Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into outbound-art

Author: asudbring

.openpublishing.publish.config.json

@@ -807,6 +807,12 @@
       "branch": "master",
       "branch_mapping": {}
     },
+    {  
+      "path_to_root": "ms-identity-dotnetcore-b2c-account-management",
+      "url": "https://github.com/Azure-Samples/ms-identity-dotnetcore-b2c-account-management",
+      "branch": "master",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "msdocs-python-flask-webapp-quickstart",
       "url": "https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart",

articles/active-directory-b2c/conditional-access-user-flow.md

@@ -91,7 +91,7 @@ To add a Conditional Access policy, disable security defaults:
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
-1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
+1. Under **Azure services**, select **Azure Active Directory**. Or use the search box to find and select **Azure Active Directory**.
 1. Select **Properties**, and then select **Manage Security defaults**.
 
    ![Disable the security defaults](media/conditional-access-user-flow/disable-security-defaults.png)

articles/active-directory-b2c/microsoft-graph-operations.md

@@ -167,7 +167,7 @@ For more information about accessing Azure AD B2C audit logs, see [Accessing Azu
 When you want to manage Microsoft Graph, you can either do it as the application using the application permissions, or you can use delegated permissions. For delegated permissions, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource. Application permissions are used by apps that do not require a signed in user present and thus require application permissions. Because of this, only administrators can consent to application permissions.
 
 > [!NOTE]
-> Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph.
+> Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph API.
 ## Code sample: How to programmatically manage user accounts
 
 This code sample is a .NET Core console application that uses the [Microsoft Graph SDK](/graph/sdks/sdks-overview) to interact with Microsoft Graph API. Its code demonstrates how to call the API to programmatically manage users in an Azure AD B2C tenant.
@@ -212,46 +212,11 @@ The `RunAsync` method in the _Program.cs_ file:
 1. Initializes the auth provider using [OAuth 2.0 client credentials grant](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md) flow. With the client credentials grant flow, the app is able to get an access token to call the Microsoft Graph API.
 1. Sets up the Microsoft Graph service client with the auth provider:
 
-    ```csharp
-    // Read application settings from appsettings.json (tenant ID, app ID, client secret, etc.)
-    AppSettings config = AppSettingsFile.ReadFromJsonFile();
-
-    // Initialize the client credential auth provider
-    IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
-        .Create(config.AppId)
-        .WithTenantId(config.TenantId)
-        .WithClientSecret(config.ClientSecret)
-        .Build();
-    ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
-
-    // Set up the Microsoft Graph service client with client credentials
-    GraphServiceClient graphClient = new GraphServiceClient(authProvider);
-    ```
+:::code language="csharp" source="~/ms-identity-dotnetcore-b2c-account-management/src/Program.cs" id="ms_docref_set_auth_provider":::
 
 The initialized *GraphServiceClient* is then used in _UserService.cs_ to perform the user management operations. For example, getting a list of the user accounts in the tenant:
 
-```csharp
-public static async Task ListUsers(GraphServiceClient graphClient)
-{
-    Console.WriteLine("Getting list of users...");
-
-    // Get all users (one page)
-    var result = await graphClient.Users
-        .Request()
-        .Select(e => new
-        {
-            e.DisplayName,
-            e.Id,
-            e.Identities
-        })
-        .GetAsync();
-
-    foreach (var user in result.CurrentPage)
-    {
-        Console.WriteLine(JsonConvert.SerializeObject(user));
-    }
-}
-```
+:::code language="csharp" source="~/ms-identity-dotnetcore-b2c-account-management/src/Services/UserService.cs" id="ms_docref_get_list_of_user_accounts":::
 
 [Make API calls using the Microsoft Graph SDKs](/graph/sdks/create-requests) includes information on how to read and write information from Microsoft Graph, use `$select` to control the properties returned, provide custom query parameters, and use the `$filter` and `$orderBy` query parameters.
 

articles/active-directory-b2c/multi-factor-authentication.md

@@ -122,7 +122,7 @@ In Azure AD B2C, you can delete a user's TOTP authenticator app enrollment. Then
 1. In the left menu, select **Users**.
 1. Search for and select the user for which you want to delete TOTP authenticator app enrollment.
 1. In the left menu, select **Authentication methods**.
-1. Under **Usable authentication methods**, find **Software OATH token (Preview)**, and then select the 3-dot menu next to it. If you don't see this interface, select **Switch to the new user authentication methods experience! Click here to use it now** to switch to the new authentication methods experience.
+1. Under **Usable authentication methods**, find **Software OATH token (Preview)**, and then select the ellipsis menu next to it. If you don't see this interface, select the option to **"Switch to the new user authentication methods experience! Click here to use it now"** to switch to the new authentication methods experience.
 1. Select **Delete**, and then select **Yes** to confirm. 
 
 :::image type="content" source="media/multi-factor-authentication/authentication-methods.png" alt-text="User authentication methods":::
@@ -137,4 +137,4 @@ Learn how to [delete a user's Software OATH token authentication method](/graph/
 
 - Learn about the [TOTP display control](display-control-time-based-one-time-password.md) and [Azure AD MFA technical profile](multi-factor-auth-technical-profile.md)
 
-::: zone-end
+::: zone-end

articles/active-directory/external-identities/google-federation.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 02/24/2022
+ms.date: 03/02/2022
 
 ms.author: mimart
 author: msmimart
@@ -184,6 +184,9 @@ First, create a new project in the Google Developers Console to obtain a client
 
 1. You can leave your project at a publishing status of **Testing** and add test users to the OAuth consent screen. Or you can select the **Publish app** button on the OAuth consent screen to make the app available to any user with a Google Account.
 
+   > [!NOTE]
+   > In some cases, your app might require verification by Google (for example, if you update the application logo). For more information, see Google's [verification status help](https://support.google.com/cloud/answer/10311615#verification-status).
+
 ## Step 2: Configure Google federation in Azure AD 
 
 You'll now set the Google client ID and client secret. You can use the Azure portal or PowerShell to do so. Be sure to test your Google federation configuration by inviting yourself. Use a Gmail address and try to redeem the invitation with your invited Google account. 

articles/active-directory/external-identities/invite-internal-users.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 09/10/2021
+ms.date: 03/02/2022
 
 ms.author: mimart
 author: msmimart
@@ -37,15 +37,35 @@ Sending an invitation to an existing internal account lets you retain that user
 > In Azure AD Connect sync, there’s a default rule that writes the [onPremisesUserPrincipalName attribute](../hybrid/reference-connect-sync-attributes-synchronized.md#notes) to the user object. Because the presence of this attribute can prevent a user from signing in using external credentials, we block internal-to-external conversions for user objects with this attribute. If you’re using Azure AD Connect and you want to be able to invite internal users to B2B collaboration, you'll need to [modify the default rule](../hybrid/how-to-connect-sync-change-the-configuration.md) so the onPremisesUserPrincipalName attribute isn’t written to the user object.
 ## How to invite internal users to B2B collaboration
 
-You can use PowerShell or the invitation API to send a B2B invitation to the internal user. Make sure the email address you want to use for the invitation is set as the external email address on the internal user object.
+You can use the Azure portal, PowerShell, or the invitation API to send a B2B invitation to the internal user. Some things to note:
 
-- You must use the the email address in the User.Mail property for the invitation.
-- The domain in the user’s Mail property must match the account they’re using to sign in. Otherwise, some services such as Teams won't be able to authenticate the user.
+- Before you invite the user, make sure the `User.Mail` property of the internal user object (the user's **Email** property in the Azure portal) is set to the external email address they'll use for B2B collaboration.
 
-By default, the invitation will send the user an email letting them know they’ve been invited, but you can suppress this email and send your own instead.
+- When you invite the user, an invitation is sent to the user via email. If you're using PowerShell or the invitation API, you can suppress this email by setting `SendInvitationMessage` to `False`. Then you can notify the user in another way. [Learn more about the invitation API](customize-invitation-api.md).
 
-> [!NOTE]
-> To send your own email or other communication, you can use `New-AzureADMSInvitation` with `-SendInvitationMessage:$false` to invite users silently, and then send your own email message to the converted user. See [Azure AD B2B collaboration API and customization](customize-invitation-api.md).
+- When the user redeems the invitation, the account they're using must match the domain in the `User.Mail` property. Otherwise, some services, such as Teams, won't be able to authenticate the user.
+
+## Use the Azure portal to send a B2B invitation
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or User administrator account for the directory.
+1. Select the **Azure Active Directory** service.
+1. Select **Users**.
+1. Find the user in the list or use the search box. Then select the user.
+1. On the user's profile page, in the **Identity** section, select **Manage B2B collaboration**. 
+
+   ![Screenshot of the user profile](media/invite-internal-users/manage-b2b-collaboration-link.png)
+
+   > [!NOTE]
+   > If you see **Invitation accepted** instead of **Manage B2B collaboration**, the user has already been invited to use external credentials for B2B collaboration.
+
+1. Next to **Invite internal user to B2B collaboration?** select **Yes**, and then select **Done**. 
+
+   ![Screenshot showing the invite internal user radio button](media/invite-internal-users/invite-internal-user-selector.png)
+
+   > [!NOTE]
+   > If the option is unavailable, make sure the user's **Email** property is set to the external email address they should use for B2B collaboration.
+
+1. A confirmation message appears and an invitation is sent to the user via email. The user is then able to redeem the invitation using their external credentials.
 
 ## Use PowerShell to send a B2B invitation
 

articles/active-directory/external-identities/media/invite-internal-users/invite-internal-user-selector.png

@@ -14,7 +14,7 @@ ms.topic: overview
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 11/12/2021
+ms.date: 03/02/2022
 ms.author: markvi
 ms.reviewer: tspring  
 

articles/active-directory/external-identities/media/invite-internal-users/manage-b2b-collaboration-link.png

@@ -0,0 +1,61 @@
+---
+title: Azure Active Directory recommendation - Integrate third party apps with Azure AD | Microsoft Docs
+description: Learn why you should integrate third party apps with Azure AD
+services: active-directory
+documentationcenter: ''
+author: MarkusVi
+manager: karenhoran
+editor: ''
+
+ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e
+ms.service: active-directory
+ms.topic: reference
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.subservice: report-monitor
+ms.date: 03/02/2022
+ms.author: markvi
+ms.reviewer: hafowler
+
+ms.collection: M365-identity-device-management
+---
+
+# Azure AD recommendation: Integrate your third party apps 
+
+[Azure AD recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.
+
+This article covers the recommendation to integrate third party apps. 
+
+
+## Description
+
+As an Azure AD admin responsible for managing applications, you want to use the Azure AD security features with your third party apps. Integrating these apps into Azure AD enables:
+
+- You to use one unified method to manage access to your third party apps.
+- Your users to benefit from using single sign-on to access all your apps with a single password.
+
+
+## Logic 
+
+If Azure AD determines that none of your users are using Azure AD to authenticate to your third party apps, this recommendation shows up.
+
+## Value 
+
+Integrating third party apps with Azure AD allows you to use Azure AD's security features.
+The integration:
+- Improves the productivity of your users.
+
+- Lowers your app management cost.
+
+You can then add an extra security layer by using conditional access to control how your users can access your apps.
+
+## Action plan
+
+1. Review the configuration of your apps. 
+2. For each app that isn't integrated into Azure AD yet, verify whether an integration is possible.
+ 
+
+## Next steps
+
+- [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md)
+- [Azure AD reports overview](overview-reports.md)