Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into adDiskGA

Author: roygara

articles/active-directory-b2c/partner-akamai-secure-hybrid-access.md

@@ -40,7 +40,7 @@ To get started, you'll need:
 
 - An application that uses headers for authentication. In this sample, we'll use an application that displays headers [docker header-demo-app](https://hub.docker.com/r/mistermik/header-demo-app).
 
-- **OR** an OpenID Connect (OIDC) application. In this sample, we'll use an [ASP.NET MVC web app](https://learn.microsoft.com/azure/active-directory/develop/tutorial-v2-asp-webapp) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.
+- **OR** an OpenID Connect (OIDC) application. In this sample, we'll use an [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.
 
 ## Scenario description
 
@@ -111,9 +111,9 @@ Akamai Enterprise Application Access supports SAML federation with cloud IdPs li
 
 2. Create a signing certificate for Azure AD B2C to sign the SAML response sent to Akamai Enterprise Application Access:
 
-   a. [**Obtain a certificate**](https://learn.microsoft.com/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy#obtain-a-certificate). If you don't already have a certificate, you can use a self-signed certificate.
+   a. [**Obtain a certificate**](saml-service-provider.md?tabs=windows&pivots=b2c-custom-policy#obtain-a-certificate). If you don't already have a certificate, you can use a self-signed certificate.
 
-   b. [**Upload the certificate**](https://learn.microsoft.com/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy#upload-the-certificate) in your Azure AD B2C tenant. Take note of the name as it will be needed in the `TechnicalProfile` mentioned in the next steps.
+   b. [**Upload the certificate**](./saml-service-provider.md?tabs=windows&pivots=b2c-custom-policy#upload-the-certificate) in your Azure AD B2C tenant. Take note of the name as it will be needed in the `TechnicalProfile` mentioned in the next steps.
 
 3. Enable your policy to connect with a SAML application.
 
@@ -398,7 +398,7 @@ Once the Application is deployed in a private environment and a connector is cap
 
 #### Option 2: OpenID Connect
 
-In this sample, we'll use a [ASP.NET MVC web app](https://learn.microsoft.com/azure/active-directory/develop/tutorial-v2-asp-webapp) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.
+In this sample, we'll use a [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.
 
 1. Configure the OIDC to SAML bridging in the **AZURE AD B2C SAML IdP** created with the previous steps.
 
@@ -422,7 +422,7 @@ In this sample, we'll use a [ASP.NET MVC web app](https://learn.microsoft.com/az
 
    [ ![Screenshot shows the akamai oidc app claim settings.](./media/partner-akamai-secure-hybrid-access/akamai-oidc-claims-settings.png)](./media/partner-akamai-secure-hybrid-access/akamai-oidc-claims-settings.png#lightbox)
 
-7. Replace startup class with the following code in the [ASP.NET MVC web app](https://learn.microsoft.com/azure/active-directory/develop/tutorial-v2-asp-webapp).
+7. Replace startup class with the following code in the [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md).
 
    These few changes configure the Authorization code flow grant, the authorization code will be redeemed for tokens at the token endpoint for the application, and it introduces the Metadata Address to set the discovery endpoint for obtaining metadata from Akamai.
 
@@ -496,7 +496,7 @@ In this sample, we'll use a [ASP.NET MVC web app](https://learn.microsoft.com/az
 
 8. In the `web.config` file add the Metadata address, replace clientId, clientsecret, authority, redirectUri and PostLogoutRedirectUri with the values from the Akamai application in `appSettings`.
 
-   You can find these values in the previous step 5 in the  OpenID tab for the HTTP Akamai Application, where you created `Discovery URL=MetadataAddress`. `redirectUri` is the local address for the Akamai connector to resolve to the local OIDC application. `Authority` is the authorization_endpoint you can find from your `.well-known/openid-configuration` [document](https://learn.microsoft.com/azure/active-directory/develop/v2-protocols-oidc).
+   You can find these values in the previous step 5 in the  OpenID tab for the HTTP Akamai Application, where you created `Discovery URL=MetadataAddress`. `redirectUri` is the local address for the Akamai connector to resolve to the local OIDC application. `Authority` is the authorization_endpoint you can find from your `.well-known/openid-configuration` [document](../active-directory/develop/v2-protocols-oidc.md).
 
    Discovery URL: `https://fabrikam.login.go.akamai-access.com/.well-known/openid-configuration`
 
@@ -532,8 +532,8 @@ In this sample, we'll use a [ASP.NET MVC web app](https://learn.microsoft.com/az
 
 - [Akamai Enterprise Application Access getting started documentation](https://techdocs.akamai.com/eaa/docs/welcome-guide)
 
-- [Custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview)
+- [Custom policies in Azure AD B2C](custom-policy-overview.md)
 
-- [Get started with custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started?tabs=applications)
+- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
 
-- [Register a SAML application in Azure AD B2C](https://learn.microsoft.com/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy)
+- [Register a SAML application in Azure AD B2C](saml-service-provider.md?tabs=windows&pivots=b2c-custom-policy)

articles/active-directory/conditional-access/terms-of-use.md

@@ -413,7 +413,7 @@ A: You can [review previously accepted terms of use policies](#how-users-can-rev
 A: If you've configured both Azure AD terms of use and [Intune terms and conditions](/intune/terms-and-conditions-create), the user will be required to accept both. For more information, see the [Choosing the right Terms solution for your organization blog post](https://go.microsoft.com/fwlink/?linkid=2010506&clcid=0x409).
 
 **Q: What endpoints does the terms of use service use for authentication?**<br />
-A: Terms of use utilize the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com and https://account.activedirectory.windowsazure.com. If your organization has an allowlist of URLs for enrollment, you'll need to add these endpoints to your allowlist, along with the Azure AD endpoints for sign-in.
+A: Terms of use utilize the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com, https://myaccount.microsoft.com and https://account.activedirectory.windowsazure.com. If your organization has an allowlist of URLs for enrollment, you'll need to add these endpoints to your allowlist, along with the Azure AD endpoints for sign-in.
 
 ## Next steps
 

articles/active-directory/develop/msal-net-token-cache-serialization.md

@@ -548,149 +548,7 @@ A product-quality, file-based token cache serializer for public client applicati
 
 #### Dual token cache serialization (MSAL unified cache and ADAL v3)
 
-If you want to implement token cache serialization with the unified cache format (common to ADAL.NET 4.x, MSAL.NET 2.x, and other MSALs of the same generation or older, on the same platform), take a look at the following code:
-
-```csharp
-string appLocation = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location;
-string cacheFolder = Path.GetFullPath(appLocation) + @"..\..\..\..");
-string adalV3cacheFileName = Path.Combine(cacheFolder, "cacheAdalV3.bin");
-string unifiedCacheFileName = Path.Combine(cacheFolder, "unifiedCache.bin");
-
-IPublicClientApplication app;
-app = PublicClientApplicationBuilder.Create(clientId)
-                                    .Build();
-FilesBasedTokenCacheHelper.EnableSerialization(app.UserTokenCache,
-                                               unifiedCacheFileName,
-                                               adalV3cacheFileName);
-
-```
-
-This time, the helper class is defined as:
-
-```csharp
-using System;
-using System.IO;
-using System.Security.Cryptography;
-using Microsoft.Identity.Client;
-
-namespace CommonCacheMsalV3
-{
- /// <summary>
- /// Simple persistent cache implementation of the dual cache serialization (ADAL v3 legacy
- /// and unified cache format) for a desktop applications (from MSAL 2.x)
- /// </summary>
- static class FilesBasedTokenCacheHelper
- {
-  /// <summary>
-  /// Enables the serialization of the token cache
-  /// </summary>
-  /// <param name="adalV3CacheFileName">File name where the cache is serialized with the
-  /// ADAL v3 token cache format. Can
-  /// be <c>null</c> if you don't want to implement the legacy ADAL v3 token cache
-  /// serialization in your MSAL 2.x+ application</param>
-  /// <param name="unifiedCacheFileName">File name where the cache is serialized
-  /// with the unified cache format, common to
-  /// ADAL v4 and MSAL v2 and later, and also across ADAL/MSAL on the same platform.
-  ///  Should not be <c>null</c></param>
-  /// <returns></returns>
-  public static void EnableSerialization(ITokenCache tokenCache, string unifiedCacheFileName, string adalV3CacheFileName)
-  {
-   UnifiedCacheFileName = unifiedCacheFileName;
-   AdalV3CacheFileName = adalV3CacheFileName;
-
-   tokenCache.SetBeforeAccess(BeforeAccessNotification);
-   tokenCache.SetAfterAccess(AfterAccessNotification);
-  }
-
-  /// <summary>
-  /// File path where the token cache is serialized with the unified cache format
-  /// (ADAL.NET v4, MSAL.NET v3)
-  /// </summary>
-  public static string UnifiedCacheFileName { get; private set; }
-
-  /// <summary>
-  /// File path where the token cache is serialized with the legacy ADAL v3 format
-  /// </summary>
-  public static string AdalV3CacheFileName { get; private set; }
-
-  private static readonly object FileLock = new object();
-
-  public static void BeforeAccessNotification(TokenCacheNotificationArgs args)
-  {
-   lock (FileLock)
-   {
-    args.TokenCache.DeserializeAdalV3(ReadFromFileIfExists(AdalV3CacheFileName));
-    try
-    {
-     args.TokenCache.DeserializeMsalV3(ReadFromFileIfExists(UnifiedCacheFileName));
-    }
-    catch(Exception ex)
-    {
-     // Compatibility with the MSAL v2 cache if you used one
-     args.TokenCache.DeserializeMsalV2(ReadFromFileIfExists(UnifiedCacheFileName));
-    }
-   }
-  }
-
-  public static void AfterAccessNotification(TokenCacheNotificationArgs args)
-  {
-   // if the access operation resulted in a cache update
-   if (args.HasStateChanged)
-   {
-    lock (FileLock)
-    {
-     WriteToFileIfNotNull(UnifiedCacheFileName, args.TokenCache.SerializeMsalV3());
-     if (!string.IsNullOrWhiteSpace(AdalV3CacheFileName))
-     {
-      WriteToFileIfNotNull(AdalV3CacheFileName, args.TokenCache.SerializeAdalV3());
-     }
-    }
-   }
-  }
-
-  /// <summary>
-  /// Read the content of a file if it exists
-  /// </summary>
-  /// <param name="path">File path</param>
-  /// <returns>Content of the file (in bytes)</returns>
-  private static byte[] ReadFromFileIfExists(string path)
-  {
-   byte[] protectedBytes = (!string.IsNullOrEmpty(path) && File.Exists(path))
-       ? File.ReadAllBytes(path) : null;
-   byte[] unprotectedBytes = encrypt ?
-       ((protectedBytes != null) ? ProtectedData.Unprotect(protectedBytes, null, DataProtectionScope.CurrentUser) : null)
-       : protectedBytes;
-   return unprotectedBytes;
-  }
-
-  /// <summary>
-  /// Writes a blob of bytes to a file. If the blob is <c>null</c>, deletes the file
-  /// </summary>
-  /// <param name="path">path to the file to write</param>
-  /// <param name="blob">Blob of bytes to write</param>
-  private static void WriteToFileIfNotNull(string path, byte[] blob)
-  {
-   if (blob != null)
-   {
-    byte[] protectedBytes = encrypt
-      ? ProtectedData.Protect(blob, null, DataProtectionScope.CurrentUser)
-      : blob;
-    File.WriteAllBytes(path, protectedBytes);
-   }
-   else
-   {
-    File.Delete(path);
-   }
-  }
-
-  // Change if you want to test with an unencrypted blob (this is a JSON format)
-  private static bool encrypt = true;
- }
-}
-```
-
-For more details see the sample: https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2/tree/master/TokenCacheMigration/ADAL2MSAL
-
+If you want to implement token cache serialization with the unified cache format (common to ADAL.NET 4.x, MSAL.NET 2.x, and other MSALs of the same generation or older, on the same platform), take a look at the following sample: https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2/tree/master/TokenCacheMigration/ADAL2MSAL.
 
 ---
 

articles/active-directory/governance/lifecycle-workflow-tasks.md

@@ -309,7 +309,7 @@ For Microsoft Graph the parameters for the **Run a Custom Task Extension** task
 
 ```Example for usage within the workflow
 {
-             "category": "joiner,leaver",
+            "category": "joiner,leaver",
             "description": "Run a Custom Task Extension to call-out to an external system.",
             "displayName": "Run a Custom Task Extension",
             "isEnabled": true,
@@ -318,7 +318,7 @@ For Microsoft Graph the parameters for the **Run a Custom Task Extension** task
             "arguments": [
                 {
                     "name": "customTaskExtensionID",
-                    "value": ""<ID of your Custom Task Extension>""
+                    "value": "<ID of your Custom Task Extension>"
                 }
             ]
 }

articles/active-directory/hybrid/how-to-connect-import-export-config.md

@@ -22,6 +22,9 @@ Each time the configuration is changed from the Azure AD Connect wizard, a new t
 > [!IMPORTANT]
 > Only changes made by Azure AD Connect are automatically exported. Any changes made by using PowerShell, the Synchronization Service Manager, or the Synchronization Rules Editor must be exported on demand as needed to maintain an up-to-date copy. Export on demand can also be used to place a copy of the settings in a secure location for disaster recovery purposes.
 
+>[!NOTE]
+>This feature cannot be used if the AADConnect installation was modified to include the G-SQL connector or the G-LDAP connector.
+
 >[!NOTE]
 > This feature cannot be combined with using an existing ADSync database. The use of import/export configuration and using existing database are mutually exclusive.
 

articles/active-directory/manage-apps/assign-app-owners.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: app-mgmt
 ms.topic: how-to
-ms.date: 12/02/2021
+ms.date: 12/05/2022
 ms.author: saibandaru
 #Customer intent: As an Azure AD administrator, I want to assign owners to enterprise applications.
 

articles/active-directory/manage-apps/overview-assign-app-owners.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: app-mgmt
 ms.topic: conceptual
-ms.date: 02/11/2022
+ms.date: 12/05/2022
 ms.author: saibandaru
 
 #Customer intent: As an Azure AD administrator, I want to learn about enterprise application ownership.
@@ -32,7 +32,11 @@ If you have an ownerless application in your tenant, you can access the audit lo
 
 You may also see other users who have scoped permissions on the application by navigating to “Roles and Administrators” tab. Once you find the right person to own the application, a user with a highly privileged administrative role in the organization can assign the new owner for the application. See [Assign enterprise application owners](assign-app-owners.md).
 
-As a best practice, we recommend proactive monitoring applications in your environment to ensure there are at least two owners, where possible, to avoid the situation of ownerless apps. Additionally, you should utilize the serviceManagementReference property on the application object to reference the team contact information from your enterprise Service or Asset Management Database. The serviceManagementReference property ensures you have team contact even if an individual leaves the organization. 
+As a best practice, we recommend proactive monitoring applications in your environment to ensure there are at least two owners, where possible, to avoid the situation of ownerless apps. Additionally, you should utilize the serviceManagementReference property on the application object to reference the team contact information from your enterprise Service or Asset Management Database. The serviceManagementReference property ensures you have team contact even if an individual leaves the organization.
+
+**How can I find enterprise applications that are ownerless or at risk of being ownerless in my organization?**
+
+To learn how to identify ownerless enterprise apps or those with only one owner using Microsoft Graph API, see [List ownerless applications](/graph/tutorial-applications-basics.md#manage-application-ownership).
 
 **How do you add yourself as an owner of an enterprise application?**