Merge pull request #217049 from MicrosoftDocs/main

11/03 AM Publish

Author: huypub

articles/active-directory-b2c/api-connector-samples.md

@@ -6,7 +6,7 @@ author: kengaderdus
 manager: CelesteDG
 
 ms.author: kengaderdus
-ms.date: 07/16/2021
+ms.date: 11/03/2022
 ms.custom: mvc
 ms.topic: sample
 ms.service: active-directory

articles/active-directory-b2c/identity-provider-azure-ad-single-tenant.md

@@ -81,7 +81,7 @@ If you want to get the `family_name` and `given_name` claims from Azure AD, you
 1. Select **Add optional claim**.
 1. For the **Token type**, select **ID**.
 1. Select the optional claims to add, `family_name` and `given_name`.
-1. Select **Add**. If **Turn on the Microsoft Graph email permission (required for claims to appear in token)** appears, enable it, and then select **Add** again.
+1. Select **Add**. If **Turn on the Microsoft Graph profile permission (required for claims to appear in token)** appears, enable it, and then select **Add** again.
 
 ## [Optional] Verify your app authenticity
 

articles/active-directory-b2c/sign-in-options.md

@@ -1,15 +1,15 @@
 ---
 title: Sign-in options supported by Azure AD B2C
 titleSuffix: Azure AD B2C
-description: Learn about the options for sign-up and sign-in you can use with Azure Active Directory B2C, including username and password, email, phone, or federation with social or external identity providers.
+description: Learn about the sign-up and sign-in options you can use with Azure Active Directory B2C, including username and password, email, phone, or federation with social or external identity providers.
 services: active-directory-b2c
 author: kengaderdus
 manager: CelesteDG
 
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 05/10/2021
+ms.date: 11/03/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 

articles/active-directory-b2c/user-flow-overview.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 04/08/2021
+ms.date: 11/03/2022
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -23,7 +23,7 @@ In Azure AD B2C, there are two ways to provide identity user experiences:
 
 * **User flows** are predefined, built-in, configurable policies that we provide so you can create sign-up, sign-in, and policy editing experiences in minutes.
 
-* **Custom policies** enable you to create your own user journeys for complex identity experience scenarios.
+* **Custom policies** enable you to create your own user journeys for complex identity experience scenarios that are not supported by user flows. Azure AD B2C uses custom policies to provide extensibility.
 
 The following screenshot shows the user flow settings UI, versus custom policy configuration files.
 
@@ -64,7 +64,7 @@ Each user journey is defined by a policy. You can build as many or as few polici
 
 ![Diagram showing an example of a complex user journey enabled by IEF](media/user-flow-overview/custom-policy-diagram.png)
 
-A custom policy is defined by several XML files that refer to each other in a hierarchical chain. The XML elements define the claims schema, claims transformations, content definitions, claims providers, technical profiles, user journey orchestration steps, and other aspects of the identity experience.
+A custom policy is defined by multiple XML files that refer to each other in a hierarchical chain. The XML elements define the claims schema, claims transformations, content definitions, claims providers, technical profiles, user journey orchestration steps, and other aspects of the identity experience.
 
 The powerful flexibility of custom policies is most appropriate for when you need to build complex identity scenarios. Developers configuring custom policies must define the trusted relationships in careful detail to include metadata endpoints, exact claims exchange definitions, and configure secrets, keys, and certificates as needed by each identity provider.
 

articles/active-directory-b2c/user-migration.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 04/27/2021
+ms.date: 11/03/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -64,7 +64,7 @@ After pre migration of the accounts is complete, your custom policy and REST API
 
 To see an example custom policy and REST API, see the [seamless user migration sample](https://aka.ms/b2c-account-seamless-migration) on GitHub.
 
-![Flowchart diagram of the seamless migration approach to user migration](./media/user-migration/diagram-01-seamless-migration.png)<br />*Diagram: Seamless migration flow*
+:::image type="content" source="./media/user-migration/diagram-01-seamless-migration.png" alt-text="Flowchart diagram of the seamless migration approach to user migration":::
 
 ## Security
 
@@ -76,10 +76,10 @@ The seamless migration approach uses your own custom REST API to validate a user
 
 Not all information in the legacy identity provider should be migrated to your Azure AD B2C directory. Identify the appropriate set of user attributes to store in Azure AD B2C before migrating.
 
-- **DO** store in Azure AD B2C
+- **DO** store in Azure AD B2C:
   - Username, password, email addresses, phone numbers, membership numbers/identifiers.
   - Consent markers for privacy policy and end-user license agreements.
-- **DO NOT** store in Azure AD B2C
+- **DON'T** store in Azure AD B2C:
   - Sensitive data like credit card numbers, social security numbers (SSN), medical records, or other data regulated by government or industry compliance bodies.
   - Marketing or communication preferences, user behaviors, and insights.
 

articles/active-directory/app-proxy/toc.yml

@@ -12,6 +12,8 @@
       href: ../saas-apps/tutorial-list.md
     - name: Add an on-premises app with Application Proxy
       href: application-proxy-add-on-premises-application.md
+    - name: Configure Application Proxy - Microsoft Graph
+      href: /graph/application-proxy-configure-api?toc=/azure/active-directory/app-proxy/toc.json&bc=/azure/active-directory/app-proxy/breadcrumb/toc.json
   - name: Samples
     expanded: false
     items: 

articles/active-directory/authentication/concept-certificate-based-authentication-mobile-android.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 10/05/2022
+ms.date: 10/27/2022
 
 ms.author: justinha
 author: vimrang
@@ -61,6 +61,107 @@ Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are
 
 To determine if your email application supports Azure AD CBA, contact your application developer.
 
+## Support for certificates on hardware security key (preview)
+
+Certificates can be provisioned in external devices like hardware security keys along with a PIN to protect private key access. Azure AD supports CBA with YubiKey.  
+
+### Advantages of certificates on hardware security key 
+
+Security keys with certificates:  
+
+- Has the roaming nature of security key, which allows users to use the same certificate on different devices 
+- Are hardware-secured with a PIN, which makes them phishing-resistant 
+- Provide multifactor authentication with a PIN as second factor to access the private key of the certificate 
+- Satisfy the industry requirement to have MFA on separate device 
+- Help in future proofing where multiple credentials can be stored including Fast Identity Online 2 (FIDO2) keys. 
+
+### Azure AD CBA on Android mobile 
+
+Android needs a middleware application to be able to support smartcard or security keys with certificates. To support YubiKeys with Azure AD CBA, YubiKey Android SDK has been integrated into the Microsoft broker code which can be leveraged through the latest MSAL 
+
+### Azure AD CBA on Android mobile with YubiKey 
+
+Since Azure AD CBA with YubiKey on Android mobile is enabled via the latest MSAL, YubiKey Authenticator app is not a requirement for Android support. 
+
+Steps to test YubiKey on Microsoft apps on Android: 
+
+1. Install the latest Microsoft Authenticator app.
+1. Open Outlook and plug in your YubiKey. 
+1. Select **Add account** and enter your user principal name (UPN).
+1. Click **Continue**. A dialog should immediately pop up asking for permission to access your YubiKey. Click **OK**. 
+1. Select **Use Certificate or smart card**. A custom certificate picker will appear. 
+1. Select the certificate associated with the user’s account. Click **Continue**. 
+1. Enter the PIN to access YubiKey and select **Unlock**. 
+
+The user should be successfully logged in and redirected to the Outlook homepage. 
+
+>[!NOTE]
+>For a smooth CBA flow, plug in YubiKey as soon as the application is opened and accept the consent dialog from YubiKey before selecting the link **Use Certificate or smart card**. 
+
+### Troubleshoot certificates on hardware security key
+
+#### What will happen if the user has certificates both on the Android device and YubiKey? 
+
+- If the user has certificates both on the android device and YubiKey, then if the YubiKey is plugged in before user clicks **Use Certificate or smart card**, the user will be shown the certificates in the YubiKey.  
+- If the YubiKey is not plugged in before user clicks **Use Certificate or smart card**, the user will be shown all the certificates on the device. The user can **Cancel** the certificate picker, plug in the YubiKey, and restart the CBA process with YubiKey. 
+
+#### My YubiKey is locked after incorrectly typing PIN three times. How do I fix it? 
+
+- Users should see a dialog informing you that too many PIN attempts have been made. This dialog also pops up during subsequent attempts to select **Use Certificate or smart card**.
+- [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) can reset a YubiKey’s PIN. 
+
+#### I have installed Microsoft authenticator but still do not see an option to do Certificate based authentication with YubiKey 
+
+Before installing Microsoft Authenticator, uninstall Company Portal and install it after Microsoft Authenticator installation. 
+
+#### Does Azure AD CBA support YubiKey via NFC? 
+
+This feature currently only supports using YubiKey with USB and not NFC. We are working to add support for NFC. 
+
+#### Once CBA fails, clicking on the CBA option again in the ‘Other ways to signin’ link on the error page fails. 
+
+This issue happens because of certificate caching. We are working to add a fix to clear the cache. As a workaround, clicking cancel and restarting the login flow will let the user choose a new certificate and successfully login. 
+
+#### Azure AD CBA with YubiKey is failing. What information would help debug the issue? 
+
+1. Open Microsoft Authenticator app, click the three dots icon in the top right corner and select **Send Feedback**.
+1. Click **Having Trouble?**.
+1. For **Select an option**, select **Add or sign into an account**. 
+1. Describe any details you want to add. 
+1. Click the send arrow in the top right corner. Note the code provided in the dialog that appears. 
+
+### Known Issues 
+
+- Sometimes, plugging in the YubiKey and providing permission via the permission dialog and clicking **Use Certificate or smart card** will still take the user to on-device CBA picker pop up (instead of the smart card CBA picker). The user will need to cancel out of the picker, unplug their key, and re-plugin their key before attempting to sign in again.  
+- With the Most Recently Used (MRU) feature, once a user uses CBA for authentication, MRU auth method will be set to CBA. Since the user will be directly taken into CBA flow, there may not be enough time for the user to accept the Android USB consent dialog. As a workaround user needs to remove and re-plugin the YubiKey, accept the consent dialog from YubiKey then click the back button and try again to complete CBA authentication flow.  
+- Azure AD CBA with YubiKey on latest Outlook and Teams fail at times. This could be due to a keyboard configuration change when the YubiKey is plugged in. This can be solved by:
+  - Plug in YubiKey as soon as the application is opened.  
+  - Accept the consent dialog from YubiKey before selecting the link **Use Certificate or smart card**. 
+
+### Supported platforms
+
+- Applications using the latest Microsoft Authentication Library (MSAL) or Microsoft Authenticator can do CBA 
+- Microsoft first-party apps with latest MSAL libraries or Microsoft Authenticator can do CBA 
+
+#### Supported operating systems
+
+|Operating system | Certificate on-device/Derived PIV |    Smart cards        |
+|:----------------|:---------------------------------:|:---------------------:|
+| Android         | ✅                          | Supported vendors only|
+
+#### Supported browsers
+
+|Operating system | Chrome certificate on-device | Chrome smart card | Safari certificate on-device | Safari smart card | Edge certificate on-device | Edge smart card |
+|:----------------|:---------------------------------:|:---------------------:|:---------------------------------:|:---------------------:|:---------------------------------:|:---------------------:|
+| Android             |  ✅                          | ❌|N/A                          | N/A |  ❌                          | ❌|
+
+### Security key providers
+
+|Provider            |                  Android           |
+|:-------------------|:------------------------------:|
+| YubiKey            |              ✅          | 
+
+
 ## Next steps
 
 - [Overview of Azure AD CBA](concept-certificate-based-authentication.md)