Merge pull request #244997 from MicrosoftDocs/main

Publish to live, Friday 4 AM PST, 7/14

Author: ttorble

.openpublishing.redirection.azure-kubernetes-service.json

@@ -9,6 +9,11 @@
             "source_path_from_root": "/articles/aks/cilium-enterprise-marketplace.md",
             "redirect_url": "/azure/aks/azure-cni-powered-by-cilium",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/aks/web-app-routing.md",
+            "redirect_url": "/azure/aks/app-routing",
+            "redirect_document_id": false
         }
     ]
 }

articles/active-directory-b2c/best-practices.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 05/29/2023
+ms.date: 07/13/2023
 ms.subservice: B2C
 ---
 
@@ -40,7 +40,7 @@ Define your application and service architecture, inventory current systems, and
 | Move on-premises dependencies to the cloud | To help ensure a resilient solution, consider moving existing application dependencies to the cloud. |
 | Migrate existing apps to b2clogin.com | The deprecation of login.microsoftonline.com will go into effect for all Azure AD B2C tenants on 04 December 2020. [Learn more](b2clogin.md). |
 | Use Identity Protection and Conditional Access | Use these capabilities for significantly greater control over risky authentications and access policies. Azure AD B2C Premium P2 is required. [Learn more](conditional-access-identity-protection-overview.md). |
-|Tenant size | You need to plan with Azure AD B2C tenant size in mind. By default, Azure AD B2C tenant can accommodate 1.25 million objects (user accounts and applications). You can increase this limit to 5.25 million objects by adding a custom domain to your tenant, and verifying it. If you need a bigger tenant size, you need to contact [Support](find-help-open-support-ticket.md).|
+|Tenant size | You need to plan with Azure AD B2C tenant size in mind. By default, Azure AD B2C tenant can accommodate 1 million objects (user accounts and applications). You can increase this limit to 5 million objects by adding a custom domain to your tenant, and verifying it. If you need a bigger tenant size, you need to contact [Support](find-help-open-support-ticket.md).|
 | Use Identity Protection and Conditional Access | Use these capabilities for greater control over risky authentications and access policies. Azure AD B2C Premium P2 is required. [Learn more](conditional-access-identity-protection-overview.md). |
 
 ## Implementation

articles/active-directory-b2c/faq.yml

@@ -8,7 +8,7 @@ metadata:
   ms.service: active-directory
   ms.workload: identity
   ms.topic: faq
-  ms.date: 06/23/2023
+  ms.date: 07/13/2023
   ms.author: godonnell
   ms.subservice: B2C
   ms.custom: "b2c-support"
@@ -59,7 +59,7 @@ sections:
       - question: |
           How many users can an Azure AD B2C tenant accommodate?
         answer: |
-          - By default, each tenant can accommodate a total of **1.25 million** objects (user accounts and applications), but you can increase this limit to **5.25 million** objects when you [add and verify a custom domain](custom-domain.md). If you want to increase this limit, please contact [Microsoft Support](find-help-open-support-ticket.md). However, if you created your tenant before **September 2022**, this limit doesn't affect you, and your tenant will retain the size allocated to it at creation, that's, **50 million** objects. 
+          - By default, each tenant can accommodate a total of **1 million** objects (user accounts and applications), but you can increase this limit to **5 million** objects when you [add and verify a custom domain](custom-domain.md). If you want to increase this limit, please contact [Microsoft Support](find-help-open-support-ticket.md). However, if you created your tenant before **September 2022**, this limit doesn't affect you, and your tenant will retain the size allocated to it at creation, that's, **50 million** objects. 
       - question: |
           Which social identity providers do you support now? Which ones do you plan to support in the future?
         answer: |

articles/active-directory-b2c/tutorial-create-tenant.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 06/23/2023
+ms.date: 07/13/2023
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -30,7 +30,7 @@ Before you create your Azure AD B2C tenant, you need to take the following consi
 
 - You can create up to **20** tenants per subscription. This limit help protect against threats to your resources, such as denial-of-service attacks, and is enforced in both the Azure portal and the underlying tenant creation API. If you want to increase this limit, please contact [Microsoft Support](find-help-open-support-ticket.md). 
 
-- By default, each tenant can accommodate a total of **1.25 million** objects (user accounts and applications), but you can increase this limit to **5.25 million** objects when you add and verify a custom domain. If you want to increase this limit, please contact [Microsoft Support](find-help-open-support-ticket.md). However, if you created your tenant before **September 2022**, this limit doesn't affect you, and your tenant will retain the size allocated to it at creation, that's, **50 million** objects. Learn how to [read your tenant usage](microsoft-graph-operations.md#tenant-usage).  
+- By default, each tenant can accommodate a total of **1 million** objects (user accounts and applications), but you can increase this limit to **5 million** objects when you add and verify a custom domain. If you want to increase this limit, please contact [Microsoft Support](find-help-open-support-ticket.md). However, if you created your tenant before **September 2022**, this limit doesn't affect you, and your tenant will retain the size allocated to it at creation, that's, **50 million** objects. Learn how to [read your tenant usage](microsoft-graph-operations.md#tenant-usage).  
 
 - If you want to reuse a tenant name that you previously tried to delete, but you see the error "Already in use by another directory" when you enter the domain name, you'll need to [follow these steps to fully delete the tenant](./faq.yml?tabs=app-reg-ga#how-do-i-delete-my-azure-ad-b2c-tenant-) before you try again. You require a role of at least *Subscription Administrator*. After deleting the tenant, you might also need to sign out and sign back in before you can reuse the domain name.
 

articles/active-directory/external-identities/customers/sample-daemon-dotnet-call-api.md

@@ -0,0 +1,156 @@
+---
+title: Call an API in a sample .NET daemon application
+description: Learn how to configure a sample .NET daemon application that calls an API protected with Azure Active Directory (Azure AD) for customers
+services: active-directory
+author: SHERMANOUKO
+manager: mwongerapk
+
+ms.author: shermanouko
+ms.service: active-directory
+ms.subservice: ciam
+ms.topic: sample
+ms.date: 07/13/2023
+
+#Customer intent: As a dev, devops, I want to configure a sample .NET daemon application that calls an API protected by Azure Active Directory (Azure AD) for customers tenant
+---
+
+# Call an API in a sample .NET daemon application 
+
+This article uses a sample .NET daemon application to show you how a daemon application acquires a token to call a protected web API. Azure Active Directory (Azure AD) for customers protects the Web API. 
+
+A daemon application acquires a token on behalf of itself (not on behalf of a user). Users can't interact with a daemon application because it requires its own identity. This type of application requests an access token by using its application identity and presenting its application ID, credential (password or certificate), and application ID URI to Azure AD. 
+
+## Prerequisites
+
+- [.NET 7.0](https://dotnet.microsoft.com/download/dotnet/7.0) or later. 
+
+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor.
+
+- Azure AD for customers tenant. If you don't already have one, [sign up for a free trial](https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl)</a>.
+
+## Register a daemon application and a web API
+
+In this step, you create the daemon and the web API application registrations, and you specify the scopes of your web API.
+
+### Register a web API application
+
+[!INCLUDE [active-directory-b2c-app-integration-add-user-flow](./includes/register-app/register-api-app.md)]
+
+### Configure application roles
+
+[!INCLUDE [active-directory-b2c-app-integration-add-user-flow](./includes/register-app/add-app-role.md)]
+
+### Configure optional claims
+
+[!INCLUDE [active-directory-b2c-app-integration-add-user-flow](./includes/register-app/add-optional-claims-access.md)]
+
+### Register the daemon application
+
+[!INCLUDE [active-directory-b2c-register-app](./includes/register-app/register-client-app-common.md)]
+
+### Create a client secret
+
+[!INCLUDE [active-directory-b2c-app-integration-add-user-flow](./includes/register-app/add-app-client-secret.md)]
+
+### Grant API permissions to the daemon application
+
+[!INCLUDE [active-directory-b2c-app-integration-add-user-flow](./includes/register-app/grant-api-permissions-app-permissions.md)]
+
+##  Clone or download sample daemon application and web API
+
+To get the web application sample code, you can do either of the following tasks:
+
+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial/archive/refs/heads/main.zip) or clone the sample web application from GitHub by running the following command:
+
+    ```console
+        git clone https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial.git
+    ```
+If you choose to download the *.zip* file, extract the sample application file to a folder where the total length of the path is 260 or fewer characters.
+
+## Configure the sample daemon application and API
+
+To use your app registration in the client web application sample:
+
+1. In your code editor, open *ms-identity-ciam-dotnet-tutorial/2-Authorization/3-call-own-api-dotnet-core-daemon/ToDoListClient/appsettings.json* file.
+
+1. Find the placeholder:
+
+    - `Enter_the_Application_Id_Here` and replace it with the Application (client) ID of the daemon application you registered earlier.
+     
+    - `Enter_the_Tenant_Subdomain_Here` and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details). 
+    
+    - `Enter_the_Client_Secret_Here` and replace it with the daemon application secret value you copied earlier.
+    
+    - `Enter_the_Web_Api_Application_Id_Here` and replace it with the Application (client) ID of the web API you copied earlier.
+
+To use your app registration in the web API sample: 
+
+1. In your code editor, open *ms-identity-ciam-dotnet-tutorial/2-Authorization/3-call-own-api-dotnet-core-daemon/ToDoListAPI/appsettings.json* file.
+
+1. Find the placeholder:
+    
+    - `Enter_the_Application_Id_Here` and replace it with the Application (client) ID of the web API you copied. 
+    
+    - `Enter_the_Tenant_Id_Here` and replace it with the Directory (tenant) ID you copied earlier.
+    
+    - `Enter_the_Tenant_Subdomain_Here` and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).
+
+##  Run and test sample daemon application and API 
+
+1. Open a console window, then run the web API by using the following commands:
+
+    ```console
+    cd 2-Authorization\3-call-own-api-dotnet-core-daemon\ToDoListAPI
+    dotnet run
+    ``` 
+1. Run the daemon client by using the following commands:
+
+    ```console
+    cd 2-Authorization\3-call-own-api-dotnet-core-daemon\ToDoListClient
+    dotnet run
+    ```
+
+If your daemon application and web API successfully run, you should see something similar to the following JSON array in your console window
+
+```bash
+Posting a to-do...
+Retrieving to-do's from server...
+To-do data:
+ID: 1
+User ID: 41b1e1a8-8e51-4514-8dab-e568afa2826c
+Message: Bake bread
+Posting a second to-do...
+Retrieving to-do's from server...
+To-do data:
+ID: 1
+User ID: 41b1e1a8-8e51-4514-8dab-e568afa2826c
+Message: Bake bread
+ID: 2
+User ID: 41b1e1a8-8e51-4514-8dab-e568afa2826c
+Message: Butter bread
+Deleting a to-do...
+Retrieving to-do's from server...
+To-do data:
+ID: 2
+User ID: 41b1e1a8-8e51-4514-8dab-e568afa2826c
+Message: Butter bread
+Editing a to-do...
+Retrieving to-do's from server...
+To-do data:
+ID: 2
+User ID: 41b1e1a8-8e51-4514-8dab-e568afa2826c
+Message: Eat bread
+Deleting remaining to-do...
+Retrieving to-do's from server...
+There are no to-do's in server
+```
+
+## How it works
+
+The daemon application use [OAuth2.0 client credentials grant](../../develop/v2-oauth2-client-creds-grant-flow.md) to acquire an access token for itself and not for the user. The access token that the app requests contains the permissions represented as roles. The client credential flow uses this set of permissions in place of user scopes for application tokens. You [exposed these application permissions](#configure-application-roles) in the web API earlier, then [granted them to the daemon app](#grant-api-permissions-to-the-daemon-application). The daemon app in this article uses [Microsoft Authentication Library for .NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) to simplify the process of acquiring a token.
+
+On the API side, the web API must verify that the access token has the required permissions (application permissions). The web API rejects access tokens that don't have the required permissions. 
+
+## See also
+
+See the tutorial on how to [build your own .NET daemon app that calls an API](./tutorial-daemon-dotnet-call-api-prepare-tenant.md)

articles/active-directory/external-identities/customers/toc.yml

@@ -61,6 +61,8 @@ items:
             - name: Node.js - call an API
               href: sample-daemon-node-call-api.md
               displayName: client credentials grant
+            - name: .NET - call an API
+              href: sample-daemon-dotnet-call-api.md
         - name: Desktop app
           items:
             - name: Electron - sign in users
@@ -181,17 +183,21 @@ items:
         items: 
           - name: Node.js
             items:
-              - name: Acquire token, call an API
-                items:
-                  - name: Overview
-                    href: how-to-daemon-node-call-api-overview.md
-                    displayName: client credentials flow
-                  - name: Prepare tenant
-                    href: how-to-daemon-node-call-api-prepare-tenant.md
-                  - name: Prepare app
-                    href: how-to-daemon-node-call-api-prepare-app.md 
-                  - name: Acquire access token and call API
-                    href: how-to-daemon-node-call-api-call-api.md
+              - name: Overview
+                href: how-to-daemon-node-call-api-overview.md
+                displayName: client credentials flow
+              - name: Prepare tenant
+                href: how-to-daemon-node-call-api-prepare-tenant.md
+              - name: Prepare app
+                href: how-to-daemon-node-call-api-prepare-app.md 
+              - name: Acquire access token and call API
+                href: how-to-daemon-node-call-api-call-api.md
+          - name: .NET
+            items:
+              - name: Prepare tenant
+                href: tutorial-daemon-dotnet-call-api-prepare-tenant.md
+              - name: Acquire access token and call API
+                href: tutorial-daemon-dotnet-call-api-build-app.md 
       - name: Desktop app
         items:
           - name: .NET MAUI