
Commit 6e533c4

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into 2022_virt
2 parents c2c28d6 + e325345 commit 6e533c4


92 files changed: +1160 / -462 lines changed


.openpublishing.publish.config.json

Lines changed: 6 additions & 0 deletions
@@ -807,6 +807,12 @@
807807
"branch": "master",
808808
"branch_mapping": {}
809809
},
810+
{
811+
"path_to_root": "ms-identity-dotnetcore-b2c-account-management",
812+
"url": "https://github.com/Azure-Samples/ms-identity-dotnetcore-b2c-account-management",
813+
"branch": "master",
814+
"branch_mapping": {}
815+
},
810816
{
811817
"path_to_root": "msdocs-python-flask-webapp-quickstart",
812818
"url": "https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart",

articles/active-directory-b2c/conditional-access-user-flow.md

Lines changed: 1 addition & 1 deletion
@@ -91,7 +91,7 @@ To add a Conditional Access policy, disable security defaults:
9191
1. Sign in to the [Azure portal](https://portal.azure.com/).
9292
1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
9393
1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
94-
1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
94+
1. Under **Azure services**, select **Azure Active Directory**. Or use the search box to find and select **Azure Active Directory**.
9595
1. Select **Properties**, and then select **Manage Security defaults**.
9696

9797
![Disable the security defaults](media/conditional-access-user-flow/disable-security-defaults.png)
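Review bot: line 94 now sends the reader to **Azure Active Directory** while steps 92 and 93 talk about the Azure AD B2C tenant, so the switch reads like a mistake. Add a short clause explaining that security defaults are a property of the directory itself, which is why they are managed from the Azure Active Directory blade (**Properties** > **Manage Security defaults**, as step 95 says) and not from the Azure AD B2C blade. A sentence after step 95 reminding readers that turning security defaults off removes that baseline protection, so the Conditional Access policy this section leads to should be created straight away, would also help.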

articles/active-directory-b2c/microsoft-graph-operations.md

Lines changed: 3 additions & 38 deletions
@@ -167,7 +167,7 @@ For more information about accessing Azure AD B2C audit logs, see [Accessing Azu
167167
When you want to manage Microsoft Graph, you can either do it as the application using the application permissions, or you can use delegated permissions. For delegated permissions, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource. Application permissions are used by apps that do not require a signed in user present and thus require application permissions. Because of this, only administrators can consent to application permissions.
168168

169169
> [!NOTE]
170-
> Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph.
170+
> Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph API.
171171
## Code sample: How to programmatically manage user accounts
172172

173173
This code sample is a .NET Core console application that uses the [Microsoft Graph SDK](/graph/sdks/sdks-overview) to interact with Microsoft Graph API. Its code demonstrates how to call the API to programmatically manage users in an Azure AD B2C tenant.
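Review bot: appending "API" on line 170 does not fix the sentence's real problem: "Delegated permissions for users ... cannot be used against delegated permissions for Microsoft Graph API" is circular, and a reader cannot tell what is being ruled out. State it directly, something like "Users who sign in through user flows or custom policies can't obtain tokens with delegated permissions for Microsoft Graph; use application permissions with the client credentials flow, as the sample below does." The unchanged paragraph at line 167 has the same shape ("Application permissions are used by apps that do not require a signed in user present and thus require application permissions") and could drop the trailing clause.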
@@ -212,46 +212,11 @@ The `RunAsync` method in the _Program.cs_ file:
212212
1. Initializes the auth provider using [OAuth 2.0 client credentials grant](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md) flow. With the client credentials grant flow, the app is able to get an access token to call the Microsoft Graph API.
213213
1. Sets up the Microsoft Graph service client with the auth provider:
214214

215-
```csharp
216-
// Read application settings from appsettings.json (tenant ID, app ID, client secret, etc.)
217-
AppSettings config = AppSettingsFile.ReadFromJsonFile();
218-
219-
// Initialize the client credential auth provider
220-
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
221-
.Create(config.AppId)
222-
.WithTenantId(config.TenantId)
223-
.WithClientSecret(config.ClientSecret)
224-
.Build();
225-
ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
226-
227-
// Set up the Microsoft Graph service client with client credentials
228-
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
229-
```
215+
:::code language="csharp" source="~/ms-identity-dotnetcore-b2c-account-management/src/Program.cs" id="ms_docref_set_auth_provider":::
230216

231217
The initialized *GraphServiceClient* is then used in _UserService.cs_ to perform the user management operations. For example, getting a list of the user accounts in the tenant:
232218

233-
```csharp
234-
public static async Task ListUsers(GraphServiceClient graphClient)
235-
{
236-
Console.WriteLine("Getting list of users...");
237-
238-
// Get all users (one page)
239-
var result = await graphClient.Users
240-
.Request()
241-
.Select(e => new
242-
{
243-
e.DisplayName,
244-
e.Id,
245-
e.Identities
246-
})
247-
.GetAsync();
248-
249-
foreach (var user in result.CurrentPage)
250-
{
251-
Console.WriteLine(JsonConvert.SerializeObject(user));
252-
}
253-
}
254-
```
219+
:::code language="csharp" source="~/ms-identity-dotnetcore-b2c-account-management/src/Services/UserService.cs" id="ms_docref_get_list_of_user_accounts":::
255220

256221
[Make API calls using the Microsoft Graph SDKs](/graph/sdks/create-requests) includes information on how to read and write information from Microsoft Graph, use `$select` to control the properties returned, provide custom query parameters, and use the `$filter` and `$orderBy` query parameters.
257222

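Review bot: the two `:::code` includes depend on the ids `ms_docref_set_auth_provider` and `ms_docref_get_list_of_user_accounts` existing in `src/Program.cs` and `src/Services/UserService.cs` of the sample; please confirm both are present, since the prose at lines 213 and 217 now has nothing to show if they are not. Two points from the code being removed carry over to whatever the includes render: the old `ListUsers` fetched one page only (`// Get all users (one page)`, iterating `result.CurrentPage`) while the prose still says "getting a list of the user accounts in the tenant", so either say "the first page of" or mention paging, because a user-management script that silently stops after one page is a real problem for audits and cleanups; and the old code read `config.ClientSecret` from appsettings.json, so a line noting that anything beyond a demo should load the secret from a secret store rather than a config file would be worth adding next to the include.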
articles/active-directory-b2c/multi-factor-authentication.md

Lines changed: 2 additions & 2 deletions
@@ -122,7 +122,7 @@ In Azure AD B2C, you can delete a user's TOTP authenticator app enrollment. Then
122122
1. In the left menu, select **Users**.
123123
1. Search for and select the user for which you want to delete TOTP authenticator app enrollment.
124124
1. In the left menu, select **Authentication methods**.
125-
1. Under **Usable authentication methods**, find **Software OATH token (Preview)**, and then select the 3-dot menu next to it. If you don't see this interface, select **Switch to the new user authentication methods experience! Click here to use it now** to switch to the new authentication methods experience.
125+
1. Under **Usable authentication methods**, find **Software OATH token (Preview)**, and then select the ellipsis menu next to it. If you don't see this interface, select the option to **"Switch to the new user authentication methods experience! Click here to use it now"** to switch to the new authentication methods experience.
126126
1. Select **Delete**, and then select **Yes** to confirm.
127127

128128
:::image type="content" source="media/multi-factor-authentication/authentication-methods.png" alt-text="User authentication methods":::
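Review bot: line 125 now wraps the UI string in both bold and quotation marks (**"Switch to the new user authentication methods experience! Click here to use it now"**), while every other UI label in these steps is bold only; drop the quotation marks so the label matches the rest of the procedure. "Ellipsis menu" in place of "3-dot menu" is fine.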
@@ -137,4 +137,4 @@ Learn how to [delete a user's Software OATH token authentication method](/graph/
137137

138138
- Learn about the [TOTP display control](display-control-time-based-one-time-password.md) and [Azure AD MFA technical profile](multi-factor-auth-technical-profile.md)
139139

140-
::: zone-end
140+
::: zone-end

articles/active-directory/app-provisioning/functions-for-customizing-application-data.md

Lines changed: 1 addition & 1 deletion
@@ -1049,7 +1049,7 @@ Example: Based on the user's first name, middle name and last name, you need to
10491049
SingleAppRoleAssignment([appRoleAssignments])
10501050

10511051
**Description:**
1052-
Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application. This function is required to convert the appRoleAssignments object into a single role name string. The best practice is to ensure only one appRoleAssignment is assigned to one user at a time, and if multiple roles are assigned the role string returned may not be predictable.
1052+
Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application. This function is required to convert the appRoleAssignments object into a single role name string. The best practice is to ensure only one appRoleAssignment is assigned to one user at a time. This function is not supported in scenarios where users have multiple app role assignments.
10531053

10541054
**Parameters:**
10551055

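Review bot: the new sentence "This function is not supported in scenarios where users have multiple app role assignments" drops the one piece of information the old text gave, namely what happens when a user does have several assignments (the old wording said the returned role string is unpredictable). Since the single role name string this function produces is what gets provisioned to the application, readers need to know whether provisioning fails, exports an arbitrary one of the roles, or exports nothing. Keep a behavior statement next to the support statement, for example "If a user has multiple appRoleAssignments, the function isn't supported and the role returned isn't guaranteed; assign one app role per user."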
articles/active-directory/external-identities/google-federation.md

Lines changed: 4 additions & 1 deletion
@@ -7,7 +7,7 @@ services: active-directory
77
ms.service: active-directory
88
ms.subservice: B2B
99
ms.topic: how-to
10-
ms.date: 02/24/2022
10+
ms.date: 03/02/2022
1111

1212
ms.author: mimart
1313
author: msmimart
@@ -184,6 +184,9 @@ First, create a new project in the Google Developers Console to obtain a client
184184

185185
1. You can leave your project at a publishing status of **Testing** and add test users to the OAuth consent screen. Or you can select the **Publish app** button on the OAuth consent screen to make the app available to any user with a Google Account.
186186

187+
> [!NOTE]
188+
> In some cases, your app might require verification by Google (for example, if you update the application logo). For more information, see Google's [verification status help](https://support.google.com/cloud/answer/10311615#verification-status).
189+
187190
## Step 2: Configure Google federation in Azure AD
188191

189192
You'll now set the Google client ID and client secret. You can use the Azure portal or PowerShell to do so. Be sure to test your Google federation configuration by inviting yourself. Use a Gmail address and try to redeem the invitation with your invited Google account.

articles/active-directory/external-identities/invite-internal-users.md

Lines changed: 27 additions & 7 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: B2B
88
ms.topic: how-to
9-
ms.date: 09/10/2021
9+
ms.date: 03/02/2022
1010

1111
ms.author: mimart
1212
author: msmimart
@@ -37,15 +37,35 @@ Sending an invitation to an existing internal account lets you retain that user
3737
> In Azure AD Connect sync, there’s a default rule that writes the [onPremisesUserPrincipalName attribute](../hybrid/reference-connect-sync-attributes-synchronized.md#notes) to the user object. Because the presence of this attribute can prevent a user from signing in using external credentials, we block internal-to-external conversions for user objects with this attribute. If you’re using Azure AD Connect and you want to be able to invite internal users to B2B collaboration, you'll need to [modify the default rule](../hybrid/how-to-connect-sync-change-the-configuration.md) so the onPremisesUserPrincipalName attribute isn’t written to the user object.
3838
## How to invite internal users to B2B collaboration
3939

40-
You can use PowerShell or the invitation API to send a B2B invitation to the internal user. Make sure the email address you want to use for the invitation is set as the external email address on the internal user object.
40+
You can use the Azure portal, PowerShell, or the invitation API to send a B2B invitation to the internal user. Some things to note:
4141

42-
- You must use the the email address in the User.Mail property for the invitation.
43-
- The domain in the user’s Mail property must match the account they’re using to sign in. Otherwise, some services such as Teams won't be able to authenticate the user.
42+
- Before you invite the user, make sure the `User.Mail` property of the internal user object (the user's **Email** property in the Azure portal) is set to the external email address they'll use for B2B collaboration.
4443

45-
By default, the invitation will send the user an email letting them know they’ve been invited, but you can suppress this email and send your own instead.
44+
- When you invite the user, an invitation is sent to the user via email. If you're using PowerShell or the invitation API, you can suppress this email by setting `SendInvitationMessage` to `False`. Then you can notify the user in another way. [Learn more about the invitation API](customize-invitation-api.md).
4645

47-
> [!NOTE]
48-
> To send your own email or other communication, you can use `New-AzureADMSInvitation` with `-SendInvitationMessage:$false` to invite users silently, and then send your own email message to the converted user. See [Azure AD B2B collaboration API and customization](customize-invitation-api.md).
46+
- When the user redeems the invitation, the account they're using must match the domain in the `User.Mail` property. Otherwise, some services, such as Teams, won't be able to authenticate the user.
47+
48+
## Use the Azure portal to send a B2B invitation
49+
50+
1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or User administrator account for the directory.
51+
1. Select the **Azure Active Directory** service.
52+
1. Select **Users**.
53+
1. Find the user in the list or use the search box. Then select the user.
54+
1. On the user's profile page, in the **Identity** section, select **Manage B2B collaboration**.
55+
56+
![Screenshot of the user profile](media/invite-internal-users/manage-b2b-collaboration-link.png)
57+
58+
> [!NOTE]
59+
> If you see **Invitation accepted** instead of **Manage B2B collaboration**, the user has already been invited to use external credentials for B2B collaboration.
60+
61+
1. Next to **Invite internal user to B2B collaboration?** select **Yes**, and then select **Done**.
62+
63+
![Screenshot showing the invite internal user radio button](media/invite-internal-users/invite-internal-user-selector.png)
64+
65+
> [!NOTE]
66+
> If the option is unavailable, make sure the user's **Email** property is set to the external email address they should use for B2B collaboration.
67+
68+
1. A confirmation message appears and an invitation is sent to the user via email. The user is then able to redeem the invitation using their external credentials.
4969

5070
## Use PowerShell to send a B2B invitation
5171

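Review bot: the removed NOTE (old lines 47-48) was the only place the concrete cmdlet appeared, `New-AzureADMSInvitation` with `-SendInvitationMessage:$false`; the replacement bullet on line 44 only says "setting `SendInvitationMessage` to `False`", which is not the exact PowerShell syntax. Make sure the "## Use PowerShell to send a B2B invitation" section that follows still shows the `-SendInvitationMessage:$false` form, otherwise readers lose the working example. In the new portal procedure, step 1 lists "Global administrator or User administrator"; since the text says either works, listing the less-privileged User administrator role first would nudge readers toward it.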

articles/active-directory/manage-apps/f5-aad-integration.md

Lines changed: 4 additions & 4 deletions
@@ -24,7 +24,7 @@ SHA addresses this blind spot by enabling organizations to continue using their
2424

2525
Having Azure AD pre-authenticate access to BIG-IP published services provides many benefits:
2626

27-
- Password-less authentication through [Windows Hello](/windows/security/identity-protection/hello-for-business/hello-overview), [MS Authenticator](https://support.microsoft.com/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a), [Fast Identity Online (FIDO) keys](../authentication/howto-authentication-passwordless-security-key.md), and [Certificate-based authentication](../authentication/active-directory-certificate-based-authentication-get-started.md)
27+
- Password-less authentication through [Windows Hello](/windows/security/identity-protection/hello-for-business/hello-overview), [MS Authenticator](https://support.microsoft.com/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a), [Fast Identity Online (FIDO) keys](../authentication/howto-authentication-passwordless-security-key.md), and [Certificate-based authentication](../authentication/concept-certificate-based-authentication.md)
2828

2929
- Preemptive [Conditional Access](../conditional-access/overview.md) and [Azure AD Multi-Factor Authentication (MFA)](../authentication/concept-mfa-howitworks.md)
3030

@@ -174,13 +174,13 @@ Azure AD B2B guest access to SHA protected applications is also possible, but so
174174

175175
## Next steps
176176

177-
Consider running an SHA Proof of concept (POC) using your existing BIG-IP infrastructure, or by [Deploying a BIG-IP Virtual Edition (VE) VM into Azure](f5-bigip-deployment-guide.md) takes approximately 30 minutes, at which point you'll have:
177+
Consider running a SHA Proof of concept (POC) using your existing BIG-IP infrastructure, or by [Deploying a BIG-IP Virtual Edition (VE) VM into Azure](f5-bigip-deployment-guide.md). Deploying a VM in Azure takes approximately 30 minutes, at which point you'll have:
178178

179-
- A fully secured platform to model a SHA proof of concept
179+
- A fully secured platform to model a SHA pilot
180180

181181
- A pre-production instance for testing new BIG-IP system updates and hotfixes
182182

183-
At the same time, you should identify one or two applications that can be published via the BIG-IP and protected with SHA.
183+
You should should also identify one or two applications that can be published via the BIG-IP and protected with SHA.
184184

185185
Our recommendation is to start with an application that isn’t yet published via a BIG-IP, so as to avoid potential disruption to production services. The guidelines mentioned in this article will help you get acquainted with the general procedure for creating the various BIG-IP configuration objects and setting up SHA. Once complete you should be able to do the same with any other new services, plus also have enough knowledge to convert existing BIG-IP published services over to SHA with minimal effort.
186186

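Review bot: line 183 introduces a doubled word, "You should should also identify". The terminology also drifts within the hunk: line 177 still says "SHA Proof of concept (POC)" while line 179 was changed from "proof of concept" to "pilot"; pick one term and use it in both places (the article change to "a SHA" on line 177 is at least consistent with "a SHA pilot" on 179).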