
Commit 72aa1f2

Merge branch 'main' into vtap-public-preview
2 parents a815601 + f8e9008 commit 72aa1f2

2,047 files changed

+16460
-14730
lines changed


articles/active-directory-b2c/analytics-with-application-insights.md

Lines changed: 10 additions & 10 deletions
@@ -9,7 +9,7 @@ manager: CelesteDG
99
ms.service: azure-active-directory
1010
ms.topic: how-to
1111

12-
ms.date: 01/26/2024
12+
ms.date: 04/17/2025
1313
ms.author: kengaderdus
1414
ms.subservice: b2c
1515
zone_pivot_groups: b2c-policy-type
@@ -31,7 +31,7 @@ zone_pivot_groups: b2c-policy-type
3131

3232
::: zone pivot="b2c-custom-policy"
3333

34-
In Azure Active Directory B2C (Azure AD B2C), you can send event data directly to [Application Insights](/azure/azure-monitor/app/app-insights-overview) by using the instrumentation key provided to Azure AD B2C. With an Application Insights technical profile, you can get detailed and customized event logs for your user journeys to:
34+
In Azure Active Directory B2C (Azure AD B2C), you can send event data directly to [Application Insights](/azure/azure-monitor/app/app-insights-overview) by using the connection string provided to Azure AD B2C. With an Application Insights technical profile, you can get detailed and customized event logs for your user journeys to:
3535

3636
- Gain insights on user behavior.
3737
- Troubleshoot your own policies in development or in production.
@@ -42,7 +42,7 @@ In Azure Active Directory B2C (Azure AD B2C), you can send event data directly t
4242

4343
## Overview
4444

45-
To enable custom event logs, add an Application Insights technical profile. In the technical profile, you define the Application Insights instrumentation key, the event name, and the claims to record. To post an event, add the technical profile as an orchestration step in a [user journey](userjourneys.md).
45+
To enable custom event logs, add an Application Insights technical profile. In the technical profile, you define the Application Insights connection string, the event name, and the claims to record. To post an event, add the technical profile as an orchestration step in a [user journey](userjourneys.md).
4646

4747
When you use Application Insights, consider the following:
4848

@@ -57,7 +57,7 @@ When you use Application Insights, consider the following:
5757

5858
## Create an Application Insights resource
5959

60-
When you use Application Insights with Azure AD B2C, all you need to do is create a resource and get the instrumentation key. For information, see [Create an Application Insights resource](/previous-versions/azure/azure-monitor/app/create-new-resource).
60+
When you use Application Insights with Azure AD B2C, all you need to do is create a resource and get the connection string. For information, see [Create an Application Insights resource](/previous-versions/azure/azure-monitor/app/create-new-resource).
6161

6262
1. Sign in to the [Azure portal](https://portal.azure.com/).
6363
1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Microsoft Entra ID tenant from the **Directories + subscriptions** menu.
@@ -67,9 +67,9 @@ When you use Application Insights with Azure AD B2C, all you need to do is creat
6767
1. For **Application Type**, select **ASP.NET web application**.
6868
1. For **Resource Group**, select an existing group or enter a name for a new group.
6969
1. Select **Create**.
70-
1. Open the new Application Insights resource, expand **Essentials**, and copy the instrumentation key.
70+
1. Open the new Application Insights resource, expand **Essentials**, and copy the connection string.
7171

72-
![Screenshot that shows the Instrumentation Key on the Application Insights Overview tab.](./media/analytics-with-application-insights/app-insights.png)
72+
![Screenshot that shows the connection string on the Application Insights Overview tab.](./media/analytics-with-application-insights/app-insights.png)
7373

7474
## Define claims
7575

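Review bot: the alt text in this hunk now says the screenshot shows the connection string, but the image path `./media/analytics-with-application-insights/app-insights.png` is unchanged; confirm the screenshot was actually recaptured, otherwise the alt text describes a value the picture does not show. The step text "expand **Essentials**, and copy the connection string" is consistent with the rest of the change.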
@@ -122,7 +122,7 @@ Technical profiles can be considered functions in the custom policy. These funct
122122

123123
| Technical profile | Task |
124124
| ----------------- | -----|
125-
| AppInsights-Common | The common technical profile with typical configuration. It includes the Application Insights instrumentation key, a collection of claims to record, and developer mode. The other technical profiles include the common technical profile and add more claims, such as the event name. |
125+
| AppInsights-Common | The common technical profile with typical configuration. It includes the Application Insights connection string, a collection of claims to record, and developer mode. The other technical profiles include the common technical profile and add more claims, such as the event name. |
126126
| AppInsights-SignInRequest | Records a **SignInRequest** event with a set of claims when a sign-in request has been received. |
127127
| AppInsights-UserSignUp | Records a **UserSignUp** event when the user triggers the sign-up option in a sign-up or sign-in journey. |
128128
| AppInsights-SignInComplete | Records a **SignInComplete** event upon successful authentication, when a token has been sent to the relying party application. |
@@ -137,8 +137,8 @@ Open the *TrustFrameworkExtensions.xml* file from the starter pack. Add the tech
137137
<DisplayName>Application Insights</DisplayName>
138138
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.Insights.AzureApplicationInsightsProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
139139
<Metadata>
140-
<!-- The ApplicationInsights instrumentation key, which you use for logging the events -->
141-
<Item Key="InstrumentationKey">xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</Item>
140+
<!-- The ApplicationInsights connection string, which you use for logging the events -->
141+
<Item Key="ConnectionString">xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</Item>
142142
<Item Key="DeveloperMode">false</Item>
143143
<Item Key="DisableTelemetry ">false</Item>
144144
</Metadata>
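Review bot: the placeholder in `<Item Key="ConnectionString">xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</Item>` is still GUID-shaped, which is the shape of an instrumentation key, not of a connection string; an Application Insights connection string is a semicolon-separated value of the form `InstrumentationKey=<guid>;IngestionEndpoint=https://...`, so a reader who copies this template and pastes only the GUID will end up with a broken configuration. Suggest a connection-string-shaped placeholder. While this block is being edited, the context line `<Item Key="DisableTelemetry ">false</Item>` carries a trailing space inside the key name; check whether the provider really expects that or whether it is a typo that silently leaves telemetry enabled.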
@@ -181,7 +181,7 @@ Open the *TrustFrameworkExtensions.xml* file from the starter pack. Add the tech
181181
```
182182

183183
> [!IMPORTANT]
184-
> Change the instrumentation key in the `AppInsights-Common` technical profile to the GUID that your Application Insights resource provides.
184+
> Change the connection string in the `AppInsights-Common` technical profile to the GUID that your Application Insights resource provides.
185185
186186
## Add the technical profiles as orchestration steps
187187

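Review bot: the rewritten note is self-contradictory: "Change the connection string ... to the GUID that your Application Insights resource provides" mixes the two concepts this commit is separating, since the GUID is the instrumentation key and the connection string is the longer multi-part value that contains it. Suggest: `> Change the connection string in the \`AppInsights-Common\` technical profile to the one that your Application Insights resource provides.`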
articles/active-directory-b2c/best-practices.md

Lines changed: 1 addition & 1 deletion
@@ -82,7 +82,7 @@ Manage your Azure AD B2C environment.
8282
| Use version control for your custom policies | Consider using GitHub, Azure Repos, or another cloud-based version control system for your Azure AD B2C custom policies. |
8383
| Use the Microsoft Graph API to automate the management of your B2C tenants | Microsoft Graph APIs:<br/>Manage [Identity Experience Framework](/graph/api/resources/trustframeworkpolicy?preserve-view=true&view=graph-rest-beta) (custom policies)<br/>[Keys](/graph/api/resources/trustframeworkkeyset?preserve-view=true&view=graph-rest-beta)<br/>[User Flows](/graph/api/resources/identityuserflow?preserve-view=true&view=graph-rest-beta) |
8484
| Integrate with Azure DevOps | A [CI/CD pipeline](deploy-custom-policies-devops.md) makes moving code between different environments easy and ensures production readiness always. |
85-
| Deploy custom policy | Azure AD B2C relies on caching to deliver performance to your end users. When you deploy a custom policy using whatever method, expect a delay of up to **30 minutes** for your users to see the changes. As a result of this behavior, consider the following practices when you deploy your custom policies: <br> - If you're deploying to a development environment, set the `DeploymentMode` attribute in your custom policy file's `<TrustFrameworkPolicy>` element to `Production`. <br> - Deploy your updated policy files to a production environment when traffic in your app is low. <br> - When you deploy to a production environment to update existing policy files, upload the updated files with new name(s), and then update your app reference to the new name(s). You can then remove the old policy files afterwards.<br> - You can set the `DeploymentMode` to `Development` in a production environment to bypass the caching behavior. However, we don't recommend this practice. If you [Collect Azure AD B2C logs with Application Insights](troubleshoot-with-application-insights.md), all claims sent to and from identity providers are collected, which is a security and performance risk. |
85+
| Deploy custom policy | Azure AD B2C relies on caching to deliver performance to your end users. When you deploy a custom policy using whatever method, expect a delay of up to **30 minutes** for your users to see the changes. As a result of this behavior, consider the following practices when you deploy your custom policies: <br> - If you're deploying to a development environment, set the `DeploymentMode` attribute in your custom policy file's `<TrustFrameworkPolicy>` element to `Production`. <br> - Deploy your updated policy files to a production environment when traffic in your app is low. <br> - When you deploy to a production environment to update existing policy files, upload the updated files with new names, which act as new versions of the policies. Then, update your app references to the new names/versions. You can remove the old policy files afterward or keep them as your last known good configuration for easy rollback.<br> - If you need to deploy to a production environment to update existing policy files without versioning, make the new policy backward compatible with the old policy by following some simple rules. If you need to change a technical profile, claim, or [SubJourney](subjourneys.md), create a new version of it, publish the policy, and wait for 30 minutes for Azure AD B2C caches to pick up the new version. Then, in a subsequent update, make changes to use the new version and perform another policy update. Wait for another 30 minutes, then you can delete the old version of the elements if needed. Ensure all of your business logic is inside SubJourneys.<br> - You can set the `DeploymentMode` to `Development` in a production environment to bypass the caching behavior. However, we don't recommend this practice. If you [Collect Azure AD B2C logs with Application Insights](troubleshoot-with-application-insights.md), all claims sent to and from identity providers are collected, which is a security and performance risk. |
8686
| Deploy app registration updates | When you modify your application registration in your Azure AD B2C tenant, such as updating the application's redirect URI, expect a delay of up to **2 hours (3600s)** for the changes to take effect in the production environment. We recommend that you modify your application registration in your production environment when traffic in your app is low.|
8787
| Integrate with Azure Monitor | [Audit log events](view-audit-logs.md) are only retained for seven days. [Integrate with Azure Monitor](azure-monitor.md) to retain the logs for long-term use, or integrate with third-party security information and event management (SIEM) tools to gain insights into your environment. |
8888
| Setup active alerting and monitoring | [Track user behavior](./analytics-with-application-insights.md) in Azure AD B2C using Application Insights. |
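Review bot: the rewritten row still carries "If you're deploying to a development environment, set the `DeploymentMode` attribute in your custom policy file's `<TrustFrameworkPolicy>` element to `Production`", which conflicts with the last bullet of the same cell, where `Development` is the mode that bypasses caching and is the one discouraged in production; one of the two needs correcting, and the security consequence (all claims exchanged with identity providers end up in Application Insights) should be tied to whichever mode actually triggers it. In the new backward-compatibility bullet, "Ensure all of your business logic is inside SubJourneys" is stated without a reason; either say why it matters for the version-and-wait rollout described just before it, or drop it.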

articles/active-directory-b2c/jwt-issuer-technical-profile.md

Lines changed: 4 additions & 4 deletions
@@ -14,15 +14,15 @@ ms.author: kengaderdus
1414
ms.subservice: b2c
1515

1616

17-
#Customer intent: As a developer implementing custom policies in Azure Active Directory B2C, I want to define a technical profile for a JWT token issuer, so that I can emit a JWT token that is returned to the relying party application during the authentication flow.
17+
#Customer intent: As a developer implementing custom policies in Azure Active Directory B2C, I want to define a technical profile for a JWT issuer, so that I can emit a JWT that is returned to the relying party application during the authentication flow.
1818

1919
---
2020

21-
# Define a technical profile for a JWT token issuer in an Azure Active Directory B2C custom policy
21+
# Define a technical profile for a JWT issuer in an Azure Active Directory B2C custom policy
2222

2323
[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
2424

25-
Azure Active Directory B2C (Azure AD B2C) emits several types of security tokens as it processes each authentication flow. A technical profile for a JWT token issuer emits a JWT token that is returned back to the relying party application. Usually this technical profile is the last orchestration step in the user journey.
25+
Azure Active Directory B2C (Azure AD B2C) emits several types of security tokens as it processes each authentication flow. A technical profile for a JWT issuer emits a JWT that is returned back to the relying party application. Usually this technical profile is the last orchestration step in the user journey.
2626

2727
## Protocol
2828

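Review bot: style: in the rewritten sentence "A technical profile for a JWT issuer emits a JWT that is returned back to the relying party application", "returned back" is redundant; since this line is being touched anyway, make it "returned to the relying party application".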
@@ -73,7 +73,7 @@ The CryptographicKeys element contains the following attributes:
7373

7474
| Attribute | Required | Description |
7575
| --------- | -------- | ----------- |
76-
| issuer_secret | Yes | The X509 certificate (RSA key set) to use to sign the JWT token. This is the `B2C_1A_TokenSigningKeyContainer` key you configure in [Get started with custom policies](tutorial-create-user-flows.md?pivots=b2c-custom-policy). |
76+
| issuer_secret | Yes | The X509 certificate (RSA key set) to use to sign the JWT. This is the `B2C_1A_TokenSigningKeyContainer` key you configure in [Get started with custom policies](tutorial-create-user-flows.md?pivots=b2c-custom-policy). |
7777
| issuer_refresh_token_key | Yes | The X509 certificate (RSA key set) to use to encrypt the refresh token. You configured the `B2C_1A_TokenEncryptionKeyContainer` key in [Get started with custom policies](tutorial-create-user-flows.md?pivots=b2c-custom-policy) |
7878

7979
## Session management

articles/active-directory-b2c/microsoft-graph-operations.md

Lines changed: 5 additions & 5 deletions
@@ -6,7 +6,7 @@ author: kengaderdus
66
manager: CelesteDG
77
ms.service: azure-active-directory
88
ms.topic: how-to
9-
ms.date: 02/19/2025
9+
ms.date: 04/18/2025
1010
ms.author: kengaderdus
1111
ms.subservice: b2c
1212

@@ -139,9 +139,9 @@ The top-level resource for policy keys in the Microsoft Graph API is the [Truste
139139
## Applications
140140

141141
- [List applications](/graph/api/application-list)
142-
- [Create an application](/graph/api/resources/application)
142+
- [Create an application](/graph/api/application-post-applications)
143143
- [Update application](/graph/api/application-update)
144-
- [Create servicePrincipal](/graph/api/resources/serviceprincipal)
144+
- [Create servicePrincipal](/graph/api/serviceprincipal-post-serviceprincipals)
145145
- [Create oauth2Permission Grant](/graph/api/resources/oauth2permissiongrant)
146146
- [Delete application](/graph/api/application-delete)
147147

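Review bot: the two edited links now point at the create operations, but the adjacent context line `- [Create oauth2Permission Grant](/graph/api/resources/oauth2permissiongrant)` still links to the resource page rather than the create operation; update it the same way (the Graph reference has a dedicated create page for oAuth2PermissionGrant, e.g. `/graph/api/oauth2permissiongrant-post`) so the list is consistent.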
@@ -195,7 +195,7 @@ For more information about accessing Azure AD B2C audit logs, see [Accessing Azu
195195
- [List the built-in templates for Conditional Access policy scenarios](/graph/api/conditionalaccessroot-list-templates)
196196
- [List all of the Conditional Access policies](/graph/api/conditionalaccessroot-list-policies)
197197
- [Read properties and relationships of a Conditional Access policy](/graph/api/conditionalaccesspolicy-get)
198-
- [Create a new Conditional Access policy](/graph/api/resources/application)
198+
- [Create a new Conditional Access policy](/graph/api/conditionalaccessroot-post-policies)
199199
- [Update a Conditional Access policy](/graph/api/conditionalaccesspolicy-update)
200200
- [Delete a Conditional Access policy](/graph/api/conditionalaccesspolicy-delete)
201201

@@ -225,4 +225,4 @@ You can manage Microsoft Graph in two ways:
225225
<!-- LINK -->
226226

227227
[graph-objectIdentity]: /graph/api/resources/objectidentity
228-
[graph-user]: /graph/api/resources/user
228+
[graph-user]: /graph/api/resources/user

articles/active-directory-b2c/partner-ping-identity.md

Lines changed: 1 addition & 1 deletion
@@ -95,7 +95,7 @@ You can use basic user flows or advanced Identity Enterprise Framework (IEF) pol
9595

9696
![Screenshot of the subject sub claim URL on the Token compatibility dialog.](./media/partner-ping/token-setting.png)
9797

98-
In the advanced policies, configuration includes the IssuanceClaimPattern metadata element to AuthorityWithTfp value in the [JWT token issuer technical profile](./jwt-issuer-technical-profile.md).
98+
In the advanced policies, configuration includes the IssuanceClaimPattern metadata element to AuthorityWithTfp value in the [JWT issuer technical profile](./jwt-issuer-technical-profile.md).
9999

100100
## Configure PingAccess and PingFederate
101101

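Review bot: grammar: "configuration includes the IssuanceClaimPattern metadata element to AuthorityWithTfp value" does not parse; suggest "In the advanced policies, set the `IssuanceClaimPattern` metadata item to `AuthorityWithTfp` in the [JWT issuer technical profile](./jwt-issuer-technical-profile.md)." The hunk header also shows "advanced Identity Enterprise Framework (IEF) policies"; the framework is the Identity Experience Framework (best-practices.md in this same commit uses the correct name).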
articles/active-directory-b2c/relyingparty.md

Lines changed: 5 additions & 5 deletions
@@ -8,7 +8,7 @@ manager: CelesteDG
88
ms.service: azure-active-directory
99

1010
ms.topic: reference
11-
ms.date: 03/21/2025
11+
ms.date: 04/17/2025
1212
ms.author: kengaderdus
1313
ms.subservice: b2c
1414

@@ -46,7 +46,7 @@ The following example shows a **RelyingParty** element in the *B2C_1A_signup_sig
4646
<SingleSignOn Scope="Tenant" KeepAliveInDays="7"/>
4747
<SessionExpiryType>Rolling</SessionExpiryType>
4848
<SessionExpiryInSeconds>900</SessionExpiryInSeconds>
49-
<JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="your-application-insights-key" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
49+
<JourneyInsights TelemetryEngine="ApplicationInsights" ConnectionString="your-application-insights-connection-string" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
5050
<ContentDefinitionParameters>
5151
<Parameter Name="campaignId">{OAUTH-KV:campaignId}</Parameter>
5252
</ContentDefinitionParameters>
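Review bot: the updated sample `<JourneyInsights ... ConnectionString="your-application-insights-connection-string" DeveloperMode="true" .../>` keeps `DeveloperMode="true"`, while the attribute table further down this file says that setting collects all claims sent to and from the identity providers and must not be used in production. Since this is the reference sample people copy, set it to `false` here or annotate the line; the rename to `ConnectionString` itself looks right and matches the attribute table change in the same commit.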
@@ -143,7 +143,7 @@ The **UserJourneyBehaviors** element contains the following elements:
143143
| SingleSignOn | 0:1 | The scope of the single sign-on (SSO) session behavior of a user journey. |
144144
| SessionExpiryType |0:1 | The authentication behavior of the session. Possible values: `Rolling` or `Absolute`. The `Rolling` value (default) indicates that the user remains signed in as long as the user is continually active in the application. The `Absolute` value indicates that the user is forced to reauthenticate after the time period specified by application session lifetime. |
145145
| SessionExpiryInSeconds | 0:1 | The lifetime of Azure AD B2C's session cookie specified as an integer stored on the user's browser upon successful authentication. The default is 86,400 seconds (24 hours). The minimum is 900 seconds (15 minutes). The maximum is 86,400 seconds (24 hours). |
146-
| JourneyInsights | 0:1 | The Azure Application Insights instrumentation key to be used. |
146+
| JourneyInsights | 0:1 | The Azure Application Insights connection string to be used. |
147147
| ContentDefinitionParameters | 0:1 | The list of key value pairs to be appended to the content definition load URI. |
148148
| JourneyFraming | 0:1| Allows the user interface of this policy to be loaded in an iframe. |
149149
| ScriptExecution| 0:1| The supported [JavaScript](javascript-and-page-layout.md) execution modes. Possible values: `Allow` or `Disallow` (default).
@@ -168,7 +168,7 @@ The **JourneyInsights** element contains the following attributes:
168168
| Attribute | Required | Description |
169169
| --------- | -------- | ----------- |
170170
| TelemetryEngine | Yes | The value must be `ApplicationInsights`. |
171-
| InstrumentationKey | Yes | The string that contains the instrumentation key for the application insights element. |
171+
| ConnectionString | Yes | The string that contains the connection string for the application insights element. |
172172
| DeveloperMode | Yes | Possible values: `true` or `false`. If `true`, Application Insights expedites the telemetry through the processing pipeline. This setting is good for development, but constrained at high volumes. The detailed activity logs are designed only to aid in development of custom policies. Do not use development mode in production. Logs collect all claims sent to and from the identity providers during development. If used in production, the developer assumes responsibility for personal data collected in the App Insights log that they own. These detailed logs are only collected when this value is set to `true`.|
173173
| ClientEnabled | Yes | Possible values: `true` or `false`. If `true`, sends the Application Insights client-side script for tracking page view and client-side errors. |
174174
| ServerEnabled | Yes | Possible values: `true` or `false`. If `true`, sends the existing UserJourneyRecorder JSON as a custom event to Application Insights. |
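Review bot: `| ConnectionString | Yes | The string that contains the connection string for the application insights element. |` is circular; say what the value is, e.g. "The Application Insights connection string of the resource to log to (`InstrumentationKey=<guid>;IngestionEndpoint=<url>`)." More importantly, this row replaces `InstrumentationKey` as a required attribute, but nothing in the file says whether existing policies that still specify `InstrumentationKey` keep working or must be migrated; a reader upgrading a production policy needs that stated here.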
@@ -343,4 +343,4 @@ The following example shows how to define a SAML relying party. The subject name
343343
<SubjectNamingInfo ClaimType="sub" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
344344
</TechnicalProfile>
345345
</RelyingParty>
346-
```
346+
```
