Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into sancha/pvtlink

Author: Lakshmisha-KS

.openpublishing.publish.config.json

@@ -128,54 +128,6 @@
       "branch": "master",
       "branch_mapping": {}
     },
-    {
-      "path_to_root": "samples-mediaservices-integration",
-      "url": "https://github.com/Azure-Samples/media-services-dotnet-functions-integration",
-      "branch": "main",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "samples-mediaservices-encryptiondrm",
-      "url": "https://github.com/Azure-Samples/media-services-dotnet-dynamic-encryption-with-drm",
-      "branch": "master",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "samples-mediaservices-encryptionfairplay",
-      "url": "https://github.com/Azure-Samples/media-services-dotnet-dynamic-encryption-with-fairplay",
-      "branch": "master",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "samples-mediaservices-encryptionaes",
-      "url": "https://github.com/Azure-Samples/media-services-dotnet-dynamic-encryption-with-aes",
-      "branch": "master",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "samples-mediaservices-copyblob",
-      "url": "https://github.com/Azure-Samples/media-services-dotnet-copy-blob-into-asset",
-      "branch": "master",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "samples-mediaservices-deliverplayready",
-      "url": "https://github.com/Azure-Samples/media-services-dotnet-deliver-playready-widevine-licenses",
-      "branch": "master",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "samples-mediaservices-livestream",
-      "url": "https://github.com/Azure-Samples/media-services-dotnet-encode-live-stream-with-ams-clear",
-      "branch": "master",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "samples-mediaservices-encoderstandard",
-      "url": "https://github.com/Azure-Samples/media-services-dotnet-on-demand-encoding-with-media-encoder-standard",
-      "branch": "master",
-      "branch_mapping": {}
-    },
     {
       "path_to_root": "azure-app-service-multi-container",
       "url": "https://github.com/Azure-Samples/multicontainerwordpress",
@@ -374,30 +326,6 @@
       "branch": "master",
       "branch_mapping": {}
     },
-    {
-      "path_to_root": "media-services-v3-dotnet-tutorials",
-      "url": "https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials",
-      "branch": "main",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "media-services-v3-dotnet",
-      "url": "https://github.com/Azure-Samples/media-services-v3-dotnet",
-      "branch": "main",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "media-services-v3-dotnet-core-functions-integration",
-      "url": "https://github.com/Azure-Samples/media-services-v3-dotnet-core-functions-integration",
-      "branch": "main",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "media-services-v3-python",
-      "url": "https://github.com/Azure-Samples/media-services-v3-python",
-      "branch": "main",
-      "branch_mapping": {}
-    },
     {
       "path_to_root": "samples-javascript",
       "url": "https://github.com/Microsoft/tsiclient",
@@ -410,24 +338,6 @@
       "branch": "master",
       "branch_mapping": {}
     },
-    {
-      "path_to_root": "media-services-v3-dotnet-core-tutorials",
-      "url": "https://github.com/Azure-Samples/media-services-v3-dotnet-core-tutorials",
-      "branch": "master",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "media-services-v3-rest-postman",
-      "url": "https://github.com/Azure-Samples/media-services-v3-rest-postman",
-      "branch": "master",
-      "branch_mapping": {}
-    },
-    {
-      "path_to_root": "media-services-v3-node-tutorials",
-      "url": "https://github.com/Azure-Samples/media-services-v3-node-tutorials",
-      "branch": "main",
-      "branch_mapping": {}
-    },
     {
       "path_to_root": "media-services-video-indexer",
       "url": "https://github.com/Azure-Samples/media-services-video-indexer",

articles/active-directory/authentication/howto-authentication-temporary-access-pass.md

@@ -71,9 +71,9 @@ To configure the Temporary Access Pass authentication method policy:
 After you enable a policy, you can create a Temporary Access Pass for a user in Azure AD. 
 These roles can perform the following actions related to a Temporary Access Pass.
 
-- Global Administrator can create, delete, view a Temporary Access Pass on any user (except themselves)
-- Privileged Authentication Administrators can create, delete, view a Temporary Access Pass on admins and members (except themselves)
-- Authentication Administrators can create, delete, view a Temporary Access Pass on members  (except themselves)
+- Global Administrators can create, delete, and view a Temporary Access Pass on any user (except themselves)
+- Privileged Authentication Administrators can create, delete, and view a Temporary Access Pass on admins and members (except themselves)
+- Authentication Administrators can create, delete, and view a Temporary Access Pass on members  (except themselves)
 - Global Reader can view the Temporary Access Pass details on the user (without reading the code itself).
 
 1. Sign in to the Azure portal as either a Global administrator, Privileged Authentication administrator, or Authentication administrator. 

articles/active-directory/develop/app-resilience-continuous-access-evaluation.md

@@ -137,8 +137,8 @@ Your app would then use the claims challenge to acquire a new access token for t
 ```javascript
 const tokenRequest = {
     claims: window.atob(claimsChallenge), // decode the base64 string
-    scopes: ['User.Read']
-    account: msalInstance.getActiveAccount();
+    scopes: ['User.Read'],
+    account: msalInstance.getActiveAccount()
 };
 
 let tokenResponse;
@@ -173,8 +173,9 @@ You can test your application by signing in a user and then using the Azure port
 
 ## Code samples
 
-- [React single-page application using MSAL React to sign-in users against Azure Active Directory](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph)
-- [Enable your ASP.NET Core web app to sign in users and call Microsoft Graph with the Microsoft identity platform](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph)
+- [Enable your Angular single-page application to sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/2-Authorization-I/1-call-graph)
+- [Enable your React single-page application to sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph)
+- [Enable your ASP.NET Core web app to sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph)
 
 ## Next steps
 

articles/active-directory/develop/claims-challenge.md

@@ -237,10 +237,14 @@ const checkIsClientCapableOfClaimsChallenge = (req, res, next) => {
 
 ---
 
+## Code samples
+
+- [Enable your Angular single-page application to sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/2-Authorization-I/1-call-graph)
+- [Enable your React single-page application to sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph)
+- [Enable your ASP.NET Core web app to sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph)
+
 ## Next steps
 
 - [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md#request-an-authorization-code)
 - [How to use Continuous Access Evaluation enabled APIs in your applications](app-resilience-continuous-access-evaluation.md)
 - [Granular Conditional Access for sensitive data and actions](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775)
-- [React single-page application using MSAL React to sign-in users against Azure Active Directory](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph)
-- [Enable your ASP.NET Core web app to sign in users and call Microsoft Graph with the Microsoft identity platform](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph)

articles/active-directory/develop/msal-js-prompt-behavior.md

@@ -1,6 +1,6 @@
 ---
-title: Interactive request prompt behavior (MSAL.js)
-description: Learn to customize prompt behavior in interactive calls using the Microsoft Authentication Library for JavaScript (MSAL.js).
+title: Prompt behavior with MSAL.js
+description: Learn to customize prompt behavior using the Microsoft Authentication Library for JavaScript (MSAL.js).
 services: active-directory
 author: mmacy
 manager: CelesteDG
@@ -16,34 +16,76 @@ ms.custom: aaddev
 #Customer intent: As an application developer, I want to learn about customizing the UI prompt behaviors in MSAL.js library so I can decide if this platform meets my application development needs and requirements.
 ---
 
-# Prompt behavior in MSAL.js interactive requests
+# Prompt behavior with MSAL.js
 
-When a user has established an active Azure AD session with multiple user accounts, the Azure AD sign in page will by default prompt the user to select an account before proceeding to sign in. Users will not see an account selection experience if there is only a single authenticated session with Azure AD.
+MSAL.js allows passing a prompt value as part of its login or token request methods. Based on your application scenario, you can customize the Azure AD prompt behavior for a request by setting the **prompt** parameter in the [request object](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#commonauthorizationurlrequest): 
 
-The MSAL.js library (starting in v0.2.4) does not send a prompt parameter during the interactive requests (`loginRedirect`, `loginPopup`, `acquireTokenRedirect` and `acquireTokenPopup`), and thereby does not enforce any prompt behavior. For silent token requests using the `acquireTokenSilent` method, MSAL.js passes a prompt parameter set to `none`.
+```javascript
+import { PublicClientApplication } from "@azure/msal-browser";
 
-Based on your application scenario, you can control the prompt behavior for the interactive requests by setting the prompt parameter in the request parameters passed to the methods. For example, if you want to invoke the account selection experience:
+const pca = new PublicClientApplication({
+    auth: {
+        clientId: "YOUR_CLIENT_ID"
+    }
+});
 
-```javascript
-var request = {
+const loginRequest = {
     scopes: ["user.read"],
     prompt: 'select_account',
 }
 
-userAgentApplication.loginRedirect(request);
+pca.loginPopup(loginRequest)
+    .then(response => {
+        // do something with the response
+    })
+    .catch(error => {
+        // handle errors
+    });
 ```
 
+## Supported prompt values
+
+The following prompt values can be used when authenticating with the Microsoft identity platform:
+
+| Parameter  | Behavior                                                                         |
+|------------|----------------------------------------------------------------------------------|
+| `login`  | Forces the user to enter their credentials on that request, negating single-sign on. |
+| `none`  | Ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns a *login_required* or *interaction_required* error. |
+| `consent`  | Triggers the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. |
+| `select_account` | Interrupts single sign-on by providing an account selection experience listing all the accounts in session or an option to choose a different account altogether. |
+| `create` | Triggers a sign-up dialog allowing external users to create an account. For more information, see: [Self-service sign-up](../external-identities/self-service-sign-up-overview.md) |
+
+MSAL.js will throw an `invalid_prompt` error for any unsupported prompt values:
+
+```console
+invalid_prompt_value: Supported prompt values are 'login', 'select_account', 'consent', 'create' and 'none'. Please see here for valid configuration options: https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#commonauthorizationurlrequest Given value: my_custom_prompt
+```
+
+## Default prompt values
+
+The following shows default prompt values that MSAL.js uses:
 
-The following prompt values can be passed when authenticating with Azure AD:
+| MSAL.js method         | Default prompt | Allowed prompts |
+|------------------------|----------------|-----------------|
+| `loginPopup`           | N/A            | Any             |
+| `loginRedirect`        | N/A            | Any             |
+| `ssoSilent`            | `none`         | N/A (ignored)   |
+| `acquireTokenPopup`    | N/A            | Any             |
+| `acquireTokenRedirect` | N/A            | Any             |
+| `acquireTokenSilent`   | `none`         | N/A (ignored)   |
 
-**login:** This value will force the user to enter credentials on the authentication request.
+> [!NOTE]
+> Note that **prompt** is a protocol-level parameter and signals the desired authentication behavior to the identity provider. It does not affect MSAL.js behavior and MSAL.js does not have control over how the service will ultimately handle the request. In most circumstances, Azure AD will try to honor the request. If this is not possible, it may return an error response, or completely ignore the given prompt value.
 
-**select_account:** This value will provide the user with an account selection experience listing all the accounts in session.
+## Interactive requests with prompt=none
 
-**consent:** This value will invoke the OAuth consent dialogue that allows users to grant permissions to the app.
+Generally, when you need to make a silent request, use a silent MSAL.js method (`ssoSilent`, `acquireTokenSilent`), and handle any *login_required* or *interaction_required* errors with an interactive method (`loginPopup`, `loginRedirect`, `acquireTokenPopup`, `acquireTokenRedirect`). 
 
-**none:** This value will ensure that the user does not see any interactive prompt. It is recommended not to pass this value to interactive methods in MSAL.js as it can have unexpected behaviors. Instead, use the `acquireTokenSilent` method to achieve silent calls.
+In some cases however, the prompt value `none` can be used together with an interactive MSAL.js method to achieve silent authentication. For instance, due to the third-party cookie restrictions in some browsers, `ssoSilent` requests will fail despite an active user session with Azure AD. As a remedy, you can pass the prompt value `none` to an interactive request such as `loginPopup`. MSAL.js will then open a popup window to Azure AD and Azure AD will honor the prompt value by utilizing the existing session cookie. In this case, the user will see a brief popup window but will not be prompted for a credential entry.
 
 ## Next steps
 
-Read more about the `prompt` parameter in the [OAuth 2.0 implicit grant](v2-oauth2-implicit-grant-flow.md) protocol which MSAL.js library uses.
+- [Single sign-on with MSAL.js](msal-js-sso.md)
+- [Handle errors and exceptions in MSAL.js](msal-error-handling-js.md)
+- [Handle ITP in Safari and other browsers where third-party cookies are blocked](reference-third-party-cookies-spas.md)
+- [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)

articles/active-directory/develop/whats-new-docs.md

@@ -5,7 +5,7 @@ services: active-directory
 author: mmacy
 manager: CelesteDG
 
-ms.date: 09/01/2022
+ms.date: 09/03/2022
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
@@ -18,6 +18,19 @@ ms.custom: has-adal-ref
 
 Welcome to what's new in the Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
 
+## September 2022
+
+### New articles
+
+- [Configure a user-assigned managed identity to trust an external identity provider (preview)](workload-identity-federation-create-trust-user-assigned-managed-identity.md)
+- [Important considerations and restrictions for federated identity credentials](workload-identity-federation-considerations.md)
+
+### Updated articles
+
+- [How to use Continuous Access Evaluation enabled APIs in your applications](app-resilience-continuous-access-evaluation.md)
+- [Run automated integration tests](test-automate-integration-testing.md)
+- [Tutorial: Sign in users and call the Microsoft Graph API from a JavaScript single-page application (SPA)](tutorial-v2-javascript-spa.md)
+
 ## August 2022
 
 ### Updated articles
@@ -51,13 +64,3 @@ Welcome to what's new in the Microsoft identity platform documentation. This art
 - [Microsoft identity platform access tokens](access-tokens.md)
 - [Single-page application: Sign-in and Sign-out](scenario-spa-sign-in.md)
 - [Tutorial: Add sign-in to Microsoft to an ASP.NET web app](tutorial-v2-asp-webapp.md)
-
-## June 2022
-
-### Updated articles
-
-- [Add app roles to your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md)
-- [Azure AD Authentication and authorization error codes](reference-aadsts-error-codes.md)
-- [Microsoft identity platform refresh tokens](refresh-tokens.md)
-- [Single-page application: Acquire a token to call an API](scenario-spa-acquire-token.md)
-- [Tutorial: Sign in users and call the Microsoft Graph API in an Electron desktop app](tutorial-v2-nodejs-desktop.md)

articles/active-directory/devices/concept-azure-ad-register.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: conceptual
-ms.date: 02/15/2022
+ms.date: 09/30/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -26,10 +26,11 @@ The goal of Azure AD registered - also known as Workplace joined - devices is to
 |   | Bring your own device |
 |   | Mobile devices |
 | **Device ownership** | User or Organization |
-| **Operating Systems** | Windows 10 or newer, iOS, Android, and macOS |
+| **Operating Systems** | Windows 10 or newer, iOS, Android, macOS, Ubuntu 20.04/22.04 |
 | **Provisioning** | Windows 10 or newer – Settings |
 |   | iOS/Android – Company Portal or Microsoft Authenticator app |
 |   | macOS – Company Portal |
+|   | Linux - Intune Agent | 
 | **Device sign in options** | End-user local credentials |
 |   | Password |
 |   | Windows Hello |