Merge pull request #205222 from MicrosoftDocs/main

7/19 AM Publish

Author: huypub

articles/active-directory-b2c/javascript-and-page-layout.md

@@ -233,6 +233,21 @@ function addTermsOfUseLink() {
 
 In the code, replace `termsOfUseUrl` with the link to your terms of use agreement. For your directory, create a new user attribute called **termsOfUse** and then include **termsOfUse** as a user attribute.
 
+Alternatively, you can add a link at the bottom of self-asserted pages, without using of JavaScript. Use the following localization:
+
+```xml
+<LocalizedResources Id="api.localaccountsignup.en">
+  <LocalizedStrings>
+    <!-- The following elements will display a link at the bottom of the page. -->
+    <LocalizedString ElementType="UxElement" StringId="disclaimer_link_1_text">Terms of use</LocalizedString>
+    <LocalizedString ElementType="UxElement" StringId="disclaimer_link_1_url">termsOfUseUrl</LocalizedString>
+    </LocalizedStrings>
+</LocalizedResources>
+```
+
+Replace `termsOfUseUrl` with the link to your organization's privacy policy and terms of use. 
+
+
 ## Next steps
 
 Find more information about how to [Customize the user interface of your application in Azure Active Directory B2C](customize-ui-with-html.md).

articles/active-directory-b2c/localization-string-ids.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 04/12/2022
+ms.date: 04/19/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -177,6 +177,18 @@ The following are the IDs for a content definition with an ID of `api.localaccou
 | **ver_intro_msg** | Verification is necessary. Please click Send button. |
 | **ver_input** | Verification code |
 
+### Sign-up and self-asserted pages disclaimer links
+
+The following `UxElement` string IDs will display disclaimer link(s) at the bottom of the self-asserted page. These links are not displayed by default unless specified in the localized strings.
+
+| ID | Example value |
+| --- | ------------- |
+| **disclaimer_msg_intro** | By providing your phone number, you consent to receiving a one-time passcode sent by text message to help you sign into {insert your application name}. Standard messsage and data rates may apply. |
+| **disclaimer_link_1_text** | Privacy Statement |
+| **disclaimer_link_1_url** | {insert your privacy statement URL} |
+| **disclaimer_link_2_text** | Terms and Conditions |
+| **disclaimer_link_2_url** | {insert your terms and conditions URL} |
+
 ### Sign-up and self-asserted pages error messages
 
 | ID | Default value |
@@ -238,6 +250,14 @@ The following example shows the use of some of the user interface elements in th
     <LocalizedString ElementType="UxElement" StringId="ver_input">Verification code</LocalizedString>
     <LocalizedString ElementType="UxElement" StringId="ver_intro_msg">Verification is necessary. Please click Send button.</LocalizedString>
     <LocalizedString ElementType="UxElement" StringId="ver_success_msg">E-mail address verified. You can now continue.</LocalizedString>
+    <!-- The following elements will display a message and two links at the bottom of the page. 
+         For policies that you intend to show to users in the United States, we suggest displaying the following text. Replace the content of the disclaimer_link_X_url elements with links to your organization's privacy statement and terms and conditions. 
+          Uncomment any of these lines to display them.  -->
+    <!-- <LocalizedString ElementType="UxElement" StringId="disclaimer_msg_intro">By providing your phone number, you consent to receiving a one-time passcode sent by text message to help you sign into {insert your application name}. Standard messsage and data rates may apply.</LocalizedString> -->
+    <!-- <LocalizedString ElementType="UxElement" StringId="disclaimer_link_1_text">Privacy Statement</LocalizedString>
+    <LocalizedString ElementType="UxElement" StringId="disclaimer_link_1_url">{insert your privacy statement URL}</LocalizedString> -->
+    <!-- <LocalizedString ElementType="UxElement" StringId="disclaimer_link_2_text">Terms and Conditions</LocalizedString>
+    <LocalizedString ElementType="UxElement" StringId="disclaimer_link_2_url">{insert your terms and conditions URL}</LocalizedString> -->
     <LocalizedString ElementType="ErrorMessage" StringId="ServiceThrottled">There are too many requests at this moment. Please wait for some time and try again.</LocalizedString>
     <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimNotVerified">Claim not verified: {0}</LocalizedString>
     <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalAlreadyExists">A user with the specified ID already exists. Please choose a different one.</LocalizedString>

articles/active-directory-b2c/phone-factor-technical-profile.md

@@ -93,6 +93,7 @@ The **CryptographicKeys** element is not used.
 | ManualPhoneNumberEntryAllowed| No | Specify whether or not a user is allowed to manually enter a phone number. Possible values: `true`, or `false` (default).|
 | setting.authenticationMode | No | The method to validate the phone number. Possible values: `sms`, `phone`, or `mixed` (default).|
 | setting.autodial| No| Specify whether the technical profile should auto dial or auto send an SMS. Possible values: `true`, or `false` (default). Auto dial requires the `setting.authenticationMode` metadata be set to `sms`, or `phone`. The input claims collection must have a single phone number. |
+| setting.autosubmit | No | Specifies whether the technical profile should auto submit the one-time password entry form. Possible values are `true` (default), or `false`. When auto-submit is turned off, the user needs to select a button to progress the journey. |
 
 ### UI elements
 

articles/active-directory/app-provisioning/partner-driven-integrations.md

@@ -80,7 +80,7 @@ If you have built a SCIM Gateway and would like to add it to this list, follow t
 1. Review the Azure AD SCIM [documentation](use-scim-to-provision-users-and-groups.md) to understand the Azure AD SCIM implementation.
 1. Test compatibility between the Azure AD SCIM client and your SCIM gateway.
 1. Click the pencil at the top of this document to edit the article
-1. Once you're redirected to Github, click the pencil at the top of the article to start making changes
+1. Once you're redirected to GitHub, click the pencil at the top of the article to start making changes
 1. Make changes in the article using the Markdown language and create a pull request. Make sure to provide a description for the pull request.  
 1. An admin of the repository will review and merge your changes so that others can view them.
 

articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-group-based-permissions.md

@@ -15,7 +15,8 @@ ms.author: kenwith
 
 This article describes how you can create  and manage group-based permissions in Permissions Management with the User management dashboard.
 
-[!NOTE] The Permissions Management Administrator for all authorization systems will be able to create the new group based permissions.
+> [!NOTE] 
+> The Permissions Management Administrator for all authorization systems will be able to create the new group based permissions.
 
 ## Select administrative permissions settings for a group
 

articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 04/19/2022
+ms.date: 07/18/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -101,7 +101,7 @@ The following key applications are included in the Office 365 client app:
 - OneDrive
 - Power Apps
 - Power Automate
-- Security & Compliance Center
+- Security & compliance portal
 - SharePoint Online
 - Skype for Business Online
 - Skype and Teams Tenant Admin API
@@ -112,30 +112,35 @@ A complete list of all services included can be found in the article [Apps inclu
 
 ### Microsoft Azure Management
 
-The Microsoft Azure Management application includes multiple services. 
-
-   - Azure portal
-   - Microsoft Entra admin center
-   - Azure Resource Manager provider
-   - Classic deployment model APIs
-   - Azure PowerShell
-   - Azure CLI
-   - Azure DevOps
-   - Azure Data Factory portal
-   - Azure Event Hubs
-   - Azure Service Bus
-   - [Azure SQL Database](/azure/azure-sql/database/conditional-access-configure)
-   - SQL Managed Instance
-   - Azure Synapse
-   - Visual Studio subscriptions administrator portal
+When Conditional Access policy is targeted to the Microsoft Azure Management application, within the Conditional Access policy app picker the policy will be enforced for tokens issued to application IDs of a set of services closely bound to the portal.  
+
+- Azure Resource Manager
+- Azure portal, which also covers the Microsoft Entra admin center                                                          
+- Azure Data Lake                                                
+- Application Insights API                              
+- Log Analytics API                                         
+
+Because the policy is applied to the Azure management portal and API, services, or clients with an Azure API service dependency, can indirectly be impacted. For example: 
+
+- Classic deployment model APIs 
+- Azure PowerShell 
+- Azure CLI 
+- Azure DevOps 
+- Azure Data Factory portal 
+- Azure Event Hubs 
+- Azure Service Bus 
+- [Azure SQL Database](/azure/azure-sql/database/conditional-access-configure)
+- SQL Managed Instance 
+- Azure Synapse 
+- Visual Studio subscriptions administrator portal 
 
 > [!NOTE]
 > The Microsoft Azure Management application applies to [Azure PowerShell](/powershell/azure/what-is-azure-powershell), which calls the [Azure Resource Manager API](../../azure-resource-manager/management/overview.md). It does not apply to [Azure AD PowerShell](/powershell/azure/active-directory/overview), which calls the [Microsoft Graph API](/graph/overview).
 
 For more information on how to set up a sample policy for Microsoft Azure Management, see [Conditional Access: Require MFA for Azure management](howto-conditional-access-policy-azure-management.md).
 
->[!NOTE]
->For Azure Government, you should target the Azure Government Cloud Management API application.
+> [!TIP]
+> For Azure Government, you should target the Azure Government Cloud Management API application.
 
 ### Other applications
 
@@ -150,7 +155,23 @@ Administrators can add any Azure AD registered application to Conditional Access
 > [!NOTE]
 > Since Conditional Access policy sets the requirements for accessing a service you are not able to apply it to a client (public/native) application. In other words, the policy is not set directly on a client (public/native) application, but is applied when a client calls a service. For example, a policy set on SharePoint service applies to the clients calling SharePoint. A policy set on Exchange applies to the attempt to access the email using Outlook client. That is why client (public/native) applications are not available for selection in the Cloud Apps picker and Conditional Access option is not available in the application settings for the client (public/native) application registered in your tenant. 
 
-Some applications don't appear in the picker at all. The only way to include these applications in a Conditional Access policy is to include **All apps**. 
+Some applications don't appear in the picker at all. The only way to include these applications in a Conditional Access policy is to include **All cloud apps**. 
+
+### All cloud apps
+
+Applying a Conditional Access policy to **All cloud apps** will result in the policy being enforced for all tokens issued to web sites and services. This option includes applications that aren't individually targetable in Conditional Access policy, such as Azure Active Directory. 
+
+In some cases, an **All cloud apps** policy could inadvertently block user access. These cases are excluded from policy enforcement and include:
+
+- Services required to achieve the desired security posture. For example, device enrollment calls are excluded from compliant device policy targeted to All cloud apps. 
+
+- Calls to Azure AD Graph and MS Graph, to access user profile, group membership and relationship information that is commonly used by applications excluded from policy. The excluded scopes are listed below. Consent is still required for apps to use these permissions. 
+   - For native clients:
+      - Azure AD Graph: User.read
+      - MS Graph: User.read, People.read, and UserProfile.read 
+   - For confidential / authenticated clients:
+      - Azure AD Graph: User.read, User.read.all, and User.readbasic.all
+      - MS Graph: User.read,User.read.all, User.read.All People.read, People.read.all, GroupMember.Read.All, Member.Read.Hidden, and UserProfile.read 
 
 ## User actions
 

articles/active-directory/conditional-access/concept-conditional-access-grant.md

@@ -69,6 +69,8 @@ Devices must be registered in Azure AD before they can be marked as compliant. M
 > [!NOTE]
 > On Windows 7, iOS, Android, macOS, and some third-party web browsers Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser the user is prompted to select the certificate. The end user must select this certificate before they can continue to use the browser.
 
+You can use the Microsoft Defender for Endpoint app along with the Approved Client app policy in Intune to set device compliance policy Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while setting up Conditional Access. Although Microsoft Defender for Endpoint on Android & iOS  (App ID - dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it has permission to report device security posture. This permission enables the flow of compliance information to Conditional Access.
+
 ### Require hybrid Azure AD joined device
 
 Organizations can choose to use the device identity as part of their Conditional Access policy. Organizations can require that devices are hybrid Azure AD joined using this checkbox. For more information about device identities, see the article [What is a device identity?](../devices/overview.md).