Merge pull request #264345 from MicrosoftDocs/main

1/26/2024 AM Publish

Author: Taojunshen

articles/active-directory-b2c/analytics-with-application-insights.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.topic: how-to
 
-ms.date: 01/11/2024
+ms.date: 01/26/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
@@ -38,6 +38,8 @@ In Azure Active Directory B2C (Azure AD B2C), you can send event data directly t
 - Measure performance.
 - Create notifications from Application Insights.
 
+[!INCLUDE [active-directory-b2c-limited-to-custom-policy](../../includes/active-directory-b2c-public-preview.md)]
+
 ## Overview
 
 To enable custom event logs, add an Application Insights technical profile. In the technical profile, you define the Application Insights instrumentation key, the event name, and the claims to record. To post an event, add the technical profile as an orchestration step in a [user journey](userjourneys.md).
@@ -183,11 +185,13 @@ Open the *TrustFrameworkExtensions.xml* file from the starter pack. Add the tech
 
 ## Add the technical profiles as orchestration steps
 
-Add new orchestration steps that refer to the technical profiles.
+Add new orchestration steps that refer to the technical profiles.  
 
 > [!IMPORTANT]
 > After you add the new orchestration steps, renumber the steps sequentially without skipping any integers from 1 to N.
 
+1. Identify the policy file that contains your user journey, such as `SocialAndLocalAccounts/SignUpOrSignin.xml`, then open it.
+
 1. Call `AppInsights-SignInRequest` as the second orchestration step. This step tracks that a sign-up or sign-in request has been received.
 
    ```xml
@@ -199,10 +203,12 @@ Add new orchestration steps that refer to the technical profiles.
    </OrchestrationStep>
    ```
 
-1. Before the `SendClaims` orchestration step, add a new step that calls `AppInsights-UserSignup`. It's triggered when the user selects the sign-up button in a sign-up or sign-in journey.
+1. Before the `SendClaims` orchestration step, add a new step that calls `AppInsights-UserSignup`. It's triggered when the user selects the sign-up button in a sign-up or sign-in journey. You may need to update the orchestration step, `Order="8"`,to make sure you don't skip any integer from the first to the last orchestration step. 
 
    ```xml
-   <!-- Handles the user selecting the sign-up link in the local account sign-in page -->
+   <!-- Handles the user selecting the sign-up link in the local account sign-in page 
+    The `SendClaims` orchestration step comes after this one,
+    -->
    <OrchestrationStep Order="8" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
@@ -221,10 +227,12 @@ Add new orchestration steps that refer to the technical profiles.
    </OrchestrationStep>
    ```
 
-1. After the `SendClaims` orchestration step, call `AppInsights-SignInComplete`. This step shows a successfully completed journey.
+1. After the `SendClaims` orchestration step, call `AppInsights-SignInComplete`. This step shows a successfully completed journey. You may need to update the orchestration step, `Order="10"`, to make sure you don't skip any integer from the first to the last orchestration step. 
 
    ```xml
-   <!-- Track that we have successfully sent a token -->
+   <!-- Track that we have successfully sent a token 
+    The `SendClaims` orchestration step come before this one,
+    -->
    <OrchestrationStep Order="10" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="TrackSignInComplete" TechnicalProfileReferenceId="AppInsights-SignInComplete" />

articles/active-directory-b2c/b2clogin.md

@@ -9,12 +9,12 @@ manager: CelesteDG
 ms.service: active-directory
 
 ms.topic: how-to
-ms.date: 01/11/2024
+ms.date: 01/26/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 
 
-#Customer intent: As an Azure AD B2C application developer, I want to update the redirect URLs in my identity provider's applications to reference b2clogin.com or a custom domain, so that I can authenticate users with Azure AD B2C using the updated endpoints and policies.
+#Customer intent: As an Azure AD B2C application developer, I want to update the redirect URLs in my identity provider's applications to reference b2clogin.com or a custom domain, so that I can authenticate users with Azure AD B2C using the updated endpoints.
 
 ---
 
@@ -27,17 +27,18 @@ When you set up an identity provider for sign-up and sign-in in your Azure Activ
 The transition to b2clogin.com only applies to authentication endpoints that use Azure AD B2C policies (user flows or custom policies) to authenticate users. These endpoints have a `<policy-name>` parameter, which specifies the policy Azure AD B2C should use. [Learn more about Azure AD B2C policies](technical-overview.md#identity-experiences-user-flows-or-custom-policies). 
 
 Old endpoints may look like:
-- <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code>
-- <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize<b>?p=\<policy-name\></b></code>
+- <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code> or <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize<b>?p=\<policy-name\></b></code> for `/authorize` endpoint.
+- <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/logout</code> or <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/logout<b>?p=\<policy-name\></b></code> for `/logout` endpoint.
 
-A corresponding updated endpoint would look like:
-- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code>
-- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code>
+A corresponding updated endpoint would look similar to the following endpoints:
+- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code> or  <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code> for the `/authorize` endpoint.
+- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/logout</code> or <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/logout?<b>p=\<policy-name\></b></code> for the `/logout` endpoint.
 
-With Azure AD B2C [custom domain](./custom-domain.md) the corresponding updated endpoint would look like:
 
-- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code>
-- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code>
+With Azure AD B2C [custom domain](./custom-domain.md) the corresponding updated endpoint would look similar to the following endpoints. You can use either of these endpoints:
+
+- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code> or <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code> for the `/authorize` endpoint.
+- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/logout</code> or <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/logout?<b>p=\<policy-name\></b></code> for the `/logout` endpoint.
 
 ## Endpoints that are not affected
 
@@ -49,6 +50,12 @@ This change doesn't affect all endpoints, which don't contain a policy parameter
 https://login.microsoftonline.com/<tenant-name>.onmicrosoft.com/oauth2/v2.0/token
 ```
 
+However, if you only want to obtain a token to authenticate users, then you can specify the policy that your application wishes to use to authenticate users. In this case, the updated `/token` endpoints  would look similar to the following examples.
+
+- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/token</code> or  <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/token?<b>p=\<policy-name\></b></code> when you use *b2clogin.com*. 
+
+-  <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/token</code> or <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/token?<b>p=\<policy-name\></b></code> when you use a custom domain.
+
 ## Overview of required changes
 
 There are several modifications you might need to make to migrate your applications from *login.microsoftonline.com* using Azure AD B2C endpoints:
@@ -149,4 +156,4 @@ For migrating Azure API Management APIs protected by Azure AD B2C, see the [Migr
 [msal-dotnet]: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
 [msal-dotnet-b2c]: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics
 [msal-js]: https://github.com/AzureAD/microsoft-authentication-library-for-js
-[msal-js-b2c]: ../active-directory/develop/msal-b2c-overview.md
+[msal-js-b2c]: ../active-directory/develop/msal-b2c-overview.md

articles/active-directory-b2c/custom-domain.md

@@ -6,7 +6,7 @@ author: kengaderdus
 manager: CelesteDG
 ms.service: active-directory
 ms.topic: how-to
-ms.date: 01/11/2024
+ms.date: 01/26/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -267,8 +267,8 @@ In the following redirect URI:
 https://<custom-domain-name>/<tenant-name>/oauth2/authresp
 ``` 
 
-- Replace **&lt;custom-domain-name&gt;** with your custom domain name.
-- Replace **&lt;tenant-name&gt;** with the name of your tenant, or your tenant ID.
+- Replace &lt;`custom-domain-name`&gt; with your custom domain name.
+- Replace &lt;`tenant-name`&gt; with the name of your tenant, or your tenant ID.
 
 The following example shows a valid OAuth redirect URI:
 
@@ -295,9 +295,9 @@ The custom domain integration applies to authentication endpoints that use Azure
 - <code>https://\<custom-domain\>/<tenant-name\>/<b>\<policy-name\></b>/oauth2/v2.0/token</code>
 
 Replace:
-- **custom-domain** with your custom domain
-- **tenant-name** with your tenant name or tenant ID
-- **policy-name** with your policy name.
+- &lt;`custom-domain`&gt; with your custom domain
+- &lt;`tenant-name`&gt; with your tenant name or tenant ID
+- &lt;`policy-name`&gt; with your policy name.
 
 The [SAML service provider](./saml-service-provider.md) metadata may look like the following sample: 
 

articles/active-directory-b2c/troubleshoot-with-application-insights.md

@@ -6,7 +6,7 @@ author: kengaderdus
 manager: CelesteDG
 ms.service: active-directory
 ms.topic: troubleshooting
-ms.date: 01/11/2024
+ms.date: 01/22/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
@@ -27,6 +27,8 @@ zone_pivot_groups: b2c-policy-type
 
 ::: zone pivot="b2c-custom-policy"
 
+[!INCLUDE [active-directory-b2c-limited-to-custom-policy](../../includes/active-directory-b2c-public-preview.md)]
+
 This article provides steps for collecting logs from Active Directory B2C (Azure AD B2C) so that you can diagnose problems with your custom policies. Application Insights provides a way to diagnose exceptions and visualize application performance issues. Azure AD B2C includes a feature for sending data to Application Insights.
 
 The detailed activity logs described here should be enabled **ONLY** during the development of your custom policies.
@@ -176,7 +178,7 @@ After you save the settings, the Application insights logs appear on the **Azure
 
 ## Configure Application Insights in Production
 
-To improve your production environment performance and better user experience, it's important to configure your policy to ignore messages that are unimportant. Use the following configuration in production environments and no logs are sent to your application insights.
+To improve your production environment performance and better user experience, it's important to configure your policy to ignore messages that are unimportant. You also need to make sure that you don't log Personally Identifiable Information (PII). Use the following configuration in production environments and no logs are sent to your application insights.
 
 1. Set the `DeploymentMode` attribute of the [TrustFrameworkPolicy](trustframeworkpolicy.md) to `Production`. 
 

articles/active-directory-b2c/trustframeworkpolicy.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 
 ms.topic: reference
-ms.date: 01/11/2024
+ms.date: 01/23/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 
@@ -75,6 +75,8 @@ The **TrustFrameworkPolicy** element contains the following elements:
 
 To inherit a policy from another policy, a **BasePolicy** element must be declared under the **TrustFrameworkPolicy** element of the policy file. The **BasePolicy** element is a reference to the base policy from which this policy is derived.
 
+[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-custom-policy-occurrence.md)]
+
 The **BasePolicy** element contains the following elements:
 
 | Element | Occurrences | Description |

articles/active-directory-b2c/view-audit-logs.md

@@ -9,18 +9,20 @@ manager: CelesteDG
 ms.service: active-directory
 ms.topic: how-to
 
-ms.date: 01/11/2024
+ms.date: 01/22/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: fasttrack-edit
 
 
-#Customer intent: As an Azure AD B2C administrator, I want to access and view the audit logs for my B2C tenant, so that I can monitor activity, track user sign-ins, and troubleshoot any issues related to B2C resources and applications.
+#Customer intent: As an Azure AD B2C administrator, I want to access and view the audit logs for my Azure AD B2C tenant, so that I can monitor activity, track user sign-ins, and troubleshoot any issues related to B2C resources and applications.
 
 ---
 
 # Accessing Azure AD B2C audit logs
 
+[!INCLUDE [active-directory-b2c-limited-to-custom-policy](../../includes/active-directory-b2c-public-preview.md)]
+
 Azure Active Directory B2C (Azure AD B2C) emits audit logs containing activity information about B2C resources, tokens issued, and administrator access. This article provides a brief overview of the information available in audit logs and instructions on how to access this data for your Azure AD B2C tenant.
 
 Audit log events are only retained for **seven days**. Plan to download and store your logs using one of the methods shown below if you require a longer retention period.

articles/ai-services/openai/concepts/gpt-with-vision.md

@@ -20,29 +20,34 @@ To try out GPT-4 Turbo with Vision, see the [quickstart](/azure/ai-services/open
 
 The GPT-4 Turbo with Vision model answers general questions about what's present in the images or videos you upload.
 
-
 ## Enhancements
 
 Enhancements let you incorporate other Azure AI services (such as Azure AI Vision) to add new functionality to the chat-with-vision experience.
 
 **Object grounding**: Azure AI Vision complements GPT-4 Turbo with Vision’s text response by identifying and locating salient objects in the input images. This lets the chat model give more accurate and detailed responses about the contents of the image.
 
+> [!IMPORTANT]
+> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.
+
 :::image type="content" source="../media/concepts/gpt-v/object-grounding.png" alt-text="Screenshot of an image with object grounding applied. Objects have bounding boxes with labels.":::
 
 :::image type="content" source="../media/concepts/gpt-v/object-grounding-response.png" alt-text="Screenshot of a chat response to an image prompt about an outfit. The response is an itemized list of clothing items seen in the image.":::
 
 **Optical Character Recognition (OCR)**: Azure AI Vision complements GPT-4 Turbo with Vision by providing high-quality OCR results as supplementary information to the chat model. It allows the model to produce higher quality responses for images with dense text, transformed images, and numbers-heavy financial documents, and increases the variety of languages the model can recognize in text.
 
+> [!IMPORTANT]
+> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.
+
 :::image type="content" source="../media/concepts/gpt-v/receipts.png" alt-text="Photo of several receipts.":::
 
 :::image type="content" source="../media/concepts/gpt-v/ocr-response.png" alt-text="Screenshot of the JSON response of an OCR call.":::
 
 **Video prompt**: The **video prompt** enhancement lets you use video clips as input for AI chat, enabling the model to generate summaries and answers about video content. It uses Azure AI Vision Video Retrieval to sample a set of frames from a video and create a transcript of the speech in the video.
 
-In order to use the video prompt enhancement, you need both an Azure AI Vision resource and an Azure Video Indexer resource, in addition to your Azure OpenAI resource.
-
 > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RW1eHRf]
 
+> [!NOTE]
+> In order to use the video prompt enhancement, you need both an Azure AI Vision resource and an Azure Video Indexer resource, in the paid (S0) tier, in addition to your Azure OpenAI resource.
 
 ## Special pricing information
 

articles/ai-services/openai/concepts/models.md

@@ -107,10 +107,16 @@ See [model versions](../concepts/model-versions.md) to learn about how Azure Ope
 
 ### GPT-4 and GPT-4 Turbo Preview model availability
 
-| Model Availability | gpt-4 (0314) | gpt-4 (0613) | gpt-4 (1106-preview) | gpt-4 (vision-preview) | 
-|---|:---|:---|:---|:---|
-| Available to all subscriptions with Azure OpenAI access | | Australia East <br> Canada East <br> France Central <br> Sweden Central <br> Switzerland North | Australia East <br> Canada East <br> East US 2 <br> France Central <br> Norway East <br> South India <br> Sweden Central <br> UK South <br> West US | Sweden Central <br> Switzerland North <br> West US | 
-| Available to subscriptions with current access to the model version in the region | East US <br> France Central <br> South Central US <br> UK South | East US <br> East US 2 <br> Japan East <br> UK South | | Australia East |
+   
+| Model | Regions where model is available to all subscriptions with Azure OpenAI access | Regions where model is available only to subscriptions with previous access to that model/region |  
+|---|:---|:---|  
+| gpt-4 (0314) | | East US <br> France Central <br> South Central US <br> UK South |  
+| gpt-4 (0613) | Australia East <br> Canada East <br> France Central <br> Sweden Central <br> Switzerland North | East US <br> East US 2 <br> Japan East <br> UK South |  
+| gpt-4 (1106-preview) | Australia East <br> Canada East <br> East US 2 <br> France Central <br> Norway East <br> South India <br> Sweden Central <br> UK South <br> West US | |  
+| gpt-4 (vision-preview) |   | Sweden Central <br> Switzerland North<br>Australia East <br> West US |  
+
+> [!NOTE]
+> As a temporary measure, GPT-4 Turbo with Vision is currently unavailable to new customers.
 
 ### GPT-3.5 models
 

articles/ai-services/openai/gpt-v-quickstart.md

@@ -27,6 +27,12 @@ zone_pivot_groups: openai-quickstart-gpt-v
 
 ::: zone-end
 
+::: zone pivot="programming-language-python"
+
+[!INCLUDE [Python quickstart](includes/gpt-v-python.md)]
+
+::: zone-end
+
 ## Next steps
 
 * Learn more about these APIs in the [GPT-4 Turbo with Vision how-to guide](./gpt-v-quickstart.md)