MicrosoftDocs
diff --git a/‎.openpublishing.publish.config.json
Lines changed: 7 additions & 1 deletion b/‎.openpublishing.publish.config.json
Lines changed: 7 additions & 1 deletion
diff --git a/‎.openpublishing.redirection.json
Lines changed: 37 additions & 17 deletions b/‎.openpublishing.redirection.json
Lines changed: 37 additions & 17 deletions
diff --git a/‎articles/active-directory/authentication/concept-authentication-passwordless.md
Lines changed: 2 additions & 1 deletion b/‎articles/active-directory/authentication/concept-authentication-passwordless.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎articles/active-directory/develop/includes/remind-not-to-relay-token-nonaud.md
Lines changed: 25 additions & 0 deletions b/‎articles/active-directory/develop/includes/remind-not-to-relay-token-nonaud.md
Lines changed: 25 additions & 0 deletions
diff --git a/‎articles/active-directory/develop/publisher-verification-overview.md
Lines changed: 4 additions & 0 deletions b/‎articles/active-directory/develop/publisher-verification-overview.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎articles/active-directory/develop/sample-v2-code.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/develop/sample-v2-code.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/develop/scenario-daemon-app-configuration.md
Lines changed: 36 additions & 2 deletions b/‎articles/active-directory/develop/scenario-daemon-app-configuration.md
Lines changed: 36 additions & 2 deletions
diff --git a/‎articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/active-directory/fundamentals/service-accounts-governing-azure.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/fundamentals/service-accounts-governing-azure.md
Lines changed: 1 addition & 1 deletion
@@ -800,7 +800,13 @@
       "url": "https://github.com/Azure-Samples/msdocs-python-django-webapp-quickstart",
       "branch": "main",
       "branch_mapping": {}
-    }    
+    },
+    {
+      "path_to_root": "msdocs-nodejs-mongodb-azure-sample-app",
+      "url": "https://github.com/Azure-Samples/msdocs-nodejs-mongodb-azure-sample-app",
+      "branch": "main",
+      "branch_mapping": {}
+    }     
   ],
   "branch_target_mapping": {
     "live": [
 
@@ -2518,6 +2518,11 @@
       "redirect_url": "/azure/machine-learning/how-to-configure-auto-train#troubleshooting",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/machine-learning/how-to-compute-cluster-instance-os-upgrade.md",
+      "redirect_url": "/azure/machine-learning/concept-vulnerability-management",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/machine-learning/how-to-deploy-custom-docker-image.md",
       "redirect_url": "/azure/machine-learning/how-to-deploy-custom-container",
@@ -13474,7 +13479,7 @@
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-excel.md",
-      "redirect_url": "/connectors/excelonlinebusiness/",
+      "redirect_url": "/connectors/excelonlinebusiness",
       "redirect_document_id": false
     },
     {
@@ -31327,11 +31332,6 @@
       "redirect_url": "https://azure.microsoft.com/updates/cleardb-removal-from-the-azure-marketplace/",
       "redirect_document_id": false
     },
-    {
-      "source_path_from_root": "/articles/connectors/connectors-create-api-box",
-      "redirect_url": "/connectors/box/",
-      "redirect_document_id": true
-    },
     {
       "source_path_from_root": "/articles/logic-apps/logic-apps-custom-connector-register.md",
       "redirect_url": "/connectors/custom-connectors",
@@ -31372,15 +31372,20 @@
       "redirect_url": "/connectors/custom-connectors/submit-certification",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/connectors/connectors-create-api-box",
+      "redirect_url": "/connectors/box/",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-dropbox",
       "redirect_url": "/connectors/dropbox/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-facebook",
       "redirect_url": "/connectors/facebook/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-googledrive.md",
@@ -31390,47 +31395,47 @@
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-mailchimp",
       "redirect_url": "/connectors/mailchimp/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-microsofttranslator",
       "redirect_url": "/connectors/microsofttranslator/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-office365-users",
       "redirect_url": "/connectors/office365users/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-office365-video",
       "redirect_url": "/connectors/office365video/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-projectonline",
       "redirect_url": "/connectors/projectonline/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-rss",
       "redirect_url": "/connectors/rss/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-trello",
       "redirect_url": "/connectors/trello/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-twitter",
       "redirect_url": "/connectors/twitter/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-yammer",
       "redirect_url": "/connectors/yammer/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/connectors/connectors-create-api-wunderlist.md",
@@ -40767,6 +40772,21 @@
       "redirect_url": "/azure/aks/",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/aks/open-service-mesh-ip-port-exclusion.md",
+      "redirect_url": "/azure/aks/open-service-mesh-about",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/aks/open-service-mesh-deploy-new-application.md",
+      "redirect_url": "/azure/aks/open-service-mesh-about",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/aks/open-service-mesh-deploy-existing-application.md",
+      "redirect_url": "/azure/aks/open-service-mesh-about",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/azure-monitor/platform/alerts-metric-create-templates.md",
       "redirect_url": "/azure/azure-monitor/alerts/alerts-metric-create-templates",
 
@@ -122,8 +122,9 @@ The following providers offer FIDO2 security keys of different form factors that
 | IDmelon Technologies Inc. | ![y]              | ![y]| ![y]| ![y]| ![n]           | https://www.idmelon.com/#idmelon                                                                    |
 | Kensington                | ![y]              | ![y]| ![n]| ![n]| ![n]           | https://www.kensington.com/solutions/product-category/why-biometrics/                               |
 | KONA I                    | ![y]              | ![n]| ![y]| ![y]| ![n]           | https://konai.com/business/security/fido                                                            |
-| NEOWAVE                   | ![n]              | ![y]| ![y]| ![n]| ![n]           | https://neowave.fr/en/products/fido-range/                                                          |
+| NeoWave                   | ![n]              | ![y]| ![y]| ![n]| ![n]           | https://neowave.fr/en/products/fido-range/                                                          |
 | Nymi                      | ![y]              | ![n]| ![y]| ![n]| ![n]           | https://www.nymi.com/nymi-band                                                                      | 
+| Octatco                   | ![y]              | ![y]| ![n]| ![n]| ![n]           | https://octatco.com/                                                                                |
 | OneSpan Inc.              | ![n]              | ![y]| ![n]| ![y]| ![n]           | https://www.onespan.com/products/fido                                                               |
 | Thales Group              | ![n]              | ![y]| ![y]| ![n]| ![n]           | https://cpl.thalesgroup.com/access-management/authenticators/fido-devices                           |
 | Thetis                    | ![y]              | ![y]| ![y]| ![y]| ![n]           | https://thetis.io/collections/fido2                                                                 |
 
@@ -0,0 +1,25 @@
+---
+title: Don't send your middle-tier OBO token to any non-audience party
+description: Include file warning that access tokens acquired by the middle-tier shouldn't be sent to any party except that which is identified by the audience claim.
+services: active-directory
+author: iambmelt
+manager: CelesteDG
+
+ms.service: active-directory
+ms.subservice: develop
+ms.workload: identity
+ms.topic: include
+ms.date: 12/7/2021
+ms.author: brianmel
+ms.reviewer: brianmel
+ms.custom: aaddev
+---
+
+> [!WARNING]
+> **DO NOT** send access tokens that were issued to the middle tier to any other party. Access tokens issued to the middle tier are intended for use _only_ by that middle tier.
+>
+> Security risks of relaying access tokens from a middle-tier resource to a client (instead of the client getting the access tokens themselves) include:
+>
+> - Increased risk of token interception over compromised SSL/TLS channels.
+> - Inability to satisfy token binding and Conditional Access scenarios requiring claim step-up (for example, MFA, Sign-in Frequency).
+> - Incompatibility with admin-configured device-based policies (for example, MDM, location-based policies).
@@ -23,8 +23,12 @@ Publisher verification helps admins and end users understand the authenticity of
 When an application is marked as publisher verified, it means that the publisher has verified their identity using a [Microsoft Partner Network](https://partner.microsoft.com/membership) account that has completed the [verification](/partner-center/verification-responses) process and has associated this MPN account with their application registration. 
 
 A blue "verified" badge appears on the Azure AD consent prompt and other screens:
+
 ![Consent prompt](./media/publisher-verification-overview/consent-prompt.png)
 
+> [!NOTE]
+> We recently changed the color of the "verified" badge from blue to gray. We will revert that change sometime in the last half of February 2022, so the "verified" badge will be blue.
+
 This feature is primarily for developers building multi-tenant apps that leverage [OAuth 2.0 and OpenID Connect](active-directory-v2-protocols.md) with the [Microsoft identity platform](v2-overview.md). These apps can sign users in using OpenID Connect, or they may use OAuth 2.0 to request access to data using APIs like [Microsoft Graph](https://developer.microsoft.com/graph/).
 
 ## Benefits
 
@@ -83,7 +83,7 @@ The following samples show public client desktop applications that access the Mi
 > | Java | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-java-desktop/) | MSAL Java | Integrated Windows authentication |
 > | Node.js | [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-desktop) | MSAL Node | Authorization code with PKCE |
 > | Powershell | [Call Microsoft Graph by signing in users using username/password](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2) | MSAL.NET | Resource owner password credentials |
-> | Python | [Sign in users](https://github.com/Azure-Samples/ms-identity-python-desktop) | MSAL Python | Authorization code with PKCE |
+> | Python | [Sign in users](https://github.com/Azure-Samples/ms-identity-python-desktop) | MSAL Python | Resource owner password credentials |
 > | Universal Window Platform (UWP) | [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/main/2-With-broker) | MSAL.NET | Web account manager |
 > | Windows Presentation Foundation (WPF) | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) | MSAL.NET | Authorization code with PKCE |
 > | XAML | &#8226; [Sign in users and call ASP.NET core web API](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API) <br/> &#8226; [Sign in users and call Microsoft Graph](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | MSAL.NET | Authorization code with PKCE |
 
@@ -81,7 +81,12 @@ Configuration parameters for the [Node.js daemon sample](https://github.com/Azur
 # Credentials
 TENANT_ID=Enter_the_Tenant_Info_Here
 CLIENT_ID=Enter_the_Application_Id_Here
+
+// You provide either a ClientSecret or a CertificateConfiguration, or a ClientAssertion. These settings are exclusive
 CLIENT_SECRET=Enter_the_Client_Secret_Here
+CERTIFICATE_THUMBPRINT=Enter_the_certificate_thumbprint_Here
+CERTIFICATE_PRIVATE_KEY=Enter_the_certificate_private_key_Here
+CLIENT_ASSERTION=Enter_the_Assertion_String_Here
 
 # Endpoints
 // the Azure AD endpoint is the authority endpoint for token issuance
@@ -267,6 +272,7 @@ app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
     .WithAuthority(new Uri(config.Authority))
     .Build();
 ```
+
 # [Java](#tab/java)
 
 In MSAL Java, there are two builders to instantiate the confidential client application with certificates:
@@ -302,7 +308,24 @@ ConfidentialClientApplication cca =
 
 # [Node.js](#tab/nodejs)
 
-The sample application does not implement initialization with certificates at the moment.
+```JavaScript
+
+const config = {
+    auth: {
+        clientId: process.env.CLIENT_ID,
+        authority: process.env.AAD_ENDPOINT + process.env.TENANT_ID,
+        clientCertificate: {
+            thumbprint:  process.env.CERTIFICATE_THUMBPRINT, // a 40-digit hexadecimal string
+            privateKey:  process.env.CERTIFICATE_PRIVATE_KEY,
+        }
+    }
+};
+
+// Create an MSAL application object
+const cca = new msal.ConfidentialClientApplication(config);
+```
+
+For details, see [Use certificate credentials with MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/certificate-credentials.md).
 
 # [Python](#tab/python)
 
@@ -371,7 +394,18 @@ ConfidentialClientApplication cca =
 
 # [Node.js](#tab/nodejs)
 
-The sample application does not implement initialization with assertions at the moment.
+```JavaScript
+const clientConfig = {
+    auth: {
+        clientId: process.env.CLIENT_ID,
+        authority: process.env.AAD_ENDPOINT + process.env.TENANT_ID,
+        clientAssertion:  process.env.CLIENT_ASSERTION
+    }
+};
+const cca = new msal.ConfidentialClientApplication(clientConfig);
+```
+
+For details, see [Initialize the ConfidentialClientApplication object](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md).
 
 # [Python](#tab/python)
 
 
@@ -52,6 +52,8 @@ To request an access token, make an HTTP POST to the tenant-specific Microsoft i
 https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
 ```
 
+[!INCLUDE [remind-not-to-relay-token-nonaud](includes/remind-not-to-relay-token-nonaud.md)]
+
 There are two cases depending on whether the client application chooses to be secured by a shared secret or a certificate.
 
 ### First case: Access token request with a shared secret
 
@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
 There are three types of service accounts in Azure Active Directory (Azure AD): [managed identities](service-accounts-managed-identities.md), [service principals](service-accounts-principal.md), and user accounts employed as service accounts. As you create these service accounts for automated use, they're granted permissions to access resources in Azure and Azure AD. Resources can include Microsoft 365 services, software as a service (SaaS) applications, custom applications, databases, HR systems, and so on. Governing Azure AD service accounts means that you manage their creation, permissions, and lifecycle to ensure security and continuity.
 
 > [!IMPORTANT] 
-> We do not recommend using user accounts as service accounts as they are inherently less secure. This includes on-premises service accounts that are synced to Azure AD, as they are  not converted to service principals. Instead, we recommend the use of managed identities or service principals. Note that at this time the use of conditional access policies is not possible with service principals, but the functionality is coming.
+> We do not recommend using user accounts as service accounts as they are inherently less secure. This includes on-premises service accounts that are synced to Azure AD, as they are  not converted to service principals. Instead, we recommend the use of managed identities or service principals. Note that at this time the use of conditional access policies with service principals is called Conditional Access for workload identities and it's in public preview.
 
 
 ## Plan your service account