MicrosoftDocs
diff --git a/‎.openpublishing.redirection.healthcare-apis.json
Lines changed: 7 additions & 3 deletions b/‎.openpublishing.redirection.healthcare-apis.json
Lines changed: 7 additions & 3 deletions
diff --git a/‎articles/active-directory-b2c/custom-policies-series-call-rest-api.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory-b2c/custom-policies-series-call-rest-api.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/develop/application-model.md
Lines changed: 4 additions & 4 deletions b/‎articles/active-directory/develop/application-model.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/active-directory/develop/reference-aadsts-error-codes.md
Lines changed: 2 additions & 1 deletion b/‎articles/active-directory/develop/reference-aadsts-error-codes.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎articles/active-directory/develop/scenario-daemon-acquire-token.md
Lines changed: 76 additions & 36 deletions b/‎articles/active-directory/develop/scenario-daemon-acquire-token.md
Lines changed: 76 additions & 36 deletions
@@ -586,15 +586,19 @@
           "redirect_document_id": false
       },
       {   "source_path_from_root": "/articles/healthcare-apis/iot/iot-data-flow.md",
-          "redirect_url": "/azure/healthcare-apis/iot/understand-service",
+          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-data-processing-stages",
           "redirect_document_id": false
       },
       {   "source_path_from_root": "/articles/healthcare-apis/iot/data-flow.md",
-          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-message-processing-stages",
+          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-data-processing-stages",
           "redirect_document_id": false
       },
       {   "source_path_from_root": "/articles/healthcare-apis/iot/understand-service.md",
-          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-message-processing-stages",
+          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-data-processing-stages",
+          "redirect_document_id": false
+      },
+      {   "source_path_from_root": "/articles/healthcare-apis/iot/overview-of-device-message-processing-stages.md",
+          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-data-processing-stages",
           "redirect_document_id": false
       },
       {   "source_path_from_root": "/articles/healthcare-apis/iot/how-to-use-device-mappings.md",
 
@@ -88,7 +88,7 @@ You need to deploy an app, which will serve as your external app. Your custom po
                     "code" : "errorCode",
                     "requestId": "requestId",
                     "userMessage" : "The access code you entered is incorrect. Please try again.",
-                    "developerMessage" : `The The provided code ${req.body.accessCode} does not match the expected code for user.`,
+                    "developerMessage" : `The provided code ${req.body.accessCode} does not match the expected code for user.`,
                     "moreInfo" :"https://docs.microsoft.com/en-us/azure/active-directory-b2c/string-transformations"
                 };
                 res.status(409).send(errorResponse);                
@@ -133,7 +133,7 @@ You need to deploy an app, which will serve as your external app. Your custom po
             "code": "errorCode",
             "requestId": "requestId",
             "userMessage": "The access code you entered is incorrect. Please try again.",
-            "developerMessage": "The The provided code 54321 does not match the expected code for user.",
+            "developerMessage": "The provided code 54321 does not match the expected code for user.",
             "moreInfo": "https://docs.microsoft.com/en-us/azure/active-directory-b2c/string-transformations"
         }
     ```
 
@@ -28,9 +28,9 @@ For an identity provider to know that a user has access to a particular app, bot
 * Decide if you want to allow users to sign in only if they belong to your organization. This architecture is known as a single-tenant application. Or, you can allow users to sign in by using any work or school account, which is known as a multi-tenant application. You can also allow personal Microsoft accounts or a social account from LinkedIn, Google, and so on.
 * Request scope permissions. For example, you can request the "user.read" scope, which grants permission to read the profile of the signed-in user.
 * Define scopes that define access to your web API. Typically, when an app wants to access your API, it will need to request permissions to the scopes you define.
-* Share a secret with the Microsoft identity platform that proves the app's identity. Using a secret is relevant in the case where the app is a confidential client application. A confidential client application is an application that can hold credentials securely. A trusted back-end server is required to store the credentials.
+* Share a secret with the Microsoft identity platform that proves the app's identity. Using a secret is relevant in the case where the app is a confidential client application. A confidential [client application](developer-glossary.md#client-application) is an application that can hold credentials securely, like a [web client](developer-glossary.md#web-client). A trusted back-end server is required to store the credentials.
 
-After the app is registered, it's given a unique identifier that it shares with the Microsoft identity platform when it requests tokens. If the app is a [confidential client application](developer-glossary.md#client-application), it will also share the secret or the public key depending on whether certificates or secrets were used.
+After the app is registered, it's given a unique identifier that it shares with the Microsoft identity platform when it requests tokens. If the app is a confidential client application, it will also share the secret or the public key depending on whether certificates or secrets were used.
 
 The Microsoft identity platform represents applications by using a model that fulfills two main functions:
 
@@ -44,14 +44,14 @@ The Microsoft identity platform:
 * Provides infrastructure for implementing app provisioning within the app developer's tenant, and to any other Azure AD tenant.
 * Handles user consent during token request time and facilitates the dynamic provisioning of apps across tenants.
 
-*Consent* is the process of a resource owner granting authorization for a client application to access protected resources, under specific permissions, on behalf of the resource owner. The Microsoft identity platform enables:
+[*Consent*](developer-glossary.md#consent) is the process of a resource owner granting authorization for a client application to access protected resources, under specific permissions, on behalf of the resource owner. The Microsoft identity platform enables:
 
 * Users and administrators to dynamically grant or deny consent for the app to access resources on their behalf.
 * Administrators to ultimately decide what apps are allowed to do and which users can use specific apps, and how the directory resources are accessed.
 
 ## Multi-tenant apps
 
-In the Microsoft identity platform, an [application object](developer-glossary.md#application-object) describes an application. At deployment time, the Microsoft identity platform uses the application object as a blueprint to create a [service principal](developer-glossary.md#service-principal-object), which represents a concrete instance of an application within a directory or tenant. The service principal defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. The Microsoft identity platform creates a service principal from an application object through [consent](developer-glossary.md#consent).
+In the Microsoft identity platform, an [application object](developer-glossary.md#application-object) describes an application. At deployment time, the Microsoft identity platform uses the application object as a blueprint to create a [service principal](developer-glossary.md#service-principal-object), which represents a concrete instance of an application within a directory or tenant. The service principal defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. The Microsoft identity platform creates a service principal from an application object through consent.
 
 The following diagram shows a simplified Microsoft identity platform provisioning flow driven by consent. It shows two tenants: *A* and *B*.
 
 
@@ -165,6 +165,7 @@ The `error` field has several possible values - review the protocol documentatio
 | AADSTS50143 | Session mismatch - Session is invalid because user tenant doesn't match the domain hint due to different resource. [Open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) with Correlation ID, Request ID, and Error code to get more details. |
 | AADSTS50144 | InvalidPasswordExpiredOnPremPassword - User's Active Directory password has expired. Generate a new password for the user or have the user use the self-service reset tool to reset their password. |
 | AADSTS50146 | MissingCustomSigningKey - This app is required to be configured with an app-specific signing key. It is either not configured with one, or the key has expired or isn't yet valid. Please contact the owner of the application. |
+| AADSTS501461 | AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains. Either change the resource identifier, or use an application-specific signing key. |
 | AADSTS50147 | MissingCodeChallenge - The size of the code challenge parameter isn't valid. |
 | AADSTS501481 | The Code_Verifier doesn't match the code_challenge supplied in the authorization request.|
 | AADSTS501491 |  InvalidCodeChallengeMethodInvalidSize - Invalid size of Code_Challenge parameter.|
@@ -183,7 +184,7 @@ The `error` field has several possible values - review the protocol documentatio
 | AADSTS50194 | Application '{appId}'({appName}) isn't configured as a multi-tenant application. Usage of the /common endpoint isn't supported for such applications created after '{time}'. Use a tenant-specific endpoint or configure the application to be multi-tenant. |
 | AADSTS50196 | LoopDetected - A client loop has been detected. Check the app’s logic to ensure that token caching is implemented, and that error conditions are handled correctly.  The app has made too many of the same request in too short a period, indicating that it is in a faulty state or is abusively requesting tokens. |
 | AADSTS50197 | ConflictingIdentities - The user could not be found. Try signing in again. |
-| AADSTS50199 | CmsiInterrupt - For security reasons, user confirmation is required for this request.  Because this is an "interaction_required" error, the client should do interactive auth.  This occurs because a system webview has been used to request a token for a native application - the user must be prompted to ask if this was actually the app they meant to sign into. To avoid this prompt, the redirect URI should be part of the following safe list: <br />http://<br />https://<br />chrome-extension:// (desktop Chrome browser only) |
+| AADSTS50199 | CmsiInterrupt - For security reasons, user confirmation is required for this request. Interrupt is shown for all scheme redirects in mobile browsers. <br />No action required. The user was asked to confirm that this app is the application they intended to sign into. <br />This is a security feature that helps prevent spoofing attacks. This occurs because a system webview has been used to request a token for a native application. <br />To avoid this prompt, the redirect URI should be part of the following safe list: <br />http://<br />https://<br />chrome-extension:// (desktop Chrome browser only) |
 | AADSTS51000 | RequiredFeatureNotEnabled - The feature is disabled. |
 | AADSTS51001 | DomainHintMustbePresent - Domain hint must be present with on-premises security identifier or on-premises UPN. |
 | AADSTS1000104| XCB2BResourceCloudNotAllowedOnIdentityTenant - Resource cloud {resourceCloud} isn't allowed on identity tenant {identityTenant}. {resourceCloud} - cloud instance which owns the resource. {identityTenant} - is the tenant where signing-in identity is originated from. |
 
@@ -22,11 +22,23 @@ After you've constructed a confidential client application, you can acquire a to
 
 The scope to request for a client credential flow is the name of the resource followed by `/.default`. This notation tells Azure Active Directory (Azure AD) to use the *application-level permissions* declared statically during application registration. Also, these API permissions must be granted by a tenant administrator.
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
 
-```csharp
-ResourceId = "someAppIDURI";
-var scopes = new [] {  ResourceId+"/.default"};
+Here's an example of defining the scopes for the web API as part of the configuration in an [*appsettings.json*](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/master/2-Call-OwnApi/daemon-console/appsettings.json) file. This example is taken from the [.NET Core console daemon](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) code sample on GitHub.
+
+```json
+{
+	"AzureAd": {
+		// Same AzureAd section as before.
+	},
+
+	"MyWebApi": {
+		"BaseUrl": "https://localhost:44372/",
+		"RelativePath": "api/TodoList",
+		"RequestAppToken": true,
+		"Scopes": [ "[Enter here the scopes for your web API]" ]
+	}
+}
 ```
 
 # [Java](#tab/java)
@@ -53,6 +65,13 @@ In MSAL Python, the configuration file looks like this code snippet:
 }
 ```
 
+# [.NET (low level)](#tab/dotnet)
+
+```csharp
+ResourceId = "someAppIDURI";
+var scopes = new [] {  ResourceId+"/.default"};
+```
+
 ---
 
 ### Azure AD (v1.0) resources
@@ -65,42 +84,25 @@ The scope used for client credentials should always be the resource ID followed
 
 ## AcquireTokenForClient API
 
-To acquire a token for the app, you'll use `AcquireTokenForClient` or its equivalent, depending on the platform.
+To acquire a token for the app, use `AcquireTokenForClient` or its equivalent, depending on the platform.
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
+
+With Microsoft.Identity.Web, you don't need to acquire a token. You can use higher level APIs, as you see in [Calling a web API from a daemon application](scenario-daemon-call-api.md). If however you're using an SDK that requires a token, the following code snippet shows how to get this token.
 
 ```csharp
-using Microsoft.Identity.Client;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Web;
 
-// With client credentials flows, the scope is always of the shape "resource/.default" because the
-// application permissions need to be set statically (in the portal or by PowerShell), and then granted by
-// a tenant administrator.
-string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
+// In the Program.cs, acquire a token for your downstream API
 
-AuthenticationResult result = null;
-try
-{
- result = await app.AcquireTokenForClient(scopes)
-                  .ExecuteAsync();
-}
-catch (MsalUiRequiredException ex)
-{
-    // The application doesn't have sufficient permissions.
-    // - Did you declare enough app permissions during app creation?
-    // - Did the tenant admin grant permissions to the application?
-}
-catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS70011"))
-{
-    // Invalid scope. The scope has to be in the form "https://resourceurl/.default"
-    // Mitigation: Change the scope to be as expected.
-}
+var tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
+ITokenAcquirer acquirer = tokenAcquirerFactory.GetTokenAcquirer();
+AcquireTokenResult tokenResult = await acquirer.GetTokenForUserAsync(new[] { https://graph.microsoft.com/.default" });
+string accessToken = tokenResult.AccessToken;
 ```
 
-### AcquireTokenForClient uses the application token cache
-
-In MSAL.NET, `AcquireTokenForClient` uses the application token cache. (All the other AcquireToken*XX* methods use the user token cache.)
-Don't call `AcquireTokenSilent` before you call `AcquireTokenForClient`, because `AcquireTokenSilent` uses the *user* token cache. `AcquireTokenForClient` checks the *application* token cache itself and updates it.
-
 # [Java](#tab/java)
 
 This code is extracted from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/tree/dev/msal4j-sdk/src/samples/confidential-client/).
@@ -152,7 +154,7 @@ private static IAuthenticationResult acquireToken() throws Exception {
 
 # [Node.js](#tab/nodejs)
 
-The code snippet below illustrates token acquisition in an MSAL Node confidential client application:
+The following code snippet illustrates token acquisition in an MSAL Node confidential client application:
 
 ```JavaScript
 try {
@@ -187,6 +189,40 @@ else:
     print(result.get("correlation_id"))  # You might need this when reporting a bug.
 ```
 
+# [.NET (low level)](#tab/dotnet)
+
+```csharp
+using Microsoft.Identity.Client;
+
+// With client credentials flows, the scope is always of the shape "resource/.default" because the
+// application permissions need to be set statically (in the portal or by PowerShell), and then granted by
+// a tenant administrator.
+string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
+
+AuthenticationResult result = null;
+try
+{
+ result = await app.AcquireTokenForClient(scopes)
+                  .ExecuteAsync();
+}
+catch (MsalUiRequiredException ex)
+{
+    // The application doesn't have sufficient permissions.
+    // - Did you declare enough app permissions during app creation?
+    // - Did the tenant admin grant permissions to the application?
+}
+catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS70011"))
+{
+    // Invalid scope. The scope has to be in the form "https://resourceurl/.default"
+    // Mitigation: Change the scope to be as expected.
+}
+```
+
+### AcquireTokenForClient uses the application token cache
+
+In MSAL.NET, `AcquireTokenForClient` uses the application token cache. (All the other AcquireToken*XX* methods use the user token cache.)
+Don't call `AcquireTokenSilent` before you call `AcquireTokenForClient`, because `AcquireTokenSilent` uses the *user* token cache. `AcquireTokenForClient` checks the *application* token cache itself and updates it.
+
 ---
 
 ### Protocol
@@ -253,10 +289,10 @@ If your daemon app calls your own web API and you weren't able to add an app per
 
 ## Next steps
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
 
 Move on to the next article in this scenario,
-[Calling a web API](./scenario-daemon-call-api.md?tabs=dotnet).
+[Calling a web API](./scenario-daemon-call-api.md?tabs=idweb).
 
 # [Java](#tab/java)
 
@@ -273,4 +309,8 @@ Move on to the next article in this scenario,
 Move on to the next article in this scenario,
 [Calling a web API](./scenario-daemon-call-api.md?tabs=python).
 
+# [.NET low level](#tab/dotnet)
+
+Move on to the next article in this scenario,
+[Calling a web API](./scenario-daemon-call-api.md?tabs=dotnet).
 ---