Merge branch 'MicrosoftDocs:main' into acs-teams-display-name-changed

Author: jamescadd

.openpublishing.publish.config.json

@@ -757,6 +757,12 @@
             "url": "https://github.com/AzureADQuickStarts/WebApp-OpenIdConnect-DotNet",
             "branch": "GuidedSetup",
             "branch_mapping": {}
+        },
+        {
+            "path_to_root": "azure-policy-autogen-docs",
+            "url": "https://github.com/MicrosoftDocs/azure-policy-autogen-docs",
+            "branch": "main",
+            "branch_mapping": {}
         }
     ],
     "branch_target_mapping": {

articles/active-directory-b2c/add-password-reset-policy.md

@@ -157,7 +157,7 @@ A claims transformation technical profile accesses the `isForgotPassword` claim.
 
 The **SelfAsserted-LocalAccountSignin-Email** technical profile **setting.forgotPasswordLinkOverride** defines the password reset claims exchange that executes in your user journey.
 
-The **LocalAccountWritePasswordUsingObjectId** technical profile **UseTechnicalProfileForSessionManagement** `SM-AAD` session manager is required for the user to preform subsequent logins successfully under [SSO](./custom-policy-reference-sso.md) conditions.
+The **LocalAccountWritePasswordUsingObjectId** technical profile **UseTechnicalProfileForSessionManagement** `SM-AAD` session manager is required for the user to perform subsequent logins successfully under [SSO](./custom-policy-reference-sso.md) conditions.
 
 ### Add the password reset sub journey
 

articles/active-directory-b2c/best-practices.md

@@ -84,7 +84,7 @@ Manage your Azure AD B2C environment.
 | Use the Microsoft Graph API to automate the management of your B2C tenants | Microsoft Graph APIs:<br/>Manage [Identity Experience Framework](/graph/api/resources/trustframeworkpolicy?preserve-view=true&view=graph-rest-beta) (custom policies)<br/>[Keys](/graph/api/resources/trustframeworkkeyset?preserve-view=true&view=graph-rest-beta)<br/>[User Flows](/graph/api/resources/identityuserflow?preserve-view=true&view=graph-rest-beta) |
 | Integrate with Azure DevOps | A [CI/CD pipeline](deploy-custom-policies-devops.md) makes moving code between different environments easy and ensures production readiness always.   |
 | Deploy custom policy | Azure AD B2C relies on caching to deliver performance to your end users. When you deploy a custom policy using whatever method, expect a delay of up to **30 minutes** for your users to see the changes. As a result of this behavior, consider the following practices when you deploy your custom policies: <br> - If you're deploying to a development environment, set the `DeploymentMode` attribute in your custom policy file's `<TrustFrameworkPolicy>` element to `Production`. <br> - Deploy your updated policy files to a production environment when traffic in your app is low. <br> - When you deploy to a production environment to update existing policy files, upload the updated files with new names, which act as new versions of the policies. Then, update your app references to the new names/versions. You can remove the old policy files afterward or keep them as your last known good configuration for easy rollback.<br> - If you need to deploy to a production environment to update existing policy files without versioning, make the new policy backward compatible with the old policy by following some simple rules. If you need to change a technical profile, claim, or [SubJourney](subjourneys.md), create a new version of it, publish the policy, and wait for 30 minutes for Azure AD B2C caches to pick up the new version. Then, in a subsequent update, make changes to use the new version and perform another policy update. Wait for another 30 minutes, then you can delete the old version of the elements if needed. Ensure all of your business logic is inside SubJourneys.<br> - You can set the `DeploymentMode` to `Development` in a production environment to bypass the caching behavior. However, we don't recommend this practice. If you [Collect Azure AD B2C logs with Application Insights](troubleshoot-with-application-insights.md), all claims sent to and from identity providers are collected, which is a security and performance risk. |
-| Deploy app registration updates | When you modify your application registration in your Azure AD B2C tenant, such as updating the application's redirect URI, expect a delay of up to **2 hours (3600s)** for the changes to take effect in the production environment. We recommend that you modify your application registration in your production environment when traffic in your app is low.|
+| Deploy app registration updates | When you modify your application registration in your Azure AD B2C tenant, such as updating the application's redirect URI, expect a delay of up to **2 hours (7200s)** for the changes to take effect in the production environment. We recommend that you modify your application registration in your production environment when traffic in your app is low.|
 | Integrate with Azure Monitor | [Audit log events](view-audit-logs.md) are only retained for seven days. [Integrate with Azure Monitor](azure-monitor.md) to retain the logs for long-term use, or integrate with third-party security information and event management (SIEM) tools to gain insights into your environment. |
 | Setup active alerting and monitoring | [Track user behavior](./analytics-with-application-insights.md) in Azure AD B2C using Application Insights. |
 

articles/active-directory-b2c/media/partner-nok-nok/nok-nok-id-token-hint-architecture-diagram.png

@@ -40,7 +40,7 @@ To enable passkey authentication for your users, enable Nok Nok as an identity p
 
 The following diagram illustrates the Nok Nok solution as an IdP for Azure AD B2C by using OpenID Connect (OIDC) for passkey authentication.
 
-![Diagram of Nok Nok as IdP for Azure AD B2C using OpenID Connect (OIDC) for passkey authentication.](./media/partner-nok-nok/nok-nok-architecture-diagram.png)
+![Diagram for passkey authentication with Nok Nok as an IdP.](./media/partner-nok-nok/nok-nok-architecture-diagram.png)
 
 ### Scenario 1: Passkey registration
 1. The user navigates to the Nok Nok tutorial web app using the link provided by Nok Nok.
@@ -52,9 +52,11 @@ The following diagram illustrates the Nok Nok solution as an IdP for Azure AD B2
 ### Scenario 2: Passkey authentication
 1. The user selects the sign-in with Nok Nok Cloud button on the Azure AD B2C sign-in page.
 2. Azure AD B2C redirects the user to the Nok Nok sign-in app.
-3. The user authenticates with their passkey.
-4. The Nok Nok server validates the passkey assertion and sends an OIDC authentication response to Azure AD B2C.
-5. Based on the authentication result, Azure AD B2C either grants or denies access to the target application.
+3. The user requests passkey authentication
+4. The user authenticates with their passkey.
+5. The Nok Nok Cloud validates the passkey assertion
+6. The Nok Nok Cloud sends an OIDC authentication response to Azure AD B2C.
+7. Based on the authentication result, Azure AD B2C either grants or denies access to the target application.
 
 ## Get started with Nok Nok
 
@@ -125,6 +127,22 @@ For the following instructions, Nok Nok is a new OIDC IdP in the B2C identity pr
 
 If the flow is incomplete, confirm the user is or isn't saved in the directory.
 
+## Alternate flow for Authentication
+
+The following diagram illustrates an alternate passkey sign in or sign up flow using the ID Token Hint feature of Azure AD B2C. With this approach, an Azure custom policy verifies the ID Token Hint produced by the Nok Nok Cloud. For more details, please refer to the article, [Define an ID token hint technical profile in an Azure Active Directory B2C custom policy](./id-token-hint.md). Please contact Nok Nok support for help with integrated the required Azure custom policy.
+
+![Diagram for passkey authentication using ID Token Hint from Nok Nok.](./media/partner-nok-nok/nok-nok-id-token-hint-architecture-diagram.png)
+
+The following are the steps
+1. The user selects the sign-in with Nok Nok Cloud button.
+2. The Nok Nok Cloud request passkey authentication.
+3. The user authenticates with their passkey.
+4. The Nok Nok Cloud validates the passkey assertion.
+5. The ID Token Hint is returned.
+6. The App posts an OIDC request with the ID Token Hint to Azure AD B2C.
+7. Azure AD B2C Custom Policy verifies the ID Token Hint.
+8. Based on the authentication result, Azure AD B2C either grants or denies access to the target application.
+
 ## Next steps
 
 * [Azure AD B2C custom policy overview](./custom-policy-overview.md)

articles/active-directory-b2c/partner-nok-nok.md

@@ -1,7 +1,7 @@
 ---
 title: "What's new in Azure Active Directory business-to-customer (B2C)"
 description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)."
-ms.date: 04/01/2025
+ms.date: 07/03/2025
 ms.service: azure-active-directory
 ms.subservice: b2c
 ms.topic: whats-new
@@ -18,6 +18,15 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory B2C documentation. This article lists new and significantly updated docs from the past three months. To learn what's new with the B2C service, see [What's new in Microsoft Entra ID](../active-directory/fundamentals/whats-new.md), [Azure AD B2C developer release notes](custom-policy-developer-notes.md) and [What's new in Microsoft Entra External ID](/entra/external-id/whats-new-docs).
 
+## June 2025
+
+### Updated articles
+
+- [Configure Cloudflare Web Application Firewall with Azure Active Directory B2C](partner-cloudflare.md) - Added a note about Azure Front Door-managed certificates
+- [Azure AD B2C: Frequently asked questions (FAQ)](faq.yml) - Updated the note in the Azure AD B2C end-of-sale section
+- [Page layout versions](page-layout.md) - Added updates related to CAPTCHA
+- [Securing phone-based multifactor authentication](phone-based-mfa.md) - Added information on preventing fraudulent sign-ups 
+
 ## April 2025
 
 ### Updated articles
@@ -32,12 +41,3 @@ This month, we added an important note to our articles stating that starting May
 ### Updated articles
 - [Error codes: Azure Active Directory B2C](error-codes.md) - Updated error messages
 
-## February 2025
-
-### Updated articles
-
-- [Enable multifactor authentication in Azure Active Directory B2C](multi-factor-authentication.md) - Added SMS pricing
-- [Page layout versions](page-layout.md) - Updated the latest versions of the self-asserted and MFA pages
-- [Azure AD B2C: Frequently asked questions (FAQ)](faq.yml) - Added billing name change for SMS phone
-- [Enable CAPTCHA in Azure Active Directory B2C](add-captcha.md) - Added CAPTCHA feature flag
-

articles/active-directory-b2c/whats-new-docs.md

@@ -81,7 +81,7 @@ The following tables compare features available in the following API Management
 | [Outbound virtual network integration](integrate-vnet-outbound.md)  | ❌ | Standard  v2, Premium v2  |  ❌ | ❌ | ✔️ |
 | [Availability zones](zone-redundancy.md)  |  Premium | ✔️<sup>3</sup>  | ❌ | ✔️<sup>1</sup> | ✔️<sup>3</sup> |
 | [Multi-region deployment](api-management-howto-deploy-multi-region.md) |  Premium | ❌ |  ❌ | ✔️<sup>1</sup> | ❌ |
-| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation |  ✔️ | ✔️ | ❌ | ✔️<sup>4</sup> |  ❌ |
+| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation |  ✔️ | ❌ | ❌ | ✔️<sup>4</sup> |  ❌ |
 | [Managed domain certificates](configure-custom-domain.md?tabs=managed#domain-certificate-options) |  Developer, Basic, Standard, Premium | ❌ | ✔️ | ❌ | ❌ |
 | [TLS settings](api-management-howto-manage-protocols-ciphers.md) |  ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
 | **HTTP/2** (Client-to-gateway) | ✔️<sup>5</sup> | ✔️<sup>5</sup> |❌ | ✔️ | ❌ |

articles/api-management/api-management-gateways-overview.md

@@ -9,7 +9,7 @@ ms.topic: tutorial
 ms.date: 03/26/2025
 ms.author: danlep
 
-#customer intent: As a developer, I want to publish mutliple versions of an API so that all callers to the API don't need to use the same version.
+#customer intent: As a developer, I want to publish multiple versions of an API so that all callers to the API don't need to use the same version.
 ---
 
 # Tutorial: Publish multiple versions of your API

articles/api-management/api-management-get-started-publish-versions.md

@@ -37,6 +37,7 @@ Information in the following table is updated regularly. Capacity availability i
 | East US 2 | ✅ | ✅ | ✅ | ✅ |
 | France Central  | ✅ | ✅ | | ✅ |
 | Germany West Central  | ✅ | ✅ | ✅ | ✅ |
+| Italy North | ✅ | ✅ |  |  |
 | Japan East | ✅ | ✅ | | ✅ |
 | Korea Central | ✅ | ✅ | ✅ | | 
 | North Central US | ✅ | ✅ |  | ✅ |
@@ -45,7 +46,8 @@ Information in the following table is updated regularly. Capacity availability i
 | South Africa North | ✅ | ✅ | |  |
 | South Central US | ✅ | ✅ |  |  |
 | South India | ✅ | ✅ |  |  |
-| Southeast Asia | ✅ | ✅ | | ✅ |
+| Sweden Central | ✅ | ✅ | | |
+| South India | ✅ | ✅ |  |  |
 | Switzerland North | ✅ |✅ |  | |
 | UK South | ✅  | ✅ | ✅ | ✅ |
 | UK West | ✅  | ✅ | | |

articles/api-management/api-management-region-availability.md

@@ -1,6 +1,6 @@
 ---
 title: Import an Azure OpenAI API as REST API - Azure API Management
-description: How to import an Azure OpenAI API as a REST API from the Azure OpenAI in Foundry Models or from an OpenAPI specification.
+description: How to import an Azure OpenAI API as a REST API from Azure OpenAI in Foundry Models or from an OpenAPI specification.
 ms.service: azure-api-management
 author: dlepow
 ms.author: danlep
@@ -20,7 +20,8 @@ You can import AI model endpoints deployed in [Azure OpenAI in Foundry Models](/
 
 This article shows two options to import an Azure OpenAI API into an Azure API Management instance as a REST API:
 
-- [Import an Azure OpenAI API directly from Azure OpenAI in Foundry Models](#option-1-import-api-from-azure-openai) (recommended)
+- [Import an Azure OpenAI API directly from Azure OpenAI](#option-1-import-api-from-azure-openai) (recommended)
+ 
 - [Download and add the OpenAPI specification](#option-2-add-an-openapi-specification-to-api-management) for Azure OpenAI and add it to API Management as an OpenAPI API.
 
 Learn more about managing AI APIs in API Management:
@@ -35,12 +36,12 @@ Learn more about managing AI APIs in API Management:
     Make a note of the ID (name) of the deployment. You'll need it when you test the imported API in API Management.
 
     > [!NOTE]
-    > API Management policies such as [azure-openai-token-limit](azure-openai-token-limit-policy.md) and [azure-openai-emit-token-metric](azure-openai-emit-token-metric-policy.md) are supported for certain API endpoints exposed through specific Azure OpenAI models. For more information, see [Supported Azure OpenAI in Foundry Models](azure-openai-token-limit-policy.md).
+    > API Management policies such as [azure-openai-token-limit](azure-openai-token-limit-policy.md) and [azure-openai-emit-token-metric](azure-openai-emit-token-metric-policy.md) are supported for certain API endpoints exposed through specific Azure OpenAI models. For more information, see [Supported Azure OpenAI models](azure-openai-token-limit-policy.md#supported-azure-openai-in-foundry-models-models).
 
 - Permissions to grant access to the Azure OpenAI resource from the API Management instance.
 
-## Option 1. Import API from Azure OpenAI
-
+## Option 1. Import API from Azure OpenAI 
+ 
 You can import an Azure OpenAI API directly from Azure OpenAI to API Management. 
 
 [!INCLUDE [api-management-workspace-availability](../../includes/api-management-workspace-availability.md)]
@@ -135,8 +136,8 @@ To ensure that your Azure OpenAI API is working as expected, test it in the API
 1. Select an operation that's compatible with the model you deployed in the Azure OpenAI resource. 
     The page displays fields for parameters and headers.
 1. In **Template parameters**, enter the following values:
-    * `deployment-id` - the ID of a deployment in the Azure OpenAI
-    * `api-version` - a valid Azure OpenAI API version, such as the API version you selected when you imported the API.
+     * `deployment-id` - the ID of a deployment in Azure OpenAI   
+     * `api-version` - a valid Azure OpenAI API version, such as the API version you selected when you imported the API.
       :::image type="content" source="media/azure-openai-api-from-specification/test-azure-openai-api.png" alt-text="Screenshot of testing an Azure OpenAI API in the portal." lightbox="media/azure-openai-api-from-specification/test-azure-openai-api.png" :::
 1. Enter other parameters and headers as needed. Depending on the operation, you might need to configure or update a **Request body**.
     > [!NOTE]