Merge pull request #240873 from MicrosoftDocs/main

6/08/2023 10AM Publishing

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -4340,6 +4340,11 @@
       "redirect_url": "/azure/active-directory/external-identities/what-is-b2b",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/active-directory/external-identities/azure-ad-account.md",
+      "redirect_url": "/azure/active-directory/external-identities/default-account",
+      "redirect_document_id": true
+    },
     {
       "source_path_from_root": "/articles/active-directory/active-directory-accessmanagement-managing-group-owners.md",
       "redirect_url": "/azure/active-directory/fundamentals/active-directory-accessmanagement-managing-group-owners",

articles/active-directory-b2c/partner-azure-web-application-firewall.md

@@ -18,6 +18,9 @@ ms.subservice: B2C
 
 Learn how to enable the Azure Web Application Firewall (WAF) service for an Azure Active Directory B2C (Azure AD B2C) tenant, with a custom domain. WAF protects web applications from common exploits and vulnerabilities.
 
+>[!NOTE]
+>This feature is in public preview. 
+
 See, [What is Azure Web Application Firewall?](../web-application-firewall/overview.md)
 
 ## Prerequisites

articles/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md

@@ -93,5 +93,12 @@ Summary of factors that influence the time it takes to complete an **initial cyc
 
 - If performance becomes an issue, and you're attempting to provision most users and groups in your tenant, then use scoping filters. Scoping filters allow you to fine tune the data that the provisioning service extracts from Azure AD by filtering out users based on specific attribute values. For more information on scoping filters, see [Attribute-based application provisioning with scoping filters](define-conditional-rules-for-provisioning-user-accounts.md).
 
+The **incremental cycle** may also take longer than the duration we have documented above. Some of the factors that influence this duration are:
+
+- The  number of changes on the individual objects properties.
+- The number of changes on the groups memberships.
+- The scope of assignment configured for the app. Configuration of **sync assigned users and groups only** is recommended where possible.
+
+
 ## Next steps
 [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](user-provisioning.md)

articles/active-directory/authentication/fido2-compatibility.md

@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 ---
 # Browser support of FIDO2 passwordless authentication
 
-Azure Active Directory allows [FIDO2 security keys](./concept-authentication-passwordless.md#fido2-security-keys) to be used as a passwordless device. The availability of FIDO2 authentication for Microsoft accounts was [announced in 2018](https://techcommunity.microsoft.com/t5/identity-standards-blog/all-about-fido2-ctap2-and-webauthn/ba-p/288910), and it became [generally available](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/passwordless-authentication-is-now-generally-available/ba-p/1994700) in March 2021. The following diagram shows which browsers and operating system combinations support passwordless authentication using FIDO2 authentication keys with Azure Active Directory.
+Azure Active Directory allows [FIDO2 security keys](./concept-authentication-passwordless.md#fido2-security-keys) to be used as a passwordless device. The availability of FIDO2 authentication for Microsoft accounts was [announced in 2018](https://techcommunity.microsoft.com/t5/identity-standards-blog/all-about-fido2-ctap2-and-webauthn/ba-p/288910), and it became [generally available](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/passwordless-authentication-is-now-generally-available/ba-p/1994700) in March 2021. The following diagram shows which browsers and operating system combinations support passwordless authentication using FIDO2 authentication keys with Azure Active Directory. Azure AD currently supports only hardware FIDO2 keys and does not support passkeys for any platform.
 
 ## Supported browsers
 

articles/active-directory/develop/sample-v2-code.md

@@ -1,38 +1,58 @@
 ---
-title: Prepare your application - Sign in users to an ASP.NET web app 
-description: Create and prepare an ASP.NET web app for authentication
+title: Tutorial - Prepare an ASP.NET web app for authentication in a customer tenant
+description: Learn how to prepare an ASP.NET web app for authentication with your Azure Active Directory (Azure AD) for customers tenant.
 services: active-directory
 author: cilwerner
 ms.author: cwerner
 manager: celestedg
 ms.service: active-directory
-ms.workload: identity
+
 ms.subservice: ciam
-ms.topic: how-to
+ms.topic: tutorial
 ms.date: 05/23/2023
-ms.custom: it-pro
+
 #Customer intent: As a dev, devops, I want to learn about how to enable authentication in my own ASP.NET web app with Azure Active Directory (Azure AD) for customers tenant.
 ---
 
-# Prepare your application: Sign in users to an ASP.NET web app using an Azure Active Directory (AD) for customers tenant
+# Tutorial: Prepare an ASP.NET web app for authentication in a customer tenant
+
+In the [previous article](./how-to-web-app-dotnet-sign-in-prepare-tenant.md), you registered an application and configured user flows in your Azure Active Directory (Azure AD) for customers tenant.
 
-After registering an application and creating a user flow in a Azure Active Directory (AD) for customers tenant, an ASP.NET web application can be created using an integrated development environment (IDE). In this article, you'll create an ASP.NET project in your IDE, and configure it for authentication.
+In this tutorial you'll;
+
+> [!div class="checklist"]
+> * Create an ASP.NET project in Visual Studio Code
+> * Add the required NuGet packages
+> * Configure the settings for the application
+> * Add code to implement authentication
 
 ## Prerequisites
 
-- Completion of the prerequisites and steps in [Sign in users in your own ASP.NET web application by using an Azure AD for customers tenant - Prepare your tenant](./how-to-web-app-dotnet-sign-in-prepare-tenant.md).
-- Although any IDE that supports React applications can be used, Visual Studio Code is used for this guide. This can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads/) page.
-- [.NET 7.0 SDK](https://dotnet.microsoft.com/download/dotnet).
+* Completion of the prerequisites and steps in [Prepare your customer tenant for building an ASP.NET web app](./how-to-web-app-dotnet-sign-in-prepare-tenant.md).
+* Although any integrated development environment (IDE) that supports ASP.NET applications can be used, this tutorial uses **Visual Studio Code**. You can download it [here](https://visualstudio.microsoft.com/downloads/).
+* [.NET 7.0 SDK](https://dotnet.microsoft.com/download/dotnet).
 
 ## Create an ASP.NET project
 
-1. Open a terminal in your IDE and navigate to the location in which to create your project.
-1. Enter the following command to make the project folder and create your project.
+1. Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project.
+1. Open a new terminal by selecting **Terminal** > **New Terminal**.
+1. Enter the following command to make a Model View Controller (MVC) ASP.NET project.
 
     ```powershell
     dotnet new mvc -n aspnet_webapp
     ```
 
+## Install identity packages
+
+Identity related NuGet packages must be installed in the project to authenticate users.
+
+1. Enter the following commands to change into the *aspnet_webapp* folder and install the relevant NuGet package:
+
+    ```powershell
+    cd aspnet_webapp
+    dotnet add package Microsoft.Identity.Web.UI
+    ```
+
 ## Configure the application for authentication
 
 1. Open the *appsettings.json* file and replace the existing code with the following snippet.
@@ -71,7 +91,94 @@ After registering an application and creating a user flow in a Azure Active Dire
 1. In the `https` section of `profiles`, change the `https` URL in `applicationUrl` so that it reads `https://localhost:7274`. You used this URL to define the **Redirect URI**.
 1. Save the changes to your file.
 
+## Add authorization to *HomeController.cs*
+
+The *HomeController.cs* file contains the code for the home page of the application and needs to have the capability to authorize the user. The `Microsoft.AspNetCore.Authorization` namespace provides the classes and interfaces to implement authorization to the web app, and the `[Authorize]` attribute is used to specify that only authenticated users can use the web app.
+
+1. In your code editor, open *Controllers\HomeController.cs* file.
+1. Authorization needs to be added to the controller, add `Microsoft.AspNetCore.Authorization` so that the top of the file is identical to the following snippet:
+
+    ```cshtml
+    using System.Diagnostics;
+    using Microsoft.AspNetCore.Authorization;
+    using Microsoft.AspNetCore.Mvc;
+    using aspnet_webapp.Models;
+    ```
+
+1. Additionally, add the `[Authorize]` attribute directly above the `HomeController` class definition.
+
+    ```csharp
+    [Authorize]
+    ```
+
+## Add authentication and authorization to *Program.cs*
+
+The *Program.cs* needs to be modified to add authentication and authorization to the web app. This includes adding namespaces for authentication and authorization, and being able to sign in users with the Microsoft identity platform.
+
+1. To add the required namespaces, open *Program.cs* and add the following snippet to the top of the file:
+
+    ```csharp
+    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+    using Microsoft.AspNetCore.Authorization;
+    using Microsoft.AspNetCore.Mvc.Authorization;
+    using Microsoft.Identity.Web;
+    using Microsoft.Identity.Web.UI;
+    using System.IdentityModel.Tokens.Jwt;
+    ```
+
+1. Next, add the authentication services to the application which will enable the web app to sign in users with the Microsoft identity platform. You can replace the rest of the code in *Program.cs* with the following snippet:
+
+    ```csharp
+    var builder = WebApplication.CreateBuilder(args);
+
+    // Add services to the container.
+    builder.Services.AddControllersWithViews();
+
+    // This is required to be instantiated before the OpenIdConnectOptions starts getting configured.
+    // By default, the claims mapping will map claim names in the old format to accommodate older SAML applications.
+    // For instance, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' instead of 'roles' claim.
+    // This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
+    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
+
+    // Sign-in users with the Microsoft identity platform
+    builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+        .AddMicrosoftIdentityWebApp(builder.Configuration)
+        .EnableTokenAcquisitionToCallDownstreamApi()
+        .AddInMemoryTokenCaches();
+
+    builder.Services.AddControllersWithViews(options =>
+    {
+        var policy = new AuthorizationPolicyBuilder()
+            .RequireAuthenticatedUser()
+            .Build();
+        options.Filters.Add(new AuthorizeFilter(policy));
+    }).AddMicrosoftIdentityUI();
+
+    var app = builder.Build();
+
+    // Configure the HTTP request pipeline.
+    if (!app.Environment.IsDevelopment())
+    {
+        app.UseExceptionHandler("/Home/Error");
+        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
+        app.UseHsts();
+    }
+
+    app.UseHttpsRedirection();
+    app.UseStaticFiles();
+
+    app.UseRouting();
+    app.UseAuthorization();
+
+    app.MapControllerRoute(
+        name: "default",
+        pattern: "{controller=Home}/{action=Index}/{id?}");
+
+    app.Run();
+
+    ```
+
 ## Next steps
 
 > [!div class="nextstepaction"]
-> [Sign in and sign out](how-to-web-app-dotnet-sign-in-sign-out.md)
+> [Sign in and sign out](how-to-web-app-dotnet-sign-in-sign-out.md)

articles/active-directory/external-identities/customers/how-to-web-app-dotnet-sign-in-prepare-app.md

@@ -1,35 +1,49 @@
 ---
-title: Prepare your tenant - Sign in users to an ASP.NET web app
-description: Learn about how to prepare your Azure Active Directory (AD) for customers tenant for customers to sign in users in your own ASP.NET web application by using Azure AD for customers tenant.
+title: Tutorial - Prepare your customer tenant to authenticate users in an ASP.NET web app
+description: Learn how to configure your Azure Active Directory (Azure AD) for customers tenant for authentication with an ASP.NET web application
 services: active-directory
 author: cilwerner
 manager: celestedg
 
 ms.author: cwerner
 ms.service: active-directory
-ms.workload: identity
 ms.subservice: ciam
-ms.topic: how-to
+ms.topic: tutorial
 ms.date: 05/23/2023
-ms.custom: developer
+
 #Customer intent: As a dev, devops, I want to learn about how to enable authentication in my own ASP.NET web app with Azure Active Directory (Azure AD) for customers tenant
 ---
 
-# Prepare your tenant: Sign in users to an ASP.NET web app using an Azure Active Directory (AD) for customers tenant
+# Tutorial: Prepare your customer tenant to authenticate users in an ASP.NET web app
+
+This tutorial series demonstrates how to build an ASP.NET web application from scratch and prepare it for authentication using the Microsoft Entra admin center. You'll use the [Microsoft Authentication Library for .NET](/entra/msal/dotnet) and [Microsoft Identity Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) libraries to authenticate your app with your Azure Active Directory (Azure AD) for customers tenant. Finally, you'll run the application and test the sign-in and sign-out experiences.
 
-This how-to guide demonstrates how to prepare your Azure Active Directory (Azure AD) for customers tenant for authentication. You'll register a web application in the Microsoft Entra admin center, and record its identifiers. You'll then create a sign in and sign out user flow in the Microsoft Entra admin center and associate your web application with the user flow.
+In this tutorial, you'll;
+
+> [!div class="checklist"]
+> * Register a web application in the Microsoft Entra admin center, and record its identifiers
+> * Create a client secret for the web application
+> * Define the platform and URLs
+> * Grant permissions to the web application to access the Microsoft Graph API
+> * Create a sign in and sign out user flow in the Microsoft Entra admin center
+> * Associate your web application with the user flow
 
 ## Prerequisites
 
-- Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.
+- An Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+- This Azure account must have permissions to manage applications. Any of the following Azure AD roles include the required permissions:
+    * Application administrator
+    * Application developer
+    * Cloud application administrator
 
-If you have already registered a web application in the Microsoft Entra admin center, and associated it with a user flow, you can skip the steps in this article and move to [Prepare your application](how-to-web-app-dotnet-sign-in-prepare-app.md).
+- An Azure AD for customers tenant. If you haven't already, [create one now](https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl). You can use an existing customer tenant if you have one.
 
-## Register the web app
+## Register the web app and record identifiers
 
 [!INCLUDE [ciam-register-app](./includes/register-app/register-client-app-common.md)]
 
-## Define the platform and URLs
+## Add a platform redirect URL
 
 [!INCLUDE [ciam-register-app](./includes/register-app/add-platform-redirect-url-dotnet.md)]
 
@@ -52,4 +66,4 @@ If you have already registered a web application in the Microsoft Entra admin ce
 ## Next steps
 
 > [!div class="nextstepaction"]
-> [Prepare your application](how-to-web-app-dotnet-sign-in-prepare-app.md)
+> [Prepare ASP.NET web app](how-to-web-app-dotnet-sign-in-prepare-app.md)