms.topic: reference
-ms.date: 01/04/2022
+ms.date: 03/04/2022
 ms.author: ryanwi
 ms.reviewer: paulgarn, ludwignick, jeedes, luleon
 ---
@@ -31,6 +31,10 @@ There are certain sets of claims that define how and when they're used in tokens
 | Basic claim set | Includes the claims that are emitted by default for tokens (in addition to the core claim set). You can [omit or modify basic claims](active-directory-claims-mapping.md#omit-the-basic-claims-from-tokens) by using the claims mapping policies. |
 | Restricted claim set | Can't be modified using policy. The data source cannot be changed, and no transformation is applied when generating these claims. |
 
+This section lists:
+- [Table 1: JSON Web Token (JWT) restricted claim set](#table-1-json-web-token-jwt-restricted-claim-set)
+- [Table 2: SAML restricted claim set](#table-2-saml-restricted-claim-set)
+
 ### Table 1: JSON Web Token (JWT) restricted claim set
 
 > [!NOTE]
@@ -175,6 +179,8 @@ There are certain sets of claims that define how and when they're used in tokens
 
 ### Table 2: SAML restricted claim set
 
+The following table lists the SAML claims that are by default in the restricted claim set.
+
 | Claim type (URI) |
 | ----- |
 |`http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged`|
@@ -200,8 +206,27 @@ There are certain sets of claims that define how and when they're used in tokens
 |`http://schemas.microsoft.com/ws/2008/06/identity/claims/role`|
 |`http://schemas.microsoft.com/ws/2008/06/identity/claims/wids`|
 |`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`|
-
-
+| `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname` |
+| `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` |
+| `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid` |
+| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid` |
+| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname` |
+| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`  |
+| `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` |
+
+These claims are restricted by default, but are not restricted if you [set the AcceptMappedClaims property](active-directory-claims-mapping.md#update-the-application-manifest) to `true` in your app manifest *or* have a [custom signing key](active-directory-claims-mapping.md#configure-a-custom-signing-key):
+
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname`
+
+These claims are restricted by default, but are not restricted if you have a [custom signing key](active-directory-claims-mapping.md#configure-a-custom-signing-key):
+
+ - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`
+ - `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`
+ 
 ## Claims mapping policy properties
 
 To control what claims are emitted and where the data comes from, use the properties of a claims mapping policy. If a policy is not set, the system issues tokens that include the core claim set, the basic claim set, and any [optional claims](active-directory-optional-claims.md) that the application has chosen to receive.